Privacy Policy


Colombo Stock Exchange Group (hereinafter referred to as the "CSE Group") pays special attention to the collection, use, processing and storage of personal data with which it comes into contact in its day-to-day activity. Compliance with the legislation and alignment with the new provisions in the field of data protection has always been a priority for the company.

For an example, starting with May 25, 2018, Regulation no. 679/2016 on the protection of individuals concerning the processing of personal data and the free movement of such data and repealing Directive 95/46 / EC (hereinafter referred to as „GDPR") enters into force and it shall be applicable in all Member States of the European Union. As global financial services and technology provider, CSE Group is committed to protecting Personal Information and complying with applicable privacy requirements in a trustworthy, transparent and responsible manner. Since CSE Group collects, process and transfer personal identified information when performing businesses with internal and external stakeholders. Therefore, we adopt the Organizational Privacy Policy to align and be compliant with the EU-GDPR regulation.

  1. 1.1 This Privacy Policy explains how the Colombo Stock Exchange Group ("CSE Group") collects information from you when you:
    1. 1.1.1 use our products or services; including but not limited to the opening of Securities Accounts with The Central Depository Systems (Pvt.) Ltd (CDS) - a subsidiary of the CSE, CDS e-connect, SMS Alerts Facility and e-Statements;
    2. 1.1.2 submit documents to the CDS or subscribe for alerts or newsletters;
    3. 1.1.3 attend one of our events, or an event hosted by the CSE Group, at the Head Office or the CDS premises or any place defined by the CSE Group, within or outside Sri Lanka;
    4. 1.1.4 visit or register to use (the “Website”) or any CSE Group Website.
  2. 1.2 Our Websites use cookies and other tracking technologies to improve and tailor your browsing experience. Please read our latest Information Security Policy for more information.
  3. 1.3 Further, please read this Privacy Policy carefully and re-visit this page from time to time to review any changes that may have been made to the said Policy.
  4. 1.4 It should be noted that all the personal information collected and processed by the CSE Group will also be stored and maintained with your respective stockbroker firm/s for providing stock brokering services.
  5. 1.5 In the event of any conflict between this Privacy Policy and the terms of a contract you have with us, the relevant provision of that contract shall prevail. Nothing in this Privacy Policy shall apply to the extent that it is incompatible with applicable data protection laws.
  6. 1.6 Your personnel information shall be held in our databases.


  1. 2.1” Personal Information" refers to information which does or can identify you as an individual. The types of Personal Information that we process will depend largely on the service you receive from us (and may also vary by country, and according to applicable law). However, the following is an overview of the types of Personal Information which the CSE Group would process:
    1. 2.1.1 your name;
    2. 2.1.2 email address;
    3. 2.1.3 other personal contact details (including telephone number and postal address)
    4. 2.1.4 corporate contact details (including business "direct dial" or office address);
    5. 2.1.5 financial information (where necessary to conclude services contracts with you);
    6. 2.1.6 your photograph (for instance, where you attend a CSE Group event);
    7. 2.1.7 your passport or National ID Card (creating a CDS account or required to confirm your identity where you visit our premises,).
  2. 2.2 Your use of the Website and related online services involves the automated collection of certain types of information, some of which may be considered Personal Information under applicable laws or in specific circumstances. This information includes:
    1. 2.2.1 IP address;
    2. 2.2.2 browser type; and
    3. 2.2.3 operating system.
  3. 2.3 We will only collect information that is necessary for us to provide you with the product or service that you have requested. The type of information that we may collect will depend upon the nature of that service or product.


  1. 3.1 It will often be apparent from the context of how we intend to use your Personal Information.
  2. 3.2 All processing of Personal Information which we undertake is justified by a "condition" for processing. In most cases, processing will be justified on the basis that:
    1. 3.2.1 you have consented to the processing
    2. 3.2.2 the processing is necessary to perform a contract or to take steps to enter into a contract;
    3. 3.2.3 the processing is necessary for us to comply with a relevant legal obligation; or
    4. 3.2.4 the processing is in our legitimate commercial interests, subject to your interests and fundamental rights.
  3. 3.3 The purposes for which we process your Personal Information include the foll0wing:
    1. 3.3.1 To provide you with specific services such as opening a securities account, trading on the Colombo Stock Exchange and other related services provided by the CSE Group such as but not limited to:
      • CDS e-connect,
      • SMS Alerts Facility and
      • e-Statements

      following a contract you are entering, or have entered with us;

    2. 3.3.2 To register you for other services provided by the Colombo Stock Exchange Group.
    3. 3.3.2 To carry out regulatory reporting or to disclose to other authorities as required by law [for instance, Securities and Exchange Commission of Sri Lanka (SEC), Central Bank of Sri Lanka (CBSL) and any competent court of law];
    4. 3.3.4 To provide you with newsletters or alerts where you have signed-up for these on the website’s owned by the Colombo Stock Exchange Group
    5. 3.3.5 To conduct market research surveys, where you choose to participate in these;
    6. 3.3.5 To participate in events hosted by the Colombo Stock Exchange Group;
    7. 3.3.6 To control access to our premises.

Your data may be processed either electronically or in hard copy form.

3.4 We may send you direct marketing communications. Where these are electronic communications (email or telephone) we will have obtained your prior consent. In limited circumstances, where we have obtained your explicit prior consent, we may send you marketing communications to carefully selected products and services, which may be of interest to you. You may opt-out of certain kinds of marketing, or all forms of marketing, by emailing us at the following address: Alternatively, you can click on the "opt-out" link provided in all our marketing emails.


  1. 4.1 We may share your personal information within the CSE Group to provide you with our services. Access to your Personal Information is strictly limited to those employees of the CSE Group who need access to provide you with our services; to communicate with you (including, with your consent, to send you marketing communications); and to carry out legal or regulatory obligations.
  2. 4.2 We may also employ the services of third-party service providers to help us in certain areas, such as website hosting, physical security, marketing, and market research. Where third-party service providers receive your information, we will remain responsible for the use of your Personal Information. We take appropriate steps to ensure that such third parties treat your Personal Information with the same consideration that we do.
  3. 4.3 We may from time to time be required to disclose your Personal Information to applicable Sri Lankan law enforcement bodies, regulators such as SEC, CBSL or third parties under a legal requirement or court order. We act responsibly and take account of your interests when responding to any such requests


  1. 5.1 We apply a general rule of keeping your Personal Information for as long as required to fulfill the purposes for which it was collected. However, in some circumstances, we may retain your Personal Information for longer periods, for instance where we are required to do so by legal and/or regulatory requirements.
  2. 5.2 In specific circumstances we may also retain your Personal Information for longer periods so that we have an accurate record of your dealings with us in the event of any complaints or challenges.
  3. 5.3 We maintain an Information Security Management System (ISMS) retention procedure which we apply to records in our care. In all cases, where your information is no longer required we will ensure it is disposed of securely and, where required by applicable law, we will notify you when such information has been disposed of.


  1. 6.1 CSE and its facilities have been Certified in information security management system namely: ISO|IEC 27001:2013, Certified in Business Continuity Management System namely: ISO 22301:2012 and Certified in IT Service Management namely: ISO 20000:2012, all these certifications are internationally recognized incapacity of information security, Business Continuity & IT Service Management.
  2. 6.2 We will hold your Personal Information securely whilst it is under our control, including where it is processed by third-party service providers on our behalf. We train CSE employees in respect of their obligations under data protection laws, and we ensure that we will only share and disclose your personal information as listed in section 4 above. 6.3 We take the security of our physical premises, our servers, and the Website seriously and we will take all appropriate technical measures using recognized security procedures and tools following good industry practice to protect your personal information across all these platforms.
  3. 6.4 Whilst we use all reasonable endeavors to protect the security of your data in the manner described above, we consider that it is only appropriate to advise you that data transmission over the Internet and the World Wide Web cannot always be guaranteed as 100% secure, and therefore that you use the Website at your own risk.


  1. 7.1 Subject to rights of the CSE Group as per the applicable laws, you may have some or all of the following rights in respect of your personal information:
    1. 7.1.1 to obtain a copy of your personal information together with information about how and on what basis that Personal Information is processed;
    2. 7.1.2 to rectify inaccurate Personal Information (including the right to have incomplete Personal Information completed);
    3. 7.1.3 to erase your Personal Information (in limited circumstances, where it is no longer necessary to the purposes for which it was collected or processed);
    4. 7.1.4 to restrict processing of your personal information where:
      1. the accuracy of the Personal Information is contested;
      2. the processing is unlawful, but you object to the erasure of the Personal Information;
      3. we no longer require the Personal Information, but it is still required for the establishment, exercise or defense of a legal claim
  2. 7.1.5 to challenge processing which we have justified based on a legitimate interest (as opposed to your consent, or to perform a contract with you);
  3. 7.1.6 to prevent us from sending you direct marketing;
  4. 7.1.7 to withdraw your consent to our processing of your personal information.
  5. 7.1.8 to object to decisions that are based solely on automated processing or profiling.
  6. 7.1.9 In addition to the above, you have the right to complain to the competent supervisory authority.
  7. 7.1.10 If you wish to investigate the exercising of any of these rights, please contact us using the details set out below.
  8. 7.1.11 Under the provisions of the General Data Protection Regulation and the Act Implementing the General Data Protection Regulation, if you believe that there has been a breach of your personal data or that your rights have been infringed, you have the right to contact the competent supervisory authority.


8.1 Any changes we make to this Privacy Policy will be detailed on our Web site to ensure that you are fully aware of what Personal Information is collected, how it is used and under what circumstances it will be disclosed. Only the latest privacy policy will be listed on the CSE website.


9.1 In all cases, if you have any complaints or queries relating to the processing of your Personal Information by the CSE Group, or to exercise any rights in respect of your Personal Information, you should contact us in one of the following ways:

By e-mail sent to

By post to:
Colombo Stock Exchange,
#04-01, West Block
World Trade Center, Echelon Square,
Colombo 01.
Tel: +94 11 2356456
Fax: +94 11 2445279

Central Depository Systems (Pvt) Ltd
Central Depository Systems (Pvt) Limited
Ground Floor, M & M Center, 341/5,
Kotte Road, Rajagiriya, Sri Lanka.
Tel: +94 11 2356456 & +94 11 7 420 400
Fax: +94 11 2440396

Data Protection Officer office:
Tel: +94 11 2356456


10.1 The ownership of the policy shall be vested in the board. DPO shall be responsible to conduct annual or requirement based periodic reviews of the policy and its adherence. The CSE Group has the right to amend this Policy and align it with any changes and updates based on applicable regulations; it will ensure that the most recent version of the Policy is available on the CSE website


11.1 You can send a request for the exercise of said right by email or post to the above-mentioned address to the DPO.

11.2 The CSE Group has the right to ask for you to provide documents necessary for identification and verification of your identity as the person submitting the request. If the requests of the data subject are manifestly unfounded or excessive (in particular, because of their repetitive character), we may charge a reasonable fee or refuse to act on the request.