Personal Data Protection Act (PDPA) of Sri Lanka
====================================================
The Personal Data Protection Act (PDPA) of Sri Lanka outlines key principles and obligations related to the processing of personal data. The main points are summarized below.

Key Principles and Obligations
------------------------------
1. Data Protection Principles
- Transparency: Controllers must handle personal data in a transparent manner.
- Fairness: Personal data should be processed fairly and lawfully.
- Lawfulness: Personal data can only be processed with the consent of the data subject or as required by law.
- Purpose Limitation: Personal data should be collected for specific, explicit, and legitimate purposes.
- Accuracy: Controllers must ensure that personal data is accurate and up-to-date.
- Storage Limitation: Personal data should not be stored longer than necessary.
- Integrity: Controllers must ensure the confidentiality, integrity, and availability of personal data.
- Security: Measures to protect against unauthorized access or breach must be taken.
- Accountability: Controllers are responsible for ensuring compliance with the PDPA.

Breach Notification
-------------------
A breach includes any act or omission that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. The PDPA obliges controllers to notify the Authority upon a breach, with specifics yet to be defined by way of rules under the Act.

Enforcement and Corrective Powers
---------------------------------
1. Enforcement
Enforcement is carried out by the Data Protection Authority of Sri Lanka (Authority). Controllers can appeal decisions, and the Authority has powers to conduct inquiries, including requiring persons to appear before it, examining them under oath, or demanding information related to processing functions.
2. Corrective Powers
Upon inquiry, the Authority can issue directives that may include ceasing an activity, taking measures to rectify a situation, or paying compensation to aggrieved individuals.

Administrative Penalties
------------------------
Non-compliance with directives can result in penalties not exceeding LKR 10 million for each instance. The penalty is determined by considering factors such as the nature of the contravention and previous offenses.

Electronic Marketing
--------------------
For direct marketing using electronic or other means, controllers must obtain consent from data subjects before sending messages. Consent must be freely given, specific, informed, and unambiguous, and given in writing or by affirmative action.

Online Privacy
--------------
While there are no specific requirements for online privacy aspects like cookies and location data, the general obligations under the PDPA apply, including the rights of data subjects over their personal data processed online.

This overview covers key provisions of the PDPA as they relate to the protection of personal data in Sri Lanka.