Data Protection Addendum Template for Canada


Key Requirements PROMPT example:

Data Protection Addendum

"I need a Data Protection Addendum for my Canadian software company based in Ontario that will be using a local cloud storage provider to process customer data, with the agreement starting January 2025."

Document background

The Data Protection Addendum serves as a critical supplement to existing service agreements where one party processes personal information on behalf of another. This document is essential when organizations engage service providers, vendors, or processors who will handle personal information of Canadian residents. The DPA ensures compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws, while also considering international privacy requirements where relevant. It outlines specific obligations regarding data security, breach notification, sub-processing, audit rights, and data subject rights. This document is particularly important given the increasing focus on privacy protection in Canada, recent legislative developments, and potential penalties for non-compliance with privacy laws.

Suggested Sections

1. Parties: Identification of the data controller (typically the business entity) and data processor (service provider), including full legal names and addresses

2. Background: Context of the existing relationship, reference to the main agreement this DPA supplements, and purpose of the addendum

3. Definitions: Key terms including Personal Information, Processing, Data Subject, Security Breach, and other relevant terminology aligned with PIPEDA and applicable privacy laws

4. Scope and Purpose of Processing: Detailed description of what personal information will be processed and for what specific purposes

5. Data Processor Obligations: Core obligations including processing only on documented instructions, confidentiality commitments, and security measures

6. Security Measures: Technical and organizational measures required to protect personal information

7. Sub-processing: Rules and requirements for engaging sub-processors, including notification and approval processes

8. Data Subject Rights: Procedures for handling data subject requests and providing assistance to the controller

9. Data Breach Notification: Procedures and timelines for reporting and handling personal information breaches

10. Audit Rights: Controller's rights to audit processor's compliance and processor's obligations to demonstrate compliance

11. Data Return and Deletion: Obligations regarding the return or deletion of personal information upon contract termination

12. Limitation of Liability: Specific liability provisions related to data protection obligations

13. Term and Termination: Duration of the DPA and specific termination rights related to data protection

14. Governing Law and Jurisdiction: Specification of Canadian law as governing law and jurisdiction for disputes

Optional Sections

1. Cross-border Transfers: Required if personal information will be transferred outside of Canada, including specific safeguards and compliance mechanisms

2. Special Categories of Data: Required if sensitive personal information (as defined by PIPEDA) will be processed

3. Industry-Specific Requirements: Required for regulated industries such as healthcare or financial services

4. GDPR Compliance: Required if the processing activities fall under GDPR scope

5. Provincial Law Compliance: Required when operating in provinces with specific privacy laws (Quebec, Alberta, British Columbia)

6. Data Protection Impact Assessment: Required for high-risk processing activities

7. Privacy Shield Compliance: Required if transferring data to U.S.-based processors

Suggested Schedules

1. Schedule A - Description of Processing Activities: Detailed matrix of data processing activities, including categories of data subjects, types of personal information, and purposes

2. Schedule B - Technical and Organizational Security Measures: Comprehensive list of security measures implemented by the processor

3. Schedule C - Approved Sub-processors: List of pre-approved sub-processors and their processing activities

4. Schedule D - Data Transfer Mechanisms: Details of mechanisms used for international data transfers, if applicable

5. Schedule E - Security Breach Response Plan: Detailed procedures for handling and reporting security breaches

6. Appendix 1 - Standard Contractual Clauses: If required for international transfers, particularly if GDPR applies

7. Appendix 2 - Compliance Checklist: Checklist ensuring compliance with PIPEDA and other applicable privacy laws

Authors

Alex Denne

Head of Growth (Open Source Law) @ Genie AI | 3 x UCL-Certified in Contract Law & Drafting | 4+ Years Managing 1M+ Legal Documents | Serial Founder & Legal AI Author

Relevant Industries

Technology

Healthcare

Financial Services

E-commerce

Retail

Professional Services

Education

Telecommunications

Insurance

Manufacturing

Transportation and Logistics

Marketing and Advertising

Real Estate

Non-profit Organizations

Government Services

Relevant Teams

Legal

Compliance

Information Security

Information Technology

Privacy

Risk Management

Procurement

Vendor Management

Data Governance

Information Management

Operations

Corporate Security

Relevant Roles

Chief Privacy Officer

Data Protection Officer

Privacy Counsel

Legal Counsel

Compliance Manager

Information Security Manager

IT Director

Chief Information Security Officer

Chief Technology Officer

Risk Manager

Procurement Manager

Vendor Management Officer

Chief Legal Officer

Privacy Manager

Data Governance Manager

Information Management Director

