In compliance with the Personal Data Privacy Act, No. 9 of 2022, this Personal Data Protection Policy sets out the basis on which [name of organization] (“we,” “us,” or “our”) may gather, use, disclose, or otherwise treat the “personal data” of our clients. This policy applies to any personal information that we may have or that we have control over, including information held by companies that we have hired to gather, use, disclose, or process information about individuals for our benefit.

As used in this policy,

“Personal data” means any information that can be used to directly or indirectly identify a data subject. A person’s name does not have to be present for data to be considered personal data under the Personal Data Privacy Act, No. 9 of 2022. 

“Data subject” is a live or deceased natural person to whom personal data pertains and who may already be directly or indirectly identified or identifiable by reference to any personal data. Therefore, information on businesses or other legal entities is not included in the definition of a data subject.

“Processing” includes any actions taken on personal data, including gathering, storing, protecting, modifying, retrieving, disclosing, transmitting, making accessible, erasing, and destroying information, as well as consulting, aligning, combining, and performing mathematical or logical calculations.

“Consent” is defined as a freely provided, explicit, informed, and clear statement of acceptance of processing that is either in writing or by an affirmative action taken by the data subject.

PROCESSING OF PERSONAL DATA

We do not collect your personal information unless you voluntarily provide it to us with your consent. Consent should be freely provided, explicit, informed, and unequivocal, expressed in writing or by affirmative action, and it is reversible at any moment.

Some forms of personal data that we may collect from you depend on the nature of our interactions with you. These include your name and identifying information like your contact details like your address, email address, or phone number, nationality, gender, marital status, date of birth, and other audiovisual materials, job details, financial details like credit card numbers, and other details like information about bank accounts or debit card numbers.

We may collect your information

1. Directly from you;
2. From Email messages;
3. From Telecommunications – SMS/Voice/chat;
4. When you submit a query via our website;
5. From resources such as websites where your information is publicly available;
6. Provided by a third party.

Your information may be gathered and utilized by us for any or all of the following purposes:

1. verifying your identity;
2. performing responsibilities during or related to our supply of the products or services that you have requested;
3. responding, managing, and processing your requests, complaints, applications, and comments; 
4. Processing payments or credit transactions;
5. providing you with marketing materials about our products or services, such as alerts about upcoming events, campaigns, newsletters, promotions, giveaways, membership and reward programs, and other special offers;
6. any other scenarios in which context you provided the information; 

you can decide not to receive any further marketing material from us or unsubscribe from mailing lists and registrations. You may contact us in this regard.

To ensure that any processing of personal data is “lawful,” we make sure that it is based on the most suitable legal basis among the ones listed below, as stipulated by the Personal Data Privacy Act, No. 9 of 2022:

1. consent of the data subject;
2. required for completing a contract or initiating a contract with the data subject;
3. necessary for fulfilling a legal requirement that Sri Lankan law subjects us (the controller or processor) to;
4. If it’s necessary to deal with an emergency that threatens the data subject’s life, health, or safety or the safety of another natural person,
5. Or necessary for the controller’s or a third party’s legitimate interests (subject to an assessment where the controller’s interests should be balanced against the rights of the data subjects and accordingly, must not override the interests of the data subjects, especially when the data subject is a child); or necessary for the performance of a task carried out in the public interest or the exercise of powers, functions, or duties imposed under Sri Lankan law.

DISCLOSURE OF PERSONAL DATA TO THIRD PARTY

We do not disclose personal information to third parties unless we are compelled to by law, have the person’s consent, or have hired third parties like data intermediaries or subcontractors expressly to help with our business’s operations.  Any such third parties that we work with will have a legal obligation to maintain the privacy of any information.

SECURITY AND PROTECTION OF PERSONAL DATA

We only collect data that is necessary to provide the service and store it in an anonymized way in our system. We maintain all procedural safeguards and implement well-recognized standards to prevent the unauthorized or unlawful processing of personal data and the loss, destruction, or damage of personal data.

POLICY ON OUR WEBSITE

This policy likewise covers any personal information we collect via our websites. Our websites may employ cookies.”Cookies” are small text files that are stored on your device and help us deliver a more personalized online experience. We use cookies to recognize your browser or device, learn more about your interests, and improve users’ navigations on erp services.

If you do not want the cookies to be stored in your devices, you can decline the cookies or set your preferences on cookies you would like to allow and If you wish to remove previously stored cookies, you can delete the cookies anytime.

RETENTION OF PERSONAL DATA

We ensure that any personal information that is processed will only be retained in a format that allows you to be identified for as long as it may be needed to achieve the objectives for which the information is being processed.

However, we may retain personal information for extended periods if it is processed further for statistical analysis, scientific study, historical research, or public archiving.

DATA SUBJECT RIGHTS

Regarding data processing and recorded information on them, data subjects (you) are entitled to the following rights:

Right of access:  You have the right to access your data and be provided confirmation of whether or not such personal data has been processed upon writing a request to us.  Within 21 working days after the requested date, we shall provide a written notification to you if we receive one. This includes informing you whether your request has been granted or denied, along with the reasons why, unless a written law prohibits disclosure.

Right to be informed: We shall provide information such as our identity and contact details and, where applicable, the controller’s representative; the contact details of the DPO, etc. You will be notified when we also intend to handle personal data for an additional purpose.

and any decisions taken in response to a request in a clear, succinct, understandable, and easily accessible manner, whether in writing or electronically.

Right to rectification: You have the right to request an update or correction of any incomplete or incorrect personal data. We shall, without undue delay, correct or complete your personal information upon receiving a written request to do so.

Right to erasure: You are entitled to request in writing that your data be deleted under certain conditions and to get a response from us within 21 working days of the requested date.

Right to object:  You have the right, at any time, to withdraw your permission if processing is based on it. However, the right to withdraw consent will not impact the legality of any processing that has already occurred.

Automated individual decision-making: You have the right to ask us to review decisions made exclusively based on automated processing if such processing has resulted in, or is likely to result in, an irreversible and ongoing impact on your rights and freedoms as guaranteed by any written law.

Right to appeal to the Authority against certain decisions of the controller: You have the right to file an appeal with the Authority to object to any decisions we’ve made that violate data subjects’ rights.

If you make a request, there may be fees associated with it that are specified by the Personal Data Privacy Act, No. 9 of 2022. We will inform you about the details of such fees and the reasons for imposing them.

Refusing a data subject’s request based on the aforementioned rights is only allowed under specific circumstances, taking into account the following:

1. National security;
2. Public order;
3. Any inquiry, investigation, or procedure carried out under Sri Lankan law;
4. The prevention, investigation, and prosecution of criminal offenses;
5. The execution of criminal penalties; the protection of the rights and fundamental freedoms of persons under Sri Lankan law;
6. In the circumstances where we are unable to establish the identity of a data subject,
7. The rights and freedoms of other persons under any written law

SOLICITED MESSAGES

We may use postal services, telecommunication services, electronic means, or any other similar means to disseminate messages only if you have given consent to receive such messages.

CROSS-BORDER DATA TRANSMISSION

We are subject to the restrictions outlined in the Personal Data Privacy Act, No. 9 of 2022, when processing data in a third-party country outside Sri Lanka. We are permitted to process the data in third-party countries under the following circumstances:

1. You have explicitly consented, upon having been informed of the risks of such processing; 
2. the transfer is necessary for the performance of a contract between you (the data subject) and erp services (the controller) or the implementation of any pre-contractual measures taken by us (the controller)  at the request of yours;
3. the transfer is necessary for the establishment, exercise, or defense of legal claims relating to you; the transfer is necessary for reasons of public interest;
4. the transfer is necessary to respond to an emergency that threatens your  life, health, or safety, or another person and where the data subject is incapable of giving consent;
5. or any other condition that may be prescribed under the Personal Data Privacy Act, No. 9 of 2022, in the future

DATA PROTECTION OFFICER

If you would like to make any requests or have any questions about our data privacy policies and processes, please get in touch with our data protection officer using the information below: 

DPO Name; Geethal Fernando

DPO Contact Details; +94 770415387

DPO Address: 31 Wijerama Lane Nugegoda

This tailored Privacy Policy was developed by Cybersafe.lk