Effective Date: 17 August 2025

1. Introduction

ACMI Group (“ACMI,” “we,” “us,” or “our”) is a multidisciplinary professional services firm headquartered at 09-5/1, Station Road, Colombo 04, Sri Lanka. We provide accounting, audit & assurance, tax, legal, company secretarial, and HR services to clients in Sri Lanka and abroad. Protecting personal data is integral to our commitment to ethical and professional services.

Sri Lanka enacted the Personal Data Protection Act, No. 9 of 2022 (PDPA), the first comprehensive data protection law in South Asia, which is inspired by the EU General Data Protection Regulation (GDPR) and imposes obligations on controllers and processors. This Privacy Policy explains how ACMI collects, uses, shares, retains, and protects personal data in line with the PDPA and other applicable laws. Note: Certain PDPA parts are already in force, while the commencement of other core provisions is pending further government notification following Gazette No. 2427/34 (March 14, 2025).

2. Scope

This Privacy Policy applies to all personal data processed by ACMI in connection with our professional services and website.

Under the Personal Data Protection Act, No. 9 of 2022 (PDPA), the law applies to:

  • processing of personal data carried out within Sri Lanka;
  • controllers or processors that are incorporated, domiciled, or established in Sri Lanka; and
  • entities that, while not established in Sri Lanka, offer goods or services to individuals in Sri Lanka.

The PDPA does not apply to personal data processed solely for personal or household purposes.

3. Information We Collect

We collect personal data only when it is relevant, adequate, and limited to a specified, explicit, and legitimate purpose in line with the PDPA. Depending on your relationship with ACMI, we may collect the following categories of data:

  • Contact information: name, mailing address, email address, telephone number, and similar identifiers.
  • Identity and registration data: national identity card numbers, tax identification numbers, company registration numbers, passport details, or other government-issued identifiers required to meet legal and regulatory obligations.
  • Financial and transactional information: bank account details, payment information, and records of transactions related to services we provide.
  • Employment and HR data: curriculum vitae, employment history, references, and other details shared during recruitment processes or HR services.
  • Technical data: IP address, browser type, device identifiers, log data, and cookies collected automatically when you visit our website. Cookies may be used for analytics, security, and improving user experience.
  • Other information you provide: details you voluntarily supply through enquiries, forms, surveys, or direct interactions with our team.

Note: ACMI does not intentionally collect sensitive personal data (such as health information or biometric identifiers) unless required by law or directly relevant to the services we provide. If collected, such data will be subject to additional safeguards.

4. How We Collect Data

Direct interactions: You may provide personal data directly to us by filling out forms, contacting us by email or phone, signing up for newsletters, attending events, providing documents for our professional services, or submitting job applications.

Automated technologies: When you use our website, we may automatically collect technical information (such as IP address, browser type, and browsing activity) through cookies and similar technologies. These tools help us understand how visitors use the site and improve user experience. Where required by law, we will seek your consent for non-essential cookies. You can adjust your browser settings to block or delete cookies, though certain features of the site may not work properly.

Third parties: We may obtain data from trusted third parties such as business partners, recruitment agencies, regulatory bodies, credit reference agencies, payment processors, and public databases, but only as permitted by law and where it is necessary for our professional services.

5. Purpose and Use of Personal Data

Under the Personal Data Protection Act, No. 9 of 2022 (PDPA), processing must be for a specified, explicit, and legitimate purpose, and limited to what is adequate, relevant, and proportionate. ACMI processes personal data for the following purposes:

  • Providing professional services: delivering accounting, audit & assurance, tax, legal, company secretarial, and HR services; managing client engagements; and issuing deliverables.
  • Contract administration: preparing proposals, contracts, service agreements, and invoices; responding to enquiries and requests for proposals.
  • Regulatory compliance: fulfilling obligations under Sri Lankan law (including tax, anti-money laundering, company law, and labour regulations) and professional standards.
  • Communication and support: responding to queries, sending important service updates, and providing client support.
  • Recruitment and HR: assessing job applications, conducting background checks (where permitted), administering employment contracts, and managing payroll and benefits.
  • Marketing: sending information about our services, events, or newsletters only where you have provided consent. We do not send marketing communications without prior opt-in consent, and you may withdraw consent at any time.
  • Website analytics and improvements: monitoring site usage, analysing trends, troubleshooting issues, and improving user experience.
  • Legal defence and security: protecting our rights and property, enforcing agreements, preventing or investigating fraud, and responding to legal claims or regulatory requests.

We will not process personal data for purposes incompatible with the above without first informing you and obtaining consent where required.

Our processing relies on lawful bases including consent, performance of a contract, compliance with a legal obligation, or legitimate interests. In line with the PDPA, we also commit to ensuring accuracy, storage limitation, integrity and confidentiality, transparency, and accountability throughout the data lifecycle.

6. Data Sharing and Disclosure

ACMI does not sell your personal data. We only disclose data in the following circumstances:

  • Affiliates and service providers: We may share data with affiliated entities within ACMI Group and with trusted service providers (e.g., IT support, cloud hosting, data analytics, payroll administration, recruitment, background checks, or professional advisers). These providers act under strict confidentiality and data protection obligations and may process data only as necessary to deliver their services.
  • Professional advisers: We may share data with auditors, accountants, lawyers, consultants, or other professional advisers where necessary to provide our services.
  • Regulators and authorities: We may disclose data to regulatory or law enforcement agencies, courts, or government bodies where required by law or to meet professional or regulatory obligations.
  • Business transfers: In the event of a merger, acquisition, restructuring, or sale of part or all of our business, personal data may be transferred to the acquiring entity. We will take appropriate steps to maintain confidentiality and protect your rights.
  • With your consent: We may share data with third parties where you have expressly consented to such sharing.

Cross-border transfers: Where personal data is transferred outside Sri Lanka, for example, to cloud servers or affiliates overseas, we will ensure such transfers comply with the PDPA, using safeguards such as adequacy decisions, contractual clauses, or explicit consent.

7. Cookies and Similar Technologies

Cookies are small text files placed on your device when you visit our website. We use cookies and similar technologies to:

  • ensure the website functions properly;
  • understand how visitors use our site;
  • remember your preferences; and
  • provide relevant and tailored content.

Some cookies are essential for the operation of the website and do not require your consent. Other cookies, such as those used for analytics or marketing, are non-essential and will only be used with your consent.

You can manage or withdraw your cookie preferences at any time through your browser settings. For more details about the types of cookies we use and how they are managed, please see our Cookie Policy.

8. Data Security

ACMI implements appropriate technical and organisational measures to protect the integrity, confidentiality, and availability of personal data. These measures include, where relevant:

  • encryption and pseudonymisation;
  • strict access controls and role-based permissions;
  • secure data storage and backup;
  • regular vulnerability assessments and security audits;
  • employee awareness training; and
  • internal policies and procedures on data protection.

We also require our service providers and business partners to implement equivalent safeguards when handling data on our behalf.

While we take every reasonable step to protect personal data, no system can be guaranteed to be completely secure.

In the event of a personal data breach, ACMI will:

  • notify the Data Protection Authority of Sri Lanka without undue delay; and
  • where the breach is likely to result in a high risk to individuals’ rights and freedoms, promptly inform the affected individuals.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable laws and professional obligations. For example, accounting, tax, labour, and anti-money laundering regulations may require us to retain certain records for defined statutory periods.

When personal data is no longer required, we will either securely delete it, anonymise it, or otherwise remove identifying details so that it can no longer be associated with an individual.

Retention periods are determined based on:

  • the purpose for which the data was collected;
  • the nature and sensitivity of the data;
  • legal, regulatory, or professional retention requirements; and
  • the potential risk of harm from unauthorised use or disclosure.

10. International Data Transfers

ACMI may transfer personal data to service providers or affiliates located outside Sri Lanka. Under Sri Lanka’s Personal Data Protection Act (PDPA), such transfers are subject to strict controls.

Key requirements:

  • There are currently no countries deemed “adequate” by the Data Protection Authority (DPA) or Minister of Sri Lanka.
  • Private entities (like ACMI) may still transfer data abroad if they:
    • Implement appropriate safeguards, such as binding corporate rules, contractual clauses, certification schemes, or cross-border impact assessments; and/or
    • Rely on a PDPA exception, including:
      • Explicit consent (after informing you of the risks);
      • Necessity for the performance of a contract;
      • Establishing, exercising, or defending legal claims;
      • Public interest reasons; or
      • Emergency circumstances (e.g., to protect life or health).

Where data is transferred internationally, ACMI will:

  • Rely on PDPA-compliant safeguards or exceptions;
  • Preferably document transfers via written, enforceable instruments;
  • Inform you about such transfers via our Privacy or Cookie policy.

11. Data Subject Rights

The PDPA grants data subjects several rights, and ACMI respects these rights while facilitating their exercise:

  • Right of access: You may request access to the personal information we hold about you.
  • Right to withdraw consent and object: You may withdraw your consent or object to certain processing activities at any time.
  • Right to rectification: You may request correction of inaccurate or incomplete personal information.
  • Right to erasure: You may request deletion of your personal information under certain circumstances.
  • Right to restrict processing and right to portability: Where applicable, you may request restriction of processing or obtain a copy of your data in a portable format.

We aim to respond to requests within 21 business days, as required by the PDPA. Some requests may be subject to legal or regulatory exemptions.

12. Data Privacy Officer

Where required under the PDPA, ACMI Group will appoint a Data Protection Officer (DPO) to oversee our data protection programme. The DPO will advise on compliance, monitor adherence to data protection principles, provide guidance to staff, and serve as a point of contact with the Data Protection Authority.

If you have questions regarding this policy or wish to exercise your data subject rights, you may also reach us at [email protected] or write to us at our postal address listed below.

13. Marketing Communications

We will only send you marketing or promotional communications if you have provided your prior consent, in line with Sri Lanka’s Personal Data Protection Act, No. 9 of 2022 (PDPA). You may opt out of receiving such communications at any time by following the unsubscribe instructions in the message or by contacting us directly.

14. Children

Our services are intended for use by adults and are not directed at children under the age of 18. We do not knowingly collect, use, or disclose personal information from individuals under 18. If you believe that a child has provided us with personal information, please contact us immediately. We will take steps to verify and promptly delete such information from our systems.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, business practices, or legal requirements. When we make material changes, we will update the “Effective Date” at the top of this page and post the revised policy on our website. We encourage you to review this policy periodically to stay informed about how we protect your information.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, you may contact us at:

ACMI Group
No. 09-5/1, Station Road, Colombo 04, Sri Lanka
Telephone: +94 11 2 559 362
Mobile: +94 777 780 087
Email: [email protected]


You also have the right to lodge a complaint with the Data Protection Authority of Sri Lanka if you believe we have not complied with the Personal Data Protection Act (PDPA).