GDPR & PIPEDA Compliance
Last Updated: December 3, 2025
Our Commitment to Data Protection
ThinSky is fully committed to protecting personal data in accordance with the General Data Protection Regulation (GDPR), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable privacy regulations. This page outlines our compliance practices and your rights under these frameworks.
GDPR Compliance
The General Data Protection Regulation applies to organizations established in the EU/EEA and to organizations elsewhere that offer goods or services to, or monitor the behaviour of, individuals in the EU/EEA. ThinSky ensures GDPR compliance through:
Lawful Basis for Processing
- Contractual Necessity: Processing required to deliver our services
- Legitimate Interests: Processing necessary for our business operations, where those interests are not overridden by your rights and freedoms
- Legal Obligation: Processing required to comply with applicable laws
- Consent: Freely given, specific permission for marketing communications, which you can withdraw at any time
Your GDPR Rights
- Right to Access (Art. 15): Obtain a copy of your personal data
- Right to Rectification (Art. 16): Correct inaccurate data
- Right to Erasure (Art. 17): Request deletion ("Right to be Forgotten")
- Right to Restrict Processing (Art. 18): Limit data processing
- Right to Data Portability (Art. 20): Receive data in machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interests, and to direct marketing at any time
- Rights Related to Automated Decision-Making (Art. 22): Not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects, and to obtain human review of such decisions
Data Protection Measures
- Privacy by Design and by Default principles
- Data Protection Impact Assessments (DPIAs) for high-risk processing
- Appointed Data Protection Officer
- Notification of personal data breaches to the supervisory authority within 72 hours of becoming aware of them (Art. 33), and to affected individuals without undue delay where a breach is likely to result in a high risk to their rights (Art. 34)
- Standard Contractual Clauses for international transfers
PIPEDA Compliance
The Personal Information Protection and Electronic Documents Act governs how private-sector organizations in Canada collect, use, and disclose personal information in the course of commercial activities. ThinSky adheres to the 10 Fair Information Principles set out in Schedule 1 of PIPEDA:
The 10 PIPEDA Principles
- Accountability: We are responsible for personal information under our control
- Identifying Purposes: We identify why we collect information before or at the time of collection
- Consent: We obtain meaningful consent for collection, use, and disclosure
- Limiting Collection: We collect only what is necessary for identified purposes
- Limiting Use, Disclosure, and Retention: Information is used only for stated purposes and retained only as needed
- Accuracy: We keep personal information accurate, complete, and up-to-date
- Safeguards: We protect information with appropriate security measures
- Openness: We make our policies readily available
- Individual Access: Individuals can access their information and challenge its accuracy
- Challenging Compliance: Individuals can challenge our compliance with these principles
Your PIPEDA Rights
- Request access to your personal information
- Challenge the accuracy of your information
- Withdraw consent (subject to legal or contractual restrictions)
- File a complaint with the Privacy Commissioner of Canada
How We Protect Your Data
Technical Safeguards
- AES-256 encryption for data at rest
- TLS 1.3 encryption for data in transit
- Multi-factor authentication (MFA)
- Role-based access controls
- Continuous security monitoring
- Regular penetration testing
Organizational Safeguards
- Employee background checks
- Mandatory security awareness training
- Confidentiality agreements
- Documented security policies
- Incident response procedures
- Regular compliance audits
International Data Transfers
When transferring personal data internationally, we ensure compliance through:
- Standard Contractual Clauses (SCCs): Contractual safeguards approved by the European Commission
- Adequacy Decisions: Transfers to countries the European Commission has recognized as providing adequate protection (Canada holds such a decision for organizations subject to PIPEDA)
- Binding Corporate Rules: Where applicable
- Transfer Impact Assessments: Evaluating destination country laws
Data Processing Agreements
For clients using our managed services, we provide comprehensive Data Processing Agreements (DPAs) that include:
- Clear definition of processing scope and purposes
- Sub-processor lists and change notification procedures
- Security obligations and audit rights
- Data deletion and return procedures
- Breach notification commitments
Exercising Your Rights
To exercise any of your data protection rights, please contact us:
Data Protection Officer
Email: dpo@thinsky.com
Privacy Inquiries: privacy@thinsky.com
Response Time: Within 30 days of receiving a verified request (one month under GDPR Art. 12, extendable by up to two further months for complex requests; 30 days under PIPEDA). Breach notifications to supervisory authorities follow the separate 72-hour timeline under GDPR Art. 33; under PIPEDA, breaches of security safeguards that create a real risk of significant harm are reported to the OPC and to affected individuals as soon as feasible.
Please include sufficient information to verify your identity and specify your request clearly.
Supervisory Authorities
If you believe your data protection rights have been violated, you may file a complaint with:
- Canada: Office of the Privacy Commissioner of Canada (OPC) - www.priv.gc.ca
- EU/EEA: Your local Data Protection Authority
- UK: Information Commissioner's Office (ICO)
Helping You Achieve Compliance
Beyond our own compliance, ThinSky helps organizations achieve and maintain GDPR and PIPEDA compliance through:
- Security assessments and gap analysis
- Policy development and documentation
- Technical controls implementation
- Employee security awareness training
- Incident response planning
- Ongoing monitoring and compliance support
Updates to This Page
We may update this compliance information as regulations evolve. Material changes will be communicated to clients and posted on our website. We encourage you to review this page periodically.