Draft Regulations on Inquiry Procedure under Section 35 of the Personal Data Protection Act No.9 of 2022

The Data Protection Authority of Sri Lanka (‘DPA’) is inviting relevant stakeholders to provide their feedback on the draft of the captioned regulations to be issued by the subject Minister with the concurrence of the DPA pursuant to subsections (1) and (2) of section 35, read with Section 53 of the Personal Data Protection Act No.9 of 2022 (‘PDPA’).

Upon receipt of a complaint or otherwise the DPA has reason to believe that any controller or processor has engaged in or is about to engage in a processing activity in contravention of the PDPA or has contravened or is likely to contravene or fails to comply with the provisions of the PDPA or any rule, regulation, guideline or order made thereunder or under any other written law relating to the processing of personal data, the DPA may conduct an inquiry under subsection (1) of section 35 of the PDPA. After giving an opportunity to the relevant controller or processor to be heard at such inquiry, the DPA may issue a binding directive in writing to such controller or processor under subsection (2) of section 35 of the PDPA.

These regulations intend to prescribe the procedure that will be adopted by the DPA when conducting inquiries under section 35(1) the time period within which the DPA may require the controller or processor to comply with the issued directive as per section 35(2). These regulations further contain the template that ought to be followed when making a complaint to the DPA.

When a controller is dissatisfied with the decision of controller in relation to a data subject’s request to exercise his/her said rights, then such data subject may prefer an appeal to the DPA against the decision of the controller, as per the PDPA. Accordingly, these draft regulations prescribe the form, manner and time periods relating to such appeal a data subject may make to the DPA.

Although there is no statutory obligation to submit these regulations for stakeholder and public consultations, the DPA has decided to seek feedback from the stakeholders and the public before final regulations are issued to the public before the enforcement date 18th March 2025.

Accordingly, the stakeholders are invited to submit their feedback using the attached template and email it to info@dpa.gov.lk.

The closing date for feedback is 15th November 2024.

Please read the data protection notice below carefully to understand how the DPA will process personal data that you may submit to the DPA during this consultation.

Data Protection Notice for Public Consultations:

Whilst feedback on this consultation can be submitted anonymously, you may indicate your name, contact details, organizational affiliations and/or profession, in the consultation feedback template in addition to your views and opinions.

The Data Protection Authority of Sri Lanka (‘DPA’) will process your views and opinions to refine these draft regulations. The DPA may store any personal data that you have provided with the feedback to contact you to obtain any further information regarding the feedback you have provided. The DPA does not intend to share your personal data with any 3rd party and any request for disclosure by a 3rd party shall be dealt with in accordance with the provisions of the Personal Data Protection Act No. 9 of 2022 (‘PDPA’).

Any personal data that the DPA will receive through this consultation will be stored by the DPA for a period of 6 months from the last date of communication with the respective data subject. The DPA may however retain the feedback in aggregated and/or anonymized format for a longer period for the purpose of maintaining a catalogue of feedback received for future reference.

The lawful basis the DPA is relying on to process your personal data (if any) is item (e) of Schedule 1 of the PDPA, which allows the DPA to process personal data when this is necessary to exercise the powers, functions or duties conferred, imposed or assigned to the DPA under the PDPA in its capacity as a regulator.

With regards to the personal data that you provide to us during this consultation, you are entitled to the following rights:

• right to request access under section 13
• right to object under section 14(2)
• right to rectification or completion under section 15
• right to erasure under section 16.

If you wish to exercise any of these rights or have any other concerns or questions on how the DPA process your personal data, please contact the DPA via info@dpa.gov.lk.

However, please be mindful that the provisions in the PDPA concerning the matters referred to in this notice will only be operational by 18th March 2025.