
Canada Privacy Laws

Overview

BREACH NOTIFICATION – Mandated Timeframe
As soon as feasible

FINES & PENALTIES – Violations
Up to $100,000

Legal

Regulation Levels

  • Breach Reporting
  • Consumer Notification
  • Vendor Management
  • Vendor Contract Required

PRIVACY AND SECURITY LAWS

Laws governing the privacy and security of personal information.

QUICK FACTS

Canada Privacy Law Information

CANADA'S PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA)

Privacy law in Canada is a mixture of federal and provincial statutes and is based on the 10 principles of fair information practice. Private-sector Organizations in Canada that collect, use or disclose personal information in the course of commercial activity are subject to PIPEDA. Federally-regulated businesses operating in Canada and engaged in commercial activity (FWUBs) are subject to PIPEDA, including with respect to their employees’ personal information. All businesses operating in Canada that handle personal information crossing provincial or national borders are subject to PIPEDA.

AUDIT

Organizations must keep internal records of their personal information management practices. The Office of the Privacy Commissioner of Canada (the “OPC”) has the right to audit an Organization’s records. Organizations have the right to inspect or audit a Vendor’s policies and procedures for handling and protecting personal information.

PRIVACY PROGRAM

Organizations and their Vendors that process personal information in the course of commercial, for-profit activities must designate one or more individuals to be responsible for personal information under the Organization’s control. Organizations and their Vendors must have policies and procedures in place for the handling, protection and security of personal information.

DATA SUBJECT ACCESS REQUEST

Consumers have the right to request access to their personal information, request correction of it, withdraw consent or have it deleted, and to know that it will be safeguarded. Organizations must establish a process to ensure that all Vendors processing that consumer’s information update the information as necessary.

CONSUMER RIGHTS

PIPEDA requires Organizations to obtain individuals’ consent to collect, use or disclose their personal information. Individuals have the right to know what personal information is being collected, and for what purposes it is being collected and used. Organizations transferring personal information to a Vendor located in a foreign jurisdiction are required to inform consumers that their personal information may be accessed by foreign courts, law enforcement and national security authorities in the foreign Vendor’s jurisdiction.

BREACH REPORTING

Breach reporting and consumer notification are mandatory. If a Vendor experiences a breach of security safeguards involving an Organization’s personal information, the Vendor must notify the Organization. An Organization required to complete breach notification must also notify any entities or governmental institutions it believes can assist with reducing the risk of harm to the affected individuals (e.g., law enforcement, Vendors). Organizations must keep internal records of every breach incident involving personal information under their control, even where it was determined that there was no real risk of significant harm and the breach did not have to be reported to the OPC.

CONSUMER NOTIFICATION

Organizations transferring personal information to a Vendor located in a foreign jurisdiction are required to inform consumers that their personal information may be accessed by foreign courts, law enforcement and national security authorities in the foreign Vendor’s jurisdiction. The Organization in control of the personal information is responsible for any necessary consumer notifications and/or breach reporting to the OPC if it is determined that the breach creates a real risk of significant harm (RROSH) to one or more individuals.

VENDOR/THIRD PARTIES

An Organization with the direct consumer relationship is responsible for personal information in its possession and custody, including information it transfers to Vendors for processing. Organizations must contract with Vendors for the processing of personal information, or must maintain strict oversight (e.g., auditing) of Vendors if no contract exists. Vendors processing personal information in an international jurisdiction are subject to the laws of that country, and a contract cannot override those laws. Organizations should therefore pay close attention to the legal requirements within each foreign Vendor’s jurisdiction.

FINES & PENALTIES

Failure to comply with PIPEDA’s data breach notification and record-keeping requirements can result in fines of up to $100,000. PIPEDA is overseen by the Office of the Privacy Commissioner of Canada.

Canada Statutes and Laws

PIPEDA

CANADA’S PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT

DISCLAIMER

The information provided is not legal guidance or a recommendation and is for informational purposes only.