Draft Rules on Personal Data Breach Notifications under the Personal Data Protection Act No.9 of 2022 Available for Public Consultation


The Data Protection Authority of Sri Lanka (‘DPA’) invites stakeholders, the public and organisations to provide feedback on the draft rules on personal data breach notifications, which are to be issued under section 23 read with section 52 of the Personal Data Protection Act No.9 of 2022 (‘PDPA’).


These draft rules contain the following:

  • A requirement that a personal data breach be notified to the DPA within 72 hours of becoming aware of the breach
  • The circumstances under which a personal data breach must be notified to the DPA and the affected data subjects, and
  • The information to be included in the respective notifications made to the DPA and the data subjects, and the manner of notification.

The draft rules apply to controllers and include any breach that occurs with respect to the processing of personal data by a processor or any downstream sub-processor on behalf of such controller.

Accordingly, stakeholders, the public and organisations are invited to submit their feedback using the given template by emailing it to info@dpa.gov.lk.

The closing date for feedback is 31st October 2024.

Please read the data protection notice below carefully to understand how the personal data that you may submit to us during this consultation will be processed by the DPA.

Data Protection Notice for Public Consultations:

Whilst feedback on this consultation can be submitted anonymously, you may indicate your name, contact details, organizational affiliations and/or profession, in the consultation feedback template in addition to your views and opinions.

The Data Protection Authority (‘DPA’) will process your views and opinions to refine this document. The DPA may store any personal data that you have provided with the feedback to contact you to obtain any further information regarding the feedback you have provided. The DPA does not intend to share your personal data with any third party, and any request for disclosure by a third party shall be dealt with in accordance with the provisions of the Personal Data Protection Act No.9 of 2022.

Any personal data that the DPA will receive through this consultation will be stored by the DPA for a period of 6 months from the last date of communication with the respective data subject. The DPA may however retain the feedback in aggregated and/or anonymized format for a longer period for the purpose of maintaining a catalogue of feedback received for future reference.

The lawful basis that the DPA is relying on to process your personal data (if any) is item (e) of Schedule 1 of the PDPA, which allows the DPA to process personal data when this is necessary to exercise the powers, functions or duties conferred, imposed or assigned to the DPA under the PDPA in its capacity as a regulator.

With regard to the personal data that you provide to us during this consultation, you are entitled to the following rights:

  • right to request access under section 13
  • right to object under section 14(2)
  • right to rectification or completion under section 15
  • right to erasure under section 16.

If you wish to exercise any of these rights or have any other concerns or questions on how the DPA processes your personal data, please contact the DPA via info@dpa.gov.lk.

However, please be mindful that the provisions in the PDPA concerning the matters referred to in this notice will only be operational by 18th March 2025.

DPA - Draft Rules on Personal Data Breach Notifications for Public Consultation: 01-10-2024
Feedback Form