Privacy Policy

Home / Privacy Policy

Privacy Policy

1. Introduction 

We, at the American Chamber of Commerce in Sri Lanka (“we”, “us”, “our” and  “AmCham”, which terms as hereinafter used shall mean and refer to the American  Chamber of Commerce in Sri Lanka), are committed to respecting the privacy of all of  those who interact with us. 

The following policy therefore outlines how we collect, use, share and otherwise process  Personal Data (as hereinafter defined) and includes information on the categories of  Personal Data collected by us, the purposes for which it is processed and shared, as well as  the rights available to you in your capacity as a “data subject” in respect of your Personal  Data. This policy does not, however, apply or extend to our employees (whether current or  prospective – including any job applicants), whose respective rights and terms of processing  are dealt with elsewhere. 

2. What Personal Data do we collect? 

The term and expression “Personal Data”, for these purposes, may broadly be defined as  information that relates to and can identify a particular natural person. 

We collect and process a variety of Personal Data about you based on the nature, duration  and extent of your interaction with us, as well as the services offered to you by AmCham.  This may include categories of Personal Data such as your: 

  • personal details – including, for example, your full name, date of birth, citizenship details, signature, photograph and status of residency; 
  • contact details – including, for example, your contact number (fixed line and mobile  number), email address, permanent address and correspondence address; 
  • state issued identification details – including, for example, your national identity card  number and passport number; 
  • basic employment details – including, for example, your designation, status of employment, name and contact details of your employer and your work contact details; 
  • online presence – including, for example, the duration and frequency of your visits to  our website, website interaction information, and IP address: 

provided, further, that we shall inform you as and where required by applicable law where,  and to the extent, that we process any other categories of Personal Data relating to you.

Any processing of Personal Data that is deemed to be a “special category of Personal Data”  by applicable law, will be processed in accordance with the conditions for lawful  processing stipulated by applicable law (in particular, the Personal Data Protection Act,  No. 09 of 2022 or the “PDPA”). Please note however that this remains subject to the data  subject rights available to you under Section 8 below. 

3. How do we collect your Personal Data? 

As you interact with us, we may collect your Personal Data in a number of different ways,  including from the following sources: 

  • Directly from you – such as when you apply for membership with AmCham, register  for our workshops and forums, or interact with us via telephone, email or our website. 
  • Online – including through our website and other online platform(s), which, like most  other websites, use cookies and other technology to gather details about your interaction  with such websites and platforms. 
  • Other third parties – such as, through third party service providers that assist us in  the facilitation of events. 

4. How do we process your Personal Data? 

We generally collect and process your Personal Data for one or more of the lawful bases  provided by the Personal Data Protection Act No. 9 of 2022, such as; with your consent,  for the performance of contractual obligations, to carry out legal obligations required by  applicable law, to pursue our legitimate interest related to serving you, where Personal Data  has been manifestly public, to defend any legal claim or for statistical purposes. At  AmCham, the processing of Personal Data would include, but may not be limited to, the  following: 

  • to effectively provide you with our services, which include notifying you of events,  workshops, annual and extraordinary general meetings, financial statements,  newsletters, information regarding the membership directory and membership payment  reminders, as well as providing efficient customer support, account management,  processing of payments and issuing general updates; 
  • to pursue our professional relationship with you, to keep you informed and updated  about our workshops, forums and events; 
  • to facilitate networking and connections between AmCham members; 
  • to document and promote AmCham’s activities by using photographs taken at events  for inclusion in the membership directory, newsletters and on official communication  channels such as our website and social media platforms;
  • to comply with legal and statutory obligations, protect and enforce our rights, or  respond to requests for information issued by government or statutory authorities; and 
  • for our own internal purposes, such as for monitoring, analysing and evaluating the participation of our services and for maintaining internal records. 

We may also anonymize, tokenize and / or aggregate Personal Data in a manner where you  may no longer be personally identifiable. In such instances, you acknowledge and agree  that that AmCham would be entitled to utilize such non-Personal Data for any lawful  purpose without further notice to you. 

5. For how long do we retain your Personal Data? 

As a general policy, we process your Personal Data for as long as it may be required to: make our services available to you; 

  • comply with applicable legal and statutory obligations and information requests; and /  and / or 
  • fulfil the legitimate business purposes for which such Personal Data was collected, as  described in Part 4 of this Policy. 

Once your relationship or engagement with us has ended, we may still retain your  information in our systems and records for a period of up to two (02) years, to, for example,  ensure the adequate fulfilment of any surviving provisions in a terminated / expired contract  or to comply with any record keeping obligation(s) imposed on us under applicable law. 

Information collected in connection with AmCham events, workshops or similar activities  will be retained for such period as may be necessary to fulfil the purposes for which it was  collected, or as otherwise required under applicable law. 

Furthermore, if, at any instance, your Personal Data has been collected solely on the basis  of your consent and not in accordance with any other lawful basis of processing as  recognized by applicable law, then such Personal Data shall be retained until the purpose  for which it was processed is fulfilled, or until you revoke the consent previously granted  to us – whichever may occur first. 

6. To whom may we disclose your Personal Data? 

For the fulfilment of the purposes set out in Part 4 above and in relying on the lawful bases  for processing as permitted by applicable law, we may disclose and / or transfer your  Personal Data to the following categories of third parties: 

  • Authorized agents and representatives – where you have designated an authorised  agent or representative to act on your behalf, we may disclose certain specified personal  information to such authorised representatives, to the extent permitted and subject to  the limitations prescribed by applicable law. 
  • Service providers and partner entities – to the extent necessary to facilitate, deliver  and / or improve our services or other interactions with you, we may disclose your  Personal Data to third-party service providers and business partners – including, but not  limited to, information technology service providers and payment processors. 
  • Third parties for legal, security or safety purposes – we may disclose your Personal  Data to professional advisors, law enforcement authorities and / or other government  agencies and state instrumentalities to comply with legal and statutory requirements, to  enforce and defend our legal and equitable rights, to protect the rights, property and  safety of our customers and associated third parties, to carry out tasks in the public  interest as well as pursue our legitimate interests as permitted by applicable law. 
  • Other third parties with your consent – in situations not covered by the above  categories of personnel, we will seek your consent prior to disclosing your Personal  Data to third parties. 

We may also transfer your Personal Data to entities located outside Sri Lanka for the  purposes outlined in this Policy – where the Personal Data protection laws are likely to  differ to that of Sri Lanka. In such instances, we will ensure that such cross-border transfers  are in accordance with and subject to the limitations imposed by the PDPA, the directions  or orders of the Data Protection Authority of Sri Lanka and any other applicable law. 

7. Security 

We take reasonable effort to monitor and update our security standards in relation to your  Personal Data, by implementing appropriate and commercially acceptable contractual,  technical and organizational measures to help prevent the loss, misuse of and unauthorized  access to your Personal Data. 

Despite our best efforts, however – we cannot guarantee the absolute security of such  Personal Data, given that no means of data transmission or storage is 100% secure.  Furthermore, when you access a link to a third-party site – whether accessible on or through  our website or other platforms, you acknowledge that you will be leaving our website and,  accordingly, that we cannot control, endorse or be held responsible for the security of any  such third-party website. 

8. Your rights 

As a data subject, you are vested with certain rightsin respect of your Personal Data,subject  to the specifications and restrictions imposed by applicable law. Such rights include:

  • The right to request access to your Personal Data – this enables you to request a  copy of your Personal Data processed by us. 
  • The right to request the rectification of your Personal Data – this enables you to  request us to correct and / or complete any Personal Data that we hold in relation to you  which may be demonstrably inaccurate and / or incomplete. 
  • The right to request the erasure of your Personal Data – this enables you to request  us to delete or remove your Personal Data, subject to our rights as permitted by the  PDPA. 
  • The right to withdraw consent – where and to the extent certain Personal Data is  processed solely on the basis of your consent, you have the right to withdraw your  consent – provided, however, that no such withdrawal shall affect the legality of any  processing prior to such withdrawal. For example, this includes the right to withdraw  consent for the use of your photographs in our promotional materials and / or member  directories. 
  • The right to object to further processing – where and to the extent certain Personal  Data is processed on the grounds of public interest or in the exercise of our legitimate  interest, as provided for by the PDPA, you may request us to refrain from further  processing your Personal Data. However, where such Personal Data is fundamental and  indispensable to the provision of our services, we may not be able to offer some of our  services to you thereafter. 
  • The right to review an automated decision – in the limited circumstances that a  decision has been arrived at solely on the basis of automated processing, this enables  you to request us to review such decision – subject to the conditions prescribed by the  PDPA. 

In exercising such rights, you must however ensure that your requests: are communicated in writing and addressed to Shiranthi@amcham.lk; set out the nature of the request and the respective right being exercised by you; and 

  • fairly and reasonably identify the Personal Data in respect of which you wish to exercise  such right. 

We will respond to all data subject requests within the time frame(s) prescribed by  applicable law. In doing so, we reserve the right to request and require you to provide  additional information where, and to the extent, such information is necessary to process  your request (for e.g., where you have failed or neglected to reasonably identify the  Personal Data to which your request relates). We also reserve the right to decline processing  any requests from you that are manifestly unfounded or fraudulent or on other grounds of  refusal provided and permitted by applicable law.

You also have a right to appeal. Should you be dissatisfied against a decision made by  us in relation to your aforesaid rights, you may choose to file an appeal against our decision,  under applicable law, through the appeal process available with the Data Protection  Authority. 

9. Contact us 

AmCham Sri Lanka, located at #1 Lower Lobby, Cinnamon Lakeside Colombo, No. 115,  Sri Chittampalam A Gardiner Mawatha, Colombo 00200, Sri Lanka, is the company  responsible for the collection, use, and disclosure of your personal data under this  Statement. 

If you have questions regarding this Statement or our handling of Personal Data in Sri  Lanka, please contact us by email at: 

Attention: Shiranthi Wijesuriya  

Email address: Shiranthi@amcham.lk 

10. Changes to the Policy 

We may update and revise this policy in accordance with the rapidly changing commercial,  legal, regulatory and technological landscape. For such reason, we encourage you to visit  our website and this Policy to ensure that you are aware of and updated on the manner and  extent to which your Personal Data is processed by us. 

This policy is effective from the 3rd of February 2026