As a data processor, Viafoura is committed to ensuring the security and protection of the personal information that we process on behalf of our clients, and to providing a GDPR-compliant approach to data protection on an ongoing basis. Our existing data protection policies are already fully compliant with current applicable data protection laws. However, we recognise our obligations in updating and expanding this program to meet the demands of the GDPR and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). We are happy to continue to work to protect all stakeholders’ best interests with regard to data integrity, while complying with any regulatory changes that come up in the future.
Policies & Procedures
We have implemented data protection policies and procedures to meet the requirements and standards imposed on data processors by the GDPR guidelines, and any relevant data protection laws.
- Data Protection: Our standard policy and procedure for data protection has now been amended to meet the standards and requirements of the GDPR. Accountability and governance measures are in place to ensure that we understand and adequately disseminate and evidence our obligations and responsibilities, with a dedicated focus on privacy by design and the rights of individuals.
- Data Retention & Erasure: We have updated our retention policy to ensure that we can effectively assist our clients to meet their ‘data minimisation’ and ‘storage limitation’ principles, and we have erasure procedures in place to meet the new ‘Right to Erasure’ obligation. All personal information is stored, archived and destroyed compliantly and ethically, and we are ready to act upon instruction of the client to comply with the data subject’s request at their discretion.
- Data Breaches: Our breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest possible time. Our procedures are robust and have been disseminated to all employees, making them aware of the reporting lines and steps to follow. In the event of a breach, we have a policy in place to notify our clients as soon as possible and to allow them to notify the Data Protection Authority in turn.
- International Data Transfers: As a data processor located in Canada, Viafoura receives and stores personal information of EU data subjects outside the EU. Under the EU Directive 95/46/EC, certain third countries were considered by the European Commission to have data protection laws offering an equivalent level of protection of the rights of individuals. These third countries were issued so-called adequacy decisions. Canada was the subject of such an adequacy decision in 2001 (Decision 2002/2/EC). The effect of such a decision is that personal data can flow from all EU and EEA States to that non-EU country, without any further safeguards.
Data Subject Rights
In addition to the policies and procedures mentioned above, we provide all of the required assistance to our clients so they can meet their obligations regarding users’ rights. Viafoura is committed to processing any such requests from clients in a timely and efficient manner.
Information Security & Technical and Organisational Measures
Viafoura takes every reasonable measure and precaution to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure or destruction and have several layers of security measures already in place.
Data Protection Roles and Employees
Viafoura has a designated Privacy Officer responsible for implementing the measures described above in order to maintain operational GDPR compliance. The Privacy Officer reviews our roadmap and technical architecture for compliance with the new data protection regulations, and ensures the appropriate measures are followed to promote awareness of the GDPR across the organisation. The Privacy Officer periodically assesses our GDPR readiness, identifies any gaps and implements all new policies, procedures and measures that are required.
Viafoura understands that continuous employee awareness and understanding are vital to our continued compliance with the GDPR, so we involve our employees in our preparation plans to keep them informed. We have also implemented a mandatory GDPR training program company-wide for all Viafoura team members.
In addition, we have appointed an EU Representative in accordance with Article 27 of the GDPR. Our EU Representative is responsible for liaising with local data protection authorities in the EU and answering data subjects’ questions in relation to their rights.