THE APPLICATION OF THE EUROPEAN DATA PROTECTION REGULATION TO CANADIAN COMPANIES

The General Data Protection Regulation ("GDPR") concerns the protection of individuals' personal data within the European Union ("EU") and has been applicable since May 25, 2018. Canadian companies are subject to it if they have an establishment within the EU or if they process personal data of EU residents as part of activities aimed at tracking the behavior of EU residents through profiling or aimed at offering them goods or services. In particular, companies subject to the regulation have the following obligations:

  • they must take personal data protection requirements into account right from the design stage of products and services using personal data, and have a secure information system;
  • they must be able to demonstrate that the individual concerned has given manifest, free, informed consent for specific purposes;
  • in certain cases, they are required to appoint a data protection officer;
  • all activities that may have a significant impact on the protection of personal data must be preceded by a privacy impact assessment, which must also include measures to reduce the possible consequences of potential damage to the protection of personal data;
  • they are required to notify the relevant national data protection authority as soon as possible in the event of a serious data breach.

In order to comply with the GDPR and, thus, avoid financial penalties amounting to either up to 4% of the company's annual worldwide sales or 20 million euros (whichever is higher), it is recommended that companies subject to it:

  • develop internal codes of conduct and confidentiality policies;
  • revise their employment contracts;
  • appoint a personal data protection representative within the EU;
  • keep a detailed register of personal data processing;
  • identify the processing of personal data likely to give rise to high risks for the rights and freedoms of the individuals concerned, and carry out a data protection impact assessment for each such processing operation; and
  • set up procedures to deal with security incidents.

Canadian companies that are not themselves subject to the GDPR will, all the same, be contractually obliged to comply with it if their customers are subject to it. It is also highly likely that Canadian laws will evolve in this direction.

By Mélanie Masson