EU Privacy (GDPR) for companies from Canada

Data protection has become an undisputedly important issue for digital businesses. What should a Canadian business know about compliance with privacy laws in 2022? First, privacy legislation in Canada consists of two main acts: 

Please click here to read the details.

Seems easy: if you are a business operating in Canada, all you need to worry about is compliance with the PIPEDA. Is that all? Unfortunately, it’s not. The other thing you need to worry about is the European Union (“EU”) main data protection legislative act: General Data Protection Regulation (“GDPR”). Why? 

The answer is that GDPR has an extraterritorial power. What does it mean? Even companies      established in Canada must comply with GDPR if it processes personal data of individuals located in the EU. In the world of digital business, it is a rare case when a company aims only on a local market, so for most of the worldwide companies it is quite important to know about all GDPR requirements before entering the market. 


Let’s imagine a case. You have a Canadian company, and you are already aware of PIPEDA rules. What else do you have to do to be in compliance with GDPR too? Have a look at the table!





Canadian law has no definition of a controller or processor and applies to all bodies which process personal data. 

GDPR distinguishes subjects who process personal data as controllers and processors which have different status and responsibilities. Thus, sometimes it’s important to perform legal research regarding the company’s status under GDPR to know exactly about its obligations.

International data transfer

PIPEDA allows cross-border data transfer, and the transferring party remains responsible for the safety of such information. Also, parties of a cross-border transfer shall use contractual privacy clauses to ensure a comparable level of data protection.

GDPR has a special procedure for international data transfers. Countries inside the EU may transfer data freely. Moreover, there is a list of countries adopted by the European Commission that allows transfers to countries which have an “adequate” level of data protection: Canada is one of these countries, therefore, there are no additional requirements for processing EU data by Canadian companies. However, if a Canadian company transfers data to a “third-country” (non-EU country, or any country without “adequacy” decision), such transfer would be subject to additional safeguards. For example, if you collect data from EU users and then store it on the servers in the U.S., it will be treated as transfer to the so called “third country” and you need to apply mentioned safeguards, i.g., data processing agreement with standard contractual clauses adopted by the European Commission. 

Data subject rights

PIPEDA does not prescribe an individual’s      right to be informed about the processing of his/her personal data.

Under GDPR, a data subject may know about details of the processing, his/her rights, purposes of processing, recipients of his/her personal data, contact details of the data controller and the Data Protection Officer.

PIPEDA does not provide right to data portability.

GDPR prescribes a right to receive data processed based on a contract or consent and processed by automated means, in a ‘structured, commonly used, and machine-readable format’ and to transmit such data to another controller. 

PIPEDA does not provide individuals with the right to erasure. It states that when the information is no longer required it shall be deleted.

GDPR allows data subjects to exercise the right to request erasure of their personal data via data subject request in the particular cases: when the data subject withdraw consent for processing and there is no other legal ground for processing, or the personal data is no longer needed. 


PIPEDA has a procedure of Privacy Impact Assessment (“PIA”) but there are no established requirements for such assessment.  It is recommended to perform PIA in case of taking place in new processing operations, i.g., using new services or systems.  

GDPR states that companies must conduct Data Protection Impact Assessment (“DPIA”) whenever processing is likely to result in a high risk to the rights and freedoms of individuals. A DPIA is required at least in the following cases:

  • a systematic and extensive evaluation of the personal aspects of an individual, including profiling;
  • processing of sensitive data on a large scale;
  • systematic monitoring of public areas on a large scale.


Depending on the violation, the penalty may be up to either: 2% of the global annual turnover or €10 million, whichever is higher; or 4% of the global annual turnover or €20 million, whichever is higher.

For offens     es punishable on summary conviction, fines do not exceed CAD 10,000 (approx. €6,610). For indictable offenses, fines do not exceed CAD 100,000 (approx. €66,140)

Roadmap to success! If your company is already in compliance with GDPR, we highly recommend you learn about GDPR requirements and be in full compliance with one of the strictest data protection laws, which opens a bigger market for your company and also may help you to avoid huge fines from EU supervisory authorities. What do you need?  As was mentioned in the table, most important points are the following: 

  • Performance of a legal research on the status of your company under GDPR, your obligations and further actions to become compliant, preparation of data maps which show how data flows during the company’s processing operations.
  • Concluding a data processing agreement with your partners to whom you transfer personal data will ensure balance in the contractual relations and will be a sign of high data protection standards. 
  • Preparation of an effective mechanism for data subjects to exercise their rights under GDPR: creation of a special form/email for such requests, performance of GDPR trainings of your team to make them ready to face and response to data subject requests.
  • Data Protection Impact Assessment: a document which describes risks which may arise during processing operation and means to minimize such risks. 

These tasks seem quite complicated, thus it’s important to attract privacy specialists for achieving GDPR-compliance for your company. Legal IT Group has competence to complete mentioned tasks, as it has already worked with a wide range of international companies, including Canadian ones. Therefore, if you need our support, we will be happy to help at any time ☺

Reminder: to make a donation please click here.

    Your question to IT lawyers