Privacy Policy | Credit Information Bureau of Sri Lanka

The Credit Information Bureau of Sri Lanka (herein after referred to as “CRIB”), which was established by the Credit Information Bureau of Sri Lanka Act No 18 of 1990, as amended is an independent statutory body and a public - private partnership with the Monetary Board of the Central Bank of Sri Lanka holding the majority of equity. The rest of the shares are divested among other shareholder members of CRIB.

Safeguarding your privacy is the topmost priority for us. This Privacy Notice describes how and what type of personal data will be collected, why it is collected and to whom it is shared or revealed. Please take time to properly go through this Privacy Notice prior to sharing any personal data with us.

Note that this Privacy Notice has been revised to comply with the requirements of Personal Data Protection Act (PDPA) No. 09 of 2022, as amended.

The use of this website signifies your understanding and acceptance of the terms of this Privacy Notice. This Privacy Notice is incorporated into, and part of, the CRIB Website Terms and Conditions, which govern your use of this website.

1. What is CRIB’s Role under PDPA?

A Data Controller, as defined by the PDPA, is any natural or legal person which alone or jointly with others determines the purposes and the means of processing personal data and a data processor processes personal data on behalf of the Data Controller CRIB is legally authorized to collect, collate and synthesize data according to the said CRIB Act. As per the applicable data protection laws and regulations, CRIB is considered as a Data Controller.

Contact details of the data controller is mentioned under the section “How can you contact us?” of this privacy notice.

2. What personal data will be collected?

We will collect and process various types of personal data and/ or Special categories of personal data about you as follows:

Basic personal details (such as Full name, Gender, Date of Birth, Citizenship, Address, etc.)
National Identity Card/Passport/ Driving License Details
Contact details (e.g. Mobile No., Email address etc.)
Educational & Professional Experience & affiliations
Employment details (e.g. Employment, Employer details etc.)
Business Activities (e.g. Profession, Business details etc.)
Financial Details (e.g. Bank Account Details etc.)
Credit information (e.g. Credit facility details, Cheque details etc.)
Other Information (e.g. Utility details, Insurance details etc.)
Identification checks & background vetting
Photographic and video information (such as photos, CCTV etc.)
Genetic or biometric data

If you are visiting through the website, in addition to above, we will collect below data types as well;

IP Address
The website from which you visited us
The type of browser software used
The pages you visited on the CRIB website
The date, time and duration of your visit to the CRIB website

Note – Links to other Websites

The CRIB website may contain references or links to third-party websites/ services. We do not control what information third parties track or collect. Any access to and use of such third-party websites/ services is not governed by this Privacy Policy but is governed by the privacy policies of those respective third parties.

3. What are the purposes and legal basis for processing personal data?

We will process your personal data only on the legal basis mentioned under the PDPA in order;

To perform the functions of the CRIB as specified in the said CRIB Act
To comply with other legal obligations (e.g. under CRIB Act, tax, accounting etc.)
To perform contract administration
for customer/user administration (technical administration)
for maintaining business relationships;
for conducting research and development of the CRIB and analysis with regard to our business relations;
for fraud prevention and detection
for other legitimate interest of the Data Controller
for any other processing which you have specifically consented to

For the purposes indicated above, we will process personal data pertaining to you as receive (as per Section 7A of the said CRIB Act);

directly from you;
from the member institutions (the updated list is available at Member Institutions | Credit Information Bureau of Sri Lanka) and
from the Credit Granting Institutions (eg. Ceylon Electricity Board, National Water Supply and Drainage Board, Tele-Communication Services etc.)
from Insurance Companies
from Commissioner of Registrar of Persons
Registrar of Business Registration
Registrar of Companies

Where we undertake automated individual decision-making, including profiling, this privacy notice will disclose the underlying logic applied in reaching such decisions, together with the significance and the anticipated consequences of the processing for you.

4. Are Cookies used on the CRIB website?

Yes, Cookies assist us in managing and enhancing the usability of our Website, such as recognizing prior interactions from your device and identifying the most frequently accessed sections. A detailed explanation of cookie usage is provided through our Cookie policy, which enables you to set and manage your preferences, including granting or withdrawing consent at any time.

Saved cookie settings are intended to apply to future visits; however, due to technical factors beyond CRIB’s control, this cannot be assured. For instance, resetting your browser, deleting cookies, or accessing the Website from a different browser or device may result in the loss of your settings. In compliance with applicable laws and regulations, certain jurisdictions may require you to confirm or reset your cookie preferences upon initial or subsequent visits.

In addition, many browsers allow you to control cookies directly. Please ensure your browser settings reflect whether you wish to be notified of or accept the cookies (such as cookies), where supported. Guidance on these capabilities can typically be found in your browser’s manual or help resources.

Without such technologies, the availability of services offered through the Website may be diminished, and certain features may fail to operate properly.

5. Who will have access to your personal data?

We shall ensure that your personal data is processed in a manner consistent with the purposes specified above.

For the stated purposes, your personal data may be disclosed on request to designated parties acting as third party data controllers (as per Section 7B of the said CRIB Act);

Member institutions (the updated list is available at Member Institutions | Credit Information Bureau of Sri Lanka) and
The Central Bank
The Credit Granting Institutions (eg. Ceylon Electricity Board, National Water Supply and Drainage Board, Tele-Communication Services etc.)
Insurance Companies (with your consent)
International Credit Bureaus (with your consent)

For the stated purposes, we may also share your personal data with the following parties who operate as data processors who will ensure appropriate technical and organizational measures are in place;

Technical Consultants
Lawyers/ Law firms
Service companies (e.g. IT, document management, System Vendors etc.)

Finally, we may share your personal data in the following instances:

For the purpose of fulfilling legal obligations, including disclosures to the relevant ombudsman in the event you lodge a complaint regarding a product or service we have provided.
To comply with applicable legal or regulatory requirements through disclosures to law enforcement authorities, governmental agencies, and regulatory bodies.
In connection with any proposed or actual restructuring, merger, acquisition, joint venture, assignment, transfer, or other disposition of all or part of our business, assets, or shares (including in the context of insolvency or similar proceedings).

We will refrain from disclosing your personal data to any party who are not authorized to process those.

6. Where will my personal data be processed?

Your personal data is processed locally on a need to know basis by the parties identified above. We shall implement contractual safeguards to ensure confidentiality and security in accordance with applicable data protection laws and regulations. Disclosure of your personal data will not be made to any party lacking proper authorization to process such information.

In the event of a cross-border transfer data transfer, we will ensure to follow the requirements mentioned under the PDPA.

7. What are your rights in respect of your personal data?

Where permitted by applicable law or regulation, you have the right to:

Access your personal data held about you (Section 13 of the PDPA)
Withdraw your consent at any time where your personal data is processed with your consent (Section 14 of the PDPA);
Request the Data Controller to refrain from further processing your personal data where such processing is based on the grounds specified in item (e) of (f) of Schedule I or item (f) of Schedule II of the PDPA (Section 14 of the PDPA);
Rectify or complete your personal data to ensure accuracy (Section 15 of the PDPA);
Erase your personal data from our records if it is no longer needed for the purposes indicated above (Section 16 of the PDPA);
Request to review any decision based solely on automated processing (Section 18 of the PDPA)
File a complaint with us and/or the relevant Data Protection Authority (item (k) of Schedule V of the PDPA)

In order to exercise the above rights, please reach out to Data Protection Officer (Contact Details are mentioned under the section “How can you contact us?” below)

8. How can you object to the processing of your personal data?

Subject to the applicable law or regulation, you are entitled to object to the processing your personal data. Upon receiving such request, we will cease processing your personal data unless otherwise permitted under relevant legal framework. This right may be exercised in the same manner as your other rights described above.

9. How long do we keep your personal data?

We will retain your Personal Data solely for the period necessary to accomplish the purpose for which it was the purposes for which the data was collected for or to comply with the legal obligations. Your personal data will not be preserved beyond the period of necessity and shall be maintained exclusively for the purposes for which was originally obtained.

10. What are the consequences of not providing your personal data?

May prevent us from processing your application and/or delivering our products and services.
May hinder our ability to respond to your inquiries regarding our products and services.
May restrict or block access to certain features on our website, links, or digital platforms.
May prevent us from providing you with updates on promotions, product or service offerings, or new launches.
May result in your exclusion from invitations to promotional events organized by us.
May impair our ability to maintain effective communication with you.
May constitute non-compliance with applicable laws or regulations requiring the collection of such personal data.

11. How can you contact us?

You can contact us by any of the following means:

Via Post;
Data Protection Officer,
Data Protection Department,
Credit Information Bureau of Sri Lanka,
No. 201, Sir James Peiris Mawatha,
Colombo 02, Sri Lanka

Via Phone;
0112 13 13 38

Via email;
privacy@crib.lk

12. How often do we update this privacy notice?

This Privacy Notice is reviewed on a regular basis. However, CRIB reserves the right to at its discretion, to change this Privacy Notice at any time without prior notice. The caption "Last Updated" at the bottom of this Privacy Notice indicates the date on which the most recent updates were made to this Notice. Any changes to this Privacy Notice will become effective upon posting of the revised content on this site. Your use of the site following these changes signifies your acknowledgement and acceptance of this revised Privacy Notice. We encourage you to check this Privacy Notice from time to time when you use this website to keep yourself informed of the most recent revisions to this Privacy Notice.

Last updated – 18th May 2026.