SRI LANKA INTRODUCES COMPREHENSIVE DATA PROTECTION LEGISLATION
COLOMBO, SRI LANKA - In a significant move towards protecting citizens’ personal data, the Sri Lankan government has passed the Personal Data Protection Act (PDPA), a comprehensive regulatory framework for the protection of personal data. The legislation, which took effect on December 1, 2023, is expected to have far-reaching implications for financial institutions in the country.
The Personal Data Protection Act (PDPA)
Key Provisions
- Right to Access: Individuals have the right to access all data collected on them by a data controller or processor.
- Right to Withdraw Consent: Individuals can withdraw their prior consent to data collection at any time.
- Right to Rectification: Individuals can request rectification of outdated, incorrect, or obsolete data.
- Right to Erasure: Individuals have the right to have all their data erased upon request.
- Right to Object to Automated Decision-Making: Individuals can object to automated decision-making that affects them.
Conditions for Lawful Data Processing
- Informed Consent: Informed, free, and granular consent is required from individuals before collecting or processing their personal data.
- Contractual Necessity: Data collection and processing must be necessary for fulfilling a contract between the collector/processor and the individual.
- Legal Mandate: Processing must be mandated by law.
- Legitimate Interest: Collection/processing must be based on a legitimate interest of the collector/processor, provided that it does not infringe on the individual’s rights.
Impact Assessments and Data Protection Officers
- Impact Assessment Requirements: Impact assessments must contain a detailed record of all data collection and processing activities.
- Updating Assessments: Assessments must be updated to reflect any changes in data collection, storage, or protection methodologies.
- Appointment of DPO: Data controllers/processors must appoint a qualified Data Protection Officer (DPO).
Penalties for Non-Compliance
- Fines up to LKR 10 million ($119,910 / €111,200 / ¥866,930) for each instance of non-compliance.
- Repeat offenses are subject to doubled fines.
The PDPA is expected to have a significant impact on financial institutions in Sri Lanka, which will need to implement robust data protection measures to comply with the Act. Companies that fail to comply risk hefty fines and reputational damage. The Act’s provisions are designed to protect citizens’ personal data and to promote transparency and accountability in data processing practices.