CSS, being a duly registered company in Sri Lanka, certifies that it complies with the Sri Lankan Data Protection regulations and further certifies that it adheres to:
(i) Lawfulness, fairness and transparency,
(ii) Purpose limitation,
(iii) Data minimization,
(v) Storage limitation,
(vi) Integrity and confidentiality (security), and
As regards any Personal Data, CSS is fully committed to implementing the rights for individuals under the Sri Lankan Data Protection Regulations as a "Data Processor" or as a "Data Collector", as the case may be, and complies with the Sri Lankan Data Protection Regulations from time to time.
"Personal Data" is information that can be used to identify you. Such information might include your name, social security number, mailing address, email address, telephone number, company, title, username and password. Personal Data does not include data that is de-identified, anonymous or publicly available.
"Sensitive Personal Data" is Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or sexual orientation.
"Data Controller" is a person who determines the purposes for which, and the manner in which, any Personal Data are, or are to be, processed.
"Data Processor" is any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.
Principle 1 – Data shall be processed fairly and lawfully and in particular shall not be processed unless specific conditions are met.
Principle 2 – Data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose.
Principle 3 – Data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Principle 4 – Data shall be accurate and, where relevant, kept up to date.
Principle 5 – Data shall not be kept longer than is necessary for that purpose.
Principle 6 – Data shall be processed in accordance with the rights of the data subjects under applicable data protection legislation (e.g. right of access to personal information).
Principle 7 – Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Principle 8 – Data shall not be transferred to a country, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
CSS may act as a Data Processor or a Data Controller. Generally, Data Controllers have a higher degree of responsibility than Data Processors. A Data Controller remains fully responsible for its actions and the security of the Personal Data and is subject to all the requirements of the data protection legislation. A Data Controller is also responsible for Data that is transferred to the Data Processor that processes the Personal Data. CSS shall comply with relevant Sri Lankan Data Protection Regulations as a "Data Processor" or as a "Data Controller", as the case may be, from time to time.
CSS discloses Personal Data to third parties who reasonably need to know such Personal Data in connection with a contracted task or CSS business purpose, e.g., processing of benefits/payroll through third-party providers or credit/background checking. Such third parties contractually agree to similar protection of your Personal Data and limitation on the use of your Personal Data as CSS provides.
Roles and responsibilities - Each member of CSS’s management bears the ultimate responsibility for management of data protection within the business. Specifically, the management would ensure that sound governance arrangements are in place to manage, monitor and control data protection issues. All members of the management are responsible for ensuring compliance with this Policy within their area of accountability.
All employees have a responsibility to treat all personal data in an appropriate manner, in accordance with this Policy and associated guidelines and processes. Employees are required to complete training and awareness on policies, procedures and internal controls and ensure they understand their responsibilities in relation to the use of personal data.
The Privacy Officer is the appointed Data Protection Officer and is responsible for ensuring appropriate controls are in place to minimize the risk of a breach.
Review ownership and regularity - This policy will be reviewed at least annually. Any proposed variations or amendments to this Policy must be approved by the Directors of CSS.
Non-adherence with this Policy - Non-adherence with this Policy will be dealt with through the normal company disciplinary procedures.
CSS has reasonable and appropriate measures in place to protect against the loss, misuse and unauthorized access, disclosure, alteration, and destruction of Personal Data.
CSS employs various physical, administrative, and technical measures to maintain the confidentiality and security of Personal Data and other confidential information, including by (i) educating and training CSS Personnel and keeping CSS Personnel up-to-date on its security and privacy practices, (ii) keeping such information in its offices and storing such information on its servers in a secure environment, with appropriate security measures, and (iii) only granting access to such information to individuals who need the information to perform a specific, authorized task.
You may request to opt out from CSS’s use of your Personal Data that you previously provided to CSS. CSS will comply with such requests unless CSS has a legitimate business purpose for continuing to use such Personal Data.
To protect your privacy and security, CSS will take reasonable steps to verify your identity before granting access to your Personal Data. In addition, CSS may limit or deny access to Personal Data, including, without limitation, where providing such access would be burdensome or expensive or where such information is legally privileged.
CSS’s website is not intended for use by children. CSS does not knowingly solicit or collect Personal Data from children under the age of 18. If you are under the age of 18, you must obtain the consent of your parent or guardian to use CSS’s website. CSS encourages parents and guardians to take an active role in their children’s online activities and interests.
CSS’s website may contain links to other websites. CSS is not responsible for the content or privacy practices of such other websites. You are required to be aware when you leave CSS’s website and read the privacy policies of other websites that may collect your Personal Data.