We are committed to protecting the privacy and security of your personal data. This Privacy Notice explains how we collect, process, disclose, and protect your personal data when you use our services, visit our branches, or interact with our website and digital platforms. We are committed to complying with the Personal Data Protection Act, No. 09 of 2022 (PDPA) of Sri Lanka and other applicable laws and regulations.
As part of our regular banking operations, we collect your personal data to facilitate service delivery, ensure legal and regulatory compliance, prevent fraud, and enhance your overall banking experience.
We may collect various types of personal data from you, including but not limited to:
Identification Data: Information that allows us to identify/contact you. For example, Name, National Identity Card (NIC) number, passport number, date of birth, gender, nationality, photographs, signatures and surveillance recordings.
Contact Information: Information that allows us to address you. For example, address, email address, telephone number, and mobile number.
Financial Data: Your financial information. For example, bank account details, transaction history, credit and debit card information, income details, cheque returns, financial statements and Credit Information Bureau (CRIB) information.
Transactional Data: Details about deposits made, payments to and from you and other details of products and services you have purchased from us.
Technical Data: Internet Protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website and digital platforms.
Usage Data: Information about how you use our website, digital platforms, products, and services.
Marketing and Communications Data: Your preferences in receiving marketing materials from us and connected third parties.
At times, we may need to collect certain sensitive personal data about you. We do so only when it is necessary and either with your explicit consent or as permitted by law. This type of data, often referred to as special categories of personal data, may include information such as:
Biometric Data: Information that can identify you physically. For example, facial recognition, dactyloscopy data, voice recognition.
Health Data: Information relating to your health. For example, disability data to provide special access, or medical records for premature upliftment or closure of accounts.
Child Data: Any personal data relating to a child (age below 16).
We collect personal data through various methods, including but not limited to:
Direct Interactions: When you apply for our products or services, open an account, make transactions, fill out forms, or communicate with us in person, by post, phone, email, or through our digital channels.
Automated Technologies or Interactions: As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions, and patterns. We collect this personal data by using cookies, server logs, and other similar technologies.
Third Parties or Publicly Available Sources: We may receive personal data about you from various third parties and public sources, such as credit reference agencies, fraud prevention agencies, and publicly available domains.
We process your personal data for the following purposes:
To Provide Services: To process your applications, manage your accounts, execute transactions, implement security measures and provide you with banking products and services.
Customer Relationship Management: To manage our relationship with you, including notifying you about changes to our terms or privacy policy, and carrying out promotional activities and surveys with opt-in and opt-out options.
Marketing and Promotions: To send you marketing communications about our products and services that may be of interest to you, where you have consented to receive such communications. You can opt out at any time.
Security and Fraud Prevention: To protect our systems, detect and prevent fraud, money laundering, and other criminal activities.
Compliance and Regulatory Obligations: To comply with legal and regulatory requirements, including those related to Anti Money Laundering (AML) and Know Your Customer (KYC) obligations.
Internal Operations: Instances such as disseminating loan recovery reminders, internal record keeping, data analysis, research, statistical purposes, and to improve our products, services, and website.
We may share your personal data with:
Our Group of Companies: For internal reporting, analysis, and to provide you with integrated services.
Third-Party Service Providers: Parties that provide services such as IT support, marketing, insurance, debt collection and professional advisory services. These providers are obligated to protect your data and use it only for the purposes for which we disclose it to them.
Regulatory and Law Enforcement Bodies: When required by law or to comply with a legal obligation, court order or regulatory requests.
Credit Reference Agencies and Fraud Prevention Agencies: We share data with CRIB to assess your creditworthiness and prevent fraud.
Other parties: In the ordinary course of banking business that falls under lawful processing.
We ensure that all parties with whom we share your personal data respect the security of your personal data and treat it in accordance with the law. We strictly instruct our third-party service providers to process your personal data only for specified purposes and in accordance with our instructions.
We have taken extensive measures to implement appropriate technical and organizational security controls to protect your personal data from loss, unauthorized access, misuse, alteration, or unauthorized disclosure. Additionally, access to your personal data is restricted to employees, agents, contractors, and third parties who require it for legitimate business purposes. They are obligated to process your personal data strictly in accordance with our instructions and are bound by confidentiality and contractual obligations to comply with the Personal Data Protection Act and other relevant laws.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We will only retain your personal data to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal & regulatory, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Under the Personal Data Protection Act, No. 09 of 2022, you have certain rights regarding your personal data. These rights include:
Right to Access: Request access to your personal data.
Right to Rectification: Request correction of the personal data that we hold about you.
Right to Erasure: Request erasure of your personal data.
Right to Object to Processing: Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
Right to Restriction of Processing: Request restriction of processing of your personal data.
Right to Data Portability: Request the transfer of your personal data to you or to a third party.
Right to Withdraw Consent: Withdraw consent at any time where we are relying on consent to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent.
We will respond to requests to exercise your personal data rights in line with applicable laws. We may ask you to verify your identity before processing your request. If you have any questions about your rights, please contact us using the details below.
We may update this Privacy Notice from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any significant changes by posting the new Privacy Notice on our website and updating the "Last Updated" date.
If you have any questions about this Privacy Notice or our data protection practices, please contact our Data Protection Officer at:
Commercial Bank of Ceylon PLC
No 21, Sir Razik Fareed Mawatha
P.O Box 856, Colombo 01, Sri Lanka
Email: dpo@combank.net
Contact No: +94 11 235 3353
Date: 29.09.2025