Varners
What law(s) specifically govern personal data / information?
The Personal Data Protection Act, No. 9 of 2022 (“PDPA”) as amended by the Personal Data Protection (Amendment) Act, No. 22 of 2025
The PDPA regulates the processing of personal data, the identification and strengthening of the rights of data subjects in relation to the protection of personal data, regulates the use of personal data to disseminate solicited messages, and provides for the establishment of the Data Protection Authority.
In addition, there are sector specific statutes, which are applicable only in so far as those specific sectors are concerned. Some of these statutes are listed below:
- Sri Lanka Telecommunications Act, No. 25 of 1991, as amended;
- Banking Act, No. 30 of 1988, as amended;
- Finance Business Act, No. 42 of 2011, as amended;
- Registration of Persons Act, No. 32 of 1968, as amended;
- Credit Information Bureau of Sri Lanka Act, No. 18 of 1990, as amended;
- Computer Crimes Act, No. 24 of 2007; and
- Intellectual Property Act, No. 36 of 2003, as amended.
The provisions in these statutes will continue to be applicable to the extent they are not inconsistent with the PDPA.
What are the key data protection principles in this jurisdiction?
The PDPA requires the collection, usage, storage, alteration, disclosure, and transmission of personal data to be performed in compliance with the following data protection obligations:
- the obligation to process personal data in a lawful manner;
- the obligation to define a purpose for personal data processing;
- the obligation to confine personal data processing to the defined purpose;
- the obligation to ensure accuracy of the processed personal data;
- the obligation to limit the period of retention;
- the obligation to maintain integrity and confidentiality of the processed personal data;
- the obligation to process personal data in a transparent manner; and
- the obligation to ensure accountability in the processing of personal data.
What is the supervisory authority / regulator in charge of data protection?
The Data Protection Authority of Sri Lanka
Is there a requirement to register with a supervisory authority / regulator?
There is no requirement to register with the Data Protection Authority in order to process personal data in Sri Lanka. However, controllers or processors providing identity management and related services to data subjects using personal data should obtain licences from the Data Protection Authority based on recommendations from the advisory committee set up under the PDPA.
In addition, every controller and processor, who meets the requirements set out in section 20(1) of the PDPA, must designate or appoint a Data Protection Officer and communicate the contact details of such Data Protection Officer to the Data Protection Authority.
Is there a requirement to notify the supervisory authority / regulator?
In the event of a personal data breach, every controller must notify the Data Protection Authority. Additionally, if a controller refuses to comply with a data subject's data protection rights, the controller is required to notify the Authority upon request.
In addition, controllers must submit a Personal Data Protection Impact Assessment (DPIA) to the Authority. Upon a written request from the Authority, the controllers must provide any additional information necessary to assess compliance with data protection laws, evaluate any potential risks to the personal data of the data subject, and address the recommended safeguards.
Aside from the above obligations, there is no general requirement for a controller or processor to notify the Data Protection Authority regarding the collection, use, or processing of personal data in Sri Lanka.
Is it possible to register with / notify the supervisory authority / regulator online?
Yes, any person (i.e., data subjects, controllers, and processors) may contact the Data Protection Authority.
What are the key data subject rights under the data protection laws of this jurisdiction?
The PDPA recognises the following rights of data subjects:
- Right to information,
- Right of access,
- Right to completeness and rectification of errors,
- Right to erasure,
- Right to restriction of processing,
- Right to object to processing,
- Right to withdraw consent,
- Right not to be subject to automated individual decision-making, and
- Right to complain / appeal to the Data Protection Authority.
Is there a requirement to appoint a data protection officer (or equivalent)?
Every controller and processor is required to designate or appoint a Data Protection Officer in the circumstances specified in the PDPA.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Where a controller intends to carry out processing activities that involve: (a) the systematic and extensive evaluation of personal data or special categories of personal data, including profiling; (b) the systematic monitoring of publicly accessible areas or telecommunication networks; or (c) any other processing activities as determined by rules, based on the scope and associated risks of such processing, the controller must, prior to commencing such processing, conduct a Personal Data Protection Impact Assessment (DPIA). This assessment should be in the form and manner prescribed by law and is intended to evaluate the impact of the proposed processing on the controller's obligations under the PDPA, as well as the rights of data subjects under the PDPA.
Does this jurisdiction have any specific data breach notification requirements?
In the event of a personal data breach, the controller must notify the Data Protection Authority in accordance with the provisions of the PDPA. Additionally, the controller should notify the affected data subjects in any of the circumstances prescribed by the Authority.
What restrictions apply to the international transfer of personal data / information?
A controller or processor may engage in cross-border data transfers only if it complies with Part I and Part II of the PDPA, and with sections 20, 21, 22, 23, 24, and 25.
Even where these requirements are not met, a transfer may still take place if one of the following conditions applies:
- the data subject has given consent;
- the transfer is necessary for the performance of a contract;
- the transfer is necessary for the establishment, exercise, or defence of legal claims;
- the transfer is necessary for reasons of public interest; or
- the transfer is necessary in an emergency that threatens life, health, or safety.
To demonstrate compliance with the requirements for cross-border transfers, the controller or processor must adopt the instruments specified by the Authority. These instruments must create binding and enforceable obligations on the recipient in the third country, ensuring appropriate safeguards for data subjects’ rights and access to remedies under the PDPA.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes, where the processing of personal data is carried out by an overseas controller or processor who:
- offers goods or services to data subjects in Sri Lanka including the offering of goods or services with specific targeting of data subjects in Sri Lanka, or
- specifically monitors the behaviour of data subjects in Sri Lanka including profiling with the intention of making decisions in relation to the behaviour of such data subjects in so far as such behaviour takes place in Sri Lanka.
What rules specifically deal with marketing?
The PDPA regulates the collection and usage of personal data regardless of its purpose; this includes any personal data collected or used for the purposes of marketing.
Further, the PDPA regulates the use of personal data to disseminate solicited messages (e.g., call, text, email, video call, etc.). Accordingly, a controller may use postal services, telecommunication services, electronic means or any other similar means for the purposes of disseminating messages only if a data subject has given consent to receive such messages.
Do different rules apply to business-to-business and business-to-consumer marketing?
No, the PDPA is limited to the regulation of personal data of natural data subjects and does not protect the information of businesses. This includes the dissemination of solicited or unsolicited messages to businesses through various communication channels.
What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads, etc.)?
Other than the regulation of personal data for the dissemination of solicited messages, the PDPA does not contain any specific provisions pertaining to electronic marketing.
What rules specifically deal with cookies?
The PDPA addresses the use of personal data, including personal data collected or stored via cookies, although it does not explicitly mention cookies by name.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
If the Data Protection Authority finds that a controller or processor has violated any provisions of the PDPA, it can issue directives requiring that person to take corrective actions to ensure compliance with the PDPA.
If a controller or processor fails to comply with such directives, they may be fined up to LKR 10 million for each violation, based on the impact on data subjects and the nature of the non-compliance. If the same controller or processor violates the directive again after having already been penalised, an additional penalty of double the aforesaid fine is levied on top of the fine for such repeat violations.
Additionally, paying a fine does not prevent other regulatory bodies from taking further action, such as suspending the person from carrying on their business or profession, cancelling licences, or taking any other measures allowed under relevant laws and regulations.
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?
Multinational organisations processing personal data from data subjects in Sri Lanka, even if not based there, need to follow the PDPA. This includes ensuring that personal data transferred outside Sri Lanka is protected either by adequate safeguards or by complying with specific transfer rules. They must also obtain explicit consent from data subjects for data processing, respect their rights to access and correct their data, and conduct Data Protection Impact Assessments if necessary. Organisations should be ready to interact with Sri Lanka’s Data Protection Authority if needed and ensure that any local contracts include proper data protection clauses. Regularly reviewing and updating data protection practices is crucial to remain compliant with the law.
What upcoming data protection developments should multinational organisations be aware of?
The Data Protection Authority has been set up and is currently in the process of finalizing rules and regulations for the protection of personal data in both public and private sectors. The Authority plans to engage stakeholders and develop policy frameworks, with initiatives expected to be unveiled in 2026. Most of the substantive provisions of the PDPA are expected to come into effect from early 2026.