On October 2, 2024, the Data Protection Authority of Sri Lanka (the Authority) announced that it had launched a public consultation on the draft directive on the specification of instruments for the processing of personal data outside Sri Lanka under Sections 26(4), 32(s), and 33(c) of the Personal Data Protection Act No. 9 (PDPA).

The draft directive applies to controllers and processors who are not public authorities when processing personal data in a third country that is not prescribed pursuant to an adequacy decision under Section 26(2) of the PDPA, whilst ensuring compliance with the respective obligations imposed under Part I, Part II, and Sections 20, 21, 22, 23, 24, and 25 of Part III of the PDPA.

To ensure compliance with such obligations, the controllers and processors are required to adopt any of the instruments specified by the Authority through the draft directive, as the appropriate means of ensuring that the recipients of personal data in the third country are committed in a binding and enforceable manner to safeguard the rights of data subjects and remedies protected by the PDPA, as provided for under Section 26(4) of the PDPA. In this regard, the draft directive specifies the following instruments:

• Binding Corporate Rules (BCRs);
• binding agreements;
• codes of conduct;
• binding certification schemes;
• cross-border processing impact assessments; and
• resolutions of the board of directors or equivalent authority of a controller.

Public comments may be submitted to [email protected] by completing the feedback form until November 15, 2024.

You can read the press release here, the draft directive here, and download the feedback form here.