Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Rules of consent and information protection also apply to transfers to service providers and the transferring organization has obligations to ensure the protection of the information. Data transfer requirements in Canada vary by province.
In British Columbia, when personal information is used to make decisions that directly affect the individual, the employer must retain that information for at least one year after using it so that the individual has a reasonable opportunity to obtain access to it.
In Alberta, specific privacy policies and practices must be put in place to protect personal that is being transferred to service providers outside of Canada. The employees must also be provided with information about the transfer in advance, such as how the employee can obtain access to information about the organization’s policies and practices as well as the name and contact information for the person(s) they can reach out to with questions.
In Quebec, employers transferring personal data outside of the province must take reasonable steps to ensure that the information will not be used for purposes not relevant to the reason for the collection or communication to the third parties without consent from the employee, except when allowed by law.
EU-Transfers: A Canadian organization, with part of its workforce in the European territory, is authorized to perform employee personal data transfers since Canada is one of the countries considered to have an adequate level of protection by the European Commission.