Employee and Employment Candidates
This Privacy Statement governs the way Cinnamon Hotel Management Limited (“Company”) [company registration number PB 7] of No. 117, Sir Chittampalam A. Gardiner Mawatha, Colombo 02, Sri Lanka and the hotels it operates under the Cinnamon Brand (jointly “Cinnamon Hotels & Resorts”) collects, uses, maintains and discloses information collected before, during, and after your working relationship with Cinnamon Hotels & Resorts. It applies to all permanent and temporary employees, workers, contractors, past employees and any other individuals who are working for us but are not directly employed (“employees” or “you”). It also applies to those who have applied for employment with Cinnamon Hotels & Resorts (“employment candidates” or “you”). This privacy statement may also be referred to as the “Employee & Employment Candidate Privacy Policy”.
1. WHAT PERSONAL DATA DO WE COLLECT?
We collect, maintain, and use different types of Personal data in the context of our employment relationship or potential employment relationship with you. The following provides examples of the type of information that we collect from you and how we use the information.
- Contact information (such as name, address, telephone number, email address, etc.)
- Unique Identifiers (such as national identity card, passport, driver’s license etc.)
- Educational and professional information (qualifications and licenses etc.)
- Employment history (previous employment records, information of and from referees, information from your social media accounts such as LinkedIn and from other John Keells Group companies)
- Special categories of personal information (police reports, grama sevaka certificates, religion, Biometrics, gender, race, nationality, medical reports)
- Financial information (bank account details, credit and debit card etc.)
- Technology equipment and system information (call logs, system usage logs, browsing history etc.)
- Audio recordings
- Photographs and CCTV footage
- Contact details of your family or other relationships for emergency
- Other master data required such as marital status, spouse and dependent children with name and date of birth, residence permit (when applicable), work permit (when applicable) and tax information
2. HOW DO WE USE AND PROCESS YOUR PERSONAL DATA?
- Your personal data is only used for lawful and necessary purposes in furtherance of your employment and/or as per our requirement to comply with any of our contractual and legal obligations.
- Most commonly, we will rely on the following types of lawful basis to process your Personal Data:
- Legitimate Interests: The legitimate interests of CH&R in conducting and managing its business in order to ensure a high standard of service, secure experience and legal compliance. We use best endeavors to balance any potential impact on you and your rights (both positive and negative) prior to processing your Personal Data for our legitimate interests. We will not use your Personal Data for activities where our interests are overridden by the impact on you (save with your express consent or as required/permitted by law).
- Performance of Contract: Processing and using your data is necessary for the performance of any services or contract to which you are a party or to take steps at your request before entering into such a contract and the provision of the same to our service providers, agents and other parties as required for the purpose of facilitating the performance of the contract with you.
- Comply with a legal or regulatory obligation: It may be necessary for us to process your Personal Data to ensure compliance with applicable legal obligations or to comply with requests from Government, law enforcement, regulatory, judicial or related authorities in relation to obligations under law, regulation, national or public security or related inquiry.
- Consent: Where you have explicitly provided your consent, we will process your Personal Data for the specific purpose(s) for which that consent was obtained. You have the right to withdraw your consent at any time; however, this will not affect the lawfulness of any processing carried out prior to withdrawal. Where consent is the basis for processing, we will ensure that it is freely given, informed, specific, and unambiguous.
- Public Interest: We may process your Personal Data where such processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in CH&R. This may include situations where processing is required to support public functions or statutory duties that contribute to broader societal or community objectives, while ensuring that your rights and freedoms are respected.
- Vital Interests: In rare circumstances, we may process your Personal Data where it is necessary to protect your vital interests or those of another individual. This basis will only be relied upon where the processing is essential to protect someone’s life or physical safety, and when no other lawful basis is available.
3. WHEN DO WE COLLECT YOUR PERSONAL DATA?
- When you make an employment application (such as to us through the website, by post or in person).
- When you communicate with us (such as via SMS, telephone calls, emails, etc.).
- From external agencies (such as employment agencies or background check providers).
- When you visit any of our premises.
- From your referees.
- From your previous employers.
- From anyone with whom you may have or had a business relationship.
- From your doctor or other medical professional.
- From our surveillance camera (CCTV) system.
- From other John Keells Group companies.
4. HOW DO WE USE YOUR PERSONAL DATA?
For employment Candidates
| Purpose/Activity | Lawful Basis for Processing |
| Necessary for our legitimate interests (to assess candidate suitability, verify information, maintain an effective recruitment process, and support business operations) or; To comply with our legal obligations (where checks or disclosures are required by law) or; To protect vital interests (when contacting you or your emergency contact in an emergency) or; Necessary for obtaining explicit consent (to collect, process, and share sensitive personal information, including health-related data, for pre-employment medical checkups and related assessments). |
For Employees (in addition to the above):
| I. Human Resources Management:
| Necessary for the performance of the employment contract (to manage the employment relationship, fulfil contractual obligations, and support employee development) or; Necessary for our legitimate interests (to maintain an effective HR function, ensure fair management practices, support workforce planning, and maintain a productive organizational environment) or; Necessary for obtaining explicit consent (to collect, process, and share sensitive personal information, including health-related data, for pre-employment medical checkups and related assessments, and to ensure compliance with applicable data protection laws while protecting the rights of employees and prospective employees). |
| II. Legal and Regulatory Compliance:
| Necessary to comply with our legal obligations (to meet statutory, regulatory, immigration, and compliance requirements) or; Necessary for the performance of the employment contract (to administer essential employment processes and ensure lawful continuation of the employment relationship). |
| III. Business Operations:
| Necessary for our legitimate interests (to ensure the security and integrity of our operations, maintain effective financial and administrative processes, uphold governance standards, and facilitate organizational activities). |
Obtaining and Handling Your Consent
When we collect your personal data, we’ll let you know whether the details we’re asking for are optional. If you share personal data about your spouse or children, we trust that you’ve received their permission to do so. Please note that choosing not to provide certain details may limit access to some benefits or services, for example, if you choose not to provide information about your spouse, you may not be able to receive spousal coverage under employer-sponsored health insurance.
Testimonials and Event Coverage
From time to time, we may use photos, videos, or testimonials to showcase our vendor partnerships, events, or collaborative achievements. If you do not want your personal data to be shared or published, you can let us know anytime by contacting our Data Protection Officer (DPO). Please note that this would not affect your employment.
5. WHOM DO WE DISCLOSE YOUR PERSONAL DATA TO?
- To other John Keells Group Companies
- To public authorities
- To any other third-party organizations that are contracted with us to provide service such as external auditors, insurance companies, business card printers etc.
- If another company acquires, or plans to acquire part of our business, we will also share information with that company.
In addition to the above, our service providers may, while providing you services, directly collect personal data from you. You are required to read the privacy policy of every such service provider and direct any clarification to them. We have no control over their privacy practices and assume no responsibility.
6. TRANSFERS OF PERSONAL DATA
Please note that personal information submitted to us may be transferred to, stored, and processed on cloud servers located in and outside of Sri Lanka, in accordance with applicable laws and regulations. The transfer of your personal data is carried out under organizational, technical and contractual protection.
7. HOW DO WE PROTECT YOUR PERSONAL DATA?
We implement industry accepted security measures to protect your personal information from unauthorized access, use, disclosure, alteration, or destruction. However, please be aware that no system is completely secure. In the event of a data security breach that could potentially impact your personal information, we will take appropriate steps to investigate the incident and notify you as required by applicable laws and regulations.
8. HOW LONG DO WE RETAIN YOUR PERSONAL DATA?
We will retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Statement or as required by applicable laws and regulations. Once the retention period expires, we will dispose of or securely anonymize your personal information to prevent unauthorized access or disclosure.
9. WHAT ARE YOUR RIGHTS?
You have the right to be informed of, access, rectify/correct, erase, withdraw consent for, and object to the processing of your personal information. You also have the right to data portability and to inquire about automated individual decision-making... To exercise these rights, please contact your relevant HR Business Unit Head or the DPO. We will respond to your request within a reasonable timeframe. However, we reserve the right to decline such requests where permitted by law.
Appeal to the Data Protection Authority
If your request regarding the processing of your personal data is refused or not properly addressed, you have the right to appeal to the Sri Lankan Data Protection Authority (DPA) or a relevant Supervisory Authority.
No fee usually required
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is unfounded, unreasonable, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
10. CONSEQUENCES OF NOT PROVIDING YOUR PERSONAL DATA
Failure to provide such information may:
- Limit or prevent access to features on our website or digital platforms.
- Affect our ability to communicate with you.
- Hinder our ability to enter into a contract with you.
- Impact your chances of being selected for employment or internship.
- Be in violation of any applicable law or regulation that requires us to collect such personal data.
11. BY SUBMITTING PERSONAL DATA TO US, YOU ACKNOWLEDGE THAT:
- You have read and understood this Privacy Statement and agree to the usage, processing, disclosure and transfer of personal data as set out herein.
- All information and representations provided by you are true and correct to the best of your knowledge, and you have not knowingly omitted any relevant information.
- If you are providing information on behalf of another person, you guarantee you have the authority to do so and they are aware of this privacy statement.
12. CINNAMON DATA PROTECTION POLICY
All employees are required to read, understand and follow the Cinnamon Data Protection Policy, which is available on the internal intranet, HR or with your Data Protection Champion. We’ll do our best to keep you informed about any updates to this Privacy Statement. You’re also welcome to check back on it from time to time so you always know how we look after your personal information. Failure to adhere to the policy will result in disciplinary action.
13. WHOM CAN YOU CONTACT FOR MORE INFORMATION?
If you have any questions or complaints about this statement or about our privacy and information handling practices, kindly reach out to the Data Protection Officer at [email protected]
14. UPDATES TO THE PRIVACY NOTICE
We reserve the right to amend, modify, vary or update this Privacy Statement, at our discretion from time to time, as and when the need arises. The most recently published Privacy Notice shall prevail over any of its previous versions.
Last updated date: 10/12/2025