David Pieris Group - Data Protection Policy

Version 0 | Last Updated in August 2025

1. Overview

David Pieris Holdings (Private) Limited and its subsidiaries within the Group are committed to protecting the Personal Data of our Customers, Stakeholders, Business Partners, Employees, Visitors and Candidates, and the Personal Data provided to us of individuals who work for, provide services to or act on behalf of our Customers and/or Business Partners.


2. Purpose of Data Protection Policy

The purpose of the Data Protection Policy is to set principles and ensure compliance in how the Organization collects, stores, processes and shares Personal Data (collected through digital and physical means), and to set out the legal rights regarding the collection and processing of Personal Data. The Organization requires Personal Data to maintain the efficiency of the business, to comply with legal and regulatory obligations, to evaluate internal controls and audits for compliance, and to provide the best Customer service and matters relating thereto.

3. Data Protection Principles

The Personal Data shall be:

  1. Processed lawfully, fairly and in a transparent manner in relation to the Data Subject.
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes.
  3. Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  5. Kept in a form which permits identification of Data Subject for no longer than is necessary for the purposes for which the Personal Data are processed; Personal Data may be stored as stipulated in the respective law, insofar as it is processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the Data Subject; and
  6. Processed in a manner that ensures appropriate security of the Personal Data, using appropriate technical or organisational measures.
  7. The Personal Data shall be processed and communicated in writing or by electronic means, ensuring that it is presented in a concise, transparent, intelligible, and easily accessible form.
  8. Personal Data shall NOT be transferred to any country or territory outside Sri Lanka unless it is authorized by the respective authority and/or the country or territory to which the data is transferred ensures an adequate level of protection for the rights and freedoms of Data Subject in relation to the processing of Personal Data. Such transfers shall only occur in compliance with applicable laws and regulations governing data protection.

4. Legal rights of Data Subject

The Organization acknowledges and upholds the following rights of the Data Subject as defined under the relevant applicable laws of the country. These rights, as outlined in the applicable data protection legislation, shall be respected and facilitated in accordance with the definitions in the law and application.

  1. Right to be informed
  2. Right of access
  3. Right to rectification
  4. Right to withdrawal
  5. Right to erasure
  6. Right to object to processing
  7. Rights in relation to automated decision making and profiling
  8. Right to appeal

5. Types of data/information

The Organization will collect data/information including but not limited to personal information, health information, financial information and digital information and other relevant information as the case may be subject to the purpose of the policy.

6. Process of Personal Data

The Organization will ensure the following when processing Personal Data:

6.1. Lawful purposes

  1. All Personal Data processed by the Organization shall be based on one of the following lawful grounds: consent, contract, legal obligation, vital interests, public task, or legitimate interests.
  2. Where consent is relied upon as a lawful basis for processing data, evidence of such consent shall be kept with the Personal Data.
  3. Where communications are sent to the Data Subject based on their consent, the option for the Data Subject to revoke their consent will be clearly available.

6.2. Data minimisation and Accuracy

  1. The Organization shall ensure that the Personal Data are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
  2. The Organization shall take reasonable steps to ensure Personal Data is processed accurately at the time of collection and kept up to date.

6.3. Lawful and fair processing

  1. Ensure processing of Personal Data in a lawful and fair manner.
  2. The Data Subject has the right to access their Personal Data, and any such requests made to the Organization shall be dealt with in a timely manner.

6.4. Retention and removal

  1. The Personal Data is kept for no longer than necessary. The Organization will assess the necessity of the Personal Data and review it periodically. Any Personal Data that is no longer required will be removed as stipulated in the respective Law.

6.5. Security

  1. The Personal Data is stored securely using secure methods by the Organization or through a service provider. The Organization will ensure that appropriate back-up and disaster recovery solutions are in place.
  2. Access to Personal Data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of Personal Data.
  3. Removal of Personal Data will be done safely and non-retrievably.

7. Personal Data Sharing

The Organization will share information with the following entities:

  1. Internal Parties: within the Organization, professional advisors such as financial advisors, investment advisors, legal advisors, auditors, authorized representatives based in Sri Lanka and outside Sri Lanka acting as joint controllers or processors, and other relevant parties as the case may be, ensuring an adequate level of protection for the rights and freedoms of the Data Subject in relation to the processing of Personal Data; such sharing shall only occur in compliance with applicable laws and regulations governing data protection.
  2. External Third Parties: contractors and service providers, external dispute resolution institutes/bodies, professional advisors acting as processors or joint controllers including lawyers, bankers, auditors, investment analysts, consultants who provide consultancy on banking, legal, insurance and financial services, regulatory bodies, government agencies and law enforcement bodies, payment systems operators (for example, merchants receiving card payments, other Business Partners, etc.) in any jurisdiction, and the same will be shared for business purposes on a need-to-know basis.
     When sharing Personal Data with third parties, the Organization shall ensure that formal agreements are established with those who process or access Personal Data on behalf of the Organization, on a need-to-know basis, incorporating similar obligations and aligned with this policy.

8. Review and Compliance

  1. The Data Protection Officer (DPO) of the Organization will be responsible for the ongoing compliance with this policy.
  2. The procedure of data processing will be reviewed annually as and when required.

9. Procedure for Handling Requests, Complaints and Inquiries

This procedure ensures that all complaints related to Data Protection are handled in a structured, fair, and timely manner. The Data Protection Officer (DPO) is responsible for overseeing the process and ensuring compliance with all relevant provisions of this Data Protection Policy and data protection laws.

9.1. Receiving Requests and Complaints

All complaints related to data protection issues should be reported to the Data Protection Officer (DPO) via the following channels:

  • In writing: The Data Protection Officer, David Pieris Holdings (Private) Limited. 120,120A, Pannipitiya Road, Battaramulla. Sri Lanka.
  • Email to: dataprotection@dpmco.com
  • Phone call to +94 11 470 0600.
  • In-person submission: Data Protection Officer, David Pieris Holdings (Private) Limited. 120,120A, Pannipitiya Road, Battaramulla. Sri Lanka.

9.2. Acknowledgment of Complaint

Once a complaint is received, the Data Protection Officer (DPO) will acknowledge the complaint and provide information on the next steps in the process.

9.3. Documentation and Record-Keeping

All complaints, inquiries, and appeals will be documented by the Data Protection Officer (DPO). The records will be kept confidential and secure in line with the Organization's data protection policy and applicable data protection laws.

10. Use of Cookies

The Organization’s websites may use cookies to enhance website functionality, improve user experience, and support secure access.
Cookies deployed directly by the Organization are not used to store sensitive data such as account credentials or passwords. Some cookies may collect information that may be considered Personal Data under applicable data protection laws, and such collection will be carried out in compliance with relevant legal requirements.
This information is used solely for internal analysis and performance optimization. Our websites may also include integrations with or links to third-party services, which may independently deploy cookies (e.g. social media platforms, analytics tools, payment gateways, etc.). The Organization does not control or assume responsibility for the cookie practices or data policies of such third parties.

11. Data Handling

Personal Data may be handled in a cloud system within the territory of Sri Lanka or outside, and the Organization ensures the protection of the Personal Data in accordance with the applicable laws and regulations. The Data Subject has explicitly consented to the proposed processing of Personal Data outside Sri Lanka, after having been informed of the possible risks of such processing.

12. Data Protection Management Program

The Organization shall implement internal controls and procedures to ensure compliance with this policy, and periodic audits of data protection practices shall be conducted to verify adherence.

13. Governing Law

This Data Protection Policy shall be governed by the Personal Data Protection Act No. 09 of 2022 (As amended) of the Democratic Socialist Republic of Sri Lanka.

14. Effective Date

This Data Protection Policy is effective from 15th of August 2025.

15. Revisions

The Organization reserves the right to review and revise this Data Protection Policy at any time by posting the updated policy with the revision date and number.

16. Definitions

  • Organization: David Pieris Holdings (Private) Limited and its subsidiaries within the Group
  • Data Subject: Customers, Stakeholders, Business Partners, Employees, Visitors and Candidates of the Organization
  • Personal Data: Any information that can identify a natural person, directly or indirectly.
  • Processing of Data: Any action performed on Personal Data, such as collecting, using, storing, or deleting it.
  • Business Partners: External parties engaged with the organization through commercial or contractual relationships.
  • Stakeholders: Individuals or entities with an interest in the organization’s operations or outcomes.
  • Customers: Individuals who purchase or use the organization’s products or services.
  • Candidates: Individuals applying for employment or engagement opportunities within the David Pieris Group of Companies.