This Privacy Policy applies to you if you are (“You”):

• A customer of the bank – meaning any individual or entity that has acquired or uses our products or services, entered into a contract with us, or maintains an ongoing banking or business relationship with UB. This also includes individuals acting on behalf of such customers (e.g., authorized representatives, guarantors, or beneficiaries)..
• A person interested in our products, services, or content, who interacts directly or indirectly with us (for example, through our branches, customer service channels, contact forms on our websites, or our social networks), or who consults our websites or participates in an event organized by Union Bank.
• A candidate interested in job offers published by UB, including those subscribing to our job alerts via email.
• A journalist in contact with our press teams.
• A user of social networks, who may post or interact with publications related to the activity of the UB.

When you provide us with personal data related to other people, please make sure that you inform them about the disclosure of their personal data and invite them to read this Privacy Policy. We will also make reasonable efforts to do the same whenever possible (e.g., when we have the person’s contact details).

We may collect the following types of personal data (hereafter referred to as ‘Personal Data’) to serve you better:

(A). For Customers:

• Identification Information: Information that uniquely or semi uniquely identifies you.
  • For example: name, gender, date of birth, nationality, your photographs, signature, EPF/ETF, Pension number, etc.
• Official Identification Information: Information that are official/government identifiers.
  • For example: national identification number, passport number, tax identification number, driving license number. etc.
• Contact Information: Information that allows to address, send or communicate messages to you.
  • For example: residential address, email address, phone number (mobile or landline), etc.
• Financial Information: Information that identifies your financial position, background, status and history as required.
  • For example: account details, credit card details, transaction history, credit score, etc.
• Communications Information: Information relating to you collected via online or digital interactions
  • For example: telephone conversations, messaging, email and other communications we have with you
• Geo-location data: Information that provides or contains a device’s location.
  • For example, your internet protocol (IP) address or time zone settings, etc.
• Personal Relationship Data: Information about associations or close connections between individuals or entities that can determine your identity.
  • For example, if you are a politically exposed person, public official, or hold close personal or financial relationships with such persons.
• Education and Employment Data: Information about individuals’ professional and academic qualifications and occupational information.
  • For example, level of education, employment, employer’s name.
• Status as customer or prospect
• Device Information: Information related to user’s device and digital activities
  • For example, PC, mobile phone, tablet, IP, address, browsing activity, geo-location data
• Data relating to individuals’ habits and preferences: Tracking data such as cookies and trackers on our websites, our online services, our apps, and our social network pages.

We may require to collect special categories of Personal Data about you sometimes, but this information is only collected if necessary and with your consent or where allowed by law. This may include:

• Racial / Ethnic Information: Information which reveals your racial or ethnic origin.
• Biometric Information: Information which uniquely identifies you through physical or behavioral characteristics, such as your fingerprints, images of you or CTTV and video recording, of you.

Your Personal Data is directly collected from you, but we may also obtain your Personal Data from other sources as required, which includes but are not limited to people you know:

• For example, Parents or guardians of minors. If you are a minor. We will get your parent or guardian’s consent before collecting, using or sharing your personal data.
• Publications/databases made available by official authorities or third parties (e.g., CRIB, Department of Registration of Persons, GoAML, AML system etc.)

(B). For Employment Candidates and Employees:

In addition to the information above we may also collect:

• Behavioral Data: Analytics information that describes your behavioural characteristics.
  • For example, results of any pre-employment screening test.
• Personal Relationship Data: Information about associations or close relationships between yourself and other employees of Union Bank.
  • For example, if any family members are employees of Union Bank.

We may require to collect special categories of Personal Data about you sometimes, but this information is only collected if necessary and with your consent or where allowed by law. This may include:

• Health Information: Information relating to your health.
• Criminal convictions, proceedings or allegations information: Information about criminal convictions or related information that we identify in relation to our financial crime prevention obligations. This includes details of offences or alleged offences or convictions.

Your Personal Data is directly collected from you, but we may also obtain your Personal Data from other sources as required, which includes but are not limited to:

• Businesses and other organizations:
  • For example, your employer and/or company, business or organization you represent or is related to your credit reference and fraud prevention agencies, law enforcement authorities, social network sites, for example LinkedIn, Facebook, Instagram etc.
• Publicly available resources:
  • For example: online directories, career platforms, publications, social media posts and other information that is publicly available.

(C). External Suppliers and Partners:
Depending on the nature of the products or services provided by the supplier or partner, we collect various types of personal data about you, including:

• Identification Information:
  • For example: Full name, NIC, passport information, nationality, place and date of birth, gender, professional photographs.
• Professional Contact Information:
  • For example: Postal and email address, phone number, emergency contact details
• Connection and tracking data and information about your device:
  • For example: IP address, technical logs, computer traces, information on the use and security of the device
• Education and employment information:
  • For example: CV, level of education, professional qualifications and references, date of hire and position held with your employer, information on business travel, details of training or of information session completed where necessary for the performance of the relevant contract (e.g. in areas such as PDPA, data security, banking and financial sectors when the mission requires it)
• Your presence in our premises
  • For example: Vehicle license number
• Data from your interactions with us
  • For example: Minutes of Meetings, Phone Calls, Video conferences, electronic communications such as emails, instant messaging etc.
• Images Recording
  • For example: Video surveillance (CCTV), photos
• Social network data
  • For example: Data coming from pages and publications on social networks that contain information that you publicly made available.

We may collect the following special categories of data (or “sensitive data”) only upon obtaining your explicit prior consent and/or when required by law:

• Data relating to criminal convictions and offences (e.g. extract of criminal records); and
• Biometric data (e.g. fingerprint which can be used for identification and security purposes)

We never ask any other sensitive personal data such as data related to your racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic data or data concerning your children unless it is required through a legal obligation or if you requested it.

For us to effectively carry out Our mission, it is essential for us to be present on social networks, and this presence may result in the processing of some of your personal data.

Thus, as part of our legitimate interest for our communication needs, as well as for crisis management and customer relationship management, we may collect the following personal data:

• Your interactions with Us on our social media pages and posts, including your latest claims and complaints.
• Data from social media pages and posts containing information that you have made public.

More specifically this personal data will be processed for the following purposes:

• Crisis management (social listening) and customer relationship management, which includes:
  • Crisis prevention: monitoring and analysing social networks and the web using keywords to assess Union Bank’s reputation as well as to be informed of what is being said about specific topics in order to be able to communicate accordingly.
  • Crisis management: being able to analyse issues related to certain publications and act accordingly, respond to publications or comments from social media users; detect and report fake accounts and publications; or investigate serious allegations or claims.

In this section we explain why we process your personal data and the legal basis for doing so.

• Your personal data are processed to comply with our various legal and regulatory obligations:

Your personal data are processed when this is necessary to enable us to comply with the regulations to which we are subject, such as banking and financial regulations, and in particular in the following context, this may include but not limited to,

• • Replying to an official request from a duly authorised public or judicial authority.
  • Preventing or detecting financial crime, frauds such as anti-money laundering etc.
• Your personal data are processed to perform a contract to which you are a party or pre-contractual measures taken at your request:

Your personal data are processed when it is necessary to enter into or perform a contract to, this may include but not limited to,

• • Providing Financial Services: Managing your accounts, processing transactions, and providing banking services, etc.
  • Provide you with information related to our products and services.
  • Access our digital services.
  • Assisting with your inquiries and requests to enhance customer experience etc.
  • Providing Other Services: Statement printing, card embossing, and postage/delivery services, etc.

Anyone who fails to provide the above details should be aware that, where applicable, if the requested information is mandatory, failure to provide it may result in our inability to offer the relevant product or service.

• Your personal data are processed to fulfil our legitimate interest or that of a third party:

Where we base a processing activity on legitimate interest, we balance that interest against your interests or fundamental rights and freedoms to ensure that there is a fair balance between them. If you would like more information about the legitimate interest pursued by a processing activity, please contact us using the contact details provided in section 11 below.

We use your personal data in order to deploy and develop our products or services, to improve our risk management and to defend our legal rights, and also for the following purposes, this may include but not limited to,

• • Keeping you and our people safe: Conducting identity verification security checks for building access, using CCTV surveillance recordings at our premises and ATMs for the purposes of preventing and detecting fraud and/or other crimes, such as theft, for other health and safety compliance purposes, etc.
  • IT management, including infrastructure management & business continuity and IT security,
  • Taking the necessary measures in the event of suspicion and/or breach of IT security rules,
  • Managing security of our IT systems and preventing fraud,
  • Establishing aggregated statistics and /or tests (e.g., A/B testing), to improve existing products and services or create new ones or to improve your experience on our websites,
  • Communicating and interacting with you via our various communication channels (emails or messages, visits to our websites, etc.),
  • Managing our activities and our presence on social networks (see more details in section 4),
  • Analyzing your habits and preferences in our various communication channels (emails or messages, visits to our website, social networks, etc.),
  • Administering a contest, giveaway, competition, or other similar marketing campaign or offering promotional games and managing events,
  • Managing and sending prices won by participating to one of our contests,
  • Communicating about our news, and what we generally do at Union Bank,
  • Responding to your inquiries,
  • Improving and personalizing your experience on our websites and applications,
  • Administering any consumer loyalty or rewards programs that are associated with your user account.
  • In exercising our legal rights, to retain and produce your data records including but not limited to financial information if required by the law, regulations, legal proceedings and/or recovery actions.

In addition to the above purposes, we may also use your personal data under the same lawful ground for the below purposes, this may not be limited to:

• Processing job applications: Reviewing applications, assessing skills, qualifications and suitability for the job role or engagement applied for (including results of screening tests), conducting pre-employment or pre-engagement searches, background checks to verify identity and obtain references, etc.
• Communication: Communicating with you in relation to your application. We may also notify you of other potential career opportunities or job vacancies that we think might suit you.
• Improving our applicant screening procedures and recruitment process: Performing administrative tasks, risk management activities, auditing business operations, etc.

Your data may be aggregated into anonymized statistics that may be shared with our partners and service providers when needed. In this case those receiving your personal data will be unable to ascertain your identity.

• Your personal data are processed if you have given your consent:

For some processing of personal data, we will give you specific information and ask for your consent. Of course, you can withdraw your consent at any time.

Especially, we ask for your consent for following purposes, this may include but not limited to,:

• Administering promotional or marketing campaigns such as sending information about our products, services, and promotions etc.
• Sending email notifications and letters if you have subscribed to them.
• Prior to processing any special categories of data such as health information or any information referred under the definition of “special categories of personal data” in Personal Data Protection Act, No.9 of 2022.

You may be asked for further consent to process your personal data where necessary.

• We may share your Personal Data within the UB and our advisors, consultants, service providers, business partners and third parties (including but not limited to their employees, sub-contractors, service providers, directors and officers, etc.) for the purposes given in Section 3 above or as required by law or requested by any authority. We may share your Personal Data with both local or foreign entities, depending on the nature of the services and the requirements of your banking relationship with us, in compliance with applicable data protection laws for data sharing and cross border transfers.
• We do limit how and whom we share your Personal Data with and we take necessary steps to ensure Personal Data shared is kept confidential and protected when we share it. The parties with whom your Personal Data is shared may vary based on your banking relationship and on your interactions with us as an individual. We will not disclose your Personal Data to anyone unless we have your consent, are required to do so by law or have previously informed you of such sharing.
• We may share your Personal Data with the following: This may include but is not limited to:
  • Our advisors and consultants
  • Our service partners/suppliers
  • Third party business partners
  • Government and law enforcement authorities
  • CRIB and other related institutions
  • With Courts, Tribunals and any such forum for purposes of legal recovery and/or in prosecuting or defending legal rights.

We may collect and store your Personal Data in electronic or physical form, depending on the requirement. We may store, share and transfer your Personal Data within Union Bank and with other third parties in order to improve and support our processes, business operation and to comply with legal and regulatory obligations. This may include cloud storage and cross-border transfers to jurisdictions with different data protections laws outside of Sri Lanka but only in compliance with applicable data protection laws.

We are committed to retaining your Personal Data for only as long as necessary to fulfill the purposes for which it was collected and in accordance with applicable laws and regulations. The specific retention periods may vary depending on the type of data and legal or statutory requirements, but as a general guideline:

• Personal Data necessary for account and transaction management will be retained for the duration of your banking relationship with us and thereafter for a minimum period as required by relevant financial regulations or our legitimate interests in relation to our relationship with you.
• Data collected for legal and regulatory compliance will be retained in accordance with specific legal requirements and industry standards.
• Information used for marketing and customer communication purposes will be retained until you withdraw your consent or request erasure subject to applicable laws.

We regularly review our data retention practices to ensure compliance with our policy and relevant regulations. After the retention period expires, we will securely and permanently delete or anonymize your Personal Data as per the guidelines provided by the Data Protection Authority (hereinafter referred to as the “DPA”) created under the Personal Data Protection Act No. 09 of 2022 (as amended).

We implement adequate technical, physical and organizational security measures to protect your Personal Data against unauthorized access, disclosure, alteration, or destruction. We also ensure our practices are, in compliance with legal and regulatory requirements. We require and train our staff to maintain our privacy and security standards, and we will procure any third parties who carry out any work on our behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information.

Subject to applicable law, you have following rights which allow you to exercise real control over your personal data, circumstances applicable to each right and how we process them.

• You can request access to your personal data: If you wish to have access to your personal data, we will provide you with a copy of the personal data you requested as well as information relating to their processing.
• You can ask for the correction of your personal data: If you consider that your personal data are inaccurate or incomplete, you can request that such personal data be modified or completed accordingly. In some cases, supporting documentation may be required.
• You can request the deletion of your personal data: If you wish, you may request the deletion of your personal data, to the extent permitted by law.
• You can object to the processing of your personal data based on legitimate interests: If you do not agree with a processing activity based on a legitimate interest, you can object to it, on grounds relating to your personal situation, by informing us precisely of the processing activity involved and the reasons for the objection. We will cease processing your personal data unless there are compelling legitimate grounds for doing so or it is necessary for the establishment, exercise, or defence of legal claims.
• You have rights to request a review against an automated decision: As a matter of principle, you have the right to review a decision based solely on automated processing based on profiling or otherwise that has a legal effect or significantly affects you.In any event, you have the right to challenge the decision, express your views and request the intervention of a competent person to review the decision.
• You can withdraw your consent: If you have given your consent to the processing of your personal data, you can withdraw this consent at any time.
• How to file a complaint with the data protection authority: In addition to the rights mentioned above, you may also choose to file a complaint or an appeal against a decision made in relation to a request to exercise your data subject rights with the Data Protection Authority.

To make it easier for you to exercise your rights, please complete the ‘Data Subject Request Form’ provided below and email it to dataprotection@unionb.com. We will then get in touch with you. Alternatively, you may contact our customer service hotline or reach out directly to our Data Protection Officer (DPO) using the contact details provided below.

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal and regulatory reasons. Our privacy policy is available on www.unionb.com/privacy-policy for your reference. Please visit the website periodically for the latest version.

If you require any further information or require to contact our Data Protection Officer (where applicable) or if you have any questions or concerns about this Privacy Policy or your Personal Data, please contact us at:
​
Data Protection Officer
Union Bank of Colombo PLC
Address: 64, Galle Road, Colombo 03, Sri Lanka
Phone: +94 11 237 4120
Email: dataprotection@unionb.com