Privacy Policy

Our Privacy Policy

Candor Shared Services (Pvt) Ltd (hereinafter "CSS") is committed to protecting the privacy of its clients, prospective clients, contractors, employees and business partners. This Privacy Policy sets forth the privacy principles Candor Shared Services follows with respect to Personal Data (as defined below) that CSS collects or processes.

Privacy Policy regulations and Data Protection Regulations

CSS, being a duly registered company in Sri Lanka, certifies that it complies with the Sri Lankan Data Protection regulations and further certifies that it adheres to:

(i) Lawfulness, fairness and transparency,

(ii) Purpose limitation,

(iii) Data minimization,

(iv) Accuracy,

(v) Storage limitation,

(vi) Integrity and confidentiality (security), and

(vii) Accountability.

As regards any Personal Data, CSS is fully committed to implementing the rights for individuals under the Sri Lankan Data Protection Regulations as a "Data Processor" or as a "Data Collector" as the case may be and complies with the Sri Lankan Data Protection Regulations from time to time.

1. Definitions

"Personal Data" is information that can be used to identify you. Such information might include your name, social security number, mailing address, email address, telephone number, company, title, username and password. Personal Data does not include data that is de-identified, anonymous or publicly available.
"Sensitive Personal Data" is Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or sexual orientation.
"Data Controller" is a person who determines the purposes for which, and the manner in which, any Personal Data are, or are to be, processed.
"Data Processor" is any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.

2. General Principles
CSS requires that all personal data is treated in an appropriate manner. This means that:
  • We are clear and open with individuals about how their information will be used
  • We only use information about individuals in line with their reasonable expectations
  • The information we hold about an individual is relevant and sufficient, but not excessive
  • We take reasonable steps to ensure that the information held is accurate and is kept up to date
  • We do not keep personal data for longer than is necessary
  • We respect an individual’s right of access to a copy of the information we hold about them, and their right to object or prevent our processing of information in certain circumstances
  • The disclosure is to another Candor Shared Services entity or to persons or entities providing services on Candor Shared Services or the individual’s behalf (each a "transferee"), consistent with the purpose for which the information was obtained, if the transferee, with respect to the information in question:
  • We keep all personal data secure
  • We do not transfer personal data to a country that does not have adequate data protection laws or processes in place.

It is therefore important that CSS complies with the following Data Protection Principles.

Principle 1 – Data shall be processed fairly and lawfully and in particular shall not be processed unless specific conditions are met.

Principle 2 – Data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose.

Principle 3 – Data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Principle 4 – Data shall be accurate and where relevant kept up to date.

Principle 5 – Data shall not be kept longer than is necessary for that purpose.

Principle 6 – Data shall be processed in accordance with the rights of the data subjects under applicable data protection legislation (e.g. right of access to personal information).

Principle 7 – Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Principle 8 – Data shall not be transferred to a country, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

CSS may act as a Data Processor or a Data Controller. Generally, Data Controllers have a higher degree of responsibility than Data Processors. A Data Controller remains fully responsible for its actions and the security of the Personal Data and is subject to all the requirements of the data protection legislation. A Data Controller is also responsible for Data that is transferred to the Data Processor that processes the Personal Data. CSS shall comply with relevant Sri Lankan Data Protection Regulations as a "Data Processor" or as a "Data Controller" as the case may be from time to time.

3. Disclosures of Information

CSS may share your Personal Data with and among its affiliated or related entities. These entities will use your Personal Data in accordance with this Privacy Policy.
CSS discloses Personal Data to third parties who reasonably need to know such Personal Data in connection with a contracted task or CSS business purpose, e.g., processing of benefits/payroll through third-party providers or credit/background checking. Such third parties contractually agree to similar protection of your Personal Data and limitation on the use of your Personal Data as CSS provides.
In addition, CSS may disclose your Personal Data in the following circumstances: (a) as required by law, legal process, litigation and/or requests from public or governmental authorities, including to meet national security or law enforcement requirements, (b) in the context of an audit or to investigate fraud, (c) when CSS believes in good faith that disclosure is necessary to protect CSS’s rights, protect your safety or the safety of others, enforce the Terms and Conditions of Use of CSS’s website or of this Privacy Policy, (d) to a relevant third party if CSS becomes involved in a merger, acquisition or sale of some or all of its assets, (e) operational needs related to CSS Personnel, such as the booking of a flight, hotel room, or insurance coverage, or (f) with your prior consent to do so.

4. Governance

Roles and responsibilities - Each member of CSS’s management bears the ultimate responsibility for management of data protection within the business. Specifically, the management would ensure that sound governance arrangements are in place to manage, monitor and control data protection issues. All members of the management are responsible for ensuring compliance with this Policy within their area of accountability.
All employees have a responsibility to treat all personal data in an appropriate manner, in accordance with this Policy and associated guidelines and processes. Employees are required to complete training and awareness on policies, procedures and internal controls and ensure they understand their responsibilities in relation to the use of personal data.
The Privacy Officer is the appointed Data Protection Officer and is responsible for ensuring appropriate controls are in place to minimize the risk of a breach.
Candor Shared Services periodically verifies the accuracy of the policy, implementation and its conformity. Candor Shared Services encourages interested persons to raise any concerns about its implementation of this Privacy Policy using the contact information below. Candor Shared Services will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with the principles contained in this Privacy Policy. CSS shall ensure that, when entering into a new business arrangement, the appropriate data protection clauses are included within contract documentation wherever relevant, including consideration of both the purposes for which CSS may wish to use data, and the controls over the use of data by our third party partners.
Review ownership and regularity - This policy will be reviewed at least annually. Any proposed variations or amendments to this Policy must be approved by the Directors of CSS.
Non-adherence with this Policy - Non-adherence with this Policy will be dealt with through the normal company disciplinary procedures.

5. Security

CSS has reasonable and appropriate measures in place to protect against the loss, misuse and unauthorized access, disclosure, alteration, and destruction of Personal Data.
CSS employs various physical, administrative, and technical measures to maintain the confidentiality and security of Personal Data and other confidential information, including by (i) educating and training CSS Personnel and keeping CSS Personnel up-to-date on its security and privacy practices, (ii) keeping such information in its offices and storing such information on its servers in a secure environment, with appropriate security measures, and (iii) only granting access to such information to individuals who need the information to perform a specific, authorized task.

6. Opting Out

You may request to opt out from CSS’s use of your Personal Data that you previously provided to CSS. CSS will comply with such requests unless CSS has a legitimate business purpose for continuing to use such Personal Data.

7. Access, Change or Delete Information

You may also contact CSS if you want to (i) review your Personal Data that has been collected and stored by CSS, (ii) request modification/correction of any Personal Data that is incorrect, or (iii) request removal/inactivation of Personal Data. Any resulting modification/correction or removal/inactivation of your Personal Data will not affect other information that CSS maintains or information that CSS has provided to third parties in accordance with this Privacy Policy before such update. CSS will use reasonable efforts to comply with such requests unless CSS has a legitimate business purpose for not doing so.
To protect your privacy and security, CSS will take reasonable steps to verify your identity before granting access to your Personal Data. In addition, CSS may limit or deny access to Personal Data, including, without limitation, where providing such access would be burdensome or expensive or where such information is legally privileged.

8. Children

CSS’s website is not intended for use by children. CSS does not knowingly solicit or collect Personal Data from children under the age of 18. If you are under the age of 18, you must obtain the consent of your parent or guardian to use CSS’s website. CSS encourages parents and guardians to take an active role in their children’s online activities and interests.

9. Changes to this Privacy Policy

CSS reserves the right, in its sole discretion, to make changes to this Privacy Policy, provided that such changes are not inconsistent with data protection and privacy laws/principles applicable to CSS. Changes become effective upon notice, which may occur by posting a revised Privacy Policy to CSS’s website, through email or other communication mediums. CSS encourages you to periodically review this Privacy Policy to be informed of any changes.

10. Links

CSS’s website may contain links to other websites. CSS is not responsible for the content or privacy practices of such other websites. You are required to be aware when you leave CSS’s website and read the privacy policies of other websites that may collect your Personal Data.

11. Contact Information

Questions regarding CSS’s Privacy Policy should be submitted through the contact channels listed below:

Candor Shared Services (Pvt) Ltd
Level 8, South Wing
Millennium House
46/58, Nawam Mawatha
Colombo 2, Sri Lanka.
Telephone: +94 11 2359100