Data Protection Policy
Last Updated: April 11, 2025
This Data Protection Policy outlines how WilGlobo ("we," "us," or "our") protects personal data and ensures compliance with applicable data protection laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws in Canada.
1. Data Protection Principles
We adhere to the following principles when processing personal data:
- Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and in a transparent manner.
- Purpose Limitation: We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.
- Data Minimization: We limit personal data collection to what is necessary for the purposes for which it is processed.
- Accuracy: We take reasonable steps to ensure personal data is accurate and, where necessary, kept up to date.
- Storage Limitation: We keep personal data in a form that permits identification of data subjects for no longer than necessary for the purposes for which it is processed.
- Integrity and Confidentiality: We process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
- Accountability: We are responsible for and can demonstrate compliance with these principles.
2. Technical and Organizational Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption: Personal data is encrypted during transmission and at rest where appropriate.
- Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis.
- Authentication: Multi-factor authentication is required for accessing systems containing sensitive personal data.
- Backup and Recovery: Regular backups are performed to prevent data loss, with secure storage and tested recovery procedures.
- Network Security: Firewalls, intrusion detection systems, and other network security measures are in place to protect against unauthorized access.
- Physical Security: Physical access to data processing facilities is restricted and monitored.
- Secure Development: Security is integrated into the development lifecycle of our systems and applications.
- Vendor Management: Third-party service providers are assessed for security and privacy compliance before engagement.
3. Data Breach Response Procedures
In the event of a data breach, we follow these steps:
- Detection and Reporting: Promptly identify and internally report suspected breaches.
- Assessment: Assess the nature and scope of the breach, including the types of data affected and the number of individuals impacted.
- Containment: Take immediate steps to contain the breach and minimize its impact.
- Investigation: Conduct a thorough investigation to determine the cause of the breach.
- Notification: Notify affected individuals and relevant authorities as required by law, typically within 72 hours of becoming aware of the breach when feasible.
- Remediation: Implement measures to address the breach and prevent similar incidents in the future.
- Documentation: Maintain records of all data breaches, including facts, effects, and remedial actions taken.
4. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) when processing is likely to result in a high risk to individuals' rights and freedoms, particularly when:
- Implementing new technologies
- Processing sensitive personal data on a large scale
- Systematically monitoring publicly accessible areas
- Profiling individuals on a large scale
- Processing data related to vulnerable individuals (e.g., children)
Our DPIA process includes:
- Describing the processing operations and purposes
- Assessing necessity and proportionality
- Identifying and assessing risks to individuals
- Identifying measures to mitigate those risks
- Documenting the assessment and implementing recommendations
5. Data Retention and Deletion Practices
Our data retention practices include:
- Retention Schedule: We maintain a data retention schedule that specifies how long different categories of personal data should be kept.
- Regular Reviews: We periodically review the personal data we hold and delete or anonymize data that is no longer needed.
- Secure Deletion: When personal data is no longer needed, it is securely deleted or anonymized using appropriate methods.
- Backup Deletion: Personal data is also removed from backup systems according to our backup retention schedule.
- Documentation: We maintain records of data deletion to demonstrate compliance.
Typical retention periods include:
- Account information: For as long as the account is active, plus a reasonable period thereafter
- Transaction data: 7 years for tax and accounting purposes
- Communication records: 2 years after the last interaction
- Marketing preferences: Until the individual opts out or requests deletion
6. Data Subject Rights
We respect and facilitate the exercise of data subject rights, including:
- Right to Access: Individuals can request confirmation of whether we process their personal data and access to that data.
- Right to Rectification: Individuals can request correction of inaccurate personal data or completion of incomplete data.
- Right to Erasure: Individuals can request deletion of their personal data under certain circumstances.
- Right to Restrict Processing: Individuals can request restriction of processing under certain circumstances.
- Right to Data Portability: Individuals can request to receive their personal data in a structured, commonly used, machine-readable format.
- Right to Object: Individuals can object to processing of their personal data under certain circumstances.
- Right to Withdraw Consent: Individuals can withdraw consent at any time where processing is based on consent.
We respond to data subject requests within 30 days, with a possible extension of up to 60 additional days for complex requests.
7. Employee Training on Data Protection
We ensure that all employees who handle personal data receive appropriate training on data protection, including:
- Initial Training: All new employees receive data protection training as part of their onboarding.
- Regular Updates: Employees receive regular updates on data protection requirements and best practices.
- Role-Specific Training: Employees with specific data protection responsibilities receive additional specialized training.
- Awareness Programs: Regular awareness initiatives to maintain a privacy-conscious culture.
- Testing and Verification: Periodic assessments to verify understanding of data protection principles.
8. Data Protection Officer Responsibilities
Our Data Protection Officer (DPO) is responsible for:
- Informing and advising on data protection obligations
- Monitoring compliance with data protection laws and policies
- Providing advice on Data Protection Impact Assessments
- Cooperating with supervisory authorities
- Acting as a contact point for data subjects
- Maintaining expertise in data protection
- Reporting directly to the highest level of management
Our DPO can be contacted at privacy@wilglobo.com.
9. Third-Party Data Processor Requirements
When engaging third-party data processors, we:
- Conduct due diligence to ensure they provide sufficient guarantees to implement appropriate technical and organizational measures
- Enter into written data processing agreements that include specific requirements under applicable data protection laws
- Require processors to assist us in ensuring compliance with our obligations
- Require processors to obtain our authorization before engaging sub-processors
- Regularly audit and review processor compliance
- Require processors to delete or return all personal data after the end of services
10. International Data Transfer Safeguards
When transferring personal data outside of Canada, we implement appropriate safeguards, including:
- Standard contractual clauses approved by relevant authorities
- Binding corporate rules for transfers within a corporate group
- Adequacy decisions where the recipient country provides adequate protection
- Explicit consent from the data subject after being informed of the risks
- Contractual commitments from recipients to provide adequate protection
- Regular assessments of the effectiveness of transfer mechanisms
11. Compliance Monitoring and Audits
We maintain a comprehensive compliance monitoring program that includes:
- Regular Internal Audits: Periodic reviews of our data protection practices and procedures.
- Compliance Documentation: Maintenance of records to demonstrate compliance with data protection principles.
- Risk Assessments: Regular assessments to identify and address data protection risks.
- Incident Monitoring: Systems to detect and respond to data protection incidents.
- Policy Reviews: Regular reviews and updates of data protection policies and procedures.
- Vendor Assessments: Regular reviews of third-party service providers' compliance.
12. Changes to This Policy
We may update this Data Protection Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on our website and updating the "Last Updated" date.
13. Contact Information
If you have any questions or concerns about this Data Protection Policy or our data protection practices, please contact our Data Protection Officer at:
Email: privacy@wilglobo.com
WilGlobo
Calgary, Alberta
Canada