SRI LANKA Law and Practice Contributed by: Ayanthi Abeyawickrama, Varners
Trade secrets are protected in Sri Lanka under the concept of “undisclosed information” in the Intellectual Property Act, as well as through prin - ciples of unfair competition. This includes con - fidential business information such as formulas, recipes, customer lists, algorithms, business strategies and methods. These are not subject to registration but are protected through con - fidentiality obligations, non-disclosure agree - ments (NDAs) and the general principles of con - tract and delict (tort). In cases involving wilful misappropriation or breach of trust, criminal sanctions may apply under relevant laws such as the Penal Code or the Computer Crimes Act. Effective protection of these rights depends significantly on the use of internal controls, contractual safeguards and judicial enforcement, where necessary. Data privacy is governed and regulated by the Personal Data Protection Act, No 9 of 2022 (PDPA), which provides a comprehensive legal framework for the processing of personal data. The PDPA applies to both public and private sector entities, including foreign entities that process personal data in Sri Lanka or of indi - viduals located in Sri Lanka. It sets out key principles such as lawfulness, fairness, transparency, purpose limitation, data minimisation and accountability. It grants data subjects specific rights, including the right to access, rectify, erase and object to the process - ing of their personal data. Data controllers and processors are required to: • implement appropriate security measures; 8. Data Protection 8.1 Applicable Regulations
• maintain records of processing activities; and • in most cases, obtain freely given, specific, informed and unambiguous consent before processing personal data. In addition to the PDPA, data protection is indi - rectly supported by: • the Computer Crimes Act, No 24 of 2007, which criminalises unauthorised access, data theft and related cyber offences; and • the Electronic Transactions Act, No 19 of 2006, which recognises the legal validity of electronic records and signatures and facili - tates secure data exchange. Together, these statutes represent a significant advancement in Sri Lanka’s data governance landscape, aligning it more closely with interna - tional standards such as the EU General Data The PDPA has extraterritorial application and extends its scope to cover certain activities of foreign entities. Specifically, it applies to any natural or legal person, whether incorporated or operating outside Sri Lanka, who processes the personal data of individuals located in Sri Lanka, in the course of: • offering goods or services to such individuals; or • monitoring their behaviour, in so far as that behaviour takes place within Sri Lanka. This means that foreign companies collecting, analysing or storing the personal data of Sri Lan - kan residents – whether via websites, apps or other digital platforms – are subject to the same obligations as local data controllers and proces - sors under the PDPA. Protection Regulation (GDPR). 8.2 Geographical Scope
782 CHAMBERS.COM
Powered by FlippingBook