Vendors

This Privacy Statement governs the way Cinnamon Hotel Management Limited (“Company”) [company registration number PB 7] of No. 117, Sir Chittampalam A. Gardiner Mawatha, Colombo 02, Sri Lanka and the hotels it operates under the Cinnamon Brand (jointly “Cinnamon Hotels & Resorts”) collects, uses, maintains and discloses information collected before, during, and after your business relationship with Cinnamon Hotels & Resorts. This Statement applies to Suppliers, Service Providers and Business Partners (“Vendors”,” You”) who are involved in, but not limited to, the selling or buying of goods, services and other business transactions with Cinnamon Hotels & Resorts. This Privacy Statement may also be referred to as the “Vendor Privacy Policy” and forms part of your contract.

1. WHAT PERSONAL DATA DO WE COLLECT?

We collect, maintain, and use different types of Personal Information in the context of our business or potential business relationship with you. Please always use your business email, phone or other official contact information when communicating with us in the capacity of a vendor.  The following provides examples of the type of information that we collect from you.

Personal Information:

  • Name
  • Email Address
  • Phone Number
  • Employer

Financial Information:

  • Bank Account Details
  • Payment Card Information
  • Financial Status and history
  • Tax details
  • Audit reports

Onsite Visit Information:

  • Vehicle Information
  • CCTV Footage

Government Documents:

  • Business Registration Documents
  • National Identity Card or Passport
  • Other Relevant Government-Issued Identification

Publicly available information :

  • Social media
  • Websites

2. WHEN DO WE COLLECT YOUR PERSONAL DATA?

We collect your personal data when you directly interact with us, such as sending us an email, filling a form or when you use any of our systems or applications. We also may collect your information from other John Keells Group Companies and third-party source like the internet, social media, private agencies or government authorities.

3. HOW DO WE USE YOUR PERSONAL DATA?

We always process your personal information based on one or more of the following legal grounds: your consent, contractual necessity, legitimate interests, legal obligation, vital interests, or public interest. Some of these instances are detailed below. 

  • To administer and manage our business relationship with you.
  • For internal operations, such as billing, accounting, and improving our services.
  • To comply with legal obligations, protect against fraud, and ensure the security of our systems.

4. WHOM DO WE DISCLOSE YOUR PERSONAL DATA TO?

  • To other John Keells Group Companies
  • To public authorities
  • To any other third-party organizations that are contracted with us to provide services
  • If another company acquires, or plans to acquire part of our business, we will also share information with that company.

5. TRANSFERS OF PERSONAL DATA

We may transfer your personal data outside of Sri Lanka. The transfer of your personal data is carried out under organizational, technical and contractual protection.

6. HOW DO WE PROTECT YOUR PERSONAL DATA?

We implement industry accepted security measures to protect your personal information from unauthorized access, use, disclosure, alteration, or destruction. However, please be aware that no system is completely secure. In the event of a data security breach that could potentially impact your personal information, we will take appropriate steps to investigate the incident and notify you as required by applicable laws and regulations.

7. HOW LONG DO WE RETAIN YOUR PERSONAL DATA?

We will retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Statement or as required by applicable laws and regulations.  Once the retention period expires, we will securely anonymize your personal information to prevent unauthorized access or disclosure.

8. WHAT ARE YOUR RIGHTS?

You have the right to access, correct, or request anonymization of your personal information. To exercise these rights, please contact the Data Protection officer at [email protected]. We will respond to your request within a reasonable timeframe. However we reserve the right to deny these requests at our discretion within the legal framework.

9. CONSEQUENCES OF NOT PROVIDING YOUR PERSONAL DATA

Failure to provide such information may:

  • Limit or prevent access to features on our website or digital platforms.
  • affect our ability to communicate with you.
  • Hinder the degree of our ability to enter into a contract with you
  • Be in violation of any applicable law or regulation that requires us to collect such personal data.

10. BY SUBMITTING PERSONAL DATA TO US, YOU ACKNOWLEDGE THAT:

You have read and understood this Privacy Statement and agree and consent to the use, processing, disclosure and transfer of personal data as set out herein.

All information and representations provided by you are true and correct to the best of your knowledge, and you have not knowingly omitted any relevant information.

If you are providing information on behalf of another person, you guarantee you have the authority to do so and they are aware of this privacy statement.

11. VENDOR DATA PROTECTION AND PRIVACY OBLIGATIONS

Vendors shall strictly comply with the European Union General Data Protection Regulation (GDPR), Sri Lanka Data Protection Act (PDPA) and all other applicable privacy or data protection related legislation at all times. The Company has the right to periodically request at its discretion for external audit reports from the Vendor, or conduct its own assessments from time to time, with the full support of the Vendor and at the sole cost of the Vendor. If there is any violation of legislation or written direction given by the company related to privacy or data protection to the Vendor, the Company has the right to terminate the contract with the Vendor. If there is any data breach, near miss or a violation of legislation by the Vendor, the Vendor must inform the Company within three calendar days.

12. WHOM CAN YOU CONTACT FOR MORE INFORMATION?

If you have any questions or complaints about this statement or about our privacy practices, kindly reach out to the Data Protection officer at [email protected]

13. UPDATES TO THE PRIVACY STATEMENT

We reserve the right to amend, modify, vary or update this Privacy Statement, at our discretion from time to time, as and when the need arises. The most recently published Privacy Statement shall prevail over any of its previous versions. We have no obligation to directly inform you of any changes and you have a responsibility to periodically review https://www.cinnamonhotels.com/privacy-statement for any changes.