How to Comply with Canadian Laws?

The C-27 bill is currently being adopted in Canada, while a part of Bill 25 has been in effect in Québec since September 22, 2022.

The processing of personal data in the province of Québec is governed by Bill 25 and in Canada by the C-27 bill.

Alert

All the information you’ll find on this page is for informative purposes only and is limited to those aspects that apply to our solutions.

New Obligations Arising from Bill 25

Bill 25 includes a number of new obligations to be complied with, applicable from September 22, 2022:

Professionnal

Appointment of a Personal Information Protection Officer

The identification and contact details of the Personal Information Protection Officer, the person with the highest authority within the organization, must be published on the organization’s website or by any other appropriate means.

Influenceur

Response to Confidentiality Incidents

If a security incident involves personal information, it is mandatory to take reasonable measures to reduce the risk of harm to the individuals concerned, notify the Commission and the individual concerned if there is a risk of serious harm, and maintain a record of incidents.

Contrat

Entering into a Written Contract in Case of Subcontracting

To communicate information to a subcontractor, the company must have a written contract and specify measures to protect the transmitted personal information.

Other obligations will be applicable from September 22, 2023:

Autoguidage

Establishing Governance Policies

The person managing personal information must establish policies and practices guiding the governance of personal information and inform the public on its website or through any other appropriate means.

Analyse audience

Conducting a Privacy Factors Assessment

Conducting a privacy factors assessment involves analyzing the risks and guarantees governing a specific processing, for example, when information is transmitted outside Québec.

Temps

Limiting the Retention Period of Information

Personal information held by a company must be destroyed or anonymized when no longer necessary for the initial collection purpose or if there is no serious and legitimate purpose for their use.

Justice

Respecting the Rights of the Individuals Concerned

Individuals concerned have numerous rights, including the right to stop the dissemination, re-indexing, or de-indexing of personal information.

Consentement

Obtaining Consent from Individuals

Consent for the collection, communication, or use of personal information must be explicit, free, informed, and given for specific purposes.

Finally, from September 22, 2024, companies will need to be able to respond to requests for the portability of personal information.

New Obligations Arising from the C-27 Bill

The C-27 bill is currently being adopted by Canadian governmental and parliamentary bodies. It includes, like Bill 25, new obligations for companies to comply with:

Professionnal

Appointment of a Personal Information Protection Officer

Every organization must designate one or more persons responsible for matters related to the processing of personal information. The contact details of these persons must be provided to anyone upon request.

Influenceur

Response to Confidentiality Incidents

Any breach of security measures related to personal information must be reported to the Privacy Commissioner if the breach presents a real risk of serious harm to an individual concerned. This report must also be made to the individual concerned, and the breach must be recorded.

Contrat

Entering into a Written Contract in Case of Subcontracting

The transfer of personal information by an organization to a service provider is subject to verification and guarantee, including contractually, that the service provider offers protection equivalent to that which the organization is required to offer.

Analyse audience

Informing the Individuals Concerned

The organization must make accessible to individuals a set of information about how it uses personal information: type of information, explanation of their use, including in cases of profiling, the existence or not of interprovincial or out-of-Canada transfers, duration of sensitive information retention, how to exercise their rights, and the contact details of the internal officer responsible for matters related to the processing of personal information.

Temps

Limiting the Retention Period of Information

Personal information held by an organization must no longer be retained if it is no longer necessary either for the initial collection purpose or to comply with a legal or contractual obligation.

Justice

Respecting the Rights of the Individuals Concerned

Individuals concerned have numerous rights, including the right of access and rectification, the right to file a complaint, or to withdraw their consent.

Consentement

Obtaining Consent from Individuals

Unless otherwise provided, the organization that collects, uses, or communicates personal information must first obtain the explicit valid consent of the individual concerned, which presupposes providing them with a set of information. Exceptions to this principle can be the existence of a business activity, a legitimate interest in using the information, or in the case of a collection clearly in the interest of the person whose consent cannot be obtained.

The Impact on Key Marketing Processes

What is now prohibited in terms of consent collection

Opt-out

Passive opt-out: refers to having to unsubscribe after being automatically enrolled when registering for a service.

Opt-in

Passive opt-in: involves pre-selecting boxes such as “I wish to receive advertising solicitations” or a drop-down menu that defaults to yes.

What is Allowed and Required in Data Protection

Opt-double

Opt-in and double opt-in: to obtain legally valid express consent, it is necessary to make a clear and concise request. And double confirmation to receive your campaigns is better!

Collect

Minimal collection: under certain conditions, the use of attendance or performance statistics can be considered essential for managing a site, but it is necessary to inform the individuals concerned and limit the data retention period.

Desinsciption

The unsubscribe link: visible in every email you send.

Save Consentement

Storing proof of consent: you must be able to trace the consent obtained from each individual according to the accountability principle required by the GDPR.

How Eulerian Supports You in 4 Key Steps

We ensure that internet users have the right and thus can oppose at any time the processing of their personal data by Eulerian Technologies.

We provide an unsubscribe link, available on our interface so that you can later distribute it on your website. In case of need or assistance with this type of action, our Account Management teams are available.

The “Consent Management Platform” tool allows you to set the retention period of cookies and information collected by cookies within the limit of 13 months from the collection (or new collection) of the individual’s consent.

We recommend respecting this limited data retention period to regularly remind your clients of the existence of cookies and, if necessary, respect their right to oppose tracking or the right to withdraw their consent.

Minimize your “useless” or “expired” data by deleting what you no longer need.

One of the impacts of the GDPR on companies is to adopt a new data philosophy, rationalizing their collection and processing. Therefore, we recommend not keeping inactive or unsubscribed contacts as they are data you will no longer use.

It is up to each company to appoint a Personal Information Protection Officer.

To contact them, it is possible at the email address: dpo@eulerian.com