Zscaler and PIPEDA

Introduction

The Personal Information Protection and Electronic Documents Act (PIPEDA), which became effective April 13, 2000, is Canada’s federal privacy law applying to private sector organizations across Canada that collect, use or disclose personal information in the course of a “commercial activity.” The law defines a “commercial activity” as any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character.

Consistent with the European Union's General Data Protection Regulation (GDPR), PIPEDA grants individuals the right to access personal information held by an organization, to know the purposes for which personal information is being collected, and to challenge its accuracy. In fact PIPEDA is currently deemed to provide an essentially equivalent level of privacy protection to the GDPR, which allows for the free flow of personal information from the EU to Canadian organizations. However, unlike the GDPR, PIPEDA does not restrict cross-border transfers of personal information.

Certain Canadian provinces, including Alberta, British Columbia and Quebec, have their own private sector privacy laws that have been deemed substantially similar to PIPEDA. Organizations subject to a substantially similar provincial privacy law are generally exempt from PIPEDA with respect to the collection, use or disclosure of personal information that occurs within that province. However, all businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to PIPEDA, regardless of the province or territory in which they are based (including provinces with substantially similar legislation).

Zscaler is committed to our customers’ success, including compliance with PIPEDA, and will assist our customers in satisfying their PIPEDA obligations.

What is Personal Information Under PIPEDA?

Personal information under PIPEDA includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

• Age, name, ID numbers, income or ethnic origin;

• Opinions, evaluations, comments, social status or disciplinary actions; and

• Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

However, PIPEDA does not apply to business contact information, such as an employee’s name, title, business address, telephone number or email address that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession.

How Does Zscaler Comply with PIPEDA?

PIPEDA requires that businesses follow ten fair information principles. These principles, and a brief summary of Zscaler’s compliance efforts with respect to each of these principles, are as follows:

1. Accountability. Zscaler Legal, Compliance, and CISO teams work together to ensure Zscaler’s compliance with data protection laws, including PIPEDA. Zscaler employees are regularly trained to comply with applicable data protection requirements.

2. Identifying Purposes. Zscaler identifies and documents its purposes for collecting personal information and explains those purposes to its customers.

3. Consent. Zscaler obtains the consent of its customers before collecting personal information from them.

4. Limiting Collection. Zscaler only collects the personal information that it needs to fulfill the legitimate purposes of providing its services to customers.

5. Limiting Use, Disclosure and Retention. Zscaler uses or discloses personal information only for the identified purposes for which it was collected, and Zscaler retains personal information only as long as it is needed to serve those purposes.

6. Accuracy. Zscaler keeps personal information as accurate, complete and up to date as necessary, taking into account its use and the interests of the customer.

7. Safeguards. Zscaler has developed and implemented security policies to protect all personal information (regardless of how it is stored) against loss, theft, or any unauthorized access, disclosure, copying, use or modification, taking into account the sensitivity of the information and other factors. Zscaler reviews its security safeguards regularly to ensure they are up to date, and addresses any vulnerabilities through regular security audits and/or testing. Further, Zscaler ensures that its employees are aware of the importance of maintaining the security and confidentiality of personal information, and Zscaler conducts regular staff training on security safeguards. If there’s a breach of security involving customer personal information, Zscaler will promptly notify the customer.

8. Openness. Zscaler makes its privacy-related policies readily available on its website and strives to make these policies easily understandable.

9. Individual Access. Zscaler recognizes that individuals have a right to access the personal information that an organization holds about them. They also have the right to challenge the accuracy and completeness of the information, and have that information amended as appropriate. Zscaler assists its customers in fulfilling their obligations to provide right of access to and right to amend personal information.

10. Challenging Compliance. Zscaler will promptly investigate any challenges to Zscaler’s compliance with fair information principles and has developed internal complaint handling and investigation procedures