Draft Regulations on the Exercise of Data Subjects’ Rights and Appeals under the Personal Data Protection Act No. 9 of 2022

The Data Protection Authority of Sri Lanka (‘DPA’) is inviting stakeholders to provide their feedback on the captioned draft regulations to be issued by the subject Minister with the concurrence of the DPA under sections 17(5) and 19(1) and 19(3) of the Personal Data Protection Act No. 9 of 2022 (‘PDPA’) respectively.

The PDPA defines a data subject as “an identified or identifiable natural person, alive or deceased, to whom the personal data relates”, and Part II of the PDPA confers several rights to data subjects such as right of access, right to withdraw consent, right to object to processing, right to rectification and completion and right to erasure.

Accordingly, these regulations prescribe the manner in which data subjects’ rights can be exercised when the data subject is:

• a minor (a person who is under the age of 16 years)
• a person who is physically or mentally unfit,
• deceased and rights are being exercised by his/her heir or
• authorising another person to exercise the said rights on his/her behalf

When a controller is dissatisfied with the decision of controller in relation to a data subject’s request to exercise his/her said rights, then such data subject may prefer an appeal to the DPA against the decision of the controller, as per the PDPA. Accordingly, these draft regulations prescribe the form, manner and time periods relating to such appeal a data subject may make to the DPA.

Although there is no statutory obligation to submit these regulations for stakeholder consultations, the DPA has decided to seek stakeholder feedback before final regulations are issued before the enforcement date of 18th March 2025.

Accordingly, the stakeholders are invited to submit their feedback using the attached template and email it to info@dpa.gov.lk.

The closing date for feedback is 15th November 2024

Please read the data protection notice below carefully to understand how the DPA will process personal data that you may submit to the DPA during this consultation.

Data Protection Notice for Public Consultations:

Whilst feedback on this consultation can be submitted anonymously, you may indicate your name, contact details, organizational affiliations and/or profession, in the consultation feedback template in addition to your views and opinions.

The Data Protection Authority of Sri Lanka (‘DPA’) will process your views and opinions to refine these draft regulations. The DPA may store any personal data that you have provided with the feedback to contact you to obtain any further information regarding the feedback you have provided. The DPA does not intend to share your personal data with any 3rd party and any request for disclosure by a 3rd party shall be dealt with in accordance with the provisions of the Personal Data Protection Act No. 9 of 2022 (‘PDPA’).

Any personal data that the DPA will receive through this consultation will be stored by the DPA for a period of 6 months from the last date of communication with the respective data subject. The DPA may however retain the feedback in aggregated and/or anonymized format for a longer period for the purpose of maintaining a catalogue of feedback received for future reference

The lawful basis the DPA is relying on to process your personal data (if any) is item (e) of Schedule 1 of the PDPA, which allows the DPA to process personal data when this is necessary to exercise the powers, functions or duties conferred, imposed or assigned to the DPA under the PDPA in its capacity as a regulator.

With regards to the personal data that you provide to us during this consultation, you are entitled to the following rights:

• right to request access under section 13
• right to object under section 14(2)
• right to rectification or completion under section 15
• right to erasure under section 16.

If you wish to exercise any of these rights or have any other concerns or questions on how the DPA process your personal data, please contact the DPA via info@dpa.gov.lk.

However, please be mindful that the provisions in the PDPA concerning the matters referred to in this notice will only be operational by 18th March 2025.