Draft Regulations on Personal Data Protection Impact Assessments under the Personal Data Protection Act No. 9 of 2022 Available for Public Consultation


The Data Protection Authority of Sri Lanka (‘DPA’) is inviting stakeholders, the public and organisations to provide feedback on the draft regulations on personal data protection impact assessments (‘PDPIA’), which are to be issued under section 24 read with section 53(1) of the Personal Data Protection Act No. 9 of 2022 (‘PDPA’).


A PDPIA must be carried out by a controller when it intends to carry out any of the following activities:

  • a systematic and extensive evaluation of personal data or special categories of personal data including profiling;
  • a systematic monitoring of publicly accessible areas or telecommunication networks; or
  • a processing activity as may be determined by way of rules taking into consideration the scope and associated risks of that processing.

The draft regulations seek to prescribe the form and manner of carrying out a PDPIA, which will assist a controller to ascertain the impact of the intended processing on the obligations imposed on the controller under Part I and the rights of data subjects under Part II of the PDPA. To this end, a PDPIA format is included in the draft regulations.

In addition, the draft regulations seek to clarify the terms “systematic” and “extensive” which are necessary thresholds to be considered when determining whether a PDPIA is required or not. The rules determining additional processing activities which will warrant a PDPIA under section 24(1)(c) will be considered by the DPA at a later stage.

Moreover, the regulations contain guidance on measures to mitigate risks as identified through a PDPIA. The regulations reiterate the requirement to submit a copy of the PDPIA to the DPA as per section 24(5) of the PDPA and to comply with any instructions issued by the DPA when it is consulted by a controller under specific circumstances under section 25 of the PDPA.

Though there is no statutory requirement to submit these regulations for public consultation, the DPA is of the view that public feedback will be useful in shaping the final regulations, which a controller has to comply with by 18th March 2025.

Accordingly, the stakeholders, the public and organisations are invited to submit their feedback using the given template and email it to info@dpa.gov.lk.

The closing date for feedback is 31st October 2024.

Please read the data protection notice below carefully to understand how the personal data that you may submit to us during this consultation will be processed by the DPA.

Data Protection Notice for Public Consultations:

Whilst feedback on this consultation can be submitted anonymously, you may indicate your name, contact details, organizational affiliations and/or profession, in the consultation feedback template in addition to your views and opinions.

The Data Protection Authority (‘DPA’) will process your views and opinions to refine this document. The DPA may store any personal data that you have provided with the feedback to contact you to obtain any further information regarding the feedback you have provided. The DPA does not intend to share your personal data with any third party, and any request for disclosure by a third party shall be dealt with in accordance with the provisions of the Personal Data Protection Act No. 9 of 2022.

Any personal data that the DPA will receive through this consultation will be stored by the DPA for a period of 6 months from the last date of communication with the respective data subject. The DPA may however retain the feedback in aggregated and/or anonymized format for a longer period for the purpose of maintaining a catalogue of feedback received for future reference.

The lawful basis that the DPA is relying on to process your personal data (if any) is item (e) of Schedule 1 of the PDPA, which allows the DPA to process personal data when this is necessary to exercise the powers, functions or duties conferred, imposed or assigned to the DPA under the PDPA in its capacity as a regulator.

With regard to the personal data that you provide to us during this consultation, you are entitled to the following rights:

  • right to request access under section 13
  • right to object under section 14(2)
  • right to rectification or completion under section 15
  • right to erasure under section 16.

If you wish to exercise any of these rights or have any other concerns or questions on how the DPA processes your personal data, please contact the DPA via info@dpa.gov.lk.

However, please be mindful that the provisions in the PDPA concerning the matters referred to in this notice will only be operational by 18th March 2025.

DPA - Draft Regulations on Personal Data Protection Impact Assessments for Public Consultation: 01-10-2024
Feedback Form