How to Comply with Canadian Laws?
Bill C-27 is currently going through the federal adoption process in Canada, while part of Bill 25 (Québec's Law 25) has been in force in Québec since September 22, 2022.
The processing of personal information in the province of Québec is governed by Bill 25, and federally in Canada by Bill C-27 once it is adopted.
All the information you’ll find on this page is for informative purposes only and is limited to those aspects that apply to our solutions.
New Obligations Arising from Bill 25
Bill 25 includes a number of new obligations to be complied with, applicable from September 22, 2022:
Appointment of a Personal Information Protection Officer
The title and contact details of the Personal Information Protection Officer must be published on the organization's website or by any other appropriate means. By default this role falls to the person exercising the highest authority within the organization, who may delegate all or part of it in writing.
Response to Confidentiality Incidents
If a confidentiality incident involves personal information, the organization must take reasonable measures to reduce the risk of injury to the individuals concerned, notify the Commission d'accès à l'information and the individuals concerned when the incident presents a risk of serious injury, and keep a register of incidents.
Entering into a Written Contract in Case of Subcontracting
Before communicating personal information to a subcontractor, the company must have a written contract with it that specifies the measures the subcontractor will take to protect the information transmitted.
Other obligations will be applicable from September 22, 2023:
Establishing Governance Policies
The person managing personal information must establish policies and practices guiding the governance of personal information and inform the public on its website or through any other appropriate means.
Conducting a Privacy Impact Assessment
A privacy impact assessment (évaluation des facteurs relatifs à la vie privée) analyzes the risks of a specific processing activity and the safeguards governing it, for example before personal information is communicated outside Québec.
Limiting the Retention Period of Information
Personal information held by a company must be destroyed, or anonymized for use only for serious and legitimate purposes, once it is no longer necessary for the purpose for which it was collected.
Respecting the Rights of the Individuals Concerned
Individuals concerned have numerous rights, including the right to have the dissemination of their personal information stopped and the right to have a hyperlink giving access to it de-indexed or re-indexed.
Obtaining Consent from Individuals
Consent to the collection, communication, or use of personal information must be manifest, free, informed, and given for specific purposes.
Finally, from September 22, 2024, companies must be able to respond to requests for the portability of personal information.
New Obligations Arising from the C-27 Bill
Bill C-27 is currently going through the Canadian governmental and parliamentary adoption process. Like Bill 25, it introduces new obligations for companies:
Appointment of a Personal Information Protection Officer
Every organization must designate one or more individuals responsible for matters related to the processing of personal information. The contact details of these individuals must be provided to anyone who requests them.
Response to Confidentiality Incidents
Any breach of security safeguards involving personal information must be reported to the Privacy Commissioner of Canada if it creates a real risk of significant harm to an individual. The individuals concerned must also be notified, and a record of the breach must be kept.
Entering into a Written Contract in Case of Subcontracting
An organization that transfers personal information to a service provider must ensure, by contract or other means, that the service provider provides a level of protection equivalent to the one the organization itself is required to provide.
Informing the Individuals Concerned
The organization must make readily available to individuals a set of information about how it handles personal information: the types of information collected, an explanation of how it is used (including any profiling), whether it is transferred between provinces or outside Canada, how long sensitive information is retained, how individuals can exercise their rights, and the contact details of the internal officer responsible for matters related to the processing of personal information.
Limiting the Retention Period of Information
An organization must not retain personal information once it is no longer necessary either for the purpose for which it was collected or to comply with a legal or contractual obligation.
Respecting the Rights of the Individuals Concerned
Individuals concerned have numerous rights, including the right of access and rectification, the right to file a complaint, or to withdraw their consent.
Obtaining Consent from Individuals
Unless an exception applies, an organization that collects, uses, or communicates personal information must first obtain the valid, express consent of the individual concerned, which presupposes giving them a set of information beforehand. The exceptions include specified business activities, a legitimate interest in using the information, and collection that is clearly in the interest of an individual whose consent cannot be obtained in a timely way.
The Impact on Key Marketing Processes
What is now prohibited when collecting consent
Passive opt-out: the user is automatically enrolled when registering for a service and has to unsubscribe afterwards.
Passive opt-in: boxes such as "I wish to receive advertising solicitations" are pre-ticked, or a drop-down menu defaults to "yes".
What is Allowed and Required in Data Protection
Opt-in and double opt-in: legally valid express consent requires a clear and concise request, with nothing pre-selected. A second confirmation (double opt-in) before the person starts receiving your campaigns is better still.
Minimal collection: under certain conditions, audience or performance statistics can be considered essential to running a site, but the individuals concerned must be informed and the retention period of the data must be limited.
The unsubscribe link: visible in every email you send.
Storing proof of consent: you must be able to show, for each individual, what consent was obtained and when, in line with the accountability principle of the GDPR.
How Eulerian Supports You in 4 Key Steps
We ensure that internet users have the right to object at any time to the processing of their personal data by Eulerian Technologies, and that they can exercise it.
We provide an unsubscribe link, available in our interface, that you can then place on your website. If you need help with this kind of action, our Account Management teams are available.
The "Privacy manager" tool lets you set the retention period of cookies, and of the information collected through them, up to a maximum of 13 months from the collection (or renewed collection) of the individual's consent.
We recommend keeping to this limited retention period so that your visitors are regularly reminded that cookies are in use and can, where needed, exercise their right to object to tracking or withdraw their consent.
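The two points above, proof of consent and a consent that lapses after 13 months, are easy to get wrong in code. The following is an added example of a minimal consent-record model that refuses the prohibited patterns (pre-ticked boxes, auto-enrolment), keeps the record as proof, and derives the cookie lifetime from the consent date. It is not Eulerian's Privacy manager or any part of its product; every function name, the cookie name, and the sample visitor record are this example's own assumptions.

```javascript
// Added example (not Eulerian's code): consent records with a 13-month renewal
// window. All names below are hypothetical; the sample record is constructed.

const CONSENT_MAX_AGE_MONTHS = 13; // limit quoted on the page
const ALLOWED_METHODS = new Set(["opt-in", "double-opt-in"]);

// Add calendar months, clamping to the last day of the target month so that
// 31 January + 13 months becomes 28 February rather than rolling into March.
function addMonths(date, months) {
  const d = new Date(date.getTime());
  const day = d.getUTCDate();
  d.setUTCDate(1);
  d.setUTCMonth(d.getUTCMonth() + months);
  const lastDay = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 0)).getUTCDate();
  d.setUTCDate(Math.min(day, lastDay));
  return d;
}

// Record an act of consent. Only explicit opt-in is accepted: pre-ticked boxes
// or defaults-to-yes (passive opt-in) and auto-enrolment with a later
// unsubscribe (passive opt-out) are both refused at this point.
function recordConsent({ subjectId, purposes, consentTextVersion, method, prechecked, grantedAt }) {
  if (!ALLOWED_METHODS.has(method)) {
    throw new Error(`consent method "${method}" is not an explicit opt-in`);
  }
  if (prechecked) {
    throw new Error("pre-selected consent is not valid consent");
  }
  if (!Array.isArray(purposes) || purposes.length === 0) {
    throw new Error("consent must be given for specific purposes");
  }
  return {
    subjectId,
    purposes: [...purposes],
    consentTextVersion, // which wording the person actually saw
    method,
    grantedAt: new Date(grantedAt.getTime()),
    expiresAt: addMonths(grantedAt, CONSENT_MAX_AGE_MONTHS),
    withdrawnAt: null,
  };
}

// Withdrawal keeps the original record (it remains proof of what was consented
// to and when) and only adds the withdrawal timestamp.
function withdrawConsent(record, at) {
  return { ...record, withdrawnAt: new Date(at.getTime()) };
}

// "valid": the consent can still be relied on. "expired": the 13-month window
// has passed and the person must be asked again. "withdrawn": stop processing.
function consentStatus(record, now) {
  if (record.withdrawnAt && record.withdrawnAt <= now) return "withdrawn";
  if (now >= record.expiresAt) return "expired";
  return "valid";
}

// Build the Set-Cookie value for the consent cookie. Max-Age is whatever is
// left of the 13-month window, so the cookie never outlives the consent.
function consentCookie(record, now, cookieName = "consent") {
  if (consentStatus(record, now) !== "valid") return null;
  const maxAge = Math.floor((record.expiresAt.getTime() - now.getTime()) / 1000);
  const value = encodeURIComponent(`${record.consentTextVersion}:${record.purposes.join(",")}`);
  return `${cookieName}=${value}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Constructed sample: a visitor ticks the analytics box on 31 January 2024.
const sampleConsent = recordConsent({
  subjectId: "visitor-0001",     // constructed identifier
  purposes: ["analytics"],
  consentTextVersion: "2024-01", // constructed version label of the consent text
  method: "opt-in",
  prechecked: false,
  grantedAt: new Date("2024-01-31T10:00:00Z"),
});
```

The record is the proof of consent: it stores the purposes, the version of the wording the person saw, the method, and the timestamps, and withdrawal never deletes it. Issuing the cookie from `expiresAt` rather than from a fixed `Max-Age` means a re-issued cookie cannot silently extend the 13 months; only a new act of consent, which creates a new record, does that.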
Minimize "useless" or "expired" data by deleting what you no longer need.
One effect of the GDPR on companies is a new approach to data, with collection and processing kept to what is actually needed. We therefore recommend not keeping inactive or unsubscribed contacts, since they are data you will no longer use.
Each company is responsible for appointing its own Personal Information Protection Officer.
Eulerian's officer can be contacted at: dpo@eulerian.com