Global Data Privacy Guide
Sri Lanka (Asia Pacific)
Firm: D. L. & F. De Saram
Updated: 08 Aug 2025
1. What is the key legislation?
The principal legislation governing personal data protection in Sri Lanka is the Personal Data Protection Act, No. 9 of 2022 (“PDPA”), which was certified on 19 March 2022.
Our responses are based on this legislation, subject to its limited application as described here: the PDPA is in force only in respect of Part V, which establishes the Regulator in the form of the Data Protection Authority (DPA). The DPA is currently at the capacity-building stage.
All other substantive provisions, Parts I, II, III and VII (covering the core provisions on data protection principles, controller/processor obligations, data subject rights and penalties) and Part IV (which governs unsolicited messages), are yet to be brought into effect. Thus the PDPA has not yet been implemented, and no implementation date has been published.
2. What are the key decisions applying that legislation?
Not applicable.
1. How are “personal data” and “sensitive data” defined?
The PDPA provides the following definitions:
• Personal data: any information that can identify a data subject (an identified or identifiable natural person) directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural, or social identity of that person.
• Sensitive data: referred to in the PDPA as ‘Special Categories of personal data’ and defined as ‘the personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, personal data relating to offences, criminal proceedings and convictions, or personal data relating to a child’.
2. How is the defined data protected?
The defined data is protected through a combination of technical, organizational, and legal safeguards designed to ensure confidentiality, integrity, and availability.
Organizations are required to:
• Implement technical and organizational measures to prevent unauthorized access, loss, disclosure, or destruction of data.
• Adhere to core data protection principles, such as lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.
• Conduct Data Protection Impact Assessments (DPIAs) where processing poses a high risk to individuals’ rights and freedoms.
• Appoint a Data Protection Officer (DPO) where the processing is considered high risk.
• Maintain records of processing activities and ensure that all processing is based on a lawful basis.
For sensitive personal data, additional safeguards are required. Such data can only be processed under stricter conditions, typically requiring explicit consent or a demonstrable legal necessity (e.g., for legal claims).
The Data Protection Authority oversees enforcement and compliance, with certain limited exemptions (e.g., for national security, judicial independence, or public safety).
Through these measures, the PDPA ensures that personal and sensitive data is lawfully and securely processed with appropriate oversight and accountability.
3. Who is subject to privacy obligations?
• All public and private sector organizations—including data controllers (who decide why and how data is processed) and data processors (who process on behalf of controllers)—are subject to the PDPA when handling personal data of individuals in Sri Lanka, regardless of processing location.
• This applies to entities within Sri Lanka and those outside offering goods/services or monitoring behavior of individuals in Sri Lanka. Joint controllers share compliance responsibilities.
4. How is “data processing” defined?
“Processing” is defined as any operation performed on personal data, including but not limited to collection, storage, preservation, alteration, retrieval, disclosure, transmission, making available, erasure or destruction, consultation, alignment, combination, or the carrying out of logical or arithmetical operations on personal data.
5. What are the principles applicable to personal data processing?
Core principles include:
• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimization
• Storage limitation
• Accuracy
• Integrity and confidentiality
• Accountability
6. How is the processing of personal data regulated?
Processing is regulated through the following key requirements:
• Legal Basis: Must be based on valid grounds such as consent, contract, legal obligation, protection of vital interests, public interest, or legitimate interests (subject to a balancing test).
• Data Protection Principles: Processing must be fair, lawful, and transparent; limited to specific purposes; and ensure data is accurate, secure, and retained only as necessary.
• Special Categories of Data: Sensitive personal data (e.g., health, biometrics) requires explicit consent or other lawful grounds with enhanced safeguards.
• Data Subject Rights: Individuals have enforceable rights including access, correction, erasure, and objection, which must be respected and facilitated.
• Transparency & Accountability: Controllers must provide clear privacy notices, implement safeguards, and ensure that processors act only on instructions through binding contracts.
• Security & Compliance: Appropriate technical and organizational measures must be in place to ensure data protection and compliance throughout processing activities.
• Automated Decision-Making: Subject to restrictions where decisions significantly affect individuals’ rights, unless specific conditions and safeguards are met.
7. How are storage, security and retention of personal data regulated?
Storage, security, and retention are regulated through the following requirements:
• Security Measures: Controllers must implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or damage.
• Retention Limits: Personal data must be retained only for as long as necessary to fulfil the purpose for which it was collected. After that, it must be securely erased or anonymized.
• Ongoing Review: Data retention policies must be regularly reviewed to ensure compliance with legal and operational needs.
• Governance Controls: Controllers are required to establish a Data Protection Management Programme (DPMP) to ensure internal accountability, conduct risk assessments, and monitor data protection practices.
8. What are the data subjects' rights under the data legislation?
Under the PDPA, data subjects are granted the following rights:
• Right of Access: To access their personal data and obtain copies.
• Right to Rectification: To correct inaccurate or incomplete data.
• Right to Withdraw Consent: At any time, without affecting prior lawful processing.
• Right to Object: To processing based on legitimate interests or for direct marketing, and to decisions based solely on automated processing.
• Right to Restrict Processing: In specific circumstances (e.g., accuracy contested or processing unlawful).
• Right to Erasure: To request deletion of data when no longer necessary, or if consent is withdrawn, subject to legal exceptions.
Controllers must respond to such requests within 21 working days, extendable up to two months in complex cases.
9. What are the consent requirements for data subjects?
• Consent must be freely given, specific, informed, and unambiguous, indicated by a clear affirmative action or written statement.
• It must be as easy to withdraw as to give, and can be withdrawn at any time.
• Consent is invalid if bundled with other matters or if there’s a power imbalance.
• For children under 16, parental consent is required.
• Consent is especially critical for processing sensitive personal data.
10. How is authorization for use of data handled?
Authorization requires a valid legal basis such as consent, contractual necessity, legal obligation, vital interests, public interest, or legitimate interests (subject to a balancing test). For sensitive data, explicit consent or other stricter grounds apply. Controllers must document, justify, and be able to demonstrate compliance with the chosen legal basis.
11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?
Yes, cross-border transfers are regulated. Transfers are allowed only if:
• The recipient country has an adequacy decision from the Minister, or
• Suitable safeguards are in place (e.g., binding corporate rules, contractual clauses), or
• Specific exceptions apply, such as explicit consent, contractual necessity, or public interest.
Public authorities need Authority permission to transfer data outside Sri Lanka. Without adequacy or safeguards, transfers require informed data subject consent or must be necessary for contracts or public interest.
12. How are data “incidents” and “breaches” defined?
Breach: any act or omission that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. “Incidents” are not separately defined but encompass broader security events.
13. Are there any notification requirements for incidents and/or data breaches?
Yes; controllers must have breach management procedures and must notify the Data Protection Authority (the Regulator) within 72 hours of becoming aware of a breach likely to pose a risk to individuals’ rights or freedoms. If the breach poses a high risk, affected data subjects must be informed without undue delay, including details of the incident and mitigation measures. Processors must notify controllers immediately upon detecting a breach.
14. Who is/are the privacy regulator(s)?
The Data Protection Authority (DPA).
15. What are the consequences of a data breach?
Consequences of a data breach under the PDPA include warnings, compliance orders, administrative fines up to 10 million rupees per violation (doubled for repeat offenses), compensation to affected individuals, suspension of operations, and criminal penalties in severe cases. Enforcement considers breach severity, cooperation, and prior violations. Legal actions are heard in the Magistrate Court of Colombo, with appeals directed to the Court of Appeal.
16. How is electronic marketing regulated?
Electronic marketing is regulated through requirements for explicit, informed consent and the obligation to provide clear opt-out mechanisms for recipients. Additional rules may apply for certain sectors.
17. Are there sector-specific or industry-specific privacy requirements?
No.
18. What are the requirements for appointing Data Protection Officers or similar roles?
Appointment of a Data Protection Officer (DPO) is mandatory for public authorities and for controllers or processors engaged in large-scale monitoring or processing of sensitive data. The DPO advises on compliance, conducts DPIAs, supports training, and acts as the liaison with the DPA. Contact details must be published and notified to the Authority. One DPO may serve multiple entities if accessible. The DPA provides guidance on when a DPO is required.
19. What are the record-keeping and documentation obligations?
Controllers and processors must maintain up-to-date records of all data processing activities, including the legal basis, purposes, data categories, recipients, retention periods, and security measures, as part of their Data Protection Management Programme (DPMP). Documentation must also cover DPIA results, breach notifications, and evidence of compliance, and must be made available to the DPA upon request.
20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?
Data Protection Impact Assessments (DPIAs) are required before undertaking processing likely to pose high risks to individuals’ rights and freedoms—such as large-scale profiling, sensitive data processing, use of new technologies, or systematic public monitoring. DPIAs must identify risks, propose mitigation measures, be documented, updated as needed, and submitted to the DPO or the Data Protection Authority if required.
21. What are the requirements for third-party vendor management and data sharing?
Organizations must ensure third-party vendors (processors) provide adequate legal and technical safeguards and enter into binding contracts outlining the processing scope, duration, purpose, data types, and respective obligations. Processors must implement security measures, support data subject rights, breach handling, and DPIAs, return or delete data after processing, and permit audits. Sub-processors may only be engaged with the controller’s consent. All data sharing must be based on a lawful basis and include appropriate safeguards.
22. What are the penalties and enforcement mechanisms for non-compliance?
The DPA may impose administrative fines up to LKR 10 million per violation, doubled for repeat offenses, based on factors like severity, cooperation, and impact. It can also issue compliance orders or initiate legal proceedings. Fines are paid to the Consolidated Fund after compensation is awarded to affected individuals. Non-payment may lead to action in the Magistrate Court and potential suspension of operations. Appeals can be made to the Court of Appeal within 21–30 days.
23. What are the ongoing compliance and audit requirements?
None.
24. Are there any recent developments or expected reforms?
Prior to implementation of the PDPA, a legislative amendment is expected by way of a “Data Protection (Amendment) Act”, which is expected to amend several key areas such as cross-border transfers and automated decision-making. Further, ongoing stakeholder consultations focus on sectors such as finance, health, and telecom, with increased emphasis on cybersecurity and digital economy regulation.