This Personal Information Processing Agreement (“PIPA”) is hereby incorporated into and governed by the Terms and Conditions and applies to the extent that Client processes Personal Information (as defined herein) on behalf of Drake International Inc. (“Drake”) in the performance of Services thereunder. If there is any inconsistency or conflict between the Terms and Conditions and this PIPA as it relates to the processing of Personal Information on behalf of Drake by Client, this PIPA shall prevail.
1. Definitions and Interpretation
“Business Purpose” means the services described in the Terms and Conditions or any other purpose specifically identified in Appendix A.
“Data Subject” means an individual who is the subject of Personal Information.
“Personal Information” means any information which relates to a natural person and allows, directly or indirectly, that person to be identified.
“Processing, processes, or process” means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.
“Privacy and Data Protection Requirements” means all applicable Canadian federal and provincial laws and regulations relating to the processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This includes, but is not limited to, the Personal Information Protection and Electronic Documents Act (S.C. 2000, c.5) “PIPEDA”, Personal Information Protection Act (SA 2003, c P-6.5) “Alberta PIPA”, Personal Information Protection Act (SBC 2003, c 63) “BC PIPA”, and An Act Respecting the Protection of Personal Information in the Private Sector (CQLR c. P-39.1) “Québec Act.”
“Security Breach” means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure, or acquisition of Personal Information is a Security Breach whether or not the incident rises to the level of a security breach under the Privacy and Data Protection Requirements.
2. Personal Information Types and Processing Purposes
2.1. Drake retains control of the Personal Information and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Client.
2.2. Appendix A describes the general Personal Information categories and Data Subject types the Client may process to fulfill the Business Purposes as set forth in Appendix A. Drake discloses Personal Information to the Client only for the limited and specified Business Purposes.
3. Client’s Obligations
3.1. The Client will only process the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes as set forth in Appendix A. The Client will not process the Personal Information for any other purpose or in a way that does not comply with this PIPA or the Privacy and Data Protection Requirements. The Client must promptly notify Drake if, in its opinion, Drake’s instructions will not comply with the Privacy and Data Protection Requirements.
3.2. The Client must promptly comply with any Drake request or instruction requiring the Client to amend, transfer, or delete the Personal Information, or to stop, mitigate or remedy any unauthorized processing.
3.3. The Client will maintain the confidentiality of all Personal Information and will not disclose Personal Information to third parties unless Drake or this PIPA specifically authorizes the disclosure in compliance with Privacy and Data Protection Requirements, or as otherwise required by law. If a law requires the Client to process or disclose Personal Information, the Client must first inform Drake of the legal requirement and give Drake an opportunity to object or challenge the requirement, unless the law prohibits such notice.
3.4. The Client will reasonably assist Drake with meeting Drake’s compliance obligations under the Privacy and Data Protection Requirements, considering the nature of the Client’s processing and the information available to the Client.
3.5. The Client must promptly notify Drake of any changes to Privacy and Data Protection Requirements that may adversely affect Drake’s performance of services.
3.6. The Client is responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements.
4. Client’s Employees
4.1. The Client will limit Personal Information access to:
(a) those employees who require Personal Information access to meet the Client’s obligations under this PIPA and the Terms and Conditions; and
(b) the part or parts of the Personal Information that those employees strictly require for the performance of their duties.
4.2. The Client will ensure that all employees:
(a) are informed of the Personal Information’s confidential nature and use restrictions;
(b) have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Information and how it applies to their particular duties; and
(c) are aware both of the Client’s duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this PIPA.
4.3. The Client will take reasonable steps to ensure the reliability, integrity, and trustworthiness of, and conduct background checks consistent with applicable law on, all of the Client’s employees with access to the Personal Information.
5. Security
5.1. The Client must at all times implement appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction or damage, including, but not limited to, the security measures set out in Appendix B.
5.2. The Client will immediately notify Drake if it becomes aware of any advance in technology and methods of working, which indicate that the Parties should adjust their security measures.
5.3. The Client must take reasonable precautions to preserve the integrity of any Personal Information it processes and to prevent any corruption or loss of the Personal Information, including but not limited to establishing effective back-up and data restoration procedures in compliance with Privacy and Data Protection Requirements or other applicable laws.
6. Security Breaches and Personal Information Loss
6.1. The Client will promptly notify Drake if any Personal Information is lost or destroyed or becomes damaged, corrupted, or unusable. The Client will restore such Personal Information at its own expense.
6.2. The Client will immediately notify the other Party if it becomes aware of:
(a) any unauthorized or unlawful processing of the Personal Information; or
(b) any Security Breach.
6.3. Immediately following any unauthorized or unlawful Personal Information processing or Security Breach, the Parties will coordinate with each other to investigate the matter. The Client will reasonably cooperate with Drake in Drake’s handling of the matter, including:
(a) assisting with any investigation;
(b) providing Drake with physical access to any facilities and operations affected;
(c) facilitating interviews with the Client’s employees, former employees, and others involved in the matter; and
(d) making available all relevant records, logs, files, data reporting, and other materials required to comply with all Privacy and Data Protection Requirements or as otherwise reasonably required by Drake.
6.4. The Client will not inform any third party of any Security Breach without first obtaining Drake’s prior written consent, except when Privacy and Data Protection Requirements, or other laws or regulations, require it.
6.5. The Client agrees that Drake has the sole right to determine:
(a) whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies or others, as required by Privacy and Data Protection Requirements or other laws or regulations, or at Drake’s discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6. The Client will cover all reasonable expenses associated with the performance of the obligations under Section 6.2 and Section 6.3, unless the matter arose from Drake’s specific instructions, negligence, willful default or breach of this Processing Agreement, in which case Drake will cover all reasonable expenses.
6.7. The Client will also reimburse Drake for actual reasonable expenses Drake incurs when responding to and mitigating damages, to the extent that the Client caused a Security Breach, including all costs of notice and any remedy as set out in Section 6.5.
6.8. The Client will maintain records of any Security Breach in accordance with Privacy and Data Protection Requirements.
7. Subcontractors
7.1. The Client may only authorize a third party (subcontractor) to process the Personal Information if:
(a) Drake provides prior written consent and is given an opportunity to object within fourteen (14) days after the Client supplies Drake with full details regarding such subcontractor;
(b) the Client enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this PIPA and, upon Drake’s written request, provides Drake with copies of such contracts;
(c) the Client maintains control over all Personal Information it entrusts to the subcontractor; and
(d) the subcontractor’s contract terminates automatically on termination of this PIPA for any reason.
7.2. The Client must list all approved subcontractors in Appendix A and include any subcontractor’s name and location and contact information for the person responsible for privacy and data protection compliance.
7.3. Where the subcontractor fails to fulfill its obligations under such written agreement, the Client remains fully liable to Drake for the subcontractor’s performance of its agreement obligations.
7.4. Upon Drake’s written request, the Client will audit a subcontractor’s compliance with its obligations regarding Drake’s Personal Information and provide Drake with the audit results.
8. Complaints, Data-Subject Requests and Third-Party Rights
8.1. The Client must notify Drake immediately if it receives any complaint, notice, or communication that directly or indirectly relates to the Personal Information processing or to either Party’s compliance with the Privacy and Data Protection Requirements.
8.2. The Client must promptly notify Drake if it receives a request from a Data Subject for access to their Personal Information or a request to correct, delete, or withdraw its consent from any use by Drake or Client of same.
8.3. The Client will give Drake its full cooperation and assistance in responding to any complaint, notice, communication, or Data Subject request.
8.4. The Client must not disclose the Personal Information to any Data Subject or to a third party unless the disclosure is either at Drake’s request or instruction, permitted by this PIPA, or is otherwise required by law.
9. Term and Termination
9.1. This Processing Agreement will remain in full force and effect until the later of the following:
(a) the Terms and Conditions remains in effect; or
(b) the Client retains any Personal Information related to this PIPA in its possession or control (the “Term”).
9.2. Any provision of this PIPA that expressly or by implication should come into or continue in force on or after termination of the Terms and Conditions to protect Personal Information will remain in full force and effect.
9.3. The Client’s failure to comply with the terms of this PIPA is a material breach of the Terms and Conditions. In such event, Drake may terminate the Terms and Conditions effective immediately upon written notice to the Client without further liability or obligation.
9.4. If a change in any Privacy and Data Protection Requirement prevents either Party from fulfilling all or part of its Terms and Conditions obligations, the Parties will suspend the processing of Personal Information until that processing complies with the new requirements. If the Parties are unable to bring the Personal Information processing into compliance with the Privacy and Data Protection Requirement, they may terminate the Terms and Conditions upon written notice to the other Party.
10. Data Return and Destruction
10.1. At Drake’s request, the Client will give Drake a copy of or access to all or part of Drake’s Personal Information in its possession or control in the format reasonably specified by Drake.
10.2. On termination of the Terms and Conditions for any reason or expiration of its term, the Client will securely destroy or, if directed in writing by Drake, return and not retain, all or any Personal Information related to this Processing Agreement in its possession or control.
10.3. If any law, regulation, or government or regulatory body requires the Client to retain any documents or materials that the Client would otherwise be required to return or destroy, it will notify Drake in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends. The Client may only use this retained Personal Information for the required retention reason or audit purposes.
11. Records
11.1. The Client will keep detailed, accurate, and up-to-date records regarding any Personal Information processing it carries out for Drake, including but not limited to, the access, control, and security of the Personal Information, approved subcontractors and affiliates, the processing purposes, and any other records required by the applicable Privacy and Data Protection Requirements (the “Records”).
11.2. The Client will ensure that the Records are sufficient to enable Drake to verify the Client’s compliance with its obligations under this PIPA.
12. Audit
12.1. The Client will permit Drake and its third-party representatives to audit the Client’s compliance with its PIPA obligations during the Term. The Client will give Drake and its third-party representatives all necessary assistance to conduct such audits in compliance with Privacy and Data Protection Requirements or other laws. The assistance may include, but is not limited to:
(a) physical access to, remote electronic access to, and copies of the Records and any other information held at the Client’s premises or on systems storing Personal Information;
(b) access to and meetings with any of the Client’s personnel reasonably necessary to provide all explanations and perform the audit effectively; and
(c) inspection of all Records and the infrastructure, electronic data or systems, facilities, equipment, or application software used to store, process, or transport Personal Information.
12.2. If a Security Breach occurs or is occurring, or the Client becomes aware of a breach of any of its obligations under this PIPA or any Privacy and Data Protection Requirements, the Client will:
(a) promptly conduct its own audit to determine the cause;
(b) produce a written report that includes detailed plans to remedy any deficiencies identified by the audit;
(c) provide Drake with a copy of the written audit report; and
(d) remedy any deficiencies identified by the audit within ten (10) days.
13. Representations and Warranties
13.1. The Client represents and warrants that:
(a) it and its employees, subcontractors, agents, and any other person or persons accessing Personal Information on its behalf are reliable and trustworthy and have received the required training on the Privacy and Data Protection Requirements;
(b) it and anyone operating on its behalf will process the Personal Information in compliance with both the terms of this PIPA and all applicable Privacy and Data Protection Requirements and any other applicable laws, enactments, regulations, codes, orders, standards, and other similar instruments;
(c) it has no reason to believe that any Privacy and Data Protection Requirements prevent it from providing any of the Terms and Conditions’ contracted services; and
(d) considering the current technology environment and implementation costs, it will take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of Personal Information and the accidental loss or destruction of, or damage to, Personal Information, and ensure a level of security appropriate to:
(i) the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction, or damage;
(ii) the nature of the Personal Information protected; and
(iii) comply with all applicable Privacy and Data Protection Requirements and its information and security policies, including the security measures required in Section 5.1.
13.2. Drake represents and warrants that the Client’s expected use of the Personal Information for the Business Purpose and as specifically instructed by Drake under this PIPA will comply with all Privacy and Data Protection Requirements.
14. Indemnification
14.1. The Client agrees to indemnify, keep indemnified and defend at its own expense Drake against all costs, claims, damages, or expenses incurred by Drake or for which Drake may become liable due to:
(a) any failure by the Client or its employees, subcontractors, or agents to comply with any of its obligations under this PIPA or applicable Privacy and Data Protection Requirements and any other applicable laws, enactments, regulations, codes, orders, standards, and other similar instruments; and
(b) any breach of its representations, warranties, covenants, and other obligations under this PIPA.
14.2. Any limitation of liability set forth in the Terms and Conditions will not apply to this PIPA’s indemnity or reimbursement obligations.
APPENDIX A
Personal Information Processing Purposes and Details
Business Purposes:
The business purposes for the transfer are to fulfill Drake’s obligations under the Terms and Conditions and to provide the Client with temporary staffing or permanent placement services. This includes recruiting, screening, interviewing, and assigning temporary workers according to the Client’s job descriptions and performing the specified duties and responsibilities under the Client’s supervision at designated locations.
Personal Information Categories:
The Personal Data transferred concern the following categories of data, to the extent that the data are relevant to the purposes of the transfer as described above:
For Permanent Placement:
· Identification Data: Name, address, phone number, email, date of birth, Social Insurance Number (SIN)
· Employment Data: Resume
· Background Check Data: Name, email, phone, date of birth, SIN, address
For Candidates/Temporary Workers:
· Identification Data: Name, date of birth, SIN, address, email, phone number, title, company, primary identification (which may include: Driver’s Licence, Passport, Canadian Citizenship Card, Permanent Resident Card, Certificate of Indian Status, Student identity card, Military Identification Card, or Ontario Photo Card), secondary identification (which may include: any form of identification with complete name pre-printed on it)
· Employment Data: Language information, Legal work eligibility in Canada, business references (name, title, company, phone, email).
· Financial Data: Bank account details.
· Emergency Contact Data: Emergency contact name and phone number.
Data Subject Types:
The Personal Data transferred concern the following categories of Data Subjects:
· Temporary Staff
· Permanent Placement Candidates
Approved Subcontractors (if applicable):
APPENDIX B
Security Measures
Client will use commercially reasonable efforts to implement and maintain appropriate measures designed to: (1) ensure the security and confidentiality of Personal Data; (2) protect against any foreseeable threats or hazards to the security or integrity of Personal Data; (3) protect against unauthorized access to or use of Personal Data; and (4) ensure Client’s employees are appropriately trained to maintain the confidentiality and security of Personal Data, consistent with the terms of this PIPA and applicable Privacy and Data Protection Requirements. Client shall promptly notify Drake of any breach or attempted breach of information confidentiality and shall permit Drake to conduct any verifications related to these obligations.
These measures include the application of Industry Standard Safeguards to protect Client’s systems used to store, transmit, and/or process Personal Data, and to limit access to Personal Data to only those employees or approved subcontractors who need the information to carry out the purposes for which Personal Data was disclosed to Client.
Client represents that it has and shall maintain a written comprehensive information security program. Client shall establish and maintain safeguards against the destruction, loss, alteration or misuse of Personal Data in the possession of Client using safeguards that are no less rigorous than those used by Client for its own information of a similar nature.
Client represents and warrants that it will bind its employees and approved subcontractors with access to Personal Data to privacy and security obligations consistent with those in the Terms and Conditions, PIPA, and this Appendix B prior to any such access taking place.
Upon request, Client will designate an individual who will serve as Drake’s ongoing single point of contact for purposes of addressing issues with respect to the use and security of Personal Data during the term and following the termination or expiration of this PIPA. Such individual will be accessible to Drake and will cooperate with Drake to address such issues.