Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Rules of consent and information protection also apply to transfers to service providers and the transferring organization has obligations to ensure the protection of the information.
Under Canada’s Income Tax Information Circular IC78-10R5 and IC05-1R1, books and records required to be retained under the Income Tax Act must be kept at the person's place of business in Canada (unless otherwise approved by the Minister). These records must be made available to Canada Revenue Agency (CRA) Officers upon request for audit purposes. Where records are maintained electronically outside of the country, the CRA may accept a copy of the records, provided they are made available in Canada in an electronically readable and useable format for officials and the records contain adequate details to support the tax returns filed with the CRA.
Data transfer requirements in Canada vary by province. In British Columbia, when personal information is used to make decisions that directly affect the individual, the employer must retain that information for at least one year after using it so that the individual has a reasonable opportunity to obtain access to it.
In Alberta, specific privacy policies and practices must be put in place to protect personal that is being transferred to service providers outside of Canada. The employees must also be provided with information about the transfer in advance, such as how the employee can obtain access to information about the organization’s policies and practices as well as the name and contact information for the person(s) they can reach out to with questions.
In Quebec, employers transferring personal data outside of the province must take reasonable steps to ensure that the information will not be used for purposes not relevant to the reason for the collection or communication to the third parties without consent from the employee, except when allowed by law.
EU-Transfers: A Canadian organization, with part of its workforce in the European territory, is authorized to perform employee personal data transfers since Canada is one of the countries considered to have an adequate level of protection by the European Commission.