Privacy Policy

 

Who we are

United Motors Lanka PLC, a company duly incorporated and existing under the laws of Sri Lanka, bearing company registration number PQ 74, with its registered office at No. 100, Hyde Park Corner, Colombo 2, Sri Lanka, together with all entities controlled by it or under common control with it, including its subsidiaries and affiliates, whether existing now or established in the future (hereinafter collectively referred to as the “Company,” “UML,” “we,” “our,” or “us”.

United Motors Lanka PLC (UML), listed on the Colombo Stock Exchange, is one of Sri Lanka’s pioneering and most recognized automobile companies with over eight decades of excellence. Supported by an island-wide branch and dealer network. UML has earned a place among the country’s leading corporate entities. The Company has been consecutively ranked in the LMD 100 and recognized as one of Sri Lanka’s Most Respected Entities. More information is available at www.unitedmotors.lk.

Why your privacy is important to Us

At United Motors Lanka PLC (UML), we are committed to maintaining a strong, transparent, and accountable personal data protection framework. As such your privacy is important to us, and we want to assure you that any personal data collected will be handled responsibly and in accordance with applicable data protection laws. This Privacy Notice outlines:

  • how we collect, store use, and safeguard your personal data when you engage with us—whether as a customer, service provider, job applicant, or visitor to our premises, website or digital platforms; -UML is the data controller of all personal data we collect and process in relation to our customers (whether potential or existing), investors, employees, vendors, and other business associates and stakeholders. This means UML is responsible for deciding how and why your personal data is processed, in line with applicable data protection laws in Sri Lanka.
  • your rights in relation to your personal data; and
  • the legal protections available to you under the law.

 

By continuing to use our services, visiting our website, submitting personal information, applying for employment, purchase of a product or service from us or entering into any contract with UML, you acknowledge that you have read, understood, and agreed to the terms of this privacy notice

 

Definitions

This privacy policy uses a number of definitions which are set out below:

Personal data: any information which identifies an individual or information relating to an individual who can be identified (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data does not include anonymized data, aggregated data or data which does not disclose the identity of an individual.

Processing or process: any activity that involves the use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including collecting, organizing, storing, preserving, amending, retrieving, using, transmitting, disclosing, erasing or destroying it.

Special categories of personal data: any data which reveals detail of an individual’s race or ethnicity, religious or philosophical beliefs, sexual relations, sexual orientation, political opinions, trade union membership, offences, proceedings, convictions, information about health, genetic, bio metric data and/or personal data relating to a child.

 

The Data we collect about you

We may collect and process various categories of personal data about you, as well as data relating to third parties that you may disclose to us. This information has been grouped into the following categories:

Personal data - This includes information that you voluntarily provide to us, such as your full name, National Identity Card (NIC) number or passport number, date of birth, residential or permanent address, contact details including telephone numbers and email addresses, as well as any other identifying details required for us to fulfill our services or comply with applicable legal obligations. This also includes any footage or images that may be used to identify you.

Technical data - This refers to information collected through your interactions with our website or applications, including your Internet Protocol (IP) address, login credentials, browser type and version, time zone settings and location, operating system and platform, device identifiers, and other technical data relating to the device or method you use to access our services.

Usage data - This includes information about how you use our website, services, or mobile applications.

Marketing and communication preferences - This includes your preferences regarding the receipt of promotional material from us and/or our third-party affiliates, as well as your preferred methods of communication, such as email, SMS, telephone, or any other channel you may specify.

Aggregated and anonymized data – When you visit this website or use any of our mobile application, we may also collect, use, and share aggregated and/or anonymized data that does not directly or indirectly reveal your identity. Such information may include the duration and frequency of website visits, pages viewed, referring websites, and details of your internet service provider. This data is used to improve our website and services, analyze traffic, measure performance, and support internal reporting and analytics. We may also share aggregated or anonymized information with group companies of United Motors Lanka PLC (UML) and with third-party analytics or service providers.

Tracking technologies and cookies -We use cookies and similar tracking technologies (e.g., web beacons, pixels, scripts, and tags) to track activity on our website and store certain information for analytics, personalization, and service improvement.

 

Types of cookies we use:

Type

Cookie duration

Purpose

Essential Cookies

Session

These cookies are necessary to provide you with website functionality and secure user sessions. Without them, core features may not work.

Consent Cookies

Persistent

These cookies store your consent status regarding our use of cookies.

Functionality Cookies

Persistent

These cookies help remember your preferences, such as login details or language settings, to improve your experience.

 

How we collect your personal data

We collect information about you in the following ways:

Directly from You – You may provide personal data directly to us when contacting us by phone, email, post, through our website, on social media, during in-person conversations, or when entering into a relationship with us, including when giving feedback or making a complaint

Through our website - We may automatically collect technical information about your device and how you use our website, for example via cookies and server logs. This may also include information from other websites that use our cookies.

Through our mobile apps - Our mobile site and apps may access certain information from your device to provide better services.

From third parties or public sources -We may receive information from other individuals who refer to you or provide your data to us, such as employment candidates, your employer, analytics providers, advertising networks, or search information providers, both within and outside Sri Lanka.

 

Use of your personal data

Legal bases for processing your personal data

We will process your personal data only in accordance with the legal bases permitted under the Personal Data Protection Act, No. 09 of 2022 (“PDPA”). These legal bases include, but are not limited to:

  1. Consent – where you have provided clear consent for us to process your personal data for a specific purpose.
  2. Performance of a contract – where processing is necessary to perform our obligations under a contract with you, or to take steps at your request prior to entering into such a contract.
  3. Compliance with a legal obligation – where processing is required for us to comply with applicable laws and regulatory obligations.
  4. Legitimate interests – where processing is necessary for our legitimate business interests, provided such interests are not overridden by your fundamental rights and freedoms.
  5. Public interest – where processing is necessary for reasons of public interest as permitted by law.
  6. Protection of vital interests – where processing is required to protect your vital interests or those of another individual.

 

Purposes for which we will use your personal data

The table below outlines the ways in which we may use your personal data and the legal bases on which such use is founded (which may include our Legitimate Interests). This list is not exhaustive, and you may request further details from us at any time. We will provide any additional information you require upon request.

Purpose

Type of data

Lawful basis for processing (including our legitimate interest to give you the best and most secure user experience.)

To provide you with advice, services, or fulfill our contract with you

Personal Data

We need this to comply with the law and to offer you the right products and services.

To manage and improve our relationship with you, including personalizing your experience and improving our services

Technical, Usage, Marketing

We need this to comply with legal obligations and because it’s in our legitimate interest to understand how you use our services and give you a better experience.

To run and protect our business and website, including troubleshooting, maintenance, support, security, and fraud prevention

Technical

This is necessary for our legitimate interest in keeping our business secure and operating smoothly, and to comply with legal requirements.

To deliver you relevant content and advertisements and measure their effectiveness

Usage, Marketing, Technical

We do this as part of our legitimate interest to improve our services and marketing, and to understand what works best for you.

To analyze data to improve our website, services, marketing, and client experiences

Marketing, Technical, Usage

We use analytics as it’s in our legitimate interest to make your experience better and improve our services.

To make recommendations about services that may interest you

Technical, Usage

With your consent, so we can give you personalized suggestions.

To analyze anonymized data to develop our business and marketing strategy

Aggregated / Anonymized Data

We do this as it’s in our legitimate interest to understand trends and improve our services.

To verify identities and references, especially in relation to employment

Personal Data

To ensure that we bring onboard the highest quality talent.

 

Change of Purpose

We use your personal data only for the purpose it was collected. If we need to use it for a different purpose that is compatible with the original reason, we will notify you, explain the legal basis, and where necessary, obtain your consent.

Marketing

We may use your personal data to improve our services and to send you information about our products and services, as well as those of our Group companies, that may be of interest to you, subject to the permitted uses of personal data under applicable laws and regulations.

Sharing and disclosure of your personal data

We may share your personal data within United Motors Lanka PLC (“UML”), its Group companies, and with selected third parties when it is necessary to fulfil the purposes described in the Purposes for which we will use your personal data section, or to comply with legal obligations. Such sharing may take place both within and outside Sri Lanka, subject to applicable data protection laws and safeguards for cross-border transfers.

We limit how and with whom we share your personal data, and we take necessary steps to ensure that any data shared is kept confidential and protected. The parties with whom your personal data is shared may vary depending on your relationship and interactions with us.

We will not disclose your personal data unless,

  • you have provided consent,
  • we are required to do so by law, or
  • we have previously informed you of such sharing. We do not sell or rent your personal data to third parties for their independent marketing purposes.

 

Internal third parties

Entities within the UML Group and their affiliates (both within and outside Sri Lanka), who may act as:

  • Joint controllers – where they determine the purpose and means of processing;
  • Processors or sub-processors – providing internal administrative, operational, or technical services such as IT, data analytics, research, revenue optimization, or customer service support.

 

External Third Parties

We may share personal data with trusted third parties outside UML, including:

  • Service providers and contractors:
    IT providers, analytics companies, cloud service providers, logistics partners, payroll and recruitment agencies, training providers, security services, and marketing or research agencies acting as processors on our behalf.
  • Professional advisors:
    Legal firms, auditors, consultants, insurers, banks, tax advisers, and other professionals providing services under strict confidentiality.
  • Business partners:
    Vendors, dealers, suppliers, joint ventures, or co-branding partners with whom we collaborate to deliver products, services, promotions, or events.
  • Regulatory authorities or law enforcement agencies:
    Where required under applicable laws, or pursuant to any order, inquiry, investigation, or national/public security need (including crime prevention, detection, or investigations).
  • Corporate transactions:
    Third parties to whom we may sell, transfer, or merge parts of our business or assets. If a change occurs, the new owners may use your personal data in accordance with this privacy notice.
  • International data transfers: Due to the nature of our operations and our affiliation with a broader group of companies, it may be necessary to transfer your personal data outside Sri Lanka. These transfers may be required for administrative, operational, or contractual purposes and will be conducted in accordance with applicable data protection laws to ensure that your personal data continues to be protected.

 

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. In particular, we require our third-party service providers to limit the processing of personal data for specified purposes and in accordance with our instructions.

 

Data security

We are committed to protecting your personal data. Accordingly, we have implemented appropriate technical and organizational measures to prevent unauthorized access, accidental loss, misuse, or disclosure of your personal data. These measures include:

  • Restricted access to personal data based on a strict need-to-know basis;
  • Confidentiality obligations for all employees, service providers, and third parties handling such data;
  • Ongoing monitoring and detection mechanisms for identifying data breaches or suspicious activity.

 

In the event of a data breach, and where required by law, we will promptly notify you and the relevant regulatory authority, providing all necessary information and support. However, you are responsible for maintaining the security of any personal data prior to our receipt of the same.

 

Data retention

We will retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, including:

  • To comply with legal, regulatory, or accounting requirements;
  • To resolve disputes;
  • To enforce our agreements.

 

When determining the appropriate retention period, we consider:

  • The nature, volume, and sensitivity of the data;
  • The potential risk of harm from unauthorized use or disclosure;
  • The purposes for processing and whether these can be achieved by other means;
  • Applicable legal and regulatory requirements.

 

Where possible, we may anonymize your data (so it can no longer be associated with you) for research or statistical purposes, in which case it may be retained indefinitely without further notice to you.

Your responsibility to provide accurate information and inform us of changes

It is important that the personal data we hold about you is accurate and current. Please ensure that you notify us of any changes to your information during the course of your relationship with UML so we can update our records accordingly. If you fail to provide such data upon request, we may be unable to offer certain services.

Third-party consent

If you provide us with personal data on behalf of another individual, you confirm that you have obtained their informed and specific consent, and that the individual has read and agreed to the terms of this Privacy Notice. You also confirm that such data is accurate, complete, and up to date, and that you are authorized to share it with UML.

 

Your legal rights

Subject to applicable laws, you have the following rights concerning your personal data:

  • Right to access: to access information we hold about you and to obtain information about how we process it.
  • Right to rectification or completion: to request rectification of your information if it's inaccurate or incomplete.
  • Right to request a review an automated decision making: to request a review of a decision made by an automated process.
  • Right to erasure: in certain circumstances, to request erasure of your information.

 

Please note if you choose to erase your information, we may continue to retain your information if we have another legitimate reason to retain same and are entitled or required to do so.

  • Right to withdraw consent and object to processing: in certain circumstances, you may withdraw your consent for processing your information.

 

Please note if you choose to withdraw your consent, we may continue to process your information if we have another legitimate reason to do so. The withdrawal of consent may also impact your ability to continue to have access to our products and services.

  • Right to appeal: you may also choose to file a complaint or an appeal against a decision made in relation to a request to exercise your data subject rights with the Data Protection Authority.

 

To exercise these rights, please contact our Data Protection Officer via ‘dpo@unitedmotors.lk’.

Additional information on rights

  • No fee required: You will not be charged for accessing your personal data or exercising your rights. However, a reasonable fee may be charged if your request is excessive, repetitive, or clearly unfounded.
  • Verification of identity: We may request further information to confirm your identity and to ensure your right to access or exercise any of the above rights.
  • Response timeframe: We aim to respond to all legitimate requests within 21 days. In cases of complex or multiple requests, we may require more time, in which case we will notify you accordingly.

 

 

Updates and amendments to our privacy notice

We may update this privacy notice from time to time to reflect changes in our practices, legal and regulatory reasons, or technology and the updated version will be posted on this website. We request that you revisit this website from time to time for updates on the privacy policy.

We encourage you to review this privacy notice periodically to stay informed about how we are protecting your data.

The updated privacy notice will take effect on the date it is published, unless stated otherwise.

 

Important information

Children’s privacy

Our services and website are not intended for individuals under the age of 13, and we do not knowingly collect personal data from children under this age.

If you are a parent or legal guardian and believe that your child has provided us with personal data without your consent, please contact us immediately. Upon becoming aware that such data has been collected inadvertently, we will take prompt steps to delete the information from our records.

In cases where consent is required under applicable law for processing data relating to children, and such consent must be provided by a parent or guardian, we will not process such data without first obtaining verified parental consent.

Links to third-party websites

Our website may contain links to external websites, plug-ins, or applications operated by third parties. Clicking on such links may allow those third parties to collect or process personal data about you in accordance with their own privacy practices. UML does not control these third-party sites and is not responsible for their content, privacy policies, or data security measures. We encourage you to carefully review their privacy policies before interacting with those websites.

Contact us

If you have any questions or concerns regarding this privacy notice or how your personal data is handled, please contact:

  • Full Name of Legal Entity: United Motors Lanka PLC
  • Designation: Data Protection Officer
  • Postal Address: 100, Hyde Park Corner, Colombo 2, Sri Lanka
  • Email Address: dpo@unitedmotors.lk
  • Extension: 0114 696 104