Privacy policy

Exhibit A — Data Processing Addendum (DPA)

Lia – End User License Agreement

1 Background

1.1 This Data Processing Addendum (DPA) is intended to form part of the End User License Agreement made between CodeGen International (Private) Limited (CGSL) and Bank of Ceylon dated 25.11.2024 (the Main Agreement), in relation to the purchase by the Customer of licences to and for CGSL’s proprietary software “Lia” (identified collectively in this DPA as the Software), as well as development, support, training and other associated services from CGSL (identified collectively in this DPA as the Services).

1.2 In providing the Software and Services to the Customer under the Main Agreement, CGSL may process Customer Data which includes Personal Data, relating to Data Subjects, on behalf of the Customer; this DPA represents the parties’ agreement with regard to the processing of such Personal Data by CGSL and contains the mandatory clauses required under the SLPDPA (as defined below).

2 Incorporation & Amendment of the Main Agreement

2.1 The parties to this DPA agree that the provisions of this DPA will govern the processing of Personal Data under the Main Agreement and this DPA is incorporated into and subject to the terms of the Main Agreement. This DPA will be read and construed as one document together with the Main Agreement.

2.2 Each party further agrees that it will not unreasonably withhold, delay or condition its agreement to any change requested by the other and needed to ensure that either party, Software, or Service can comply with the Data Protection Legislation.

2.3 In the event of any conflict or inconsistency between any of the provisions of this DPA and the provisions of the Main Agreement, the provisions of this DPA will prevail.

3 Definitions & Roles

3.1 Terms specifically defined in this section 3 will have the meanings ascribed to them in this section; terms not specifically defined but capitalised in this DPA will have the meaning ascribed to them in the Main Agreement.

3.2 In this DPA:

Customer
Means Bank of Ceylon; may also be referred to as Client in the Main Agreement and any other related documents including but not limited to the non-disclosure agreement, order form/s etc.
Customer Data
Means all data of Customer submitted by the Customer to the Software, or on its behalf to CGSL, and any such data created as a result of processing such data.
Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing
Have the meanings given to them in the Data Protection Legislation.
Data Protection Legislation
Means, to the extent the SLPDPA applies, the law of Sri Lanka to which CGSL or the Customer is subject, which relates to the protection of Personal Data.
Data Subject Request
Means a request from a Data Subject in relation to that Data Subject’s Personal Data, whereby the Data Subject wishes to exercise any or all rights under applicable Data Protection Legislation.
SLPDPA
Means the Sri Lanka Personal Data Protection Act No. 9 of 2022 passed in the Parliament of Sri Lanka and certified by the Speaker on 19th March 2022.
Sub-Processor
Means any Processor (including any associate company or subsidiary of CGSL, if applicable) appointed by CGSL or any other associate companies.
Supervisory Authority
Means, as the case may be, an independent public authority established pursuant to Data Protection Legislation.

Roles

3.3 The parties both acknowledge and agree that, with regard to the processing of Personal Data:

3.3.1 The Customer is the Data Controller;

3.3.2 CGSL is the Data Processor; and

3.3.3 CGSL will or may engage further Sub-Processors in accordance with the requirements of section 7.

4 Customer (Data Controller) Responsibilities

4.1 In its use of the Software and receipt of the Services:

4.1.1 the Customer will Process Personal Data in accordance with the requirements of the Data Protection Legislation;

4.1.2 all instructions given by the Customer to CGSL for the processing of the Personal Data will at all times be in accordance with the Data Protection Legislation; and

4.1.3 all Personal Data sourced by the Customer, including any sensitive or special categories of Personal Data, prior to such data being submitted or uploaded to the Software, or provided to or made accessible by CGSL for the performance of the Services, will comply in all respects with the Data Protection Legislation, including but not limited to its collection, storage and processing, as well as provision by the Customer of all the required fair processing information to, and obtaining all necessary consents from, Data Subjects. The Customer will have sole responsibility for the accuracy, quality and legality of Personal Data and the means by which the Customer acquired Personal Data.

4.2 Personal Data may not, without the prior written consent of CGSL, include any sensitive or special categories of data that will or may impose specific additional data security or data protection obligations on CGSL under the Data Protection Legislation.

5 CGSL (Data Processor) Obligations

5.1 CGSL will and will procure that CGSL will process Personal Data in accordance with the Data Protection Legislation requirements directly applicable to CGSL's provision of its Software and Services.

Processing

5.2 CGSL processes limited information in relation to Customer and certain members of Customer personnel, as necessary to: (a) determine the nature of the Services, (b) arrange for Services to be provided, (c) provide the Software and Services, and (d) invoice the Customer in accordance with the relevant provisions of the Main Agreement. CGSL will ensure that such Personal Data is processed in accordance with section 5.4.

5.3 The Customer acknowledges that CGSL Personnel may access, view or otherwise process Personal Data uploaded or submitted to the Software by the Customer, in the context of providing technical support. The Customer will, to the extent reasonably possible, not transfer or make available any Personal Data forming part of the Customer Data to CGSL and, where any such transfer or access cannot otherwise be avoided the Customer will, to the extent reasonably possible, furnish CGSL with an anonymised/pseudonymised and encrypted data set in order that CGSL can diagnose any Fault or provide any Service or, should this not be reasonably possible, then first seek and thereafter comply with CGSL instructions as to the method to be used for transmission of such Personal Data.

5.4 In the event that, notwithstanding the provisions of section 5.3, CGSL, or its or their Sub-Processors is or are exposed to Personal Data in the course of performing the Services and process Personal Data as a Data Processor (or Sub-Processor) on behalf of the Customer under this DPA, CGSL will at all times:

5.4.1 maintain the confidentiality of all Personal Data and will not disclose the Personal Data to third parties unless the Customer specifically authorises the disclosure, or as required by law;

5.4.2 only process Personal Data on behalf of and in accordance with documented instructions from the Customer in accordance with the Data Protection Legislation applicable to the provision by CGSL of the Software and its Services and for the following purposes only: (a) processing in accordance with the Main Agreement, (b) processing as initiated by Users in their use of the Services, and (c) processing to comply with other documented, reasonable instructions provided by the Customer (e.g., via email) where such instructions are consistent with the terms of this DPA.

5.5 If a law, court, regulator or Supervisory Authority requires CGSL to process or disclose Personal Data, CGSL must first inform the Customer of the legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.

5.6 CGSL will not be required to comply with or observe the Customer’s instructions if such instructions would be in breach of any applicable Data Protection Legislation. CGSL will promptly inform the Customer if it reasonably considers any such instruction to have been given to it.

Scope of Processing

5.7 The subject matter of processing of Personal Data by CGSL is the provision of the Software and the performance of the Services under the Main Agreement, or as otherwise agreed by the parties in writing from time to time in accordance with the Change Control Process. The duration, nature and purpose of the processing, the types of Personal Data and the categories of Data Subjects processed under this DPA are further detailed at Appendix 1 to this DPA. CGSL will not process Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation.

Data Security

5.8 CGSL will at all times take and maintain (at its own cost and expense) appropriate technical and organisational measures for protection of the security, confidentiality and integrity of Personal Data (including those measures detailed in CGSL’s Security Policy from time to time, as detailed at https://codegen.co.uk/information-security-policy/) to meet the requirements of the Data Protection Legislation, taking into account the state of the art, the nature, scope, context and purposes of processing, as well as the risk or varying likelihood and severity for the rights and freedoms of Data Subjects (the Measures).

5.9 The Measures will take into account the risks presented by the Processing in particular against any: (a) unauthorised or unlawful processing or access, (b) loss, (c) accidental or unlawful destruction, (d) corruption or alteration, (e) misuse or (f) unauthorised disclosure.

5.10 CGSL will regularly test, assess, and evaluate the effectiveness of the Measures for ensuring the security of processing.

Personnel

5.11 CGSL will limit access to Personal Data to those CGSL Personnel assisting in the performance of Services under and in accordance with the Main Agreement.

5.12 CGSL will take commercially reasonable steps to ensure the reliability of any of its Personnel (and those of any Sub-Processor) engaged in processing Personal Data, including ensuring that all natural and legal persons authorised to process the Personal Data will:

5.12.1 be under appropriate statutory obligations of confidentiality or have otherwise committed themselves to confidentiality; and

5.12.2 have received adequate training on compliance with this DPA and the Data Protection Legislation applicable to the Processing under this DPA.

Co-operation

5.13 At the Customer’s request, to the extent the Customer does not otherwise have access to the relevant information and taking into account: (a) the nature of Processing and (b) the extent to which such information is available to CGSL, CGSL will provide reasonable assistance to the Customer, to the extent required under the Data Protection Legislation, to comply with the Customer’s obligations under the Data Protection Legislation with respect to:

5.13.1 carrying out a data protection impact assessment related to the Customer’s use of the Software or receipt of the Services;

5.13.2 security of processing;

5.13.3 notification of a Personal Data Breach to the appropriate Supervisory Authority;

5.13.4 communication of a Personal Data Breach to the Data Subject; and

5.13.5 prior consultation with the appropriate Supervisory Authority following a data protection impact assessment referred to in clause 5.13.1.

6 Data Subject Rights

6.1 CGSL will promptly notify the Customer if it receives a Data Subject Request.

6.2 Taking into account the nature of the processing (if any) which CGSL undertakes, CGSL will:

6.2.1 assist the Customer by appropriate organisational and technical measures, insofar as this is possible, for the fulfilment of the Customer’s obligations to respond to a Data Subject Request under the Data Protection Legislation; and

6.2.2 to the extent only that the Customer in its use of the Software and receipt of the Services, does not have the ability to address a Data Subject Request, CGSL will, at the Customer’s written request, provide commercially reasonable efforts to assist the Customer in responding to such Data Subject Request, to the extent CGSL may legally do so and provided the response to such Data Subject Request is required under the Data Protection Legislation.

6.3 Unless legally prohibited the Customer will be responsible for any costs arising from CGSL’s provision of such assistance as may be required under this section 6.

7 Sub-Processors

7.1 To the extent (if any) to which CGSL processes Personal Data on behalf of the Customer, the Customer acknowledges and agrees that CGSL:

7.1.1 may appoint any of its associated companies or subsidiaries as a Sub-Processor;

7.1.2 has entered into the appropriate data transfer instrument/s as may be required under Data Protection Laws with any associated company, if applicable, and may, at the request of the Customer enter into any such data transfer instrument/s with such associated company, in Customer’s name and on its behalf, with respect to the protection of Personal Data, to the extent applicable to the nature of the Services provided by CGSL and any other associated company; and

7.1.3 CGSL may engage further Sub-Processors with respect to the performance of CGSL’s obligations under the Main Agreement. Those Sub-Processors (if any) current as at the date of this DPA and whose appointment the Customer has agreed by signing this DPA, are detailed at Appendix 1 to this DPA.

7.2 CGSL will not appoint any Sub-Processor other than as described at section 7.1.1 to 7.1.3 without the prior written consent of the Customer.

7.3 CGSL will at all times remain responsible for the compliance with this DPA and the Data Protection Legislation by any authorised Sub-Processor and agrees to be responsible for the acts or omissions of its Sub-Processors, to the same extent CGSL would be liable if performing the services of such Sub-Processor directly under the terms of this DPA, except as otherwise provided in the Main Agreement.

7.4 CGSL will notify the Customer with full details of any new Sub-Processor which it (or CGSL) is intending to appoint before authorising any such new Sub-Processor to process Personal Data in connection with the provision of the Software or Services. In order to exercise its right to object to CGSL’s use of a new Sub-Processor, the Customer will notify CGSL in writing within twenty (20) business days after receipt of CGSL’s notice.

7.5 In the event the Customer objects to a new Sub-Processor and that objection is not unreasonable, CGSL will use commercially reasonable efforts to make available to the Customer a change in the Software or Services, or recommend a commercially reasonable change to the Customer’s configuration or use of the Software or Services to avoid processing of Personal Data by the new Sub-Processor to which the Customer objects, without unreasonably burdening CGSL.

8 Transfers of Personal Data

8.1 Use of the Software by the Customer and performance of the Services by CGSL may involve the transfer, processing and storage of Personal Data outside Sri Lanka; such transfer and processing has been approved by the Customer subject to all such transfers being made only in accordance with section 7.

8.2 CGSL may, in any event, only transfer and process the Personal Data for those purposes expressly identified and agreed in this DPA and CGSL warrants that it will take all necessary steps to protect any Personal Data so transferred.

8.3 CGSL acknowledges and expressly agrees that, other than as specifically so provided at section 8.1, it may not, without the prior written consent of the Customer:

8.3.1 transfer or otherwise process Personal Data provided by the Customer to a country or territory outside Sri Lanka to countries which do not ensure an adequate level of data protection within the meaning of the Data Protection Legislation of the foregoing territories, to the extent such transfers are subject to such Data Protection Legislation; or

8.3.2 sub-contract or outsource the processing of Personal Data, or otherwise permit the processing of Personal Data by third parties.

9 Data Incident

9.1 CGSL will notify the Customer promptly and without undue delay of any actual or reasonably suspected Personal Data Breach by it (or any Sub-Processor, where relevant) of which CGSL becomes aware.

9.2 To the extent such Personal Data Breach is caused by a breach of the requirements of this DPA by CGSL, CGSL will: (a) make reasonable efforts to identify the cause of such Personal Data Breach and (b) take such steps as CGSL deems necessary and reasonable to correct the cause of such Personal Data Breach, to the extent the correction is within CGSL’s reasonable control. The obligations under this section 9 will not apply to incidents caused by the Customer or any Customer User.

9.3 Notwithstanding the remaining provisions of this section 9, each party will promptly provide all information and assistance that the other requires in the investigation, mitigation, notification, and remediation of any Personal Data Breach.

10 Records

10.1 CGSL will maintain complete, accurate and up-to-date written records of all processing activities carried out on behalf of the Customer, as required under applicable Data Protection Legislation (Records).

10.2 CGSL will promptly make available to the Customer on written request:

10.2.1 copies of the Records; and

10.2.2 such other information demonstrating CGSL’s compliance with its obligations under the Data Protection Legislation and this DPA as the Customer reasonably requires,

and CGSL agrees that, where the Customer is required to do so under the Data Protection Legislation, such written record may be submitted to relevant Supervisory Authorities.

11 Audits

11.1 CodeGen will allow an independent third party auditor appointed by the Customer (at the Customer’s cost) to audit CodeGen’s compliance with this DPA in relation to the processing of Personal Data by CodeGen or its Sub-Processor, provided that such audit will be conducted within CodeGen’s normal business hours and on reasonable prior written notice. CodeGen will co-operate fully with such audit, which will not take place on more than one occasion in any calendar year, unless the Customer has reasonable grounds on which to suggest that CodeGen may be in breach of its obligations under this DPA or applicable Data Protection Legislation.

11.2 The Customer will treat any audit report as CodeGen’s Confidential Information in accordance with the Main Agreement.

11.3 CodeGen will promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan by CodeGen’s management.

11.4 Customer shall bear all reasonable expenses incurred by CodeGen in assisting with the audit.

12 Limitation of Liability

12.1 Each party’s (together with its affiliates or Associates) liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort (including negligence) or under any other theory of liability, is subject to the Liability section of the Main Agreement and any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates/Associates under the Main Agreement and this DPA together. CGSL’s liability and that of its affiliates/Associates for all claims arising out of or in relation to the Agreement and this DPA will apply in the aggregate for all claims under both the Main Agreement and this DPA and will not be understood to apply individually and severally to the Customer.

Indemnities

12.2 Subject always to sections 12.1 and sections 12.3 to 12.5 (inclusive), each party will defend the other and its [Permitted] Affiliates or associated companies, as the case may be, from any and all claims, demands, suits or proceedings brought against the other or its Affiliates or associated companies by a third party (Claims) in accordance with the remaining provisions of this section 12:

12.2.1 CGSL will defend the Customer from Claims brought against the Customer and arising from a breach by CGSL of its obligations under this DPA in relation to the processing of Personal Data submitted to or collected through the Software or provision of the Services. CGSL will indemnify the Customer for all damages, losses, liabilities, settlements, penalties, costs, and reasonable legal fees: (a) finally awarded by a court of competent jurisdiction, (b) imposed by a governmental agency or regulator (including a Supervisory Authority), or (c) paid to a third party in accordance with a settlement agreement signed by CGSL in connection with such a Claim; and

12.2.2 the Customer will defend CGSL from Claims brought against CGSL and arising from a breach by the Customer (or its Affiliates/Associates) of its obligations under this DPA. The Customer will indemnify CGSL for all damages, losses, liabilities, settlements, penalties, costs, and reasonable legal fees: (a) finally awarded by a court of competent jurisdiction, (b) imposed by a governmental agency or regulator (including a Supervisory Authority), or (c) paid to a third party in accordance with a settlement agreement signed by the Customer in connection with such a Claim.

12.3 The party seeking indemnity under section 12.3 (Indemnitee) must give the other party (Indemnitor): (a) prompt written notice of any claim for which the Indemnitee intends to seek indemnity, (b) all co-operation and assistance reasonably requested by the Indemnitor in the defence of the claim, and (c) sole control over the defence and settlement of the claim, provided that the Indemnitee may participate in the defence of the claim at its sole expense.

12.4 In no event will the aggregate liability of each party, together with all its [Permitted] Affiliates or associated companies, under the indemnities detailed at section 12.3 exceed the greater of: (a) the total amount paid by the Customer and its [Permitted] Affiliates or associated companies for the relevant Software or Service in the twelve-month period preceding the first incident out of which the liability arose, or (b) LKR 50,000 (Sri Lanka Rupees Fifty Thousand).

12.5 To the maximum extent permitted by applicable law, neither CGSL nor any of its affiliates or Associate companies will have any liability whatsoever to the Customer, howsoever arising (whether in contract, tort (including negligence) or otherwise), for any claim, liability, loss or damage arising directly from any processing of Personal Data in accordance with the specific instructions given by the Customer following CGSL’s receipt of such instructions to the extent that following those specific instructions was the direct or indirect cause of the claim, loss or damage.

13 Return / Deletion of Data

13.1 CGSL will, without delay, at the Customer’s written request (unless legally required to do otherwise, or unless retention is requested of CGSL according to applicable law) either securely delete or return the Customer Data and all existing copies which CGSL holds to the Customer in such form as the Customer reasonably requests, or take all steps necessary to procure that any third party to which CGSL has provided the Customer Data returns or destroys such Customer Data, after the earlier of:

13.1.1 the end of provision of the relevant Services related to processing; or

13.1.2 once processing by CGSL of any Customer Data is no longer required for the purpose of CGSL’s performance of its relevant obligations under this DPA or the Main Agreement,

provided always that:

13.1.3 CGSL will not be required to remove copies of the Customer Data from its backup media and servers until such time as the backup copies are scheduled to be deleted in the normal course of business; and

13.1.4 Only upon a request made by the Customer, prior to the effective date of termination of the Main Agreement, CGSL shall make available to Customer, for thirty (30) days following the date of termination of the Main Agreement, a file of Customer Data for download. After such 30-day period, CGSL shall have no obligation to maintain or provide any Customer Data and shall thereafter, unless legally prohibited, be entitled to delete all Customer Data.

13.1.5 Notwithstanding the provisions in clause 13.1.4, in all cases where applicable, CGSL will continue to protect the Customer Data in accordance with this DPA and the Main Agreement.

14 Other Important Terms

14.1 This DPA and any documents referred to within it represent the entire agreement between the parties in relation to its subject matter.

14.2 No variation of this DPA will be effective unless it is in writing and signed by both parties.

14.3 This DPA will be governed by and construed in accordance with English law and each party irrevocably submits to the exclusive jurisdiction of the courts of England and Wales.

14.4 Each reference to the DPA in this Agreement means this DPA including its Appendix and Schedules.

Appendix 1

Purposes of Processing & Data Types

Subject matter
Performance of software-related development, support & maintenance services by CGSL under the Main Agreement.
Duration
During the period of validity of the Main Agreement only, unless otherwise agreed in writing.
Nature & purpose
CGSL will process Personal Data as necessary to perform the Services pursuant to the Main Agreement and as further instructed by Customer in its use of the Software and receipt of the Services.
Processing Instructions
As agreed between the parties in writing including in any Change Control Notice.
Security measures for Personal Data
CGSL will ensure administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Software or Services, as described in the Security Policy documents applicable to the specific Software and/or Services purchased by the Customer and accessible via https://codegen.co.uk/information-security-policy/ or otherwise made reasonably available by CGSL.

Type / Categories of Personal Data

Customer may submit Personal Data during its use of the Software, the extent of which is determined and controlled by Customer in its sole discretion. This may include but is not limited to the following categories of Personal Data:

  • first and last name
  • personal & business contact information (company, email, phone, physical addresses)
  • job title/position
  • employer details
  • ID data (including IP addresses and passwords, also unique IDs collected from mobile devices, network carriers or data providers)
  • data relating to professional life
  • data relating to personal life
  • connection data
  • localisation data

Special Categories of Personal Data

May include Personal Data with information revealing sensitive, racial or ethnic origin and the processing of data concerning health.

Categories of Data Subjects

Customer may submit Personal Data during its or their use of the Software or receipt of the Services and the extent of that submission is determined and controlled by Customer in its sole discretion. This may include but is not limited to Personal Data relating to the following categories of Data Subject:

  • employees, contact persons, agents, advisors and contractors of the data exporter (who are natural persons)
  • employees, contact persons, agents, advisors and contractors of the data exporter’s customers (who are natural persons)
  • natural persons who are prospects, customers, clients, Customer’s business partners, or vendors of or suppliers to Customer
  • employees or contact persons of each of the above
  • Customer’s employees, agents, representatives, contractors, collaborators, advisors or freelance workers (all being natural persons)
  • any User authorised by Customer to use the Software or Services (who are natural persons)

Customer may during its or their use of the Software, submit Personal Data (which may include special categories of data) for Data Subjects who are children under 16 years of age, with the consent or authorisation of the holder of parental responsibility over such children; the extent of that submission is determined and controlled by Customer in its sole discretion.

Sub-processors of Personal Data

  • Oracle Database (if applicable)
  • Atlassian Corporation PLC (JIRA, Slack)
  • Google LLC (for G Suite)
