Your Privacy Rights
From January 1, 2004, all Ontario organizations engaged in commercial activities must comply with the federal Personal Information Protection and Electronic Documents Act, also known as PIPEDA.
GR is responsible for the personal information we collect, use and disclose. To ensure this accountability, we have developed this policy and educated our lawyers and staff about our policies and practices.
"Personal Information" means information about an identifiable individual but does not include the name, title, business address, or telephone number of any employee of any organization.
Why Does GR Collect Personal Information From You?
We collect personal information from our clients to:
- provide legal services to you, in accordance with your instructions;
- bill you for legal services rendered;
- provide information to you about developments in the law; and
- advise you of upcoming firm events, or market our legal services to you, help us make credit decisions about clients, prevent fraud, check the identity of new clients and prevent money-laundering.
How Do We Collect Your Personal Information?
We collect information only by lawful and fair means and not indiscriminately. We may collect personal information directly from you at the start of a retainer, or in the course of our representation.
Sometimes we may obtain information about you from other sources such as
- your insurance company;
- your real estate agent, mortgage brokers or lenders in a property transaction;
- credit bureaus or consumer reporting agencies;
- a government agency or registry;
- your employer, if we are acting for you at your employer’s request;
- your accountant;
- other consultants retained by you to assist with your legal concerns;
- other parties involved in the same matter in which we are assisting you.
Consent for the collection, use and/or disclosure of personal information may be obtained orally or in writing and may be expressly given or implied. We may also from time to time when we are providing services to you ask us to give your written consent to the use and disclosure of specific personal information. In determining how we obtain your consent, we will take into account the sensitivity of your personal information that we are collecting, using and/or disclosing.
If You Don’t Consent
The choice to provide GR with personal information is always up to you. Upon request, we will explain your options of refusing or withdrawing consent to the collection, use and disclosure of your personal information and will record and respect your written choices. However, your decision to withhold particular details may limit GR’s ability to provide our services to you. This measure is necessary to protect the integrity of the services offered by GR. Furthermore, any refusing or withdrawing of consent is always subject to any overriding legal requirements or commitments.
Disclosure Of Your Personal Information
Under certain circumstances GR may disclose your personal information:
- when we are required or authorized by law to do so;
- when the legal services we are providing require us to give your information to third parties (for example, to a lender or the other party in a real estate or mortgage transaction) your consent will be implied unless you tell us otherwise;
- where it is necessary to establish or collect fees;
- if we engage expert witnesses on your behalf;
- if we retain other law firms in other jurisdictions on your behalf;
- if we are involved in negotiations for the merger or transfer of our practice;
- if the information is already publicly known.
Updating Your Information
Since we use your personal information to provide legal services to you, it is important that the information be accurate and up-to-date. If, during the course of the retainer, any of the information changes, or if you should become aware that the personal information which we have is incorrect, please inform us so that we can make the necessary changes.
Is My Personal Information Secure?
GR takes all reasonable precautions to ensure that your personal information is kept safe from loss, unauthorized access, modification or disclosure. Among the steps taken to protect your information are:
- premises security;
- restricted access to personal information;
- deploying technological safeguards such as security software and firewalls to prevent hacking or unauthorized computer access;
- internal password and security policies;
- obligation of each lawyer to maintain client confidentiality under the Rules of Professional Conduct of the Law Society of Ontario;
- where necessary or appropriate, by requiring third parties to sign a confidentiality agreement.
As GR is responsible for any personal information under its control, including personal information that GR may transfer to a third party for processing, we will use contractual or other means to provide a comparable level of privacy protection when personal information is being processed by a third party on GR's behalf.
Access to Your Personal Information
You may request access to any personal information we hold about you. Summary information is available on written request. More detailed requests that require archive retrieval or copying costs may be subject to reasonable reimbursement for our actual costs.
Can I Be Denied Access To My Personal Information?
Your rights to access your personal information are not absolute. We may deny access when:
- denial of access is required or authorized by law (for example, when a record containing personal information about you is subject to a claim of legal professional privilege by one of our clients);
- information relates to existing or anticipated legal proceedings against you;
- granting you access would have an unreasonable impact on other people’s privacy;
- to do so would prejudice negotiations with you;
- to protect our firm’s rights and property;
- the request is frivolous or vexatious.
If we deny your request for access, or refuse a request to correct information, we will explain why.
GR does not use your Social Insurance Number as a way of identifying or organizing the information we hold about you, but we may need it for income tax reporting purposes if we hold or invest funds for you in our trust accounts.
How Long Do You Keep My Personal Information?
We retain your personal information for as long as is reasonably necessary for us to complete our dealings with you, or as may be required by law or for purpose of compliance with our professional obligations.
Although PIPEDA does not apply to our employee information, we have elected to follow privacy “best practices” in this area. If you apply to GR for a job we need to consider your personal information as part of our review process. We normally retain information from candidates after a decision has been made, unless you ask us not to retain your information. If you accept a job with us, the information will be retained in accordance with our privacy procedures for personnel records. We may also disclose this information to our payroll and employee benefits providers.
Communicating With Us
Email is not a 100% secure medium and you should be aware of this when contacting us to send personal or confidential information.
If you have any questions or wish to review your personal information, please write to our privacy officer at:
Bay Adelaide Centre – East Tower
22 Adelaide Street West, Suite 3600
Toronto, ON M5H 4E3
If you are not satisfied with our response you may contact the Privacy Commissioner of Canada at:
112 Kent Street
Ottawa, ON K1A 1H3
European Union General Data Protection Regulation (the “GDPR”)
EU Personal Data that is collected by us may have been obtained directly from you, or implicitly from your use of our services, or from a third party.
For the purposes of this Schedule, the term “processing” has the meaning ascribed to it under the GDPR and includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of EU Personal Data.
2. GDPR Principles
To the extent we process EU Personal Data, EU Personal Data will be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; reasonable steps will be taken to ensure that EU Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the EU Personal Data are processed;
- processed in a manner that ensures appropriate security of the EU Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
3. Lawful Bases for Processing
We will only process EU Personal Data where we have a lawful basis which may include:
- you have given your consent to us for processing your EU Personal Data for one or more specific purposes);
- if processing is necessary for the performance of a contract with you (e.g., providing the services you have requested or that have been requested on your behalf) or to perform any steps you require from us before entering into a contract;
- if processing is necessary for compliance with a legal obligation to which we are subject;
- if processing is necessary to protect your vital interests or those of another natural person; or
- if processing is necessary for the purposes of the legitimate interests of our firm (for example, in establishing, managing or concluding our business relationship with you or establishing, exercising or defending our legal rights) or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms as the data subject which require protection of EU Personal Data, in particular where the data subject is a child.
We do not use automatic decision making, such as profiling, to make a decision that may produce a legal effect concerning a data subject of EU Personal Data.
4. Rights of Data Subjects under the GDPR
Under certain specified circumstances you have the following rights, in accordance with the GDPR, regarding your EU Personal Data
- Right to withdraw consent (GDPR Article 7): Where processing of your EU Personal Data has been based on your consent, you have the right to withdraw your consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal). This includes cases where you wish to opt out from marketing messages that you receive from us.
- Right to be informed (GDPR Articles 12 to 14): You have the right to be informed about the processing of your EU Personal Data.
- Right to access (GDPR Article 15): You have the right to view and request copies of your EU Personal Data.
- Right to rectification (GDPR Article 16): You have the right to request your EU Personal Data that is incomplete, inaccurate or outdated be updated or corrected.
- Right to erasure (GDPR Article 17): You have the right to request that your EU Personal Data be deleted. Note that this is not an absolute right and may be subject to exemptions under the GDPR or based on certain laws.
- Right to restriction of processing (Article 18): You have the right to request the restriction or suppression of processing of your EU Personal Data.
- Right to data portability (GDPR Article 20): You have the right to ask for your EU Personal Data that you have provided to us to be transferred to another controller or provided to you. The data must be provided in a machine-readable electronic format.
- Right to object (GDPR Article 21): You have the right to object to the processing of your EU Personal Data.
- Right to object to automated processing (GDPR Article 22): You have the right to object to decisions being made with your EU Personal Data solely based on automated decision making or profiling.
- Right to lodge a complaint (GDPR Article 77): You have the right to lodge a complaint with a supervisory authority, in particular in the member state of the EEA where you reside or work, or where the alleged infringement occurred, if you consider that the processing of your EU Personal Data infringes the GDPR.
5. Our responsibilities as a “data controller” and a “data processor”
We may act as the “data controller”, the “data processor” or simultaneously as both the data collector and data processor in relation to EU Personal Data.
Under the GDPR, we are a data controller where we determine the purposes and means of the processing of EU Personal Data alone or jointly with others.
Under the GDPR, we are a data processor where we process EU Personal Data on behalf of a data controller.
6. Disclosure to Third Parties
7. Transfer of your EU Personal Data
Providing us with your EU Personal Data for the purposes described above will result in the transfer of your EU Personal Data to Canada and may involve the transfer of your EU Personal Data to third parties located in other countries outside the EEA, where data protection laws may be of a lower or different standard than in the EEA.
Your EU Personal Data will be transferred to Canada based on the European Commission’s adequacy decision of the Canadian Personal Information Protection and Electronic Documents Act adopted on 20 December 2001 or otherwise may be based on your consent.
We will take steps that are reasonably necessary to ensure that a transfer of your EU Personal Data to countries outside the EEA is carried out in accordance with the GDPR, including where we have obtained your consent to do so.
8. Changes to this Schedule
We may update this Schedule from time to time. Any changes to this Schedule will take effect immediately upon their posting on this website.
9. Inquiries and Complaints