පෞද්ගලිකත්ව ප‍්‍රතිපත්තිය

PERSONAL Data Protection Notice

This Data Protection Notice explains how Cargills Bank PLC, as a data controller under the Personal Data Protection Act No.9 of 2022 (PDPA), handles your personal data. It covers what information we collect, how and why we use it, who we share it with, and how we keep it secure. The notice applies to anyone inquiring about, using, or having used our products or services, and may be updated periodically.

1. The Basic Terms

When this Notice uses “we”, “us”, or “our”, it refers to Cargills Bank PLC as the data controller under the PDPA, responsible for deciding how and why your personal data is processed.

“You” or “your” refers to anyone who is a potential, current, or former customer, an authorized representative, or a visitor to our website or social media pages. As a “data subject”, this Notice applies to you if your personal data is involved; it does not however apply to data about companies or non-personal data such as anonymised or data that cannot identify a human being.

Our “products and services” include accounts, loans, credit cards, and similar offerings of Cargills Bank PLC.

2. Types of information we collect, how and why

We collect personal data relevant and necessary to your financial needs and our business requirements, always in line with applicable laws. Personal data can be gathered directly from you (e.g., applications, surveys, branch visits), generated through your use of our products and services, and obtained from third parties like employers, financial institutions, credit reporting agencies, public sources, and social media.

The personal data we process covers a broad range of information essential to providing you with tailored and secure financial services. This includes:

Identity & Contact Details: Such as your full name, date and place of birth, nationality, identification numbers (like NIC, passport, or driving licence), residential and mailing addresses, telephone and mobile numbers, and email addresses. These details help us confirm your identity, communicate with you effectively, and comply with regulatory and legal requirements.
Financial Data: Including your account numbers, credit and debit card numbers, transaction records, account balances, payment history, credit limits, credit scores, and credit risk assessments. We may also collect information about your employment status, salary, income sources, and assets or liabilities, all of which are crucial for evaluating your eligibility for products and services, managing your financial relationship with us, and comply with regulatory and legal requirements.
Usage & Preferences: Information about your product and service preferences, frequency and patterns of account usage, communication and marketing choices, as well as feedback provided through surveys or interactions with our staff. We also gather details about your use of our digital platforms, including device types, operating systems, browser information, and engagement with our website, app, or other online services.
Compliance & Security Data: This encompasses records required for due diligence, anti-money laundering, and fraud prevention, such as verification documents, records of communications, suspicious transaction alerts, and audit trails. We may utilise cookies, analytics tools, and similar technologies to monitor system security, verify your identity online, and detect unusual or unauthorised activities which in turn help us to respond to legal and regulatory requirements.

In addition to direct interactions, such as completing forms, applications, making enquiries, or visiting branches, we may collect information through digital means, including our website, mobile applications, online banking, and customer support hotlines. These channels may use technologies like cookies, tracking pixels, and secure logins to safeguard your data, personalise your experience, and ensure the integrity of our services.

We also receive relevant information from third-party sources, including employers, other financial institutions, credit reference agencies, publicly accessible sources, and social media. This helps us verify the accuracy of your data, assess eligibility, fulfil legal obligations, and enhance the overall quality of our services.

Your privacy and security are paramount, and all personal data is handled with strict adherence to the PDPA and our internal policies, ensuring confidentiality, integrity, and the lawful use of your information at every step. Therefore, we will not process your personal data unless one of the following bases applies:

To perform a contract with you, including taking any pre-contractual measures at your request (example: when we run a credit check on you when you approach us for a housing loan)
To comply with a legal obligation imposed on us by law. (example: notifying the Financial Intelligence Unit of any suspected money laundering and terrorist financing activities pursuant to the requirements under the Financial Transactions Reporting Act No.6 of 2006)
With your consent (example: when we seek your consent to promote personalised product offerings to you via SMS)
For our legitimate interests (example: when we monitor transactions to detect fraud)
For the performance of a task carried out in the public interest

3. How we secure your personal data

We adopt industry accepted technology, security protocols and practices to ensure the confidentiality, integrity and availability of the personal data that we collect, store, transmit and dispose. We adopt suitable technical and organisational measures to ensure the personal data is safeguarded from misuse, loss and unauthorised access, modification or disclosure.

4. How long we keep your personal data

When determining for how long your personal data is retained, we consider the applicable regulatory framework, legal requirements and operational needs of the bank.

In accordance with our internal policies, we are required to retain customer data that may include, without limitation, your identity data and financial data for a period of seven (7) years from the time you cease to be our customer.

However, we may adopt a shorter retention period such as 6 months or less in the case of communication records, chat history and internet cookies.

We may however keep your data for a period longer than 7 years in the following circumstances:

To respond to ongoing disputes or litigation.
To respond to legal and regulatory demands, provided they are within the legal prescription periods, and
For research or statistical purposes

When the purposes of collecting and processing personal data has ceased, will take adequate steps to securely destroy or permanently de-identify or anonymise such personal data.

5. Disclosing your personal data

We keep your data confidential, but may be required to share it with third parties in specific instances, such as those listed below:

External service providers (for processing, marketing, deliveries, research, debt collection, etc.), both in and outside Sri Lanka;
Regulatory bodies like the Central Bank of Sri Lanka for audits or compliance requirements as prescribed by law;
Law enforcement authorities and regulatory entities if unlawful activity is suspected;
Courts of law when your data is sought pursuant to court orders;
Your employer in the case of corporate-issued credit cards;
Related companies in the Cargills Group for product and service delivery or information;
Credit reporting agencies such as the Credit Information Bureau.
Outsourced personnel for specific services at your request (e.g., Foreign Exchange, managed funds);
Anyone else you authorize in writing to access your personal data.

6. Transferring your personal data out of Sri Lanka

Your personal data may be transferred to and stored in locations outside of Sri Lanka due to various operational and/or legal requirements. This may include your personal data being stored in countries which may not have the same level of protection as provided under the PDPA. Therefore, when we must transfer personal data out of Sri Lanka, we will ensure that such transfer is in line with applicable legal requirements under the PDPA and other applicable laws ensuring an adequate level of protection.

7. Use of Automated Decisions Making Systems

We may implement automated decision-making systems within our operational framework when offering and/or managing your relationship with us. Automated decision-making refers to decisions or profiling conducted solely through automated mechanisms without human involvement. These systems are typically employed to assist human decision-making processes by analysing data according to specific criteria established by us. We may utilise these systems for evaluating your eligibility, risk and preferences for or when using our products and services.

8. Your rights

You are entitled to the following rights under the PDPA. If you wish to exercise any of those rights, please reach out to us.

Right	Description
Access	You have the right to confirm whether we are processing any information about you. If we are, you may request access to the personal data in our possession. You may also request additional details regarding any matter outlined in this notice.
Object	If you believe your data is being processed to fulfill our legitimate interests or public interest objectives, you may raise an objection to how your personal data is processed for such purposes.
Withdraw Consent	If we have obtained your consent to process your personal data for a specific purpose, you are entitled to withdraw that consent at any time. Please note that withdrawal will not affect processing activities carried out prior to your withdrawal.
Rectification	You can request correction of any inaccurate personal data or ask for incomplete data to be completed.
Erasure	Should you believe we are processing your data in violation of the PDPA, or if you have withdrawn your consent, you may request that we erase your personal data. We may also erase your data if required by court order in accordance with applicable laws.
Automated Individual Decision Making	If any decision regarding you has been made entirely by automated means without human involvement and has a significant or lasting impact on your rights or freedoms, you may request a review of that decision.
Exemptions	Under the PDPA, we may lawfully deny your request based on specific grounds, including concerns related to national security, public order, active legal proceedings, prevention or prosecution of criminal offenses, the rights and freedoms of others, technical or operational feasibility, inability to confirm your identity, or legal obligations requiring us to process your data.
Appeal to DPA	If you are dissatisfied with our response to any such request, you have the right to appeal to the Data Protection Authority of Sri Lanka. For more details on lodging an appeal, please visit their official website: www.dpa.gov.lk

9. Get in touch with us

Connect with us if you need any further information or wish to exercise your rights.

By calling our hotline : 0117640640

By walking into any of our branches : https://www.cargillsbank.com/our-network/

By contacting the Data Protection Officer : Kusala Karunaratne

Email : Kusala.k@cargillsbank.com

Post : No.696, Galle Road, Colombo 3.

කාගිල්ස් බැංකුව වෙත සාදරයෙන් පිළිගනිමු!

කාගිල්ස් බැංකුව විසින් පිරිනමනු ලබන විශ්මිත සේවා අත්විඳින්න.

අමතන්න

ඊ මේල් කරන්න