You may be trying to access this site from a secured browser on the server. Please enable scripts and reload this page.
Turn on more accessible mode
Turn off more accessible mode
Skip Ribbon Commands
Skip to main content
Turn off Animations
Turn on Animations
back to GOV portal
About the Office
Mission and Vision
The Data Protection Commissioner
The Powers of the Commissioner
The Functions of the Commissioner
Data Protection Act 2017
Data Protection Regulations
Controllers and Processors
Principles relating to processing of personal data
Your Legal Obligations
Roles & Responsibilities of Data Protection Officer
Exceptions and restrictions
Right of Access
Automated individual decision making
Rectification, erasure or restriction of processing
Right to object
Exercise of rights
Data Protection Day 2022
Guidelines Data Protection Act 2017
Interviews of the Commissioner
Privacy Compliance Assessment
Useful References and Links
Data Protection Office
Immunity Offences and Penalties
Unlawful disclosure of personal data
(1) Any controller who, without lawful excuse, discloses personal data in any manner that is incompatible with the purpose for which such data has been collected shall commit an offence.
(2) Any processor who, without lawful excuse, discloses personal data processed by him without the prior authority of the controller on whose behalf the data are being or have been processed
shall commit an offence.
(3) Subject to subsection (4), any person who –
(a) obtains access to personal data, or obtains any information constituting such data, without the prior authority of the controller or processor by whom the data are kept; and
(b) discloses the data or information to another person,
shall commit an offence.
(4) Subsection (3) shall not apply to a person who is an employee or agent of a controller or processor and is acting within his mandate.
(5) Any person who offers to sell personal data where such personal data has been obtained in breach of subsection (1) shall commit an offence.
(6) For the purpose of subsection (5), an advertisement indicating that personal data is or may be for sale constitutes an offer to sell the personal data.
Offence for which no specific penalty provided
(1) Any person who commits an offence under this Act for which no specific penalty is provided or who otherwise contravenes this Act shall, on conviction, be liable to a fine not
exceeding 200,000 rupees and to imprisonment for a term not exceeding 5 years
(2) In addition to any penalty referred to in subsection (1), the Court may –
(a) order the forfeiture of any equipment or any article used or connected in any way with the commission of an offence;
(b) order or prohibit the doing of any act to stop a continuing contravention.