FT

SLID webinar sheds key insights to Personal Data Protection Act of Sri Lanka

Thursday, 30 June 2022 02:11 -     - {{hitsCtrl.values.hits}}

Himali Mudadeniya
 
Shanaka Gunasekara
 
Amanda Perera

The Education and Training Committee of the Sri Lanka Institute of Directors (SLID) recently organised a webinar to share in-depth insights into the legal and compliance obligations for Sri Lankan companies processing personal data of persons, consequent to the enactment of the Personal Data Protection Act No. 9 of 2022 (PDPA) in March 2022. 

The eminent panel comprised of moderator FJ&G de Saram Partner Himali Mudadeniya, and speakers FJ&G de Saram Partner, Head of Data Protection and Privacy Shanaka Gunasekara and FJ&G de Saram Senior Associate Amanda Perera.

“This Act has significant implications consisting of both legal and compliance obligations for companies in Sri Lanka that process personal data. Until its enactment, Sri Lanka did not have a statute of general application which protected personal data other than limited statutory confidentiality obligations which were imposed on certain regulated entities such as banks and finance companies. As the obligations are serious in nature and require extensive preparation time, we advise companies to commence their compliance process immediately. Some of our clients have already started this process,” said Himali Mudadeniya in her opening remarks. 

“The PDPA grants rights to data subjects, imposes obligations on entities that process personal data, regulates direct marketing, provides for an enforcement authority, and imposes severe penalties for violations. To understand the enactment, there are a few fundamental terms that need to be understood clearly such as personal data, special categories of personal data, data subject and processing of data. Personal data means practically anything which can be used to identify an individual either directly or indirectly. A special category of personal data or sensitive data is identified in the enactment including personal data revealing racial/ethnic origin, political opinions, religious/philosophical beliefs, biometric, genetic, health related data, personal data relating to offences and criminal proceedings, sex life and orientation and personal data relating to a child for which there are more stringent requirements applicable. 

“A data subject is any human being who is a natural person whether living or deceased, and processing is any operation performed on personal data. Customer data, third party service provider data and employee data including a person’s business contact information are all considered as personal data. It has to be kept in mind that a person need not be a citizen of Sri Lanka for the enactment to be applicable,” said Shanaka Gunasekara in his presentation. 

He added that the two parties regulated under the PDPA are the Controller who determines why (the purpose) and how (the means) personal data is processed, and the Processor who is a third party that processes personal data on behalf of the Controller. 

The Processor does not include persons who are under the Controller’s hierarchical control (i.e. employees). “Your employees and consultants are not Processors but are part of the Controller itself. In the case a Controller does not engage a third-party service provider, the Controller is deemed to be doing all acts or processing of personal data.” 

Speaking about the Data Protection Authority (DPA) set up under the PDPA to regulate processing of personal data, safeguard privacy of data subjects and provide protection for personal data used in digital transactions and communications, speaker Amanda Perera said that it is empowered to issue directives, make rules, investigate complaints, conduct inquiries, examine people under oath, inspect any information held by a Controller or Processor, enter their premises and inspect or seize their records, and carry out investigations if there are any reasonable grounds to believe that the processing possesses an imminent risk to data subjects. She also said that in the case of a violation, the DPA will issue a directive which may direct the Controller or Processor to cease and refrain from engaging in such acts/omissions, to take action to rectify the situation or to make payment to an aggrieved person as compensation, and in the case a directive is not complied with, to impose penalties. In case a Controller or Processor receives an order to pay a penalty, they may appeal to the Court of Appeal within 21 working days of receiving the notice of penalty.  The presentations were followed by a Q&A session.

COMMENTS