The Sri Lankan PDPA explicitly includes processing activities conducted by controllers or processors that are "incorporated or established under any written law of Sri Lanka" within its scope of application. This provision ensures that entities with a formal legal presence in Sri Lanka are subject to the country's data protection regulations.

The use of the terms "incorporated" and "established" suggests that the law applies to various types of legal entities, including companies, partnerships, and other organizations that have been formally recognized under Sri Lankan law. This broad language aims to capture a wide range of business structures and prevent potential loopholes that might arise from limiting the application to specific types of legal entities.

The phrase "under any written law of Sri Lanka" further clarifies that the establishment must be in accordance with Sri Lankan legislation. This could include entities registered under the Companies Act, partnerships formed under relevant partnership laws, or other forms of legal entities recognized by Sri Lankan statutes.

Implications

This provision has several important implications for businesses and organizations:

1. Local entities: Any company, organization, or legal entity incorporated or established in Sri Lanka must comply with the PDPA when processing personal data, regardless of where the data subjects are located or where the actual processing takes place.
2. Foreign companies with local subsidiaries: Multinational corporations that have established local subsidiaries or affiliates in Sri Lanka will find that these local entities are subject to the PDPA's requirements.
3. Compliance obligations: Entities falling under this provision must ensure they have appropriate data protection measures in place, including data processing agreements, consent mechanisms, and data subject rights procedures, as required by the PDPA.
4. Enforcement jurisdiction: The Sri Lankan data protection authority will have clear jurisdiction over these locally established entities, making it easier to enforce the law and conduct investigations if necessary.
5. Level playing field: This provision helps create a level playing field for all businesses operating in Sri Lanka, as it ensures that local establishments are subject to the same data protection standards regardless of their ownership structure or origin.
6. Legal certainty: For businesses, this clear statement of applicability provides legal certainty about their obligations under Sri Lankan data protection law, helping them to plan their compliance strategies accordingly.