This Privacy Policy governs the collection, use, disclosure, transfer, retention, storage and protection of Personal Data by Sudath Perera Associates (hereinafter referred to as “We,” “Us,” “Our,” or “SPA”). This policy applies to all individuals and entities (“you,” “your”) who access our website, www.sudathpereraassociates.com (the “Website”), or who share Information with us including clients and staff members.
For the avoidance of doubt, this Privacy Policy forms part of the Terms of Use of this Website and should be read in conjunction with such Terms of Use.
At SPA, we value your privacy and are dedicated to ensuring the protection and responsible handling of your Personal Data in compliance with all applicable laws.
Definitions
For the purposes of this Privacy Policy:
“Consent”- means, any freely given, specific, informed and unambiguous indication by way of a written declaration or an affirmative action signifying your agreement to the processing of your Personal Data.
“PDPA”- means the Personal Data Protection Act, No. 09 of 2022 of Sri Lanka.
“Processing”- means, any operation performed on Personal Data including but not limited to collection, storage, preservation, alteration, retrieval, disclosure, transmission, making available, erasure, destruction of, consultation, alignment, combination, or the carrying out of logical or arithmetical operations on Personal data.
“Personal Data”- means, any information that can identify you directly or indirectly, by reference to-
- An identifier such as a name, an identification number, financial data, location data or an online identifier; or
- One or more factors specific to the physical, physiological, economic, cultural or social identity of that individual or natural person.
“Special categories”- means, the Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, the processing of genetic data, biometric data or the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, Personal Data relating to offences, criminal proceedings and convictions, or Personal Data relating to a child.
Other defined terms used herein shall have the meanings attributed to such terms within this Privacy Policy or, in the absence thereof, in the PDPA.
Personal Data collected by SPA
The Personal Data we collect may include (but is not limited to) the following:
- your name, gender and contact particulars, including contact number(s), residential/mailing address(es), and e-mail address(es);
- information from your identification documents, such as NIC, passport numbers, and driving license numbers, as well as details of any relevant visas and permits, including employment passes, student passes, work permits, permanent residency status, and biometric data;
- financial information, which includes details about bank accounts, salaries and bonuses, and retainer fees;
- professional background information, including your employment and training history, as well as your academic and professional qualifications and certifications;
- name and contact details of an individual’s next-of-kin;
- information collected during your use of the Website, including device identifiers, IP addresses, web browser types, page views, operating systems, and data regarding the timing, frequency, and patterns of your visits. This may also include details on how you navigate through the Website and interactions with various features;
- Special Categories of Personal Data which may include information about your health, race, ethnicity, religious beliefs or criminal records;
- legal and compliance information which may include data related to legal matters, including case details, legal documents, and any other information necessary for the provision of legal services;
- information we receive from third parties, such as public records, and social media platforms; and,
- any other information that may be construed as ‘personal data’, in terms of the PDPA, that is collected through our interactions and operations.
How SPA collects your Personal Data
We may collect your Personal Data through various channels, depending on the nature of your interactions with us. This includes, but is not limited to, the following methods:
- Personal Data that you provide directly to us when you engage our legal or other professional services, fill out forms, contact us, or otherwise communicate with us, whether through our Website, email, written correspondence, telephone or in person;
- Personal Data automatically collected when you visit our Website, through cookies, web beacons, and similar technology;
- when SPA receives your Personal Data through referrals or references from its business partners or other third parties (including other law firms or professional services providers);
- Personal Data we receive when you participate in or attend any events hosted or organized, individually or jointly, by SPA;
- Personal Data we obtain through third parties, such as public records, social media platforms, or other service providers, where you have made that information available, or where it is provided to us in the course of our legal services;
- Personal Data collected in the course of providing legal services which may include Personal Data from documents, communications, and other sources relevant to your case or matter. This includes data shared with us by other parties involved in your legal matters;
- when we communicate with other legal entities, government bodies, or third-party service providers in relation to your case or legal matter;
- when you provide us with your Personal Data as part of an employment application process or in connection with the provision of any goods or services; and
- when you submit your Personal Data to SPA for any other purpose related to or in connection with SPA’s business operations.
How SPA Processes your Personal Data
We will Process Personal Data only to the extent necessary and proportionate to achieve the specific purposes set out below:
- for the provision of legal or other professional services which includes providing you with legal advice, company secretarial services, representing you in legal proceedings, preparing legal documents and carrying out all related activities as instructed by you;
- client relationship management which includes communication, billing, and providing updates on your legal matters;
- for compliance with legal, regulatory, and professional obligations, conflicts checks and other compliance related activities;
- to support SPA’s internal operations, including audits and data analysis;
- to ensure the security of our Website, premises, and information systems, including monitoring and preventing fraud, unauthorized access, or any other malicious activity;
- to manage relationships with our employees, consultants and vendors, including recruitment and contract management; and
- to pursue other ‘Legitimate Interests’ (as defined below).
Legal Basis for Processing Personal Data
In accordance with the PDPA we rely on the following grounds for Processing your Personal Data:
- you have given Consent to the Processing of your Personal Data; or
- the Processing is necessary to fulfill a contract to which you are a party or to take preparatory steps at your express or implied request before entering into a contract; or
- the Processing is necessary to address an emergency that poses a threat to the life, health, or safety of you or another individual; or
- the Processing is necessary to comply with a legal obligation to which SPA is subject under applicable laws; or
- the Processing is necessary to perform a task carried out in the public interest or to exercise powers, functions, or duties assigned to SPA under any applicable laws, including government-issued circulars, directives, or codes; or
- Processing is necessary to achieve the ‘Legitimate Interests’ of SPA or a third party, unless overridden under applicable law by the interests of a data subject which require protection of personal data (in particular if the data subject is a child).
As per Schedule I of the PDPA, “Legitimate Interest” includes-
- Processing in scenarios where you are a client or providing services to SPA;
- where you can be deemed to reasonably expect, at the time of and in the context of the data collection, that your Personal Data may be Processed for that purpose;
- where Processing of your Personal Data is strictly necessary for the purpose of preventing fraud; and
- Processing of Personal Data to the extent that is strictly necessary and proportionate for the purposes of ensuring network and information security.
Although your express Consent is a primary basis for Processing your Personal Data, there are situations where we may lawfully Process your Personal Data without obtaining such consent. This includes situations where Processing is necessary to comply with legal obligations, fulfill contractual requirements, or pursue Legitimate Interests as detailed above.
Please also note that even if you withdraw your Consent, it may still be lawful for us to continue Processing your Personal Data where one or more of the other legal grounds applies.
How SPA protects your Personal Data
At SPA, we are committed to upholding your rights and ensuring the integrity and confidentiality of your Personal Data by implementing a variety of physical, electronic, and managerial measures to protect your Data from unauthorized access, disclosure, or destruction. These measures include:
- providing education and training to relevant staff to ensure they understand our privacy obligations when handling Personal Data;
- applying administrative and technical controls to restrict access to Personal Data on a need-to-know basis;
- using technological security measures such as firewalls, encryption, and antivirus software;
- implementing physical security measures, including staff security passes, to control access to our premises; and,
- limiting the collection and retention of Personal Data to what is necessary and proportionate for fulfilling the purposes outlined in this Privacy Policy.
While we implement reasonable security measures to protect your Personal Data, no method of internet transmission or electronic storage is completely secure. As such, we cannot guarantee the absolute security of data sent to or from us over the internet. In particular, by providing us your Personal Data, you acknowledge that you understand and accept these risks.
Sharing your Personal Data
We may disclose or share the Personal Data we collect under the following circumstances:
- Disclosure to the personnel within SPA.
Access to your Personal Data will be restricted to those individuals within SPA who need it to fulfill the purposes outlined in this Privacy Policy. This access is granted on a need-to-know basis, and all personnel are required to handle your Personal Data with confidentiality and in compliance with our security protocols.
- Disclosures to third parties.
We may share your Personal Data with third parties (wheresoever located) only under specific circumstances and for purposes that align with this Privacy Policy. This may include, but is not limited to, our affiliated company or other persons connected with the provision of legal or other professional services to you (including transactional or dispute counterparties and/or their advisers and representatives), IT service providers, data storage providers, data processors, and payment processors.
- Mandatory disclosures.
We may disclose information if required by law or if necessary to comply with a court order, judicial or governmental warrant, or to cooperate with law enforcement or other government agencies. This disclosure may occur to fulfill legal obligations, respond to legal processes, or support investigations and enforcement actions as mandated by relevant authorities.
- Transferring Personal Data outside Sri Lanka.
Personal Data in our possession may also be transferred to other countries for any of the purposes described in this Privacy Policy. You and they understand and accept that these countries may have differing (and potentially less stringent) laws relating to the degree of confidentiality afforded to the information they hold and that such information can become subject to the laws and disclosure requirements of such countries, including disclosure to governmental bodies, courts, regulatory agencies and private persons, as a result of applicable governmental or regulatory inquiry, court order or other similar process. In addition, a number of countries have agreements with other countries providing for exchange of information for law enforcement, tax and other purposes. When we, or our permitted third parties, transfer information outside Sri Lanka, we or they will impose contractual obligations on the recipients of that data to protect such information to the standard required under Sri Lankan law. We or they may require the recipient of the relevant Personal Data to subscribe to international frameworks intended to enable secure data sharing. In the case of transfer by us, we may also transfer your Personal Data where the transfer is otherwise permitted by applicable data protection legislation in Sri Lanka.
Cookies and tracking technology
Our website uses cookies and similar technology to improve your experience, analyze usage, and manage site performance. Cookies are small data files placed on your device to help recognize your device, remember your preferences, and improve the functionality and performance of our website.
The types of cookies we use are set out below:
- Strictly Necessary Cookies: These are essential for the website’s core functions, such as secure access and site navigation. Without these cookies, certain features of the site may not operate correctly.
- Performance Cookies: These cookies gather data on how you interact with our site, such as which pages are frequently visited. This information helps us enhance site performance and user experience.
- Functionality Cookies: These cookies remember your preferences and settings, such as language or login details, to offer a more customized browsing experience.
Managing cookies
You can control and manage cookies through your browser settings. Most browsers allow you to refuse cookies or to delete cookies that have already been set. However, please note that disabling cookies may affect your ability to use certain features of our Website. On our Website, a notification banner will appear, giving you the option to manage your consent for cookies.
From time to time, our webpages may include third-party tools and widgets to offer additional functionality. Depending on your browser settings or preferences set through the cookie banner, these tools or widgets might place cookies on your device to enhance their usability and ensure proper display of interactions on our site. Cookies do not provide us with your email address or personally identify you. In our analytical reports, we may collect identifiers such as IP addresses, but this data is used solely to determine the number of unique visitors to our site, not to identify individual users.
Your Rights and Choices
Under the PDPA, you have certain rights regarding your Personal Data such as:
- Right to request access – You have the right to request access to the Personal Data we hold about you, including information on how your data is being used;
- Right of withdrawal – You have the right to withdraw your Consent at any time by submitting a written request. Please note that withdrawing your consent will not affect the legality of any Processing that occurred before the withdrawal or our rights under applicable laws to Process such Personal Data without Consent.
- Right to request rectification or completion – If you believe that the Personal Data we hold about you is inaccurate or incomplete, you have the right to request that it be corrected or updated; and,
- Right to request erasure – You have the right to request the deletion of your Personal Data in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected, or if you withdraw your Consent (and there is no other legal basis for the continuation of such Processing).
- Right to refrain from further Processing- You have the right to request that we refrain from further processing your personal data if such processing is based on the grounds specified in items (e) or (f) of Schedule I or item (f) of Schedule II of the PDPA.
- Right to review a decision based solely on automated processing- You have the right to request a review of any decision made by us solely through automated processing, particularly if it has a significant or continuous impact on your rights or freedoms.
- Right of appeal- If we refuse to act on your request regarding access, rectification or erasure, you have the right to appeal to the Data Protection Authority of Sri Lanka.
SPA will take reasonable steps to ensure that the personal data we process is accurate and up to date. However, we will not be liable for any issues arising from our services if the Personal Data you provide is incomplete, inaccurate, or if you do not inform us of any relevant changes to your Personal Data in a timely and appropriate manner.
Data Retention
We retain your Personal Data only for so long as it is reasonably necessary to fulfill the purposes outlined in this Privacy Policy or as required by law. We will securely delete, anonymize or pseudonymize your data once it is no longer required for the purpose it was collected or to comply with our responsibilities under applicable law.
Links to other websites
This Website may contain links to third-party websites that are not owned or controlled by us. We are not responsible for the privacy practices, content, or activities of these third-party sites. This Privacy Policy does not apply to, and we cannot control, the activities of such third parties. By accessing or using third-party links, you acknowledge and agree that we are not liable for any loss or damage arising from your use of such third-party sites.
Changes to this Privacy Policy
SPA reserves the right to modify or update this Privacy Policy at any time, without prior notice. Any changes to this Privacy Policy will be effective immediately upon posting on our Website.
In the event of a significant change that materially impacts your rights or obligations, we will make reasonable efforts to notify you of such changes. In cases where these changes require your renewed Consent, we may request that you review and accept the updated terms.
Governing Law and Jurisdiction
This Privacy Policy and any dispute or claims arising out of or in connection with them shall be governed by and construed in accordance with the laws of the Democratic Socialist Republic of Sri Lanka.
Any legal action or proceeding arising out of or related to this Privacy Policy shall be brought exclusively in the courts of Sri Lanka. By agreeing to this Privacy Policy, you consent to the jurisdiction of, and venue in, such courts and waive any objections to such jurisdiction or venue.
Data Protection Officer
SPA has appointed a Data Protection Officer (DPO) to oversee compliance with the PDPA and to address any concerns or questions you have regarding the Processing of your Personal Data.
If you have any questions, concerns, or requests related to your Personal Data, your rights, or this Privacy Policy, you may contact our DPO using the following details:
Name: The Data Protection Officer.
Email: dpo@sudathpereraassociates.com
© Sudath Perera Associates December 2024