We understand that your personal data is important to you. Guided by our corporate values and our code of conduct, the Hayleys Way, we are committed to protecting your privacy and handling your information responsibly.
This Privacy Notice outlines the commitment of Hayleys PLC to the secure and transparent management of personal data. We operate in accordance with the Personal Data Protection Act No. 9 of 2022 of Sri Lanka (“PDPA”) and relevant international standards such as the European Union’s General Data Protection Regulation (GDPR), ensuring accountability across all our global touchpoints.
This notice applies to Hayleys PLC and all our subsidiaries. When we say “Hayleys,” “we,” or “us,” we refer to the Hayleys Group company you are interacting with.
For the purposes of this notice, “Personal Data”, “Data Controller” and “Data Processor” shall have the meanings assigned to them under the PDPA.

Who collects your Personal Data

Depending on the context, Hayleys acts as a Data Controller and may appoint third-party service providers as Data Processors acting on our written instructions. Depending on the service you use, the relevant Hayleys Group company you engage with may act as the Data Controller responsible for your information.
We are a globally present, diversified conglomerate with operations in over 20 countries. We comply with the PDPA and uphold equivalent international standards for data protection.

What Personal Data we collect

Hayleys limits data collection to the information necessary for specific business operations. We collect various types of Personal Data depending on your interaction with us, including (but not limited to):

  • Information you give us: Examples include your name, date of birth, ID or passport number, email, phone number and financial details for transactions.
  • Information collected automatically: Examples include IP address, browser type, device identifiers and website usage data (such as pages visited and time spent).

We ensure that all Personal Data collected is relevant, limited and used only for its intended purpose.

How we collect it

  • Directly when you fill out a form, apply for a job, or contact us.
  • Automatically through cookies and tracking tools that remember your preferences.
  • From others, occasionally from trusted partners or public sources (for example, if you interact with us through social media).

Why we use your Personal Data

We process your Personal Data based on consent, contractual necessity, legal obligation, or legitimate interests, as permitted under the PDPA.
Primary purposes include:

  • Service Delivery: Creating accounts, processing payments and delivering products.
  • Communication: Sending updates, responding to inquiries, or providing recruitment updates.
  • Improvement: Enhancing our websites and customer experiences through analytics.
  • Compliance and Safety: Preventing fraud, ensuring security or meeting legal or regulatory obligations.
  • Legal obligation or Legitimate Interests: Processing may also occur where we are obligated under law or in the interests of subjects, such as responding to emergencies affecting life, health, or safety.

Special Categories of Personal Data and Children

We only collect Personal Data which falls under the special categories of Personal Data as defined in the PDPA if it is essential, for example to support employment or safety. Such Personal Data may include biometric, genetic, criminal offence-related, health, and other categories set out in the PDPA. This is done with your explicit consent at all times.
Our websites and services are not intended for children under 16. If we become aware that we have collected such data without parental consent, we will delete it immediately. Parents or guardians can contact our Data Protection Officer to request its deletion.

Sharing your Personal Data

We do not sell or rent your Personal Data. We only share your Personal Data when necessary for the purposes outlined in this notice, such as fulfilling a contract with you or meeting legal or legitimate requirements.

  • Within the Hayleys Group to provide seamless service and unified support.
  • With trusted third-party service providers and partners (such as cloud or payment providers) under written agreements that enforce strict confidentiality and security obligations.
  • For legal or legitimate reasons – if required by law, court order, or regulatory authorities or to protect interests.

All our service providers process Personal Data only on our written instructions and are contractually required to maintain confidentiality, implement security measures, and delete or return Personal Data after completion of services.

Your rights

You are always in control of your Personal Data. Under the PDPA, you have the right to the following:

  • Access & Correction: Ask for a copy of your data or correct any inaccuracies.
  • Erasure (“Be Forgotten”): Request deletion of your data when it is no longer needed.
  • Restrict or Object: Limit how we use your data or object to certain processing.
  • Data Portability: Request your data in a format you can transfer elsewhere.
  • Withdraw Consent: Withdraw your consent for specific uses at any time.
  • Review of Automated Decisions: The right to request meaningful information about the logic involved and to ask for a human review of any automated decision that affects you.

These rights may also be exercised by authorised representatives, or by heirs within ten years of an individual’s passing, in accordance with the Act.
To exercise your rights, email us at DPO@hayleys.com. We will respond to you within a maximum of 21 working days. If we are unable to grant your request due to legal or security reasons, we will provide you with a written explanation for our decision.
If you are not satisfied with our response, you have the right to raise a complaint with the Data Protection Authority of Sri Lanka.

How we keep your Personal Data safe

Hayleys maintains a robust security framework. Technical safeguards, such as encryption and firewalls, are supplemented by strict internal access controls to ensure Personal Data is only accessible to personnel with a verified business requirement.
We also maintain incident response procedures to identify, investigate, and respond to Personal Data breaches in accordance with applicable legal requirements.
We also conduct assessments to identify and mitigate potential risks to your privacy.
All third-party service providers process Personal Data under written agreements with appropriate confidentiality and security obligations.

Data Protection Management Programme

Hayleys maintains a Data Protection Management Programme to ensure ongoing compliance with applicable data protection laws, including governance oversight, risk assessments, breach management, and continuous improvement.

How long we keep your Personal Data

Retention periods are determined based on legal requirements, contractual obligations, regulatory standards and operational necessity. A detailed retention schedule is maintained internally to ensure we do not keep your Personal Data longer than is required for its intended purpose.

How we protect cross-border transfers of Personal Data

For cross-border data processing, Hayleys implements adequacy safeguards and binding contracts to maintain a level of protection consistent with Sri Lankan law and international requirements.

Cookies and tracking

We use cookies to make your experience smoother by remembering your preferences. You can manage or disable cookies in your browser settings. However, please note that some parts of our site may not function fully without them.

Updates to this notice

This notice is subject to periodic review to ensure ongoing alignment with regulatory changes and the Hayleys Group’s operational standards. The latest version is made available on our website.

Contact our Data Protection Officer

If you have any questions, concerns, or wish to exercise your rights, please contact:

Data Protection Officer

Hayleys PLC, No. 400, Deans Road, Colombo 10, Sri Lanka

DPO@hayleys.com

Your trust matters deeply to us. This commitment to privacy reflects our identity as a responsible corporate citizen that values people and integrity in everything we do.

Last Updated: February 2026