Privacy Statement


Bank of Ceylon (referred to as ‘we’, ‘us’, ‘our’, ‘Bank of Ceylon’ or the ‘Bank’) is committed to protecting the privacy and security of personal information. This Privacy Statement explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services. By accessing or using our services, you consent to the practices described in this Privacy Statement. 

Throughout this statement, "personal data" or "personal information" refers to any information that identifies or can identify you, including but not limited to your name, address, and identification number. Actions involving your personal data, such as handling, collecting, protecting, and storing, are collectively referred to as "processing."

This privacy statement provides

1. An overview of data collection and processing according to the Data Protection Act No. 9 of 2022 

This Privacy Statement is designed in relation to the collection, use and disclosure of any personal data, including special or sensitive personal data. It also applies to individuals who have had a previous business relationship with the Bank.

2. Information we hold, collect and process

We hold, collect and process personal data that you provide to us directly or indirectly, such as your name, contact details, identification information, date of birth, financial information, transaction data, payment card information, gender, nationality, information received from third parties, the public domain, collected through use of our website, cookies, and our electronic banking services which we believe it is reasonably required for ordinary business purposes. This data is essential for offering you our services and ensuring a seamless banking experience.

3. How we use your personal data 

We use and process your personal data to manage your accounts; to deliver banking services; to process transactions; to administer, evaluate and improve our products and services; to market our products and services; to manage our risks; to perform accounting, auditing and other internal functions and to fulfill and comply with legal and regulatory requirements, relevant industry standards, contractual obligations. We may also use your personal data for communication purposes, such as sending you account updates, relevant promotions, and other service-related notifications. 


Purposes for which we may process your Personal Data

At Bank of Ceylon, we are dedicated to provide you with the products and services you request. To ensure the fulfillment of our contractual obligations and to provide you with the best possible service, we process your personal data for various essential purposes as follow but not limited. 

1. Processing Your Requests

We process your data to handle applications for products and services, process payments, conduct transactions, and fulfill your instructions or requests promptly and accurately. This includes every channel we use including providing electronic banking services to enhance your banking experience.

2. Assessing Suitability

We evaluate your suitability for our products and services to tailor our offerings to your specific needs and requirements.

3. Credit Assessment

We conduct credit assessments, including credit checks and setting credit limits, to ensure responsible lending practices and financial stability.

4. Operational and Statistical Purposes

Your data is used for operational and statistical purposes, enabling us to improve our services and meet regulatory requirements effectively.

5. Banking Relationships and Security

We establish, continue, and manage banking relationships and accounts, and monitor our premises and ATMs to ensure your safety and security.


Disclosure of Your Personal Data

To provide you with our services and uphold our contractual obligations, the Bank discloses your Personal Data to the following parties for the purposes specified above.

1. Professional Advisers, Partners and Service Providers

We share your personal data with professional advisers, consultants, credit rating agencies, insurers, insurance brokers, auditors, third-party service providers, agents, corresponding banks and financial institutions and exchange houses to conduct credit checks, and independent contractors who support for Bank's business operations subject to Non- Disclosure agreements/confidentiality obligation with such parties to ensure that our services meet the highest standards.

2. Business Alliance Partners

We share your personal data with our business alliance partners who offer products or services that could be of interest to you, enhancing the range of options available to meet your needs.

3. Card Association Members and Merchants

We disclose your personal data to merchants or members of the Card Association to facilitate payment card transactions.

4. Attorneys, Legal Representatives and Family Members

We disclose your personal data with your attorney who is appointed by you through a Power of Attorney.

In the case of a child, we disclose child’s personal data to the parent or legal guardian of such child.

Upon your death or contractual incapacity, we share your personal data with your legal representatives, legal heirs and immediate family members as applicable, allowing them to act on behalf of you. 

5. Compliance with Laws and Authorities

We disclose your personal data to any court, tribunal, regulator, law enforcement agency, exchange body, tax authority, or any other authority (including any authority investigating an offence) or their agents/officials as required or permitted by law. 

We also disclose your personal data to any person to whom disclosure is allowed or required by local or foreign law or regulation.

6. Mergers and Acquirers

We reserve the right to share your personal information in connection with a corporate change including a merger, acquisition or sale of all or any relevant portion of our business or assets.

These disclosures may occur in any jurisdiction and are carried out with the utmost care and in compliance with applicable laws and regulations.

Security of Your Personal Data

Ensuring the security of your personal data is a paramount concern for us at Bank of Ceylon. We want you to be confident that your information is protected regardless of where they are stored or transferred. Following is how we prioritize your data security.

1. Technical and Organizational Measures

We have implemented rigorous and accepted standards of technical and organizational security measures to safeguard your personal data. These measures are designed to protect your information from unauthorized access, disclosure, alteration, and destruction.

2. External Service Providers

When we engage with external service providers, we ensure that they adhere to the stringent security standards mandated by Bank of Ceylon. We enforce these standards through contractual provisions, as required by privacy regulators/authorities, and maintain oversight to ensure compliance.

3. International Transfers and Risks

Your personal data may be transferred to locations outside Sri Lanka, including countries without data protection laws comparable to Sri Lanka while adhering to the provisions of Personal Data Protection Act and the applicable regulations. We take every reasonable step to ensure that, regardless of the location, your personal data remains securely protected.

4. Internet Risks

Although we use appropriate security measures, transmitting personal data over the internet carries inherent risks, including the potential for access and interference by unauthorized third parties.

5. International Data Transmission

Information transmitted over the internet may pass through various countries, even if the sender and recipient are located in the same country. Some of these countries may have privacy and data protection laws that are less robust than those in your country of residence.


Our Commitment to Your Security

Despite these challenges, we endeavor to mitigate these risks. We employ the latest security technologies and protocols to protect your data during the transmission and storage.

We aspire to maintain the confidentiality and integrity of your personal data. Your trust is invaluable to us, and we are committed to earning and preserving it through our unwavering dedication to your privacy and security.

If you have any concerns or questions about the security of your personal data, please do not hesitate to contact us. Your privacy and peace of mind are of utmost importance to us.


How long do we retain your data 

We retain your personal data in accordance with legal and regulatory requirements, and for essential business and operational needs. Typically, this retention period spans twelve years from the conclusion of your association with us unless applicable law requires a longer retention period. 


Marketing Communications

We value your trust and privacy, and we want to keep you informed about our products and services. To achieve this, we may use your Personal Data for specific purposes.

1. Improving Our Services

Conducting market research and surveys enable us to better understand your needs and preferences. This insight helps us enhance our products and services, ensuring they align with your expectations.

2. Promotions and Engaging Events

We use your data for marketing purposes, including promotional events, competitions, and lucky draws. These initiatives are designed to provide you with exciting opportunities and valuable offers.

3. Your Control Over Marketing Communications

Your preferences matter to us. If you have asked us not to send you marketing material, rest assured, we respect your choice. You have the right to opt out of receiving marketing communications at any time.

To exercise this right, please reach out to your branch. We are here to promptly accommodate your preferences.

4. Your Changed Preferences

If you change your mind and decide not to receive marketing material or any other promotional or research material you previously subscribed to, we will honor your request. However, for record-keeping purposes, we may retain a record confirming your preference. This ensures that you do not receive any further communications, respecting your choices and privacy.


Monitoring Your Electronic Communications

In our commitment to upholding the highest standards of compliance, we may, within the limits of the law, record and monitor your electronic communications with us. This practice is in place to ensure strict adherence to our legal obligations and internal policies, aligning with the purposes previously outlined.

By monitoring electronic communications, we maintain a secure and compliant environment, fostering trust and reliability in our interactions. Your understanding and cooperation in this regard are essential as we work together to ensure the integrity and legality of our services.

Your Privacy Rights

Your privacy is of utmost importance to us, and we are dedicated to ensuring you have control over your personal data. In accordance with applicable laws, regulations, and banking industry guidelines, you have the following rights:

1. Access

You have the right to request a copy of the personal data that pertains to you. Please note, under certain circumstances, there might be a fee associated with this request, as allowed by law.

2. Rectification or Completion 

We take reasonable steps to rectify any inaccurate or outdated personal data, without undue delay in order to keep such data up to date and accurate manner. 

Accordingly, if you believe your personal data needs correction, you can request us to rectify any inaccuracies. This can be done conveniently at your branch.

3. Erasure

You can ask us to delete your personal data, particularly unless otherwise if there is no any prevailing law directed to maintain the records further.


Resolving Complaints

We take your concerns about the processing of your Personal Data seriously. If you have a complaint and feel dissatisfied with how it is being addressed, we encourage you to take the following steps

1. Branch level Resolution

Initially, we recommend discussing your complaint with your branch. They are equipped to assist and address your concerns directly.

2. Data Protection Officer at Bank of Ceylon

Contact Information:

For further details or assistance, you can reach out to us by emailing

Your written requests can be made:
             Data Protection Officer,
             11th Floor,
             Bank of Ceylon,
             No 1, BOC Square,
             Bank of Ceylon Mawatha,
             Colombo 01.

We are committed to resolving your concerns promptly and effectively, and we are here to support you throughout the process.

Data Protection Authority

As an additional avenue, you have the right to file a complaint with the data protection authority. 


Updates to Our Privacy Statement

As Bank of Ceylon, we strive to keep your personal data protection at the forefront. To ensure you are informed about how your data is handled, our Privacy Statement may undergo updates periodically. We encourage you to revisit this site regularly to stay abreast of any changes or amendments.

Last Updated: 12.01.2024


Linked Websites Disclaimer

Please be noticed that our Privacy Statement is specific to our platform and services. It does not extend to third-party websites where you might encounter our online advertisements, nor does it apply to linked third-party websites that we don't operate or oversee.

When you navigate to external websites through links provided, please be aware that their privacy policies and practices are entirely separate from ours.