Sri Lanka Data Privacy Laws: PDPA Compliance Guide (2026)

Sri Lanka holds a unique position in South Asian data privacy law. When the Personal Data Protection Act No. 9 of 2022 was certified by the Speaker of Parliament on March 19, 2022, the country became the first in the region to pass comprehensive standalone legislation governing personal data.
The PDPA was developed with input from the Information and Communication Technology Agency (ICTA) and draws heavily from the European Union's General Data Protection Regulation (GDPR), while incorporating elements from data protection frameworks in the United States and across Asia.
This guide covers the full scope of Sri Lanka's data protection framework as it stands in 2026, including the phased implementation timeline, the powers of the Data Protection Authority, data subject rights, controller and processor obligations, cross-border transfer rules, and the 2025 amendments that reshaped enforcement timelines.
Overview of the Personal Data Protection Act No. 9 of 2022
The PDPA is structured in ten parts that cover everything from definitions and scope to the establishment of the regulatory authority and enforcement mechanisms. It applies broadly to the processing of personal data within Sri Lanka and by entities domiciled or operating in Sri Lanka.

The law also has extraterritorial reach. Any entity outside Sri Lanka that offers goods or services to individuals in Sri Lanka, or that monitors the behavior of data subjects located in the country, falls under the PDPA's jurisdiction.
What Counts as Personal Data
The PDPA defines personal data as any information relating to an identified or identifiable natural person. This includes names, identification numbers, location data, online identifiers, and any factor specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of a person.
The Act also recognizes a special category of sensitive personal data that receives heightened protections. This includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, genetic data, biometric data, and data concerning a person's sex life or sexual orientation.
Phased Implementation Timeline
The PDPA did not take effect all at once. The Sri Lankan government adopted a phased approach to give organizations and the regulatory authority time to prepare.
Parts Already in Force
Part V of the Act, which establishes the Data Protection Authority, came into operation on July 17, 2023. This enabled the President to appoint the Chairman and Board of Directors of the DPA, with those appointments announced in October 2023.
Parts VI, VIII, IX, and X came into operation on December 1, 2023. These parts cover the DPA's organizational structure, staffing, funding mechanisms, and administrative operations.
Delayed Substantive Provisions
Parts I, II, and III (definitions, scope, and data subject rights) along with Part VII (enforcement and penalties) were originally scheduled to become operational on March 18, 2025. However, this date was repealed by Gazette No. 2427/34 on March 14, 2025, just days before the deadline.
Part IV, which governs the use of personal data to disseminate unsolicited messages, was separately scheduled for no later than March 18, 2026.
The 2025 Amendment
In February and March 2025, the Cabinet of Ministers approved a bill to amend the PDPA. The Personal Data Protection (Amendment) Act, No. 22 of 2025 extended the operational timelines by at least six months. The substantive provisions of the PDPA are now expected to take full effect in 2026, once the DPA completes its staffing, institutional setup, and issuance of key regulations.
The Data Protection Authority of Sri Lanka
The Data Protection Authority (DPA) is the independent regulatory body established under Part V of the PDPA to oversee and enforce data protection in Sri Lanka. It operates under the Ministry of Digital Economy.
Structure and Leadership
The DPA is governed by a Board of Directors appointed by the President. The Authority is headed by a Director General who is recruited through an open, transparent, and competitive process. The DPA's headquarters are located at the Bandaranaike Memorial International Conference Hall (BMICH) in Colombo.
Powers and Functions
The DPA has broad authority to regulate personal data processing across both the public and private sectors. Its key powers include:
- Investigating complaints from data subjects about alleged violations of the PDPA
- Conducting audits and inspections of controllers and processors
- Issuing compliance directives to organizations found in violation
- Imposing administrative penalties for non-compliance
- Issuing sector-specific guidelines and codes of practice
- Making adequacy determinations for cross-border data transfers
- Advising the government on data protection policy matters
Regulatory Activity
The DPA has been active in preparing the regulatory groundwork even before full enforcement. In September 2024, it opened a public consultation on draft guidelines for Data Protection Management Programs (DPMP), which remained open until October 2024. It has also issued circulars on Data Protection Officer requirements and is finalizing rules on breach notification procedures.
Data Subject Rights Under the PDPA
The PDPA grants individuals a comprehensive set of rights over their personal data. These rights are modeled closely on the GDPR framework and place significant obligations on controllers and processors.
Right of Access
Data subjects have the right to request access to all personal data that a controller holds about them. The controller must provide this information in a concise, transparent, intelligible, and easily accessible form. This includes details about the purposes of processing, the categories of data collected, and any third parties with whom the data has been shared.
Right to Rectification
When personal data is inaccurate or incomplete, data subjects can request that the controller correct or complete it. The controller must act on this request without unreasonable delay.
Right to Erasure
Data subjects can request the deletion of their personal data under certain conditions, such as when the data is no longer necessary for the purpose it was collected, when consent has been withdrawn, or when the processing was unlawful.
Right to Withdraw Consent
Where processing is based on consent, data subjects can withdraw that consent at any time through a written request. The withdrawal does not affect the lawfulness of processing that occurred before the withdrawal.
Right to Object to Processing
Data subjects can object to the processing of their personal data, including processing for direct marketing purposes. The controller must cease processing unless it can demonstrate compelling legitimate grounds that override the interests of the data subject.
Right to Object to Automated Decision-Making
The PDPA gives data subjects the right to request a review of decisions made solely through automated processing, including profiling, that significantly affect them. The 2025 amendments further clarified procedures for seeking remedies against automated decision-making and strengthened constitutional rights to challenge bias or discrimination.
Response Timeframe
Controllers must respond to any written request from a data subject regarding their rights within 21 working days of receiving the request. This timeframe is fixed by the PDPA and applies to all categories of rights requests.
Lawful Basis for Processing Personal Data
The PDPA requires every instance of personal data processing to have a lawful basis. Controllers cannot process personal data unless at least one of the following conditions is met.
Consent
The data subject has given consent to the processing of their personal data for one or more specific purposes. Consent must be freely given, specific, informed, and unambiguous. It must be provided in writing or through affirmative action, and it must be capable of being withdrawn at any time.
Contractual Necessity
Processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject before entering into a contract.
Legal Obligation
Processing is necessary to comply with a legal obligation to which the controller or processor is subject under Sri Lankan law.
Emergency or Vital Interests
Processing is necessary to respond to an emergency that threatens the life, health, or safety of a person. This basis applies in genuinely urgent situations where obtaining consent is not feasible.
Public Interest
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of powers, functions, or duties conferred on the controller or processor under written law.
Legitimate Interests
Processing is necessary for the purpose of legitimate interests pursued by the controller, except where those interests are overridden by the fundamental rights and interests of the data subject. This basis requires a balancing test similar to the one used under the GDPR.
Controller and Processor Obligations
The PDPA imposes detailed obligations on both controllers (entities that determine the purposes and means of processing) and processors (entities that process data on behalf of controllers).
Record-Keeping
All controllers and processors must maintain detailed records of their data collection and processing activities. These records must be kept in writing or by electronic means, in a concise, transparent, intelligible, and easily accessible form. They must be made available to data subjects upon request and to the DPA during audits.
Purpose Limitation
Personal data must be collected for specified, explicit, and legitimate purposes. It cannot be further processed in a manner incompatible with those original purposes. Controllers must clearly define and communicate the purpose of collection at or before the point of collection.
Data Minimization and Accuracy
Controllers must ensure that personal data is adequate, relevant, and limited to what is necessary for the stated purposes. They must also take reasonable steps to ensure that data is accurate and, where necessary, kept up to date.
Processor-Specific Duties
Processors have specific obligations to follow the instructions of the controller and to assist the controller in meeting its obligations under the PDPA. A processor cannot engage another sub-processor without the prior authorization of the controller.
Data Protection Impact Assessments
Where a controller intends to carry out processing that involves systematic and extensive evaluation of personal data (including profiling), systematic monitoring of publicly accessible areas or telecommunications networks, or large-scale processing of special categories of data, the controller must conduct a Data Protection Impact Assessment (DPIA) before beginning such processing.
The DPIA must document the nature and scope of the proposed processing, the risks to data subjects, and the measures and safeguards the controller will implement to mitigate those risks. The controller must seek assistance from its Data Protection Officer when conducting this assessment.
Data Protection Officer Requirements
The PDPA requires certain organizations to appoint a Data Protection Officer (DPO). This requirement applies to controllers and processors whose core activities involve regular and systematic monitoring of data subjects on a large scale, or the large-scale processing of special categories of personal data.
Qualifications
The DPO must have relevant academic qualifications and professional competency for the role. The DPA has issued regulatory guidance on DPO qualifications and appointment procedures.
Responsibilities
The DPO serves as the primary point of contact between the organization, data subjects, and the DPA. Their duties include monitoring internal compliance, advising on Data Protection Impact Assessments, training staff on data protection obligations, and cooperating with the DPA during investigations.
Publication Requirements
Controllers and processors must publish the contact details of their DPO on their website and communicate those details to the DPA as soon as the appointment is finalized.
Shared DPOs
A group of related entities may appoint a single DPO who is easily accessible to each entity. Public authorities may likewise designate a single DPO for multiple authorities, provided the organizational structure supports this arrangement.
Breach Notification Requirements
The PDPA establishes mandatory breach notification obligations for controllers and processors.
Notification to the DPA
In the event of a personal data breach, the controller must notify the Data Protection Authority within 72 hours of becoming aware of the breach. The notification must describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
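The two fixed clocks on this page (21 working days for a data subject request, 72 hours from awareness for notifying the DPA) are the ones most often missed in practice, so the small tracker below is added here as a worked example; it is not from the original article, the DPA or any project. It assumes that "working days" means Monday to Friday minus a holiday list you supply (the Act's text as summarised here does not define the term, so the holiday calendar is a placeholder), that breach timestamps are timezone-aware ISO 8601 strings, and that the DPA notification field names are constructed labels for the four content elements listed in the paragraph above. Sample dates are constructed.

```python
from datetime import date, datetime, timedelta

# Values taken from the PDPA summary on this page.
DSAR_WORKING_DAYS = 21
BREACH_NOTIFY_HOURS = 72

# Constructed field names covering the four elements a DPA notification must
# describe (nature, affected subjects, likely consequences, measures taken).
REQUIRED_DPA_NOTIFICATION_FIELDS = (
    "nature_of_breach",
    "data_subject_categories",
    "approximate_subject_count",
    "likely_consequences",
    "measures_taken_or_proposed",
)


def dsar_deadline(received_iso: str, holidays: frozenset = frozenset()) -> str:
    """Last day of the 21-working-day window for answering a rights request.

    Assumption: a working day is Monday-Friday and not in `holidays` (ISO date
    strings). Confirm the holiday calendar locally; Sri Lanka's public and Poya
    holidays are not embedded here.
    """
    day = date.fromisoformat(received_iso)
    holiday_dates = {date.fromisoformat(h) for h in holidays}
    remaining = DSAR_WORKING_DAYS
    while remaining > 0:
        day += timedelta(days=1)
        if day.weekday() < 5 and day not in holiday_dates:
            remaining -= 1
    return day.isoformat()


def breach_notification_deadline(aware_at_iso: str) -> str:
    """72 hours after the controller became aware of the breach.

    Requires a timezone-aware timestamp so that clocks kept in different
    offices cannot silently shift the deadline.
    """
    aware_at = datetime.fromisoformat(aware_at_iso)
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must carry a timezone offset")
    return (aware_at + timedelta(hours=BREACH_NOTIFY_HOURS)).isoformat()


def breach_notification_status(aware_at_iso: str, now_iso: str) -> tuple:
    """Return (status, hours_left) for an open breach record.

    Status thresholds are a constructed triage convention: OVERDUE once the
    72 hours have elapsed, URGENT inside the final 24 hours, otherwise OPEN.
    """
    deadline = datetime.fromisoformat(breach_notification_deadline(aware_at_iso))
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        raise ValueError("now must carry a timezone offset")
    hours_left = (deadline - now).total_seconds() / 3600
    if hours_left < 0:
        return ("OVERDUE", hours_left)
    if hours_left <= 24:
        return ("URGENT", hours_left)
    return ("OPEN", hours_left)


def missing_dpa_notification_fields(record: dict) -> list:
    """List required DPA notification fields that are absent or empty."""
    return [
        field for field in REQUIRED_DPA_NOTIFICATION_FIELDS
        if record.get(field) in (None, "", [])
    ]


if __name__ == "__main__":
    # Constructed sample: request received on a Monday, one constructed holiday.
    print(dsar_deadline("2026-03-02"))
    print(dsar_deadline("2026-03-02", frozenset({"2026-03-03"})))
    # Constructed breach timeline in Sri Lanka Standard Time (+05:30).
    print(breach_notification_status("2026-03-02T09:00:00+05:30",
                                     "2026-03-04T09:00:00+05:30"))
    draft = {"nature_of_breach": "misdirected export file",
             "data_subject_categories": ["customers"],
             "approximate_subject_count": 1200}
    print(missing_dpa_notification_fields(draft))
```

The working-day loop deliberately counts from the day after receipt, so a request received on a Monday with no holidays falls due on the Tuesday three weeks later; feed it the organisation's confirmed holiday calendar before relying on the result.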
Notification to Data Subjects
The DPA will determine the circumstances under which data subjects must be notified of a breach, as well as the manner and medium of that communication. Where a breach is likely to result in a high risk to the rights and freedoms of data subjects, direct notification is expected.
Ongoing Rule Development
The DPA has published draft rules on personal data breach notifications and is in the process of finalizing these regulations. Controllers should monitor the DPA's website for updates on the final breach notification framework.
Cross-Border Data Transfers
The PDPA restricts the transfer of personal data outside Sri Lanka to ensure that data subjects' rights are protected regardless of where their data is processed.
Adequacy Decisions
Transfers are permitted to countries or territories that the DPA has determined provide an adequate level of data protection. The adequacy determination process is similar to the mechanism used under the GDPR. As of early 2026, the DPA has not yet issued formal adequacy decisions, but the framework is in place for them.
Appropriate Safeguards
In the absence of an adequacy decision, controllers and processors may transfer data internationally if they implement appropriate safeguards. These must create binding and enforceable obligations on the recipient, ensuring that data subjects retain access to their rights and remedies under the PDPA.
Other Permitted Transfers
Cross-border transfers are also allowed when the data subject has given explicit consent, the transfer is necessary for the performance of a contract with the data subject, the transfer is necessary for important reasons of public interest, or the transfer is necessary for the establishment, exercise, or defense of legal claims.
2025 Amendment Changes
The 2025 amendments introduced greater flexibility for cross-border data flows. Organizations can now choose between resident, sovereign, or public cloud facilities based on the sensitivity and security classification of their data. This change was designed to support digital economy growth while maintaining appropriate protections.
Penalties and Enforcement
The PDPA establishes an administrative penalty framework enforced by the DPA.
Financial Penalties
Organizations that fail to comply with directives issued by the DPA face fines of up to 10 million Sri Lankan rupees (approximately USD 30,000) per instance of non-compliance. For repeat offenses, this amount doubles with each subsequent violation.
When determining the amount of a penalty, the DPA considers the nature and extent of the non-compliance, the impact on affected data subjects, and any mitigating steps taken by the organization.
Comparison to International Standards
Unlike the GDPR, which calculates fines based on a percentage of global annual revenue, the PDPA uses fixed monetary caps. While these penalties are meaningful in the Sri Lankan context, they may be less significant for large multinational corporations. The 2025 amendment discussions included consideration of revenue-based penalties, but the final text retained the fixed-cap approach.
Compliance Directives
Beyond financial penalties, the DPA can issue binding compliance directives requiring organizations to change their data processing practices, implement specific safeguards, or cease processing activities that violate the Act. Failure to comply with these directives can trigger additional penalties.
Unsolicited Messages and Direct Marketing
Part IV of the PDPA specifically addresses the use of personal data for disseminating unsolicited messages, including direct marketing communications.
When obtaining consent for marketing communications, the controller must provide clear details on how the data subject can opt out of receiving further messages, free of charge. The opt-out mechanism must be available both at the time of initial data collection and in each subsequent message sent.
Part IV was separately scheduled for implementation no later than March 18, 2026, and businesses should prepare their marketing consent mechanisms accordingly.
Sensitive Data Protections
The PDPA provides heightened protections for special categories of personal data. Processing sensitive data generally requires explicit consent or must meet one of the narrow exceptions specified in the Act.
The categories of sensitive personal data under the PDPA include:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data used for identification purposes
- Health data
- Data concerning a person's sex life or sexual orientation
Controllers processing sensitive data must implement additional technical and organizational safeguards and are more likely to be required to conduct a DPIA before commencing processing.
Practical Compliance Steps for Organizations
Organizations that process personal data of individuals in Sri Lanka should take the following steps to prepare for full enforcement.
Conduct a Data Audit
Map all personal data your organization collects, processes, and stores. Identify the lawful basis for each processing activity and document it.
Appoint a Data Protection Officer
Determine whether your organization meets the threshold for mandatory DPO appointment. Even if not required, appointing a DPO is considered best practice.
Update Privacy Notices
Ensure your privacy policies clearly describe the purposes of processing, the lawful basis relied upon, data subject rights, retention periods, and cross-border transfer mechanisms.
Establish Breach Response Procedures
Implement internal procedures for detecting, investigating, and reporting data breaches within the 72-hour notification window. Assign clear roles and responsibilities.
Review Cross-Border Transfers
Audit all transfers of personal data outside Sri Lanka. Implement appropriate safeguards such as standard contractual clauses or binding corporate rules. Monitor the DPA for adequacy decisions.
Prepare for Part IV Compliance
Review direct marketing practices and ensure all consent mechanisms comply with the PDPA's requirements for opt-out at the point of collection and in every subsequent message.
This article provides general information about Sri Lanka's data privacy laws and does not constitute legal advice. Data protection requirements change frequently, and enforcement priorities evolve as the DPA issues new guidelines. Consult with a qualified attorney licensed in Sri Lanka for guidance specific to your situation.
Sources and References
- Personal Data Protection Act, No. 9 of 2022 -- Full Text (parliament.lk)
- Data Protection Authority of Sri Lanka -- Official Website (dpa.gov.lk)
- Data Protection Authority -- Establishment and Operational Dates (dpa.gov.lk)
- DPA Circular 01-2024 -- Data Protection Officer Regulations (dpa.gov.lk)
- DPA Draft Rules on Personal Data Breach Notifications (dpa.gov.lk)
- Personal Data Protection (Amendment) Bill, 2025 (documents.gov.lk)
- Data Protection Authority -- Ministry of Digital Economy (mode.gov.lk)
- ICTA -- Data Protection Legislation Overview (icta.lk)
- WilmerHale -- Sri Lanka First South Asian Country to Pass Comprehensive Privacy Legislation (wilmerhale.com)
- DLA Piper -- Data Protection Laws in Sri Lanka (dlapiperdataprotection.com)