PIPEDA and Canadian privacy questionnaires: answering as a vendor

A Canadian buyer has sent you a questionnaire that looks like a security review but keeps asking about consent, retention, and where the data lives. That is a PIPEDA questionnaire — built on the Personal Information Protection and Electronic Documents Act — and it follows a structure you can learn once. This guide covers why Canadian buyers send these, how the ten fair-information principles map to the rows, and the answers that take the longest to write.

Why Canadian buyers questionnaire their vendors

PIPEDA's first principle is accountability: an organization remains responsible for personal information it transfers to a third party for processing, and must use contractual or other means to ensure comparable protection. Your buyer cannot outsource their PIPEDA obligations to you — which means before they hand you their customers' personal information, they have to satisfy themselves that you protect it the way they are required to. The questionnaire is how they document that diligence. Understand that and the strange rows make sense: they are not auditing your product, they are building the file that shows their regulator they vetted their processor.

The ten principles are the question structure

PIPEDA's substantive obligations live in Schedule 1 as ten fair-information principles, and most Canadian privacy questionnaires are organized around them, whether or not they say so:

  • Accountability — who is responsible, and is there a designated Privacy Officer
  • Identifying purposes — why personal information is collected, stated before or at collection
  • Consent — knowledge and consent for collection, use, and disclosure
  • Limiting collection — only what the identified purposes require
  • Limiting use, disclosure, and retention — no repurposing, and deletion when the purpose is spent
  • Accuracy — information kept accurate, complete, and current as needed
  • Safeguards — security appropriate to the sensitivity of the information
  • Openness — published policies and practices, usually your privacy policy
  • Individual access — people can see and correct their information
  • Challenging compliance — a channel to complain to your designated person

For a vendor, the safeguards and accountability rows are the hardest to answer well. Consent and purposes usually belong to your customer — they collected the data; you process it on instruction — so those rows are one sentence each. Safeguards is where the reviewer wants named controls: encryption at rest and in transit, access control, logging, the specific tools and cadences. Accountability is where they want a named Privacy Officer, a processor contract, and evidence that someone owns the program rather than the program owning itself.

Breach of security safeguards: the report, the notice, and the register

PIPEDA's breach regime has three parts, and questionnaires test all three. Where a breach of security safeguards creates a real risk of significant harm, you report to the Office of the Privacy Commissioner of Canada (OPC) and notify affected individuals — both as soon as feasible. The third part is the one vendors miss: you must keep a record of every breach of security safeguards, whether or not it met the harm threshold, and the regulations set a minimum retention period of 24 months for those records. A questionnaire row asking "describe your breach register" is checking for that duty specifically — "we have never had a reportable breach" is not an answer to it, because the register must capture the non-reportable ones too.

Cross-border rows: where does the data live

Most Canadian privacy questionnaires include some version of "where is personal information stored and processed?" If you run on US cloud regions, say so plainly. PIPEDA does not prohibit cross-border processing; it requires accountability and openness about it — the OPC's position is that individuals should be told their information may be processed in a foreign jurisdiction and may be accessible to that jurisdiction's courts and law enforcement. Your questionnaire answer should mirror what your own privacy policy already discloses — our own privacy policy states that data is stored in the United States and subject to lawful access by US authorities, and our questionnaire answers say the same thing. An answer that contradicts your published policy is the kind of inconsistency reviewers are paid to find. If the buyer requires Canadian data residency, that is a contractual requirement on their side, not a PIPEDA one — flag it as a scoping conversation, not a compliance failure.

How to answer a PIPEDA questionnaire, step by step

  1. Establish your role first. Are you processing personal information on the buyer's instructions, or collecting it for your own purposes? Most vendor rows assume the former, and saying so up front lets you answer the consent and purposes principles in one line each instead of inventing obligations you do not have.
  2. Stand up an answer library keyed to the ten principles. Start from our free answer-library template and tag each row with the Schedule 1 principle it serves. PIPEDA questionnaires vary in wording but not in structure — a library organized by principle answers all of them.
  3. Name your Privacy Officer. The accountability principle requires a designated individual, and the questionnaire will ask for the name or at least the role. If nobody holds it, appoint someone before answering — an empty accountability row colours how the rest of the questionnaire is read.
  4. Document the breach register before describing it. Write down the format, the fields, where it lives, and who maintains it. The record-keeping duty applies to every breach of security safeguards, not just reportable ones, and reviewers increasingly ask to see the mechanism rather than the assertion.
  5. Write the safeguards rows against what you actually run. Named tools, named policies, real cadences — appropriate to the sensitivity of the data you handle. "Industry-standard security" is the answer that generates follow-up questionnaires.
  6. Align the cross-border answers with your privacy policy. State hosting jurisdictions, subprocessors, and the contractual protections in place, in the same terms your public policy uses. Then have one person read the whole response for consistency before it goes out.
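As an added illustration of step 4, not the page's or ThinSky's own tooling, here is a minimal breach register in Python: every breach is recorded whether or not it met the real-risk-of-significant-harm threshold, a reportable entry must carry its OPC report date, and purge eligibility is computed from the 24-month minimum. The field names and the two sample entries are constructed assumptions, not a regulator-prescribed schema.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional
MIN_RETENTION_MONTHS = 24  # minimum the page cites; your own policy may keep records longer

@dataclass
class BreachRecord:
    record_id: str                 # field names are assumptions, not a prescribed schema
    date_determined: date          # when the organisation determined the breach occurred
    description: str
    info_involved: str             # categories of personal information, never the data itself
    rrosh: bool                    # outcome of the real-risk-of-significant-harm assessment
    rrosh_rationale: str           # sensitivity of the information and probability of misuse
    opc_reported: Optional[date] = None
    individuals_notified: Optional[date] = None

    def retain_until(self) -> date:
        """Earliest purge date: determination date plus 24 months (Feb 29 clamps to Feb 28)."""
        d = self.date_determined
        try:
            return d.replace(year=d.year + MIN_RETENTION_MONTHS // 12)
        except ValueError:  # only Feb 29 of a leap year fails here
            return d.replace(year=d.year + MIN_RETENTION_MONTHS // 12, day=28)

@dataclass
class BreachRegister:
    records: List[BreachRecord] = field(default_factory=list)

    def add(self, rec: BreachRecord) -> None:
        # Every breach goes in, reportable or not; a reportable one must carry its report date.
        if rec.rrosh and rec.opc_reported is None:
            raise ValueError(f"{rec.record_id}: RROSH breach recorded without OPC report date")
        self.records.append(rec)

    def purgeable(self, today: date) -> List[BreachRecord]:
        """Records past the retention floor; everything else stays in the register."""
        return [r for r in self.records if r.retain_until() <= today]

    def summary(self) -> dict:
        """The two counts a questionnaire row needs: all breaches versus reportable ones."""
        return {"total": len(self.records), "reportable": sum(r.rrosh for r in self.records)}

def sample_register() -> BreachRegister:
    """Constructed sample entries: one below the harm threshold, one reported to the OPC."""
    reg = BreachRegister()
    reg.add(BreachRecord("BR-0001", date(2023, 3, 10), "Export emailed to wrong contact",
                         "names, work emails", False, "Low sensitivity; deletion confirmed"))
    reg.add(BreachRecord("BR-0002", date(2024, 1, 22), "Plaintext DB snapshot exfiltrated",
                         "names, SINs, account numbers", True, "High sensitivity; ID-theft risk",
                         opc_reported=date(2024, 1, 24), individuals_notified=date(2024, 1, 25)))
    return reg
```

The summary shows why "we have never had a reportable breach" does not answer the register row: the total count is what the record-keeping duty tracks, and the reportable count is a subset of it.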

When the answer is no: closing PIPEDA-specific gaps

PIPEDA "no" answers cluster around the safeguards and accountability principles — the rows that assume monitoring, access control, and a documented program exist. Each is deployable as an open-source component you keep:

  • No breach register or detection behind it: Managed Wazuh — the detection and log retention the record-keeping duty quietly assumes; you cannot register breaches you never see.
  • No access-control accountability: Managed Teleport — recorded, audited access to the systems holding personal information, which is the evidence the accountability rows want.
  • No documented safeguards story: Managed Security — the monitored stack and the documentation that turns "appropriate safeguards" from a claim into an answer.

The general method — triage, answer honestly, build the library as you go — is covered in our guide to answering security questionnaires; everything above is what PIPEDA adds on top. If the response is due and nobody on the team has mapped controls to the ten principles before, ThinSky's Questionnaire Rescue drafts the whole thing for you.

Common questions.

Does PIPEDA apply to our company?

PIPEDA applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activity, and to personal information that crosses provincial or national borders in commerce. Alberta, British Columbia, and Quebec have their own substantially similar private-sector laws that apply within those provinces — but if you sell to customers across Canada, your buyer will usually questionnaire you against PIPEDA regardless.

What counts as a real risk of significant harm under PIPEDA?

It is the threshold that triggers breach reporting. PIPEDA defines significant harm broadly — bodily harm, humiliation, damage to reputation, financial loss, identity theft, and more — and the risk assessment weighs the sensitivity of the information and the probability of misuse. A lost encrypted laptop with managed keys may fall below the threshold; exfiltrated plaintext customer records almost never do.

Do we need a DPA to comply with PIPEDA?

PIPEDA does not use the term "data processing agreement," but the accountability principle requires organizations to use contractual or other means to provide comparable protection when personal information is transferred to a third party for processing. In practice Canadian buyers expect a DPA-equivalent: a contract covering permitted use, safeguards, breach notice to the customer, and return or destruction of data.

Can we host Canadian customer data in US cloud regions under PIPEDA?

Generally yes. PIPEDA does not prohibit cross-border transfers; it makes you accountable for personal information you send to a processor anywhere, and the OPC expects transparency that data may be processed in a foreign jurisdiction and may be accessible to its courts and law enforcement. Some buyers — notably public-sector and certain provincial health contexts — impose Canadian-residency requirements by contract, which is a separate question from PIPEDA itself.

Or skip the spreadsheet entirely.

Email us the questionnaire, the deadline, and a sentence about the deal — we reply with scope and a fixed quote within one business day.