Legal Compliance (GDPR, PIPEDA)
Canvass Global is designed to comply with the world’s strictest privacy and data protection laws. This comprehensive guide explains how we ensure compliance with GDPR, PIPEDA, CCPA, and other privacy regulations, and what this means for your data protection rights.
Compliance Overview
Our platform adheres to multiple privacy frameworks to protect users worldwide:
- GDPR (General Data Protection Regulation): European Union privacy law
- PIPEDA (Personal Information Protection and Electronic Documents Act): Canadian privacy law
- CCPA (California Consumer Privacy Act): California state privacy law
- COPPA (Children’s Online Privacy Protection Act): US children’s privacy law
- Provincial Privacy Laws: Additional Canadian provincial requirements
GDPR Compliance
General Data Protection Regulation (GDPR)
Applicable to: All users in the European Union and European Economic Area
Legal Basis for Processing
- Consent: Explicit consent for footage sharing and community participation
- Legitimate Interest: Platform operation and security measures
- Legal Obligation: Compliance with law enforcement assistance laws
- Vital Interests: Emergency response and public safety situations
GDPR Rights Implementation
| GDPR Right | How We Implement | Access Method | Response Time |
|---|---|---|---|
| Right to Information | Clear privacy notices and data usage explanations | Privacy policy, account dashboard | Immediate |
| Right of Access | Download all your personal data and processing history | Account settings → Data Export | 30 days |
| Right to Rectification | Update incorrect personal information | Account settings → Profile | Immediate |
| Right to Erasure | Delete account and all associated data | Account settings → Delete Account | 30 days |
| Right to Restrict Processing | Pause data processing while maintaining account | Privacy settings → Restrict Processing | 7 days |
| Right to Data Portability | Export data in machine-readable formats | Account settings → Data Export | 30 days |
| Right to Object | Opt out of specific processing activities | Privacy settings → Processing Preferences | 7 days |
PIPEDA Compliance
Personal Information Protection and Electronic Documents Act (PIPEDA)
Applicable to: All users in Canada (federal jurisdiction)
PIPEDA Fair Information Principles
- Accountability: Designated privacy officer responsible for compliance
- Identifying Purposes: Clear explanation of why we collect personal information
- Consent: Meaningful consent for all personal information collection and use
- Limiting Collection: Collect only information necessary for stated purposes
- Limiting Use, Disclosure & Retention: Use information only for stated purposes
- Accuracy: Keep personal information accurate and up-to-date
- Safeguards: Protect personal information with appropriate security measures
- Openness: Make privacy policies readily available
- Individual Access: Provide access to personal information upon request
- Challenging Compliance: Provide recourse for privacy concerns
CCPA Compliance
California Consumer Privacy Act (CCPA)
Applicable to: California residents
CCPA Consumer Rights
- Right to Know: What personal information we collect and how it’s used
- Right to Delete: Request deletion of personal information
- Right to Opt-Out: Opt out of sale of personal information (we don’t sell data)
- Right to Non-Discrimination: Equal service regardless of privacy choices
- Right to Limit: Limit use of sensitive personal information
Data Processing and Storage
Compliance-First Data Handling
Data Minimization
Collect only information necessary for platform operation and safety
Purpose Limitation
Use data only for explicitly stated and consented purposes
Storage Limitation
Retain data only as long as necessary for stated purposes
Accuracy Principle
Maintain accurate, complete, and up-to-date information
Security by Design
Implement technical and organizational security measures
Data Retention Compliance
Retention Periods by Data Type
- Account Information: personal details, contact info
- Shared Footage: retained unless a court order extends the retention period
- Communication Logs: platform messages, notifications
- Access Logs: who accessed what footage, and when
- Technical Data: IP addresses, device information
- Backup Data: automatically purged
Cross-Border Data Transfers
International Data Transfer Safeguards
- Adequacy Decisions: Transfer only to countries with adequate protection
- Standard Contractual Clauses: EU-approved contracts for international transfers
- Data Localization: Option to keep data within specific jurisdictions
- Transfer Impact Assessments: Evaluate risks before international transfers
- Encryption in Transit: All international transfers encrypted
Regional Data Storage Options
- European Union: Data stored within EU/EEA for GDPR compliance
- Canada: Data stored in Canada for PIPEDA compliance
- United States: Data stored in secure US facilities
- Hybrid Storage: Metadata local, footage cross-border with safeguards
Consent Management
Granular Consent Controls
- Specific Consent: Separate consent for each processing purpose
- Informed Consent: Clear explanation of what you’re consenting to
- Freely Given: No penalty for refusing consent
- Withdrawable: Easy withdrawal of consent at any time
- Documented: Record of when and how consent was given
Managing Your Consent
- Access “Privacy Settings” → “Consent Management”
- Review all current consent preferences
- Withdraw consent for specific processing activities
- Update consent preferences as needed
- Download consent history for your records
Children’s Privacy Protection
Enhanced Protection for Minors
- Age Verification: Verify users are 16+ (18+ in some jurisdictions)
- Parental Consent: Required for users under age of consent
- Limited Data Collection: Minimal data collection for minor users
- Enhanced Security: Additional security measures for minor accounts
- Special Deletion Rights: Fast-track deletion for minor user data
Breach Notification Procedures
Data Breach Response
Detection and Assessment (0-24 hours)
Identify breach scope, assess risk to individuals, contain the incident
Regulatory Notification (24-72 hours)
Notify relevant data protection authorities within legal timeframes
Individual Notification (72 hours)
Notify affected users if high risk to rights and freedoms
Remediation and Prevention
Fix the vulnerabilities that enabled the breach, implement additional safeguards, and monitor for recurrence
Privacy by Design Implementation
Built-in Privacy Protection
- Proactive Protection: Prevent privacy invasions before they occur
- Privacy as Default: Maximum privacy settings by default
- Privacy Embedded: Privacy built into system design, not added later
- Full Functionality: Accommodate user needs without compromising privacy
- End-to-End Security: Secure data throughout its entire lifecycle
- Visibility and Transparency: Clear privacy practices for all stakeholders
- Respect for User Privacy: User interests paramount in design decisions
Compliance Monitoring and Auditing
Continuous Compliance Monitoring
- Regular Privacy Audits: Internal and external privacy assessments
- Data Protection Impact Assessments: Evaluate privacy risks of new features
- Compliance Dashboards: Real-time monitoring of privacy metrics
- Staff Training: Regular privacy training for all employees
- Vendor Assessments: Ensure third-party vendors meet privacy standards
- Annual Compliance Reports: Transparent reporting on privacy compliance
Independent Oversight
- Data Protection Officer (DPO): Independent privacy oversight
- Privacy Advisory Board: External privacy experts provide guidance
- Regulatory Cooperation: Work with data protection authorities
- Third-Party Audits: Independent verification of privacy practices
Exercising Your Rights
How to Make Privacy Requests
- Online Portal: Submit requests through your account dashboard
- Privacy Email: Contact privacy@canvassglobal.com
- Identity Verification: Verify your identity to protect your data
- Request Processing: We’ll process your request within legal timeframes
- Follow-up: Receive confirmation and completion notifications
Common Privacy Requests
- Access Request: “What personal data do you have about me?”
- Deletion Request: “Please delete all my personal data”
- Correction Request: “Please correct this incorrect information”
- Portability Request: “Please provide my data in a portable format”
- Objection Request: “I object to this specific data processing”
Legal Basis Changes
When Legal Basis May Change
- Emergency Situations: Processing may rely on vital interests rather than consent
- Legal Obligations: Court orders may require data sharing
- Service Changes: New features may require different legal basis
- Regulatory Updates: Law changes may affect processing basis
Complaints and Recourse
If You Have Privacy Concerns
- Contact Our DPO: dpo@canvassglobal.com for privacy-specific issues
- Internal Resolution: We’ll work to resolve concerns directly
- Regulatory Complaint: Contact your local data protection authority
- Legal Action: Pursue legal remedies if necessary
Data Protection Authorities
- European Union: Your national data protection authority
- Canada: Office of the Privacy Commissioner of Canada
- California: California Attorney General’s Office
- Other Jurisdictions: Relevant privacy regulators