Draft Directive on Classification of Categories of Personal Data for Public Authorities under Section 26(1) of the PDPA

The Data Protection Authority of Sri Lanka (‘DPA’) is inviting relevant stakeholders to provide their feedback on the working draft of the above-mentioned Directive to be made by the DPA. This specific directive relates to “Controllers” who are public authorities on the classification of categories of personal data permitted to be processed in a third country under Section 26(1) of the PDPA.

The PDPA defines a controller as “any natural or legal person, public authority, public corporation, nongovernmental organization, agency or any other body or entity which alone or jointly with others determines the purposes and means of the processing of personal data.

The PDPA defines a public authority as a “Ministry, any Department or Provincial Council, local authority, statutory body or any institution established by any written law, or a Ministry, any Department or other authority or institution established or created by a Provincial Council”.

In paragraph 4.3 of DPA Circular No. 1 of 2024, dated 13th September 2024, addressed to Ministries, Departments, Provincial Councils etc, attention was drawn to provisions of the PDPA concerning cross-border data flow under Section 26, which relates to movement of personal data out of the territory of Sri Lanka for the purpose of processing personal data in a third country using cloud service providers. This draft directive identifies categories of personal data which may be processed by a public authority in a third country that is prescribed under an adequacy decision under section 26(2) of the PDPA.

Although there is no statutory obligation to submit these directives for stakeholder consultations, the DPA has decided to seek stakeholder feedback before the final directive is issued to public authorities before the enforcement date 18th March 2025.

Accordingly, the stakeholders are invited to submit their feedback using the attached template and email it to info@dpa.gov.lk.

The closing date for feedback is 31st October 2024.

Please read the data protection notice below carefully to understand how the DPA will process personal data that you may submit to the DPA during this consultation.

Data Protection Notice for Public Consultations:

Whilst feedback on this consultation can be submitted anonymously, you may indicate your name, contact details, organizational affiliations and/or profession, in the consultation feedback template in addition to your views and opinions.

The Data Protection Authority of Sri Lanka (‘DPA’) will process your views and opinions to refine this draft directive. The DPA may store any personal data that you have provided with the feedback to contact you to obtain any further information regarding the feedback you have provided. The DPA does not intend to share your personal data with any 3rd party and any request for disclosure by a 3rd party shall be dealt with in accordance with the provisions of the Personal Data Protection Act No. 9 of 2022 (‘PDPA’).

Any personal data that the DPA will receive through this consultation will be stored by the DPA for a period of 6 months from the last date of communication with the respective data subject. The DPA may however retain the feedback in aggregated and/or anonymized format for a longer period for the purpose of maintaining a catalogue of feedback received for future reference.

The lawful basis the DPA is relying on to process your personal data (if any) is item (e) of Schedule 1 of the PDPA, which allows the DPA to process personal data when this is necessary to exercise the powers, functions or duties conferred, imposed or assigned to the DPA under the PDPA in its capacity as a regulator.

With regards to the personal data that you provide to the DPA during this consultation, you are entitled to the following rights:

• right to request access under section 13
• right to object under section 14(2)
• right to rectification or completion under section 15
• right to erasure under section 16.

If you wish to exercise any of these rights, or have any other concerns or questions on how the DPA process your personal data, please contact us via info@dpa.gov.lk

However, please be mindful that the provisions in the PDPA concerning the matters referred to in this notice will only be operational by 18th March 2025.