Data Protection Statement

Data Protection Statement

Data Protection Statement


Welcome to the official website of the Data Protection Authority of Sri Lanka. We are committed to ensuring that we process your personal data in accordance with the Personal Data Protection Act No.9 of 2022 (‘PDPA’) as you browse through our website. This notice explains to you which personal data we collect, how we collect and use, and the safeguards (we’ve) established for your personal data.

Data We Collect, How and Why

Personal Data:

Personal data means any information that can identify a human being directly or indirectly by reference to data subject directly or indirectly, by reference to– (a) an identifier such as a name, an identification number, financial data, location data or an online identifier; or (b) one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that individual or natural person.

Accordingly, when you interact with our website, we may collect personal data such as your name, email address, contact number directly from you. This personal data will be used by us to process and respond to any general inquiry that you may raise using our website contact form. Since the provisions of the PDPA concerning processing of personal data, rights of data subjects, controllers and processors and penalties come into operation only from 18th March 2025, we may not be able to respond to complaints/query you may raise using our website. However, any personal data that you provide in raising a general query will be stored by us for a period not longer than six (06) months from the date of responding to your query.

We may also automatically collect your IP when you visit our website. The IP address is collected by us for statistical and web security purposes and will be retained by us for a period not longer than three (03) months.

Usage Data and Cookies:

We may gather information about how you use our site, including pages visited, time spent, and device/browser details using cookies on our website. This data will be used to continuously improve our website and provide you with a better user experience.

We may use cookies and similar technologies to analyse website traffic. You can manage cookie preferences in your browser settings.

Security of your Personal Data

We take appropriate technical and organizational measures to protect the personal data that we collect via this website (if any) from any unauthorized or accidental access, disclosure, alteration or destruction.

Changes to this Notice

We may update this data protection notice from time to time, which will be published on our website.

Contact Us

If you have any questions or concerns regarding this notice, please contact us at dg@dpa.gov.lk

Disclaimer

Any information provided by the Data Protection Authority (“we”, “us” or “our”) on the website www.dpa.gov.lk (the “Site”) is for general informational purposes only and is not a definitive statement of law. All information on the Site is provided in good faith and does not constitute legal or other professional advice. We make no representation or warranty of any kind, express or implied, regarding the accuracy, completeness, relevancy, availability, validity or reliability of any information published on the Site. Under no circumstances, shall we have any liability to you for any loss or damage of any kind arising in contract, tort or otherwise from the use or inability to use the information provided on the Site, reliance on any information provided on the Site, or any action or decision taken as a result of using the Site. Your reliance on any information on the Site is solely at your own risk.

The Site may offer links to other third-party websites which allows you to leave this Site and visit such 3rd party website. We are not responsible for any content of any linked site, or any transmission received from any linked website. Inclusion of such 3rd party website links does not imply that we endorse or approves the third-party website in any manner whatsoever. Such links are provided for the convenience of the visitors only.

Further please be aware that 18th March 2025 is the date on which the provisions of Part I (processing of personal data), II (rights of data subjects), III (controllers and processors) and VII (penalties) of the Personal Data Protection Act No. 9 of 2022 will come into operation. Therefore, we may not be able to respond to any specific complaint/query concerning those provisions until the respective sections become operational.