26:
53:
An Act to provide for the regulation of processing of personal data; to identify and strengthen the rights of data subjects in relation to the protection of personal data; to provide for the establishment of the Data
Protection Authority; and to provide for matters connected therewith or incidental
421:
The
Personal Data Protection Act represents a significant step in Sri Lanka's digital governance framework. It aligns Sri Lanka's data protection regime with international standards, potentially facilitating cross-border data flows and digital trade. The Act is expected to enhance trust in digital
263:
The Act was passed by the
Parliament of Sri Lanka in 2022 to address the growing need for data protection in the digital age. It is designed to safeguard personal data while allowing for legitimate data processing activities.
391:
The
Authority considers several factors when determining penalties, including the nature and duration of the violation, the number of data subjects affected, and any actions taken to mitigate damages.
368:
The Act provides additional protections for sensitive personal data, including data revealing racial or ethnic origin, political opinions, religious beliefs, health data, and biometric data.
299:
The Act establishes the Data
Protection Authority of Sri Lanka as the primary regulatory body responsible for enforcing the law and promoting data protection practices.
406:
December 1, 2023: Parts VI (Director-General and staff of the
Authority), VIII (Fund of the Authority), IX (Miscellaneous), and X (Interpretation) came into effect.
560:
255:. The Act aims to protect the privacy of individuals, establish rights for data subjects, and impose obligations on data controllers and processors.
409:
March 18, 2025: Parts I (Preliminary), II (Rights of Data
Subjects), III (Controllers and Processors), and VII (Penalties) will come into effect.
104:
360:
The Act regulates the transfer of personal data outside Sri Lanka, requiring adequate protection measures or specific conditions to be met.
436:
179:
387:
For subsequent non-compliances, an additional penalty of twice the amount imposed for the previous non-compliance may be levied.
489:
431:
422:
transactions and services while promoting responsible data handling practices across public and private sectors.
570:
474:
86:
33:
413:
This phased implementation allows organizations and the government time to prepare for full compliance.
214:
204:
194:
565:
441:
155:
169:
466:
66:
251:) is a comprehensive data protection law enacted to regulate the processing of personal data in
381:
533:
509:
119:
554:
403:
July 17, 2023: Part V (establishing the Data
Protection Authority) came into effect.
25:
446:
494:
380:
For the first instance of non-compliance, a penalty not exceeding ten million
44:
252:
351:
Notifying the
Authority and affected individuals of personal data breaches
287:
Related to the offering of goods or services to data subjects in Sri Lanka
376:
The Act empowers the
Authority to impose penalties for non-compliance:
284:
By controllers or processors domiciled or established in Sri Lanka
76:
348:
Appointing Data Protection Officers under specific circumstances
290:
Involving the monitoring of data subjects' behavior in Sri Lanka
345:
Conducting data protection impact assessments in certain cases
307:
The Act grants several rights to data subjects, including:
490:"Personal Data Protection Bill passed with amendments"
277:
The Act applies to the processing of personal data:
223:
213:
203:
193:
185:
175:
165:
154:
149:
141:
118:
110:
100:
92:
82:
72:
62:
32:
18:
342:Implementing data protection management programs
528:
526:
331:Obligations of data controllers and processors
467:"Personal Data Protection Act, No. 9 of 2022"
8:
339:Ensuring lawful processing of personal data
245:Personal Data Protection Act, No. 9 of 2022
67:Personal Data Protection Act, No. 9 of 2022
19:Personal Data Protection Act, No. 9 of 2022
317:Right to erasure ("right to be forgotten")
24:
326:Right to review automated decision-making
314:Right to rectification of inaccurate data
399:The Act is being implemented in phases:
458:
229:Data protection, Privacy, Personal data
50:
145:Data Protection Authority of Sri Lanka
15:
7:
561:Acts of the Parliament of Sri Lanka
364:Special categories of personal data
437:General Data Protection Regulation
14:
281:Wholly or partly within Sri Lanka
311:Right of access to personal data
1:
432:Online Safety Act (Sri Lanka)
320:Right to object to processing
170:Personal Data Protection Bill
161:Personal Data Protection Bill
356:Cross-border data transfers
587:
335:Key obligations include:
323:Right to withdraw consent
295:Data Protection Authority
233:
228:
105:Speaker of the Parliament
39:
23:
475:Parliament of Sri Lanka
417:Impact and significance
395:Implementation timeline
303:Rights of data subjects
136:(Parts I, II, III, VII)
131:(Parts VI, VIII, IX, X)
87:Parliament of Sri Lanka
34:Parliament of Sri Lanka
180:Minister of Technology
534:"Gazette No. 2366/08"
510:"Gazette No. 2341/59"
273:Scope and application
142:Administered by
543:. 29 December 2023.
442:Information privacy
150:Legislative history
237:Not fully in force
73:Territorial extent
241:
240:
189:November 25, 2021
129:December 1, 2023
578:
545:
544:
541:documents.gov.lk
538:
530:
521:
520:
517:documents.gov.lk
514:
506:
500:
499:
486:
480:
479:
478:. 19 March 2022.
471:
463:
199:January 20, 2022
28:
16:
586:
585:
581:
580:
579:
577:
576:
575:
571:Data protection
551:
550:
549:
548:
536:
532:
531:
524:
519:. 19 July 2022.
512:
508:
507:
503:
498:. 9 March 2022.
488:
487:
483:
469:
465:
464:
460:
455:
428:
419:
397:
384:may be imposed.
374:
366:
358:
333:
305:
297:
275:
270:
261:
134:March 18, 2025
133:
128:
83:Enacted by
58:
55:
49:
48:
12:
11:
5:
584:
582:
574:
573:
568:
563:
553:
552:
547:
546:
522:
501:
481:
457:
456:
454:
451:
450:
449:
444:
439:
434:
427:
424:
418:
415:
411:
410:
407:
404:
396:
393:
389:
388:
385:
373:
370:
365:
362:
357:
354:
353:
352:
349:
346:
343:
340:
332:
329:
328:
327:
324:
321:
318:
315:
312:
304:
301:
296:
293:
292:
291:
288:
285:
282:
274:
271:
269:
266:
260:
257:
239:
238:
231:
230:
226:
225:
221:
220:
217:
211:
210:
207:
205:Second reading
201:
200:
197:
191:
190:
187:
183:
182:
177:
173:
172:
167:
163:
162:
159:
152:
151:
147:
146:
143:
139:
138:
124:July 17, 2023
122:
116:
115:
114:March 19, 2022
112:
108:
107:
102:
101:Signed by
98:
97:
94:
90:
89:
84:
80:
79:
74:
70:
69:
64:
60:
59:
57:
56:
52:
42:
41:
40:
37:
36:
30:
29:
21:
20:
13:
10:
9:
6:
4:
3:
2:
583:
572:
569:
567:
564:
562:
559:
558:
556:
542:
535:
529:
527:
523:
518:
511:
505:
502:
497:
496:
491:
485:
482:
477:
476:
468:
462:
459:
452:
448:
445:
443:
440:
438:
435:
433:
430:
429:
425:
423:
416:
414:
408:
405:
402:
401:
400:
394:
392:
386:
383:
379:
378:
377:
371:
369:
363:
361:
355:
350:
347:
344:
341:
338:
337:
336:
330:
325:
322:
319:
316:
313:
310:
309:
308:
302:
300:
294:
289:
286:
283:
280:
279:
278:
272:
267:
265:
258:
256:
254:
250:
247:(abbreviated
246:
236:
232:
227:
222:
219:March 9, 2022
218:
216:
215:Third reading
212:
209:March 9, 2022
208:
206:
202:
198:
196:
195:First reading
192:
188:
184:
181:
178:
176:Introduced by
174:
171:
168:
166:Bill citation
164:
160:
157:
153:
148:
144:
140:
137:
132:
127:
123:
121:
117:
113:
109:
106:
103:
99:
96:March 9, 2022
95:
91:
88:
85:
81:
78:
75:
71:
68:
65:
61:
51:
47:
46:
38:
35:
31:
27:
22:
17:
540:
516:
504:
493:
484:
473:
461:
420:
412:
398:
390:
375:
367:
359:
334:
306:
298:
276:
268:Key features
262:
248:
244:
242:
234:
135:
130:
125:
43:
566:Privacy law
447:Privacy law
555:Categories
495:News First
453:References
259:Background
186:Introduced
45:Long title
372:Penalties
253:Sri Lanka
120:Effective
77:Worldwide
426:See also
224:Keywords
126:(Part V)
63:Citation
54:thereto
235:Status:
93:Enacted
382:rupees
111:Signed
537:(PDF)
513:(PDF)
470:(PDF)
158:title
249:PDPA
243:The
156:Bill
557::
539:.
525:^
515:.
492:.
472:.
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.