Draft Directive on Specification of Instruments for Processing of Personal Data Outside Sri Lanka under Section 26(4) of the Personal Data Protection Act No. 9 of 2022.

The Data Protection Authority of Sri Lanka (‘DPA’) is inviting relevant stakeholders to provide their feedback on the draft of the above-mentioned directive to be issued by the DPA under section 26(4) read with sections 32(s) and 33(c) of the Personal Data Protection Act No. 9 of 2022 (‘PDPA’).

This specific directive applies to “controllers” and “processors” who are not public authorities, when processing personal data in a third country that is not prescribed pursuant to an adequacy decision under section 26(2) of the PDPA, whilst ensuring compliance with the respective obligations imposed under part I, part II and sections 20, 21, 22, 23, 24 and 25 of part III of the PDPA.

In order to ensure compliance with such obligations, the said controllers and processors are required to adopt any of the instruments specified by the DPA through this draft directive, as the appropriate means of ensuring that the recipients of personal data in the third country are committed in a binding and enforceable manner to safeguard the rights of data subjects and remedies protected by the PDPA, as provided for under Section 26(4) of the PDPA. In this regard, the draft directive specifies the following instruments:

• Binding corporate rules
• Binding agreement
• Code of conduct
• Binding certification scheme
• Cross border processing impact assessment and
• Resolution of the board of directors or equivalent authority of a controller

Although there is no statutory obligation to submit these directives for stakeholder consultations, the DPA has decided to seek stakeholder feedback before the final directive is issued to relevant controllers and processors before the enforcement date 18th March 2025.

Accordingly, the stakeholders are invited to submit their feedback using the attached template and email it to info@dpa.gov.lk.

The closing date for feedback is 15th November 2024.

Please read the data protection notice below carefully to understand how the DPA will process personal data that you may submit to the DPA during this consultation.

Data Protection Notice for Public Consultations:

Whilst feedback on this consultation can be submitted anonymously, you may indicate your name, contact details, organizational affiliations and/or profession, in the consultation feedback template in addition to your views and opinions.

The Data Protection Authority of Sri Lanka (‘DPA’) will process your views and opinions to refine this draft directive. The DPA may store any personal data that you have provided with the feedback to contact you to obtain any further information regarding the feedback you have provided. The DPA does not intend to share your personal data with any 3rd party and any request for disclosure by a 3rd party shall be dealt with in accordance with the provisions of the Personal Data Protection Act No. 9 of 2022 (‘PDPA’).

Any personal data that the DPA will receive through this consultation will be stored by the DPA for a period of 6 months from the last date of communication with the respective data subject. The DPA may however retain the feedback in aggregated and/or anonymized format for a longer period for the purpose of maintaining a catalogue of feedback received for future reference

The lawful basis that the DPA is relying on to process your personal data (if any) is item (e) of Schedule 1 of the PDPA, which allows the DPA to process personal data when this is necessary to exercise the powers, functions or duties conferred, imposed or assigned to the DPA under the PDPA in its capacity as a regulator.

With regards to the personal data that you provide to us during this consultation, you are entitled to the following rights:

• right to request access under section 13
• right to object under section 14(2)
• right to rectification or completion under section 15
• right to erasure under section 16.

If you wish to exercise any of these rights or have any other concerns or questions on how the DPA process your personal data, please contact the DPA via info@dpa.gov.lk.

However, please be mindful that the provisions in the PDPA concerning the matters referred to in this notice will only be operational by 18th March 2025.