The Personal Data Protection Act (PDPA) of Sri Lanka extends its applicability to data processing activities carried out by controllers or processors that are legally incorporated or established under Sri Lankan law, as well as those domiciled or ordinarily resident in the country.

Text of Relevant Provisions

PDPA № 9 Art.2(1b)(ii):

"(1) This Act shall apply to the processing of personal data—

(b) where the processing of personal data is carried out by a controller or processor who–

(ii) is incorporated or established under any written law of Sri Lanka;"

PDPA № 9 Art.2(1b)(i):

"(1) This Act shall apply to the processing of personal data—

(b) where the processing of personal data is carried out by a controller or processor who–

(i) is domiciled or ordinarily resident in Sri Lanka;"

Analysis of Provisions

The PDPA of Sri Lanka explicitly includes entities incorporated or established under Sri Lankan law within its scope of applicability. This is evident from Article 2(1b)(ii), which states that the Act applies to data processing carried out by a controller or processor who "is incorporated or established under any written law of Sri Lanka".

Additionally, the law extends its reach to controllers and processors who are "domiciled or ordinarily resident in Sri Lanka" as per Article 2(1b)(i). This provision ensures that the PDPA covers not only legal entities but also individuals who are based in Sri Lanka and engage in data processing activities.

The inclusion of both incorporation/establishment and domicile/residence as criteria for applicability demonstrates the lawmakers' intent to cast a wide net, encompassing various types of entities and individuals operating within Sri Lanka's jurisdiction.

Implications

The implications of these provisions are significant for businesses and individuals engaged in data processing activities in Sri Lanka:

1. Legal entities: Any company, organization, or institution incorporated or established under Sri Lankan law is subject to the PDPA, regardless of where their data processing activities take place. This includes local companies, subsidiaries of foreign corporations registered in Sri Lanka, and other legal entities established under Sri Lankan legislation.
2. Resident individuals: Natural persons who are domiciled or ordinarily resident in Sri Lanka and engage in data processing activities as controllers or processors fall under the PDPA's jurisdiction. This could include freelancers, sole proprietors, or individuals running small businesses from their homes.
3. Extraterritorial reach: The law potentially extends its reach to foreign entities that have established a presence in Sri Lanka through incorporation or registration, even if their primary operations are conducted elsewhere.
4. Compliance requirements: Entities and individuals falling under these provisions must comply with all aspects of the PDPA, including data protection principles, data subject rights, and obligations such as appointing a Data Protection Officer and conducting impact assessments.
5. Enforcement jurisdiction: The Data Protection Authority of Sri Lanka would have clear jurisdiction over entities and individuals covered by these provisions, facilitating enforcement actions and investigations.