Draft Regulation on Fees Applicable for Exercising Rights of Data Subjects under Section 17 of the Personal Data Protection Act No. 9 of 2022

The Data Protection Authority of Sri Lanka (‘DPA’) is inviting the public and the relevant stakeholders to provide their feedback on the working draft of the above-mentioned regulation to be issued by the subject Minister with the concurrence of the DPA. This regulation relates to fees that are applicable for exercising rights of data subjects under subsection (6) of section 17 of the Personal Data Protection Act No. 9 of 2022 (‘PDPA’).

Every data subject can exercise the right of access to personal data, the right of withdrawal of the consent and the right to object processing, the right to rectification or completion and the right to erasure through a written request under sections 13, 14, 15 and 16 of the PDPA, respectively. A controller may charge a fee for such request under subsection (6) of section 17 of the PDPA. The above-mentioned regulation prescribes that the exercise of rights of data subjects shall be free of charge except in the circumstances expressly provided in the regulation.

The regulation prescribes that when the controller believes that the request is manifestly unreasonable, unfounded, excessive or made in bad faith to cause disruptions to the controller or when the data subject requests further copies of their personal data when exercising the right of access to personal data under section 13 of the PDPA, the controller may charge a fee not exceeding Rs. 1,000 per request. When assessing whether a request is manifestly unreasonable, the controller shall adopt an objective assessment involving a test of proportionality considering the effort or costs involved in giving effect to the request of the data subject.

Although there is no statutory obligation to submit this regulation for public and stakeholder consultations, the DPA has decided to seek public and stakeholder feedback before the final regulation is issued before the enforcement date 18th March 2025.

Accordingly, the stakeholders are invited to submit their feedback using the attached template and email it to info@dpa.gov.lk.

The closing date for feedback is 15th November 2024.

Please read the data protection notice below carefully to understand how the DPA will process personal data that you may submit to the DPA during this consultation.

Data Protection Notice for Public Consultations:

Whilst feedback on this consultation can be submitted anonymously, you may indicate your name, contact details, organizational affiliations and/or profession, in the consultation feedback template in addition to your views and opinions.

The Data Protection Authority of Sri Lanka (‘DPA’) will process your views and opinions to refine this draft regulation. The DPA may store any personal data that you have provided with the feedback to contact you to obtain any further information regarding the feedback you have provided. The DPA does not intend to share your personal data with any 3rd party and any request for disclosure by a 3rd party shall be dealt with in accordance with the provisions of the Personal Data Protection Act No. 9 of 2022 (‘PDPA’).

Any personal data that the DPA will receive through this consultation will be stored by the DPA for a period of 6 months from the last date of communication with the respective data subject. The DPA may however retain the feedback in aggregated and/or anonymized format for a longer period for the purpose of maintaining a catalogue of feedback received for future reference.

The lawful basis the DPA is relying on to process your personal data (if any) is item (e) of Schedule 1 of the PDPA, which allows the DPA to process personal data when this is necessary to exercise the powers, functions or duties conferred, imposed or assigned to the DPA under the PDPA in its capacity as a regulator.

With regards to the personal data that you provide to us during this consultation, you are entitled to the following rights:

• right to request access under section 13
• right to object under section 14(2)
• right to rectification or completion under section 15
• right to erasure under section 16.

If you wish to exercise any of these rights or have any other concerns or questions on how the DPA process your personal data, please contact the DPA via info@dpa.gov.lk.

However, please be mindful that the provisions in the PDPA concerning the matters referred to in this notice will only be operational by 18th March 2025.