Colombo Stock Exchange Group (hereinafter referred to as the "CSE Group") pays special attention to the collection, use, processing
and storage of personal data with which it comes into contact in its day-to-day activity. Compliance with the legislation and alignment
with the new provisions in the field of data protection has always been a priority for the company.
For an example, starting with May 25, 2018, Regulation no. 679/2016 on the protection of individuals concerning the processing of
personal data and the free movement of such data and repealing Directive 95/46 / EC (hereinafter referred to as „GDPR") enters into
force and it shall be applicable in all Member States of the European Union. As global financial services and technology provider, CSE
Group is committed to protecting Personal Information and complying with applicable privacy requirements in a trustworthy,
transparent and responsible manner. Since CSE Group collects, process and transfer personal identified information when
compliant with the EU-GDPR regulation.
- 1.1.1 use our products or services; including but not limited to the opening of Securities Accounts with The Central Depository
Systems (Pvt.) Ltd (CDS) - a subsidiary of the CSE, CDS e-connect, SMS Alerts Facility and e-Statements;
- 1.1.2 submit documents to the CDS or subscribe for alerts or newsletters;
- 1.1.3 attend one of our events, or an event hosted by the CSE Group, at the Head Office or the CDS premises or any place
defined by the CSE Group, within or outside Sri Lanka;
- 1.1.4 visit or register to use https://www.cse.lk/corporate (the “Website”) or any CSE Group Website.
Information Security Policy for more information.
been made to the said Policy.
- 1.4 It should be noted that all the personal information collected and processed by the CSE Group will also be stored and maintained
with your respective stockbroker firm/s for providing stock brokering services.
- 1.6 Your personnel information shall be held in our databases.
02. WHAT PERSONAL INFORMATION DO WE COLLECT?
- 2.1” Personal Information" refers to information which does or can identify you as an individual. The types of Personal
Information that we process will depend largely on the service you receive from us (and may also vary by country, and according to
applicable law). However, the following is an overview of the types of Personal Information which the CSE Group would process:
- 2.1.1 your name;
- 2.1.2 email address;
- 2.1.3 other personal contact details (including telephone number and postal address)
- 2.1.4 corporate contact details (including business "direct dial" or office address);
- 2.1.5 financial information (where necessary to conclude services contracts with you);
- 2.1.6 your photograph (for instance, where you attend a CSE Group event);
- 2.1.7 your passport or National ID Card (creating a CDS account or required to confirm your identity where you visit our
- 2.2 Your use of the Website and related online services involves the automated collection of certain types of information, some of
which may be considered Personal Information under applicable laws or in specific circumstances. This information includes:
- 2.2.1 IP address;
- 2.2.2 browser type; and
- 2.2.3 operating system.
- 2.3 We will only collect information that is necessary for us to provide you with the product or service that you have requested. The
type of information that we may collect will depend upon the nature of that service or product.
03. HOW WILL WE USE ANY PERSONAL INFORMATION THAT WE COLLECT?
- 3.1 It will often be apparent from the context of how we intend to use your Personal Information.
- 3.2 All processing of Personal Information which we undertake is justified by a "condition" for processing. In most cases, processing
will be justified on the basis that:
- 3.2.1 you have consented to the processing
- 3.2.2 the processing is necessary to perform a contract or to take steps to enter into a contract;
- 3.2.3 the processing is necessary for us to comply with a relevant legal obligation; or
- 3.2.4 the processing is in our legitimate commercial interests, subject to your interests and fundamental rights.
- 3.3 The purposes for which we process your Personal Information include the foll0wing:
- 3.3.1 To provide you with specific services such as opening a securities account, trading on the Colombo Stock Exchange and
other related services provided by the CSE Group such as but not limited to:
- CDS e-connect,
- SMS Alerts Facility and
following a contract you are entering, or have entered with us;
- 3.3.2 To register you for other services provided by the Colombo Stock Exchange Group.
- 3.3.2 To carry out regulatory reporting or to disclose to other authorities as required by law [for instance, Securities and
Exchange Commission of Sri Lanka (SEC), Central Bank of Sri Lanka (CBSL) and any competent court of law];
- 3.3.4 To provide you with newsletters or alerts where you have signed-up for these on the website’s owned by the Colombo
Stock Exchange Group
- 3.3.5 To conduct market research surveys, where you choose to participate in these;
- 3.3.5 To participate in events hosted by the Colombo Stock Exchange Group;
- 3.3.6 To control access to our premises.
Your data may be processed either electronically or in hard copy form.
3.4 We may send you direct marketing communications. Where these are electronic communications (email or telephone) we will
have obtained your prior consent. In limited circumstances, where we have obtained your explicit prior consent, we may send you
marketing communications to carefully selected products and services, which may be of interest to you. You may opt-out of certain
kinds of marketing, or all forms of marketing, by emailing us at the following address: www.cse.lk Alternatively, you can click on the
"opt-out" link provided in all our marketing emails.
04.DISCLOSURE OF YOUR PERSONAL INFORMATION
- 4.1 We may share your personal information within the CSE Group to provide you with our services. Access to your Personal
Information is strictly limited to those employees of the CSE Group who need access to provide you with our services; to
communicate with you (including, with your consent, to send you marketing communications); and to carry out legal or regulatory
- 4.2 We may also employ the services of third-party service providers to help us in certain areas, such as website hosting, physical
security, marketing, and market research. Where third-party service providers receive your information, we will remain responsible
for the use of your Personal Information. We take appropriate steps to ensure that such third parties treat your Personal Information
with the same consideration that we do.
- 4.3 We may from time to time be required to disclose your Personal Information to applicable Sri Lankan law enforcement bodies,
regulators such as SEC, CBSL or third parties under a legal requirement or court order. We act responsibly and take account of your
interests when responding to any such requests
05.RETENTION OF YOUR PERSONAL INFORMATION
- 5.1 We apply a general rule of keeping your Personal Information for as long as required to fulfill the purposes for which it was
collected. However, in some circumstances, we may retain your Personal Information for longer periods, for instance where we are
required to do so by legal and/or regulatory requirements.
- 5.2 In specific circumstances we may also retain your Personal Information for longer periods so that we have an accurate record of
your dealings with us in the event of any complaints or challenges.
- 5.3 We maintain an Information Security Management System (ISMS) retention procedure which we apply to records in our care. In
all cases, where your information is no longer required we will ensure it is disposed of securely and, where required by applicable law,
we will notify you when such information has been disposed of.
06.PROTECTION OF YOUR PERSONAL INFORMATION
- 6.1 CSE and its facilities have been Certified in information security management system namely: ISO|IEC 27001:2013, Certified in
Business Continuity Management System namely: ISO 22301:2012 and Certified in IT Service Management namely: ISO
20000:2012, all these certifications are internationally recognized incapacity of information security, Business Continuity & IT
- 6.2 We will hold your Personal Information securely whilst it is under our control, including where it is processed by third-party
service providers on our behalf. We train CSE employees in respect of their obligations under data protection laws, and we ensure
that we will only share and disclose your personal information as listed in section 4 above.
6.3 We take the security of our physical premises, our servers, and the Website seriously and we will take all appropriate technical
measures using recognized security procedures and tools following good industry practice to protect your personal information
across all these platforms.
- 6.4 Whilst we use all reasonable endeavors to protect the security of your data in the manner described above, we consider that it is
only appropriate to advise you that data transmission over the Internet and the World Wide Web cannot always be guaranteed as
100% secure, and therefore that you use the Website at your own risk.
- 7.1 Subject to rights of the CSE Group as per the applicable laws, you may have some or all of the following rights in respect of your
- 7.1.1 to obtain a copy of your personal information together with information about how and on what basis that Personal
Information is processed;
- 7.1.2 to rectify inaccurate Personal Information (including the right to have incomplete Personal Information completed);
- 7.1.3 to erase your Personal Information (in limited circumstances, where it is no longer necessary to the purposes for which it
was collected or processed);
- 7.1.4 to restrict processing of your personal information where:
- 18.104.22.168 the accuracy of the Personal Information is contested;
- 22.214.171.124 the processing is unlawful, but you object to the erasure of the Personal Information;
- 126.96.36.199 we no longer require the Personal Information, but it is still required for the establishment, exercise or defense
of a legal claim
- 7.1.5 to challenge processing which we have justified based on a legitimate interest (as opposed to your consent, or to perform
a contract with you);
- 7.1.6 to prevent us from sending you direct marketing;
- 7.1.7 to withdraw your consent to our processing of your personal information.
- 7.1.8 to object to decisions that are based solely on automated processing or profiling.
- 7.1.9 In addition to the above, you have the right to complain to the competent supervisory authority.
- 7.1.10 If you wish to investigate the exercising of any of these rights, please contact us using the details set out below.
- 7.1.11 Under the provisions of the General Data Protection Regulation and the Act Implementing the General Data Protection
Regulation, if you believe that there has been a breach of your personal data or that your rights have been infringed, you have
the right to contact the competent supervisory authority.
Personal Information is collected, how it is used and under what circumstances it will be disclosed. Only the latest privacy
policy will be listed on the CSE website.
09. CONTACT DETAILS
9.1 In all cases, if you have any complaints or queries relating to the processing of your Personal Information by the CSE
Group, or to exercise any rights in respect of your Personal Information, you should contact us in one of the following ways:
By e-mail sent to email@example.com
By post to:
Colombo Stock Exchange,
#04-01, West Block
World Trade Center, Echelon Square,
Tel: +94 11 2356456
Fax: +94 11 2445279
Central Depository Systems (Pvt) Ltd
Central Depository Systems (Pvt) Limited
Ground Floor, M & M Center, 341/5,
Kotte Road, Rajagiriya, Sri Lanka.
Tel: +94 11 2356456 & +94 11 7 420 400
Fax: +94 11 2440396
Data Protection Officer office:
Tel: +94 11 2356456
10.1 The ownership of the policy shall be vested in the board. DPO shall be responsible to conduct annual or requirement
based periodic reviews of the policy and its adherence. The CSE Group has the right to amend this Policy and align it with any
changes and updates based on applicable regulations; it will ensure that the most recent version of the Policy is available on
the CSE website www.cse.lk
11.1 You can send a request for the exercise of said right by email or post to the above-mentioned address to the DPO.
11.2 The CSE Group has the right to ask for you to provide documents necessary for identification and verification of your
identity as the person submitting the request. If the requests of the data subject are manifestly unfounded or excessive (in
particular, because of their repetitive character), we may charge a reasonable fee or refuse to act on the request.