Page 20 - KDU Law Journal Volume 4 Issue 2
KDU Law Journal Volume 04 Issue II
September, 2024
organizations handle sensitive information.
Section 6³⁶ and section 4 (1) (a)³⁷ of the Digital Personal Data
Protection Act require explicit consent from individuals to collect
and process their personal data. This means that organizations will
no longer be able to arbitrarily gather data without the knowledge
and consent of the individuals involved. These provisions of the Act
are crucial in protecting the privacy of individuals and preventing the
misuse of personal information for commercial or other purposes.
Furthermore, Section 4(1)³⁸ of the Act establishes clear guidelines
for collecting, processing and storing personal data. Section 11³⁹
provides the right to access information about personal data: the data
principal has the right to request information about their personal data
being processed and with whom their data has been shared. Section
36 Section 6 of the Digital Personal Data Protection Act-“(1) The consent given by the Data Principal
shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action,
and shall signify an agreement to the processing of her personal data for the specified purpose and
be limited to such personal data as is necessary for such specified purpose”. Supra note 34.
37 Section 4-(1)(a) “A person may process the personal data of a Data Principal only in
accordance with the provisions of this Act and for a lawful purpose, -(a) for which the Data
Principal has given her consent”, Supra note 34.
38 “Section 4- Grounds for processing of personal data- (1) A person may process the personal data
of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose, -
(a) for which the Data Principal has given her consent; or
(b) for certain legitimate uses.” Supra note 34.
39 Section 11 – Right to access information about personal data- (1) The Data Principal shall have
the right to obtain from the Data Fiduciary to whom she has previously given consent, including
consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary)
for processing of personal data, upon making to it a request in such manner as may be prescribed,-
(a) a summary of personal data which is being processed by such Data Fiduciary and the processing
activities undertaken by that Data Fiduciary with respect to such personal data;
(b) the identities of all other Data Fiduciary and Data Processor with whom the personal data has
been shared by such Data Fiduciary, along with a description of the personal data so shared; and
(c) any other information related to the personal data of such Data Principal and its processing, as
may be prescribed.
(2) Nothing contained in clause (b) or clause (c) of subsection (1) shall apply in respect of the
sharing of any personal data by the said Data Fiduciary with any other Data Fiduciary authorized
by law to obtain such personal data, where such sharing is pursuant to a request made in writing by
such other Data Fiduciary for the purpose of preventing or detection or investigation of offences or
cyber incidents, or for prosecution or punishment of offences. Supra note 34.
law.faculty@kdu.ac.lk