Employee Data Privacy

Canada - Cross-Border Data Transfer

 Download as a PDF

Are there any restrictions on transferring personal data and how can these be overcome?


Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Rules of consent and information protection also apply to transfers to service providers and the transferring organization has obligations to ensure the protection of the information.

Under Canada’s Income Tax Information Circular IC78-10R5 and IC05-1R1, books and records required to be retained under the Income Tax Act must be kept at the person's place of business in Canada (unless otherwise approved by the Minister). These records must be made available to Canada Revenue Agency (CRA) Officers upon request for audit purposes. Where records are maintained electronically outside of the country, the CRA may accept a copy of the records, provided they are made available in Canada in an electronically readable and useable format for officials and the records contain adequate details to support the tax returns filed with the CRA.


Data transfer requirements in Canada vary by province. In British Columbia, when personal information is used to make decisions that directly affect the individual, the employer must retain that information for at least one year after using it so that the individual has a reasonable opportunity to obtain access to it.


In Alberta, specific privacy policies and practices must be put in place to protect personal that is being transferred to service providers outside of Canada. The employees must also be provided with information about the transfer in advance, such as how the employee can obtain access to information about the organization’s policies and practices as well as the name and contact information for the person(s) they can reach out to with questions.


In Quebec, employers transferring personal data outside of the province must take reasonable steps to ensure that the information will not be used for purposes not relevant to the reason for the collection or communication to the third parties without consent from the employee, except when allowed by law. Effective September 2023, new rules will replace the existing requirements in Quebec. The new rules will require organizations to conduct a privacy impact assessment to evaluate whether the information would receive an equivalent level of protection to the requirements provided under Quebec’s law (including when outsourcing data), prior to disclosing information outside of Quebec.


EU-Transfers: A Canadian organization, with part of its workforce in the European territory, is authorized to perform employee personal data transfers since Canada is one of the countries considered to have an adequate level of protection by the European Commission.


UKG's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where UKG's customers have employees. HR Compliance Assist is a service exclusively available to UKG customers.

Share Your Feedback

Let's Talk