DATA PRIVACY NOTICE
Overview
This Notice describes how Capital Alliance Holdings Limited and its connected entities (hereinafter referred to as the “Group”, “We”, “Our” and “Us”) collect and use the Personal Data of the Group’s employees and other personnel (as hereinafter defined). In doing so, it explains the types of Personal Data that we collect about such employees and personnel, as data subjects (each hereinafter referred to as “you” and “your”), the purposes for which such Personal Data is collected, the basis upon which we process it as well as your rights with respect to such data.
We also reserve the right to amend and / or update this Notice at any time and from time to time. It is therefore important that you read this Notice, together with any periodic updates thereto, so that you are aware of how and why we are using your Personal Data.
Scope and Context
This Notice applies to all employees of the Group – including former employees after the conclusion of their employment with the Group – as well as, where relevant, to job applicants, interns, consultants and other third parties whose information is provided to us in connection with their employment or other work engagement with the Group.
Unless, and except as, explicitly incorporated by specific reference, this Notice does not, however, form part of any contract of employment, engagement or other contract to provide services. It also does not confer any contractual right on you or place any contractual obligations on us (as distinct from any statutory obligations the Group may have under applicable law).
Definitions and Interpretation
For the purposes of this Notice:
- “Personal Data” means and refers to any information that can identify a data subject directly or indirectly, by reference to – (a) an identifier such as a name, an identification number, financial data, location data or an online identifier; or (b) one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that individual or natural person.
- The Group may also anonymize, tokenize and / or aggregate Personal Data in a manner in which the natural person to whom such data relates may not be personally identifiable. In such instances, we may, and will, utilize such non-Personal Data for any lawful purpose without further notice to you.
- “PDPA” means and refers to the Personal Data Protection Act, No. 9 of 2022, as amended.
- “processing”, with respect to Personal Data, means and refers to dealing with such data in any way – including, collecting, storing, altering, retrieving, disclosing, transmitting, erasing or destroying data.
- Unless otherwise specifically stated, any reference in this Notice to the words “include(s)” or “including” shall not be construed restrictively but shall mean “includes but shall not be limited to” and “including, without limitation”.
How and When Do We Collect Your “Personal Data”?
The Group may collect and process your Personal Data in a number of different ways – including: (a) as part and parcel of our recruitment and onboarding processes (for example, where information is provided or communicated to us in your job application or by a referee and / or recruitment agency); (b) in your interactions and dealings with us throughout the course of your employment or engagement (for instance, in relation to performance reviews, disciplinary processes, and by participating in voluntary benefit schemes); (c) when communicating with us by telephone, email, via our website or any other means (for example, to make inquiries or file complaints); as well as (d) from third parties (such as government bodies) and through other screening processes (as recognized and permitted by applicable law).
Where, and to the extent permitted by applicable law, such data may also be collected through your use of the devices and facilities made available to you by the Group (including, for example, office electronic devices, telephone logs and recordings, email and internet access logs as well as building and location access control and monitoring systems).
Note that a failure to provide any Personal Data reasonably requested from you may automatically disqualify you from being employed and / or engaged by the Group, as we will not have the information we believe to be necessary for the effective and efficient administration and management of our professional relationship with you.
The Types of Personal Data We Collect
The types of Personal Data which we collect and process will vary depending on, amongst other things, your role, location and the other terms and conditions of your employment or engagement with the Group. Such data may include:
- Your personal details – including, for example, your name, date of birth, gender, blood type, emergency contact / next of kin details, immigration and eligibility to work data as well as languages spoken;
- Your contact details – including, for example, your local and permanent address, email address and telephone number;
- Your State-issued identification details – including, for example, your national identity card number, passport number (for the purposes of work-related travel, etc.), tax identification number and other such identifiers;
- Basic work details – including, for example, your work contact details (such as corporate email address and telephone number), unique employee identification number, login credentials, photograph, and the terms and conditions of your employment;
- Recruitment and selection data – including, for example, any Personal Data contained in your CV, application form(s) and any supporting documentation, records of interview or interview notes, records of assessments, employment history (including pay stubs or salary statements from the previous workplace), references and recommendations;
- Professional and academic qualifications and related data – including, for example, certifications, licenses and transcript documentation;
- Remuneration and benefits data – including, for example, the details of your compensation and benefits package, bank account details, grade, statutory and social security data (including, the details of your gratuity, EPF and ETF accounts), credit score information, tax information and third-party benefit recipient information;
- Leave and related data – including, for example, your annual and casual leave records, any Personal Data contained therein as well as any supporting medical reports, records and other documentation;
- Health and safety data – including, for example, accident and first aid records, injury at work and third-party accident information, insurance information as well as, to the extent permitted by applicable law, information concerning your health and medical conditions (including, for example, your dietary needs and allergies);
- Performance Management Data – including, for example, any Personal Data contained in colleague and supervisor feedback, appraisals, outputs from training programmes as well as in any formal or informal performance management or assessment processes;
- Disciplinary and Grievance Data – including, for example, any Personal Data contained in records of allegations, domestic inquiries and investigations as well as any related records, reports and meeting outcomes;
- Monitoring and Security Data – including, to the extent permitted by applicable law, any identifiable images contained in CCTV footage, system and building login and access records, keystroke, download and print records, call recordings as well as any data caught by IT security programmes and filters;
- Termination Data – including, for example, the dates and reason for leaving, termination processes and arrangements as well as the details of any related payments, exit interviews and references; and
- Any other personal data which you choose to disclose to the Group and its personnel during the course of your employment, whether verbally or in written form.
Apart from Personal Data relating to yourself, you may also provide the Group with the Personal Data of other third parties such as your referees, dependents and other family members or friends, for one or more of the purposes contemplated below (including, for example, for employment and qualification verification, the administration of benefits and to contact your next of kin in an emergency). Before doing so, you undertake on each occasion to first inform these third parties of any such data which you intend to provide to the Group (and any corresponding processing to be carried out by it, as detailed in this Notice) as well as obtain their consent for sharing such data with the Group on the terms set out in this Notice.
Special Categories of Personal Data
To the extent permitted by applicable law, the Group may also collect and process a limited amount of personal data that falls within the classification of a special category of personal data that merits greater care when processing.
Under this classification, we may collect and process information relating to: (a) an individual’s criminal record and activities (including any offences, charges, criminal proceedings and / or convictions) – which we will process, where permitted by law, as part of our recruitment and vetting processes, to investigate such activities and, where necessary, take legal action, as well as exercise or defend any legal claims relating thereto; (b) certain biometric and dactyloscopic data (for example, fingerprints to allow for, amongst other things, biometric access to our office facilities); (c) personal data relating to your children – only where, and to the extent that, such information is required for the purposes of specifying or documenting your dependents or next of kin (for example, in an emergency or for the allocation / payment of a benefit, where applicable); as well as (d) data concerning health – which we will process, where relevant and permitted by law, to assess your continued fitness to work as well as ensure your health and safety in the workplace (for example, in an emergency which threatens your life, health or safety or that of someone else).
How Your Personal Data Will Be Used
Subject to applicable law, we will use and process your Personal Data in the following circumstances:
- Where processing is necessary for the performance of any contract that we have entered into with you or on your behalf, or in order to take steps at your request prior to entering into such a contract;
- Where processing is necessary for us to comply with any legal obligation to which we are subject under any written law;
- Where processing is necessary for the legitimate interests pursued by the Group, except where such interests are overridden by your interests which require the protection of personal data; and
- Where you have consented to processing for one or more specific purposes.
There can also be certain occasions where it becomes necessary for the Group to use your personal information to protect your interests (or someone else's interests) – for example, in response to an emergency that threatens your life, health or safety (or that of someone else).
As and where required, we use and process your Personal Data for a number of purposes – including, those more fully set out in Annexure One below.
Please note that: (a) Annexure One is not an exhaustive list and we may process your Personal Data for other purposes that are consistent with the legal basis on which we process your personal data; and (b) some of these purposes will overlap and there can be several grounds which justify our use of your Personal Data.
Additional Processing with Your Consent
The Group may, from time to time and independent of this Notice, seek your consent for processing which is not otherwise justified under one of the bases contemplated above. If and where such consent is required, it will be sought from you separately to ensure that it is freely given, informed and explicit. Information regarding such processing will be provided to you at the time such consent is requested, along with the impact of not providing such consent (which may include, for example, where consent has been sought to enable you to participate in a programme or benefit offered through the Group that falls outside of the scope of this Notice, your inability to participate in such programme or benefit).
Please note that we do not rely on your consent for processing any Personal Data if and where there is another lawful condition or basis for processing it.
The Sharing of Personal Data
For the purposes referred to in this Notice and in relying on the lawful bases for processing as set out above, we may share your Personal Data with certain third parties either where we are required to do so by applicable law and / or where necessary to administer and manage our working relationship with you. Such third parties may consist of a variety of recipients, including: (i) state or government bodies / instrumentalities; (ii) regulatory bodies and agencies; (iii) other members of the Group (as defined); (iv) internal and external auditors, attorneys, consultants, and other professional service providers; and (v) other parties who have a legitimate reason for receiving such information (such as, for example, third parties who assist and / or provide the Group with services, products, training, facilities, insurance, employee benefits and IT services, police or law enforcement agencies, next of kin; potential and current investors, and so on).
The Group expects such third parties to process any data disclosed to them in accordance with applicable law, including with respect to data confidentiality and security. Where these third parties act as a “data processor”, your personal data will only be disclosed to these parties to the extent necessary to provide the services required. We may also share your information with clients where you are part of a client team or proposed team (including as part of a tender process) as well as with sub-contractors, where you are, for example, designated as a point of contact on behalf of the Group. Your personal data may also be disclosed to advisors, potential transaction partners or interested third parties in connection with the consideration, negotiation and / or completion of a corporate transaction or restructuring of the business or assets of the Group and / or any part of the Group.
Cross-border Data Transfers
For the purposes referred to in this Notice and in relying on the lawful bases for processing as set out above, your Personal Data may be transferred / transmitted to, stored / maintained on and / or retrieved from servers and systems located outside of Sri Lanka and / or your country of domicile or residence, where – for example, the data protection laws may differ from those prevailing in your own jurisdiction.
Any and all such cross-border transfers of Personal Data will be carried out in accordance with applicable law. Please note that, while the Group shall seek to adopt all reasonable and commercially acceptable technical and organizational means to protect the confidentiality and integrity of such Personal Data, you equally acknowledge: (a) that the Group cannot guarantee its absolute security, confidentiality and integrity; and (b) that the Group shall not be responsible for any loss of confidentiality and / or integrity arising from or in connection with the unlawful, malicious or negligent actions or omissions of a third party (whether under the Computer Crime Act, No. 24 of 2007 or otherwise).
Data Retention
The Group uses the following criteria to establish its retention period in respect of any Personal Data that it collects and processes under this Notice:
- As long as we have an ongoing engagement and / or employment relationship with you; or
- For a longer period where, and to the extent:
  - retention is required by any legal obligations to which we are subject (such as statutory labour, tax and accounting obligations);
  - retention is advisable in light of our legal position (such as applicable statutes of limitations) in order to establish, exercise and defend against any legal claims; and / or
  - retention is reasonably necessary to meet or fulfil our legitimate business needs or purposes (such as for record-keeping, follow-ups, etc.). For example, where you request us to provide a reference or confirmation of employment on your behalf, we will necessarily need to maintain corresponding Personal Data about you in order to fulfil this purpose.
Data Subject Rights
Please also familiarize yourself with Part II of the PDPA to better understand your rights as a data subject. Such rights include, but are not limited to:
- The right of access to any of your Personal Data that the Group may hold as well as receive a copy thereof;
- The right to request us to rectify any inaccurate or incomplete Personal Data relating to you;
- The right to review an automated decision – in the limited circumstances that a decision has been arrived at solely on the basis of automated processing, you may request us to review such decision – subject to the conditions prescribed by the PDPA; and / or
- The right to request the erasure of any Personal Data relating to you – provided, however, that such right only exists where you can demonstrate that we have processed your Personal Data in contravention of the obligations in sections 5 to 11 of the PDPA or where erasure is required by any applicable written law or on an order of a competent court to which either you or the Group is subject.
Note that where we rely upon legitimate interest as a basis for processing, we believe that we can demonstrate such compelling legitimate grounds, but we will consider and review each request on a case-by-case basis. Furthermore, where such a request is granted by the Group – you may, depending on the relevance and importance of the information underlying such request to the facilitation, administration and management of the Group’s relationship with you, automatically and without further notice disqualify yourself from: (a) being employed and / or engaged by the Group; and / or (b) one or more benefits, opportunities and other entitlements otherwise made available by or through the Group.
Where you, in your capacity as a data subject, wish to submit a request to the Group for the purposes of exercising any rights conferred on you under the PDPA (hereinafter referred to as a “Request”), such Request:
- must be in writing and be correctly addressed to the Group in accordance with the contact details specified below;
- may be subject to your fulfilment of any counter-requests made by the Group for the purposes of establishing the identity of the data subject making such Request;
- must fairly and accurately identify the Personal Data in respect of which such Request is being made; and
- may be processed subject to the advance settlement by you of such fees as may be prescribed by regulations made under the PDPA.
Provided, however, that you acknowledge and agree that the Group shall have no obligation whatsoever to verify or otherwise confirm the authenticity and / or source of any emails received by us from the email address registered and / or maintained with the Group for you.
It is also important that the Personal Data that we have about you is true, accurate and up-to-date. As such, where you upload, submit or otherwise provide the Group with Personal Data (whether verbally, in writing or otherwise), you agree (and shall be deemed to have represented and warranted to us) that such information (including, for example, your address or bank account details) is true, comprehensive and accurate. You shall also be responsible for promptly updating such information by notifying us of any changes thereto as and when it becomes outdated, inaccurate or incomplete.
Correspondence, Concerns and Complaints
Any questions or other correspondence with the Group relating to this Notice should be directed to:
Attn:
Chief Risk and Compliance Officer
CAPITAL ALLIANCE HOLDINGS LIMITED
Level 05, Millennium House,
No. 46/58, Nawam Mawatha,
Colombo 02
If you have any questions, concerns or complaints about how we are using your Personal Data, we may be able to address and resolve them, and we accordingly request that you contact the Group using the contact information provided above.
You also have the right to lodge a complaint with the Data Protection Authority of Sri Lanka – particularly, where you believe that we have not complied with the requirements of the PDPA in processing your Personal Data, or if you are not happy with the response you receive from us regarding a complaint.
ANNEXURE ONE
Each X in the “Lawful basis for processing” column marks one of the following bases: necessary for the performance of a contract; necessary for compliance with a legal obligation; or necessary for the purposes of the legitimate interests of the Group.

| Purpose for processing | Lawful basis for processing | Legitimate Interest (where applicable) |
|---|---|---|
| For the recruitment, evaluation, selection and / or onboarding of employees – including for appropriately vetting and verifying a candidate’s qualifications, right to work and employment history; and for making decisions thereon. | X X | The Group considers that it has a legitimate interest in, amongst other things, fully reviewing, vetting, substantiating and deciding on applications for employment or engagement to ensure that only suitable and appropriate candidates are assessed, shortlisted, selected and / or engaged. |
| For providing and administering remuneration, benefits and incentive schemes, the reimbursement of business costs and expenses as well as for making appropriate tax and social security deductions and contributions. | X X X | The Group considers that it has a legitimate interest in, amongst other things, managing its workforce and operating its business – including, in order to administer and ensure that its employees are duly retained, remunerated and compensated – with suitable records thereof. |
| For general employee management, including – allocating and managing duties and responsibilities (as well as overseeing and measuring work hours); facilitating and administering business travel, lodging, perquisites and other such employee-related benefits and facilities as well as employee certifications, licensing and regulatory requirements; to enable budgeting, financial reviews and internal business reporting; maintaining emergency contact and beneficiary details; for managing health and safety at work as well as to investigate and report on incidents. | X X X | The Group considers that it has a legitimate interest in, amongst other things, managing its workforce and operating its business in order to, for example, ensure that each employee undertakes and is allocated appropriate duties, is properly trained and undertakes their roles correctly and in accordance with appropriate procedures. |
| For identifying and communicating with employees and other personnel, including managing and maintaining internal directories and relevant communication platforms / portals to facilitate contact. This also involves the maintenance of corresponding communication logs and records. | X X | The Group considers that it has a legitimate interest in, amongst other things, efficiently communicating with its employees and other personnel as well as in maintaining an account thereof for facilitating, amongst other things, record-keeping, transitions, dispute resolution, etc. |
| For managing and operating appraisal, conduct, performance, capability, behavioural, absence and grievance related reviews, allegations (including those received as part of any whistleblowing report), complaints, investigations and processes and other informal and formal HR and legal compliance processes and for making related management decisions. | X X X | The Group considers that it has a legitimate interest in, amongst other things, assessing employee conduct and performance, and reviewing related concerns in order to implement necessary action to address and resolve any such concerns – as permitted by applicable laws and regulations. |
| For training, development, promotion, career, succession and business contingency planning and programming. | X X | The Group considers that it has a legitimate interest in, amongst other things, efficient employee management in alignment with its business goals to ensure it continues to retain, reward and attract high calibre employees. |
| Processing information about absence or medical information regarding physical or mental health or condition in order to: assess eligibility for related benefits or exemptions; to determine fitness for work; facilitate a return to work; make adjustments or accommodations to duties or the workplace; make management decisions regarding employment or engagement or continued employment or engagement or redeployment; and conduct related management processes. | X X X | The Group considers that it has a legitimate interest in, amongst other things, ensuring that employees are adequately supported in relation to their mental and physical well-being to engage in the complete and proper performance of their respective roles. |
| For planning, managing and carrying out restructuring, VRS or other redundancy programmes including appropriate consultation, selection, alternative employment searches and related management decisions. | X X X | The Group considers that it has a legitimate interest in, amongst other things, making decisions which support its long-term business goals and implementing necessary action to either preserve or grow its business. |
| For complying with reference requests where the Group is named by the individual as a referee. | X | The Group considers that in the fulfilment of its role as a responsible corporate entity, it has a legitimate interest in, amongst other things, ensuring that any confirmation or corroboration on its part regarding its former employees is precise and accurate. |
| For operating email, IT, internet, social media, HR related and other Group policies and procedures as well as for maintaining all related accounts and systems; and to provide technical support in respect of all HR and other IT systems. Where deemed necessary, the Group monitors its IT systems to protect and maintain the integrity of such systems and infrastructure; and to ensure compliance with the Group’s IT policies (including through the monitoring of your business and personal use of our information and communication systems and devices) as well as locate information through searches where needed for a legitimate business purpose. | X X X | The Group considers that it has a legitimate interest in, amongst other things, efficiently managing its employee workforce and ensuring that the information networks utilized for such management purposes are adequate and secure. |
| For protecting the private, confidential and proprietary information of the Group, its employees, clients and third parties as well as protecting the security of its sites, systems, employees and visitors. | X X X | The Group considers that it has a legitimate interest in, amongst other things, protecting its assets, and strengthening the security and integrity of all confidential and proprietary information vested in the Group. |
| For the general administration of any contract entered into with an employee; and for otherwise contracting with employees and other personnel, as and when required. | X X | The Group considers that it has a legitimate interest in, amongst other things, ensuring the proper and complete fulfilment of contractual obligations undertaken by and between the Group and its employees. |
| For complying with applicable laws and regulations (including, for example, the Shop and Office Employees (Regulation of Employment and Remuneration) Act, health and safety legislation (if any and where applicable) and taxation laws). | X | Not Applicable. |
| For planning, due diligence and implementation in relation to a commercial transaction or service transfer involving the Group that impacts on your relationship with it – including, for example, any mergers and acquisitions, or a transfer of your employment where permitted by applicable law. | X X | The Group considers that it has a legitimate interest in, amongst other things, implementing business decisions required for the preservation or growth of its business. |
| For the provision of information to the Group’s shareholders, investors, asset managers and lenders for use, review, analysis in their capacity as such or pursuant to the performance of a contract. | X X X | The Group considers that it has a legitimate interest in, amongst other things, the fulfilment of its transparency obligations – including sharing required information with relevant stakeholders and implementing measures to ensure that such information is available, adequate and complete. |
| For business, operational and reporting documentation such as the preparation of annual reports or tenders for work or client team records, including the use of photographic images. | X X X | The Group considers that it has a legitimate interest in, amongst other things, ensuring that the general business operations of the Group are implemented as per due procedure, pursuant to its business goals. |
| Where relevant, for publishing appropriate internal or external communications or publicity material (including via social media in appropriate circumstances). | X X | The Group considers that it has a legitimate interest in, amongst other things, maintaining and developing its goodwill and reputation – including, through its offline and online media presence. |
| To support HR administration and management and for maintaining and processing general records necessary to manage employees or other personnel under their respective contracts of employment or engagement (including, but not limited to, their respective personnel files); and to make decisions on the continuation of employment or engagement as well as to administer any terminations thereof. | X X X | The Group considers that it has a legitimate interest in, amongst other things, the efficient management of its employees to support its long-term and short-term business objectives. |
| To change, maintain and supervise access permissions – including IT and building access rights. | X X X | The Group considers that it has a legitimate interest in, amongst other things, maintaining the integrity and security of its assets and related networks. |
| To enforce our legal rights and obligations, and for any purposes in connection with any legal claims, reports of violations or allegations made by, against or otherwise involving you; as well as to prevent and deal with fraud. | X X X | The Group considers that it has a legitimate interest in, amongst other things, exercising its contractual and statutory legal rights and obligations – including, instituting legal action and defending itself from any and all legal claims. |
| To comply with any lawful requests made by public authorities (including without limitation to meet law enforcement requirements), discovery and disclosure requests, or where otherwise required or permitted by applicable law, court order, government regulation, or a regulatory authority. | X X | The Group considers that it has a legitimate interest in, amongst other things, ensuring the fulfilment of legal and statutory obligations it is subject to. |
| To conduct data analytics studies to, amongst other things, review and better understand employee retention and attrition rates. | X | The Group considers that it has a legitimate interest in, amongst other things, effectively managing its workforce. |
| For any other purpose(s) permitted or mandated by applicable law, including any legitimate interests pursued by the Group where these are not overridden by the interests or rights of employees. | X X | The Group considers that it has a legitimate interest in, amongst other things, implementing decisions pursuant to its short-term and long-term business objectives – as permitted by applicable law. |