[COMPANY NAME] Privacy Statement

[NOTE: This ‘template’ Privacy Statement is intended as a guideline only. Canadian privacy statements are not standard-form documents, and are highly context-specific. The descriptions of your organization’s personal information practices in this document should be as accurate as possible, and should be based on the results of a comprehensive audit and investigation of your organization’s collection, use and disclosure of personal information.

While this template document leaves many blank areas for your organization to complete based on the particular practices of your organization, the wording that we have provided below is also not standard form, and should be carefully reviewed and modified to ensure it accurately describes those practices.

Once a draft Privacy Statement is completed based on the guidance provided below, we strongly recommend it be reviewed by legal counsel prior to distributing the statement to persons outside your organization.

Please also note that preparing and publishing a privacy statement will not, by itself, bring any organization into compliance with Canadian privacy laws, nor will it achieve “consent” for many personal information practices by itself. Further steps that may be required include:

  • Reviewing forms or other means of collecting personal information, including providing appropriate consent language
  • Sending out notices to individuals whose information your organization already possesses, or making notices available at the time of collection, which may be an essential element of obtaining consent going forward
  • Entering into data protection agreements with service providers
  • Revising practices and procedures (including information and document retention, destruction, security policies and procedures), and administration of privacy compliance (including appointing a privacy officer, ensuring that access and complaints procedures are adequate)

Please contact the Blakes Privacy Group at the addresses below if your organization requires further information about its privacy compliance obligations.]

XXX (“XXX”, “we”, “us” or “our”) takes steps intended to meet privacy principles and requirements with respect to personal information under applicable Canadian privacy legislation. The purpose of this statement is to inform our customers and other individuals we deal with (“you” or “your”) how we collect, use, disclose and protect your personal information. [If desired, insert a brief description of the classes of individual your organization deals with.] Personal information is information about an identifiable individual, as more particularly described under applicable privacy legislation. This statement applies to our collection, use and disclosure of personal information in Canada. This statement does not apply to information about our employees or to information that is not personal information.

Personal Information We Collect

XXX and its agents and representatives collect personal information in a number of circumstances in the course of [insert brief description of the nature of the business]. Personal information we collect includes:

  • name, address, telephone number, and other contact information;
  • [INSERT types of personal information collected by your organization in various circumstances. It may be helpful to group these by category (e.g. contact (as above), financial, biographical information, information that may be compiled by the organization such as transaction or usage history, purchase history, customer profiles, etc., or information collected through particular types of forms), and provide a more complete description of the information these categories may include.]
  • such other information we may collect with your consent or as permitted or required by law.

Use of Personal Information

XXX generally uses personal information for the following purposes:

  • [INSERT here an account of how information is used by your organization in various circumstances. The descriptions need not be finely detailed and specific, but must not be stated so generally as to not be meaningful. Uses of personal information must be sufficiently detailed so that an individual can meaningfully understand how their information is used.
  • Also, where a particular use of personal information is secondary to the main purpose for which the information was collected (e.g. marketing, compiling customer profiles, etc.), the description should be qualified so the individual understands that it is optional (e.g. “if you consent”, “if you choose this option”, “if you opt in”, “if you opt out”).
  • Some very general/common uses are included below, but these should not be used as “catch all” uses where a more particular description is available. Descriptions of how information is used should generally be more specific than those below.]
  • managing, administering, collecting or otherwise enforcing accounts;
  • maintaining business records for reasonable periods, and generally managing and administering our business including defending and bringing legal actions;
  • meeting legal, regulatory, insurance, security and processing requirements; and
  • otherwise with consent or as permitted or required by law

Disclosure of Your Personal Information

XXX discloses personal information in the following circumstances:

  • [INSERT a description of the circumstances in which personal information will be disclosed, and (by class or category) to whom it will be disclosed in those circumstances. This should be a reasonably detailed and descriptive account of the types of disclosures of personal information particular to your business or day-to-day operations, with particular. This should include both disclosures that are common and expected in your industry, as well as those that might not be reasonably anticipated or obvious. This includes disclosures to affiliates, particularly where the affiliate will have access to personal information for its own secondary purposes, e.g. marketing, beyond involvement in administrative functions or where it acts as in a service provider capacity (each of which are described below). As part of describing the circumstances in which information is disclosed, provide an explanation of the purposes of disclosure.]

[Some additional recommended, general wording is provided below. Again, these are not “catch all” statements, and should be included after having provided a more particular description above of the disclosures more particularly relevant to your business.]

In addition to the above, personal information may be disclosed to our affiliates [(including outside of Canada)] for internal audit, management, billing or administrative purposes [amend these categories of activity as appropriate or relevant] including defending and bringing legal actions.

Service Providers. XXX may transfer personal information to outside agents or service providers [(including affiliates of XXX acting in this capacity)] that perform services on our behalf, for example [insert types of data processing services that might be performed by third party agents/service providers on your behalf, e.g. mailing, call center, billing, marketing, information technology and/or data hosting or processing services] or similar services, or otherwise to collect, use, disclose, store or process personal information on our behalf for the purposes described in this Privacy Statement. [Some of these service providers or affiliates may be located outside of Canada, including in the United States [or identify other jurisdictions], and your personal information may be collected, used, disclosed, stored and processed in [the United States] or elsewhere outside of Canada for the purposes described in this Privacy Statement. Reasonable contractual other measures we may take to protect your personal information while processed or handled by these service providers are subject to legal requirements in Canada, [the United States] and other foreign countries applicable to our affiliates, agents and service providers, for example lawful requirements to disclose personal information to government authorities in those countries.

[Alternate service provider language:

Service Providers: We may transfer personal information to outside agents or service providers [(including our affiliates acting in this capacity)] ("service providers") that perform services on our behalf, for example call centre, mailing, billing, marketing, information technology and/or data hosting or processing services [anything else?]or similar services, or otherwise collect, use, disclose, store or process personal information on our behalf for the purposes described in this Privacy Code. Some of these service providers may be located outside of Canada, including in the United States [or identify other jurisdictions], and your personal information may be collected, used, disclosed, stored and processed in the United States or elsewhere outside of Canada for the purposes described in this Privacy Code. We take reasonable contractual or other measures to protect your personal information while processed or handled by these service providers.  While your personal information is located outside Canada it will be subject to legal requirements in those foreign countries applicable to our service providers, for example, lawful requirements to disclose personal information to government authorities in those countries.]

Business Transactions. Personal information may be used by XXX and disclosed to parties connected with the proposed or actual financing, securitization, insuring, sale, assignment or other disposal of all or part of XXX or our business or assets, for the purposes of evaluating and/or performing the proposed transaction. These purposes may include, as examples:

  • permitting those parties to determine whether to proceed or continue with the transaction
  • fulfilling reporting, inspection or audit requirements or obligations to those parties

Assignees or successors of XXX or our business or assets may use and disclose your personal information for similar purposes as those described in this Privacy Statement.

Legal, Regulatory, etc. XXX may disclose your personal information as necessary to meet legal, regulatory, [industry self-regulatory,] insurance, audit, and security requirements, and as otherwise with your consent or as permitted or required by law [(including as required by applicable Canadian and foreign laws applicable XXX or our agents and service providers, and including lawful requirements to disclose personal information to government authorities in those countries).]

[Our Website/The Internet]

[If your organization operates or controls particular website(s), a section should be included here setting out a description of its or their functions, the types of information collected, how used and disclosed (unless already addressed in the body of the Statement above). It should also include a description of any active or passive IP or clickstream collection, browsing patterns, etc., and whether or not this information is linked to identifiable individuals, and how cookies are used. It should also include a disclaimer of links to other sites, with a caution that the privacy policies of those sites should be reviewed, and a general description of Internet security measures employed.

Alternatively, it may be possible to refer to a website-specific privacy policy that is limited to the Internet context (though this should also be reviewed for compliance with Canadian privacy laws). If the organization is part of an international family of companies that share a website or Internet-based services hosted and operated outside of Canada, it may be appropriate to include a reference to this fact as suggested below. However, whether a Canadian organization may expressly or implicitly disclaim responsibility for a foreign-hosted website that provides information or services in respect of the Canadian organization (in addition to foreign affiliates) is not clear, and it may be necessary to consider reviewing the personal information practices and/or privacy policy of such foreign-hosted websites.]

XXX does not directly operate the website [XXX.Com], which is made available through its affiliates [consider specifying the country]. For more information on the personal information and privacy practices associated with [URL], please visit [LINK TO WEBSITE PRIVACY POLICY].

Your Consent

Consent to the collection, use and disclosure of personal information may be given in various ways. Consent can be express (for example, orally, electronically or on a form you may sign describing the intended uses and disclosures of personal information) or implied (for example, when you provide information necessary for a service you have requested). You may provide your consent in some circumstances where notice has been provided to you about our intentions with respect to your personal information and you have not withdrawn your consent for an identified purpose, such as by using an “opt out” option provided, if any. Consent may be given by your authorized representative (such as a legal guardian or a person having a power of attorney). Generally, by providing us with personal information, we will assume that you consent to our collection, use and disclosure of such information for the purposes identified or described in this privacy statement, if applicable, or otherwise at the time of collection.

You may withdraw your consent to our collection, use and disclosure of personal information at any time, subject to contractual and legal restrictions and reasonable notice. Note that if you withdraw your consent to certain uses of your personal information, we may no longer be able to provide certain of our products or services. [NOTE: Consider including, and modify as applicable:][Note also that where we have provided or are providing services to you, your consent will be valid for so long as necessary to fulfil the purposes described in this Privacy Statement or otherwise at the time of collection, and you may not be permitted to withdraw consent to certain necessary uses and disclosures (for example, but not limited to, maintaining reasonable business and transaction records, disclosures to Canadian and foreign government entities as required to comply with laws, and reporting on credit information after credit has been granted, if applicable).]

XXX collects, uses and discloses your personal information with your consent, except as permitted or required by law. We may be required or permitted under statute or regulation to collect, use or disclose personal information without your consent, for example to comply with a court order, to comply with local or federal regulations or a legally permitted inquiry by a government agency, or to collect a debt owed to us.

Security

We take reasonable steps to protect your personal information using physical, electronic or procedural security measures appropriate to the sensitivity of the information in our custody or control, which may include safeguards to protect against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. Authorized employees, agents and mandataries of XXX who require access to your personal information in order to fulfil their job requirements will have access to your personal information.

Access, Correction and Contacting Us

XXX may establish and maintain a file of your personal information for the purposes described above, which will be accessible at [INSERT ADDRESS OR OTHER DESCRIPTION OF LOCATION]. If you wish to request access or correction of your personal information in our custody or control, you may write to the above address, attention [INSERT TITLE]. Your right to access or correct your personal information is subject to applicable legal restrictions. We may take reasonable steps to verify your identity before granting access or making corrections. If you wish to make inquiries or complaints or have other concerns about our personal information practices, you may write to us as described above, e-mail us at [INSERT E-MAIL] or telephone us at [INSERT TOLL-FREE NUMBER].

Privacy Statement Changes

This Privacy Statement may be revised from time to time. If we intend to use or disclose Personal Information for purposes materially different than those described in this statement, we will make reasonable efforts to notify affected individuals, if necessary, including by revising this Privacy Statement. If you are concerned about how your personal information is used, you should contact us as described above [If this Statement will be available at a website link, consider including “or checking at our website periodically at [INSERT URL]”] to obtain a current copy of this statement. We urge you to request and review this Privacy Statement frequently to obtain the current version. Your continued provision of Personal Information or use of our services following any changes to this Privacy Statement constitutes your acceptance of any such changes. This privacy statement is effective as of [DATE].