Canada Data Protection Addendum

Canam Systems (2002) Inc.

This Data Protection Addendum (“Addendum”) sets forth the terms and conditions, as applicable, relating to the processing of Canam Systems (2002) Inc. customers’ (hereinafter, “Company”) Canadian Personal Information in connection with the products, services or activities provided, or to be provided, by Canam Systems (2002) Inc. (hereinafter, “Service Provider”) pursuant to agreements, product supplements, and together with any statements of work, purchase orders, or other instruments issued thereunder in effect between the parties (hereinafter collectively, “Agreement(s)”) as of the last updated date indicated above.

In the event of a conflict between any Agreements and this Addendum, the Addendum shall control regarding the subject matter thereof.

  1. Definitions

1.1. “Data Controller” means a person who alone or jointly with others determines the purposes and means of the Processing of Personal Information.

1.2. “Data Processor” or “Service Provider” means a person who Processes Personal Information on behalf of the Data Controller.

1.3. “Information Security Incident” means, with respect to Personal Information in Service Provider’s or its agents’ or its Subprocessors’ custody or control: (i) loss, theft, damage or unauthorized access to or use, disclosure, acquisition of, any Personal Information; or (ii) any other breach in the protection of Personal Information.

1.4. “Personal Information” means any information relating to an identified or identifiable individual (including information that could, alone or in combination with other information, be used to identify an individual) that is provided or made available to Service Provider by Company for the provision of Services contemplated by the Agreement(s) or the Services Agreement and excludes Anonymous Data as defined by the Agreement(s) or the Services Agreement.

1.5. “Applicable Law” means Canada’s laws, rules, and regulations that are applicable to Personal Information including the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”), applicable provincial and territorial laws in Canada, and Canada’s Anti-Spam Legislation (“CASL”).

1.6. “Process”, “Processed”, or “Processing” means any operation or set of operations performed upon Personal Information, whether or not by automatic means, such as creating, collecting, procuring, obtaining, accessing, recording, organizing, managing, storing, adapting, altering, modifying, retrieving, consulting, using, de-identifying, pseudonymizing, anonymizing, disclosing, deleting or destroying the data.

1.7. “Subprocessor” means any third party engaged by or on behalf of Service Provider to Process Personal Information.

  2. Anticipated Roles and Authority to Process Personal Information

2.1. Pursuant to the Agreement(s), Company shall have exclusive authority to determine the purposes for and means of Processing Personal Information. Service Provider shall Process Personal Information only on behalf of and for the benefit of Company in accordance with the Agreement(s) or Services Agreement.

2.2. The parties agree that Company will act as a Data Controller and Service Provider will act as a Data Processor with respect to the Processing of Personal Information under the Agreement(s) or Services Agreement.

2.3. Any Personal Information will at all times be and remain the sole property of Company and Service Provider will not have or obtain any rights therein, except as may otherwise be agreed to by the parties.

2.4. Service Provider shall not send any commercial electronic messages (“CEMs”), as such term is defined under Canada’s Anti-Spam Legislation (Statutes of Canada 2010, c 23) and its associated regulations (collectively, “CASL”), on behalf of Company, or cause or permit the sending of CEMs on behalf of Company, or otherwise in connection with the Agreement(s) or Services Agreement without the prior written consent of Company or as otherwise agreed to or in accordance with the Agreement(s) or Services Agreement. If Company provides consent, Service Provider represents, warrants and agrees that it fully complies, and will cause any of its permitted Subprocessors or agents to fully comply, with all applicable consent, notice, unsubscribe and other requirements under CASL.

  3. Disclosure and Storage of and Access to Personal Information

3.1. Service Provider shall (i) limit access to Personal Information to its employees, agents, and contractors who have a need to know the Personal Information as a condition to Service Provider’s performance of the Services and who are subject to comparable obligations of privacy and security as applicable to Service Provider under this Addendum.

3.2. Service Provider may share, transfer, disclose, make available or otherwise provide access to Personal Information to Subprocessors and in order to provide the Services contemplated by the Agreement(s) or Services Agreement, and to any third party as required by law. A list of current Subprocessors is available upon request.

3.3. Service Provider shall only transfer, access, store or otherwise Process Personal Information in Canada or the United States or as otherwise agreed to by the parties.

3.4. Service Provider shall promptly, unless prohibited by applicable law, inform Company of any: (i) requests received relating to an individual’s exercise of rights under applicable law or (ii) individual’s complaint relating to the Processing of Personal Information, with respect to any Personal Information received from Company in accordance with the Services contemplated by the Agreement(s) or Services Agreement, to the extent Service Provider is able to associate such individual request or complaint with Company. Service Provider shall reasonably cooperate with Company with respect to any such request or complaint.

3.5. Service Provider shall notify Company, unless prohibited by applicable law, of the receipt of any subpoena, demand, warrant, or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Information.

3.6. Service Provider shall reasonably assist Company in complying with its obligations under Applicable Law, in particular Company’s obligation to implement appropriate security measures, to carry out a data protection or privacy impact assessment, and to consult the competent data protection authority.

  4. Compliance with Privacy and Information Security Requirements

4.1. Service Provider shall comply with Applicable Law and represents and warrants that no applicable law, or legal requirement, or privacy or information security enforcement action, investigation, litigation or claim prohibits Service Provider from (i) fulfilling its obligations under this Addendum or (ii) complying with instructions it receives from Company concerning Personal Information.

4.2. In case of any conflict between this Addendum and the Agreement(s) or Services Agreement, this Addendum shall prevail with regard to the Processing of Personal Information covered by it.

  5. Personal Information Security Safeguards

5.1. Service Provider shall develop, maintain, implement and ensure ongoing compliance with a comprehensive written information privacy and security program that includes policies and procedures, risk management, monitoring, backup, disaster recovery and audit processes as necessary to comply with this Addendum and Applicable Law.

5.2. Service Provider shall provide training, as appropriate, regarding the privacy, confidentiality and information security requirements set forth in this Addendum to all Service Provider’s employees with access to Personal Information.

5.3. Company may, upon 30 days’ prior written notice and no more than once per calendar year, request to monitor or audit Service Provider’s compliance with the terms of this Addendum with respect to Company’s Personal Information provided or made available to Service Provider under the Agreement(s) or Services Agreement. Service Provider may supply Company with evidence of the most recent opinion from Service Provider’s independent auditor in lieu of such audit. Any audit requested or performed by Company pursuant to this section shall be at Company’s sole cost and expense.

5.4. Service Provider shall inform Company of any Information Security Incident without undue delay once confirmed by Service Provider.

5.5. Promptly upon the expiration or earlier termination of the Agreement(s) or Services Agreement, and upon Company’s request, Service Provider shall securely destroy Personal Information in Service Provider’s custody or control subject to applicable law and record retention obligations.