Privacy Policy

Introduction

The FITIS Digital Excellence Awards (DEX) is the premier national recognition programme celebrating digital innovation in Sri Lanka, organised by the Federation of Information Technology Industry Sri Lanka (FITIS). FITIS is an industry body and a registered non-governmental organisation (NGO).

This Privacy Policy describes how FITIS collects, uses, discloses, retains, and protects personal data in connection with the DEX Awards programme and its associated digital platforms. It applies to all participants, applicants, judges, sponsors, and website visitors.

By accessing the DEX website, submitting an application, or engaging with any DEX digital channel, you acknowledge that you have read and understood this Privacy Policy.

1. Information We Collect

We collect personal data only to the extent necessary to administer the DEX Awards. This may include:

1.1 Identity & Contact Information

• Full name
• Organisation name and type
• Job title / designation
• Email address
• Telephone number
• Postal and registered business address

1.2 Award Application Data

• Application form responses
• Supporting documents, case studies, and media files uploaded during submission
• Declarations and certifications made by the applicant

1.3 Financial Information

• Payment card details or bank transfer records (processed via PCI-DSS compliant payment gateways; FITIS does not store raw card data)
• Invoice and receipt records

1.4 Technical & Usage Data

• IP address, browser type, operating system, and device identifiers
• Website navigation data, referral URLs, and session duration
• Cookies and similar tracking technologies (see Section 5)

1.5 Communications

• Emails, messages, or feedback submitted to FITIS
• Correspondence related to judging, appeals, or enquiries

2. Legal Basis for Processing

FITIS processes personal data in accordance with the Personal Data Protection Act, No. 9 of 2022 (PDPA) of Sri Lanka. Our legal bases include:

• Contractual necessity: To fulfil obligations arising from award participation and registration agreements.
• Legitimate interests: To administer and improve the DEX Awards programme.
• Legal obligation: To comply with applicable Sri Lankan law, regulatory directives, and financial reporting requirements.
• Consent: For optional marketing communications, where you have provided explicit consent.

3. How We Use Your Information

Personal data collected is used strictly for the following purposes:

• Processing, evaluating, and administering award applications;
• Verifying the accuracy and authenticity of submitted information;
• Managing participant and judge registrations;
• Coordinating and facilitating judging panel activities;
• Communicating important award updates, results, and event logistics;
• Issuing certificates, trophies, and recognition materials to winners;
• Publishing winner names, organisation names, and category titles in award announcements and FITIS publications (personal contact details are not published without consent);
• Improving the DEX website, digital submission platform, and user experience;
• Sending event-related announcements and, where you have consented, promotional communications;
• Maintaining financial records and fulfilling statutory reporting obligations;
• Responding to enquiries, disputes, or appeals.

4. Award Submission Confidentiality

FITIS recognises that award submissions may contain commercially sensitive or proprietary information. The following safeguards apply:

• All submissions are classified as confidential and accessible only to authorised personnel;
• Access is strictly limited to: the DEX Organising Committee, authorised judges assigned to the relevant category, and technical administrators managing the submission platform;
• All judges are required to sign a Confidentiality and Conflict-of-Interest Declaration prior to accessing submissions;
• Judges must recuse themselves from evaluating submissions where a conflict of interest exists;
• Submission data is not used for any commercial, competitive, or non-DEX purpose;
• Anonymisation of submissions may be applied where required for fair evaluation.

5. Cookies and Tracking Technologies

The DEX website uses cookies and similar technologies to enhance the user experience and gather aggregated usage analytics. Cookie categories include:

• Essential / strictly necessary cookies: Required for core website functionality (login sessions, form tokens); cannot be disabled without impairing website operation.
• Functional cookies: Remember user preferences (language, region).
• Analytics cookies: Aggregate, anonymised data used to analyse traffic and improve website performance (e.g., Google Analytics).
• Marketing / advertising cookies: Used only where explicit consent has been obtained.

You may manage your cookie preferences at any time via the Cookie Settings panel on the website. Disabling non-essential cookies will not affect your ability to submit an application. Please refer to our separate Cookie Policy for full details.

6. Sharing and Disclosure of Information

FITIS does not sell, rent, or trade personal data. Disclosure is limited to the following circumstances:

6.1 Internal Recipients

• FITIS staff and volunteers involved in award administration.
• Authorised judging panels (limited to information relevant to their assigned category).

6.2 Trusted Service Providers

• Technology partners providing website hosting, cloud infrastructure, or the digital submission platform (bound by data processing agreements).
• Payment service providers (PCI-DSS compliant; receive only necessary payment data).
• Event management, printing, or logistics partners (receive only necessary event data).

6.3 Legal and Regulatory Disclosure

• Government authorities, regulatory bodies, or courts where disclosure is required by applicable Sri Lankan law or a lawful order.

All third-party service providers are contractually required to process data only on FITIS's documented instructions, maintain appropriate security controls, and not use the data for any independent purpose.

7. Data Security

FITIS implements appropriate administrative, technical, and organisational measures to protect personal data against unauthorised access, disclosure, alteration, loss, or destruction. These measures include:

• Encrypted data transmission using TLS/HTTPS protocols;
• Access controls and role-based permissions for internal systems;
• Regular security assessments and vulnerability management;
• Secure cloud infrastructure with reputable, certified providers;
• Staff awareness and data protection training.

While FITIS takes reasonable precautions, no online system can guarantee absolute security. In the event of a personal data breach that poses a risk to individuals, FITIS will notify affected parties and relevant authorities in accordance with applicable legal requirements and within mandated timeframes.

8. Data Retention

FITIS retains personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Indicative retention periods are:

• Award application records: 7 years from the date of the relevant DEX Awards ceremony.
• Financial / payment records: 7 years in accordance with Sri Lankan financial regulatory requirements.
• Website usage / analytics: Up to 26 months (aggregated; anonymised thereafter).
• Marketing communications: Until consent is withdrawn or 3 years of inactivity, whichever is earlier.
• Judge declarations: 7 years from the relevant awards cycle.

After the applicable retention period, data will be securely deleted or irreversibly anonymised.

9. Your Rights

Subject to applicable Sri Lankan law, you have the following rights regarding your personal data:

• Right of access: Request a copy of your personal data held by FITIS.
• Right to rectification: Request correction of inaccurate or incomplete information.
• Right to erasure: Request deletion of your data where there is no overriding legal basis for retention.
• Right to restriction: Request that we limit processing of your data in certain circumstances.
• Right to object: Object to processing based on legitimate interests.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint: If you are dissatisfied with how FITIS handles your data, you may file a complaint with the designated Data Protection Authority of Sri Lanka once established, or contact us directly.

To exercise any of the above rights, please submit a written request to digital@fitis.lk. We will respond within 30 days of receipt. Identity verification may be required before processing your request.

10. Third-Party Links and Services

The DEX website may contain hyperlinks to external websites, social media platforms, or embedded third-party services (e.g., payment gateways, analytics tools). FITIS is not responsible for the privacy practices, security, or content of such third-party sites. We recommend reviewing the privacy policies of any third-party services you access.

11. Children's Privacy

The Digital Excellence Awards programme is intended exclusively for business professionals, organisations, and entities. FITIS does not knowingly collect personal data from individuals under the age of 18. If we become aware that personal data has been collected from a minor without verified parental consent, we will take immediate steps to delete such data.

12. International Data Transfers

Where personal data is transferred to or processed by service providers located outside Sri Lanka, FITIS will ensure that appropriate safeguards are in place — including contractual protections equivalent to those required under Sri Lankan law — prior to such transfer.

13. Updates to This Privacy Policy

FITIS may update this Privacy Policy periodically to reflect changes in legal requirements, technology, or our operational practices. The revised policy will be published on this page with the updated effective date. Material changes will be communicated via email to registered participants where practicable. Continued use of the DEX website or services after the revised policy is published constitutes your acceptance of the changes.

14. Contact Us

For any queries, concerns, or requests relating to this Privacy Policy or your personal data, please contact FITIS using the details below:

• Organisation: Federation of Information Technology Industry Sri Lanka (FITIS)
• Programme: FITIS Digital Excellence Awards (DEX) 2026
• Email: digital@fitis.lk
• Role: DEX Awards Secretariat / Data Controller

Document Control