
Canada: Overview of Vendor Privacy Contracts

September 2021

1. Governing Texts

1.1. Legislation

Please note that after Bill C-11 for the Digital Charter Implementation Act, 2020 ('DCIA') failed to pass on 15 August 2021, a new bill to reform Canada's private sector privacy law was introduced in the House of Commons on 16 June 2022. Bill C-27 for the Digital Charter Implementation Act 2022 is divided into three parts, each aimed at enacting a new Act, namely the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act. Bill C-27 is now under consideration in the Canadian Parliament.

1.2. Regulatory authority guidance

The Office of the Privacy Commissioner of Canada ('OPC') has issued the following guidance:

1.3. Regulatory authority templates

The OPC has not issued any templates for vendor contracts.

2. Definitions

Data controller | Data processor: There is no definition of data controller or data processor in PIPEDA. An 'organisation' that PIPEDA applies to is one that collects, uses or discloses personal information in the course of commercial activities; or, one that collects, uses or discloses personal information about an employee of, or an applicant for employment with, the organisation, in connection with the operation of a federal work, undertaking, or business (Section 2(1) of PIPEDA).

3. Contractual Requirements

3.1. Are there requirements for a contract to be in place between a controller and processor?

PIPEDA highlights that an organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing (Clause 4.1, Schedule 1 of PIPEDA).

PIPEDA allows for the transfer of personal information to a third party as long as the transferee organisation uses contractual or other means to provide a comparable level of protection while the information is being processed by a third party (Section 4.1.3 of Clause 4.1, Schedule 1 of PIPEDA).

The OPC advises that organisations that transfer personal information to third parties (page 9 of the Privacy Toolkit):

  • obtain appropriate consent from the customer/client for the transfer;
  • ensure the third party has identified a person to handle all privacy aspects of your contract with them;
  • limit the third party's use of any personal information you supply to the purposes specified to fulfil the contract;
  • limit any disclosure by the third party of this information to what is authorised by your organisation or required by law;
  • ensure the third party refers any people looking to access their personal information to your organisation;
  • ensure the third party returns or disposes of the transferred information upon completion of the contract;
  • ensure the third party uses appropriate security measures to protect the personal information; and
  • allow your organisation to audit the third party's compliance with the terms of your contract as necessary.

The OPC has noted that organisations can meet their obligations under PIPEDA's Accountability Principle by having contracts in place with the third party to provide guarantees of confidentiality and security of personal information as well as allowing for oversight, monitoring and auditing of services provided by the third party (the Accountability Interpretation Bulletin).

3.2. What content should be included?

PIPEDA does not explicitly outline any content which must be included; however, see Section 3.1. above for the contractual measures recommended by the OPC.

4. Data Subject Rights Handling & Assistance

4.1. Are processors required to assist controllers with handling of data subject requests?

PIPEDA does not explicitly require processors to assist controllers with the handling of requests from data subjects; however, the OPC recommends that organisations ensure that third parties have a designated person to handle the privacy aspects of the contract (page 9 of the Privacy Toolkit).

In addition, the OPC recommends that organisations ensure that third parties refer any people looking to access their personal information to the organisation (page 9 of the Privacy Toolkit).

Moreover, PIPEDA does provide for the right of access, among several other individual rights, which an organisation is expected to comply with.

For further information see Canada – Data Subject Rights.

5. Processor Recordkeeping

5.1. Are processors required to keep records of their processing activities?

An organisation is required to document the purposes for which personal information is collected in order to comply with the Openness principle of PIPEDA in Schedule 1, Clause 4.8 and the Individual Access principle of PIPEDA in Schedule 1, Clause 4.9.

An organisation is also required to notify the OPC if it uses personal information without the knowledge or consent of the individual to whom the personal information relates for statistical, scholarly study, or research purposes, where those purposes cannot be achieved without using the information, it would be impractical to obtain consent, and the confidentiality of the information is maintained (Section 7(2)(c) of PIPEDA).

6. Security Measures

6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?

PIPEDA requires organisations to implement appropriate safeguards to protect against loss or theft, as well as unauthorised access, disclosure, copying, use, or modification. The personal information must be protected regardless of its format (Section 4.7.1 of Clause 4.7 of Schedule 1 of PIPEDA).

PIPEDA provides for varying safeguards depending on the sensitivity of the information which has been collected, the amount, distribution, and format of the information, and the method of storage, with more sensitive information being given a higher level of protection (Section 4.7.1 of Clause 4.7 of Schedule 1 of PIPEDA).

The methods of protection used by organisations should include physical, organisational, and technological measures (Section 4.7.3 of Clause 4.7 of Schedule 1 of PIPEDA).

Organisations are further required to make their employees aware of the importance of confidentiality (Section 4.7.4 of Clause 4.7 of Schedule 1 of PIPEDA), and care should be taken in the disposal or destruction of personal information to prevent unauthorised access (Section 4.7.5 of Clause 4.7 of Schedule 1 of PIPEDA).

7. Breach Notification

7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?

PIPEDA stipulates that, in case of a breach of personal information held by an organisation, the organisation must notify the OPC where it is reasonable to believe that the breach creates a 'real risk of significant harm' to an affected individual (Section 10.1(1) of PIPEDA).

The OPC advises organisations to ensure that sufficient contractual arrangements are in place with the third party to set out compliance with PIPEDA's breach provisions. However, the OPC notes that assessing which organisation is in control of the personal information must be done on a case-by-case basis. If a third party uses or discloses the same personal information as the organisation, but for its own purposes, then it is acting as the organisation in control and not on behalf of the primary organisation (the Breach Guidance).

For further information see Canada – Data Breach.

8. Subprocessor

8.1. Are subprocessors regulated? If so, what obligations are imposed?

The OPC advises that, if a third party wishes to sub-contract all or part of the services it provides to an organisation, the agreement between the organisation and the third party outlining obligations and expectations must include provisions on sub-contracting (the Accountability Interpretation Bulletin).

9. Cross-Border Transfers

9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?

The Cross-border Guidelines highlight that organisations must use contractual privacy protection clauses or other means to ensure a comparable level of protection while the information is being processed by the third party. Appropriate means include, but are not limited to, ensuring that the third party:

  • has appropriate policies and processes in place;
  • has trained its staff to ensure information is properly safeguarded at all times; and
  • has effective security measures in place.

The OPC highlights that it is important for organisations to assess the risks that could jeopardise the integrity, security, and confidentiality of customer personal information when it is transferred to third-party service providers operating outside of Canada (page 9 of the Cross-border Guidelines).

In addition, organisations must be transparent about their personal information handling practices. This includes advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement, and national security authorities (page 9 of the Cross-border Guidelines).

For further information see Canada - Data Transfers.

10. Regulatory Assistance

10.1. Are processors required to assist controllers with regulatory investigations?

PIPEDA does not expressly require processors to assist controllers with regulatory investigations; however, please see Section 3.1. above.

11. Processor DPO / Representative

11.1. Are processors required to appoint a DPO / representative?

An organisation is required to designate an individual or individuals who are accountable for the organisation's compliance (Section 4.1.1 of Clause 4.1 of Schedule 1 of PIPEDA).

For further information see Canada - Data Protection Officer Appointment.

12. Supervision & Monitoring

12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?

The OPC notes that organisations can meet their obligations under PIPEDA's Accountability Principle by having contracts in place with the third party to provide guarantees of confidentiality and security of personal information as well as allowing for oversight, monitoring and auditing of services provided by the third party (the Accountability Interpretation Bulletin).

Authored by OneTrust DataGuidance

DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.