Data Protection and Privacy

Overview

Privacy compliance doesn’t have to be complicated. For Canadian businesses, navigating a mix of federal, provincial, and even international privacy laws can feel overwhelming — but it’s also an opportunity to build trust with your customers. At Pragmatica, we make privacy and data protection a priority in everything we do. Our team works continuously to align with Canadian regulations like PIPEDA, BC PIPA, and Quebec’s Law 25, while also meeting global standards such as GDPR for clients who serve international audiences. By partnering with Pragmatica, you can feel confident that your digital platforms are built with compliance in mind — helping you protect personal data, reduce risk, and strengthen your reputation.

We have engaged privacy experts to assist us with our privacy and data protection compliance efforts. With their assistance, we are actively working to ensure our own compliance with applicable data protection laws and to provide solutions that enable our customers to comply with their own obligations as data controllers under those laws. Read on to learn a few things we have done to help you make your use of our service as compliant as possible.

What Are the EU GDPR and UK GDPR?

The GDPR is the European Union’s comprehensive privacy and data protection law, which took effect on May 25, 2018. The primary aim of the GDPR is to regulate how the personal data of individuals in the EU is processed, even by businesses that have no physical or legal presence in the EU. Organizations can face hefty fines for non-compliance: up to €20 million or 4 percent of annual global revenue, whichever is higher. The UK GDPR largely mirrors the GDPR and was adopted by the UK as part of Brexit.

Is Pragmatica GDPR certified?

There is not yet any kind of recognized GDPR global certification scheme in the EU, but we’ve been working hard to ensure that we’re in compliance with the GDPR. We spend a considerable amount of time and energy to ensure that our data protection practices meet or exceed the highest standards, so that individuals who disclose personal data to us can rest assured that their data is protected. Read on to learn how we work to make your use of our service compliant.

How Can I Enter into a Data Processing Addendum (DPA) with Pragmatica?

When applicable, the DPA amends our standard terms of service to reflect obligations required by the GDPR. This is the instrument that legally binds us to complying with our responsibilities under the GDPR and other applicable data protection laws, such as the CCPA.

The DPA governs the terms by which we, as a data processor, process data on behalf of you, our customers (who are typically data controllers), in accordance with Article 28 of the EU GDPR and any other data protection and privacy laws that may apply.

According to Article 28 of the GDPR, data processors must act only upon the documented instructions of the data controller unless otherwise required by law. This, however, does not relieve us of any of our obligations or liabilities under the GDPR. We are still required to ensure that we comply with the GDPR.

What Does Pragmatica Do to Ensure that Its Vendor Relationships Meet Applicable Data Protection Requirements?

Before transferring any personal data to service providers, we conduct due diligence on the recipient of the data (including reviewing security reports). We also ensure that robust contractual protections are in place. Our vendor management procedures require that such contracts be in line with the highest common denominators when it comes to data protection laws (the GDPR and the CCPA). We have developed a detailed DPA that all service providers must sign in addition to their standard contract. We can also sign the service providers’ DPAs if they meet the legal and contractual requirements.

When we need to transfer personal data governed by the GDPR outside the European Economic Area (“EEA”) or the UK to a country that the European Commission or the UK Secretary of State has not deemed to provide an adequate level of data protection, we strengthen the protection of that data through Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.

We require our service providers to share recent third-party security audit reports with us (such as SOC 2 reports or ISO 27001 certifications and related security documentation), or to respond to detailed security questionnaires.

GDPR and You

So Pragmatica is focused on compliance with the GDPR. Does that mean that I’m automatically compliant too? If not, where can I learn more about my own obligations?

No. Controllers need to address their own practices to ensure that they meet applicable requirements.

Much of how you collect, use, and dispose of personal data is not determined by Pragmatica (your data processor). Thus, each organization should get its own professional guidance on the topic to help ensure compliance. In addition to our Readiness Guide, here’s an additional resource from the UK Information Commissioner’s Office: https://ico.org.uk/for-organisations/sme-web-hub/checklists/data-protection-self-assessment/

Pragmatica’s Commitment to Privacy and Data Protection in Canada

Typically, a Pragmatica customer will be considered a data controller (i.e., an organization that determines the purposes and means of the processing of personal data) and Pragmatica will be considered a data processor under the law.

Controllers and processors each have their own respective obligations under the law. Therefore, our GDPR compliance plan looks a bit different from what yours will look like. This doesn’t mean we can’t be used by data controllers; quite the opposite. When a data controller engages a service provider like us, the service provider is typically a data processor acting on behalf of, and at the direction of, the controller. As stated above, our DPA governs the relationship between Pragmatica and its customers, including the nature of the processing activities.

At Pragmatica (Pragmatica Web Solutions Inc.), we are committed to building, reviewing, and continuously improving the policies, processes, and procedures required to comply with Canada’s privacy and data protection laws.

We regularly evaluate our exposure to Canadian and international regulations to make any necessary adjustments to our privacy program. In Canada, this includes:

  • PIPEDA (Personal Information Protection and Electronic Documents Act) – Canada’s federal privacy law governing how private-sector organizations collect, use, and disclose personal information in commercial activities.
  • Provincial Legislation, such as British Columbia’s PIPA (Personal Information Protection Act), Alberta’s PIPA, and Quebec’s Law 25 (modernizing the Act respecting the protection of personal information).
  • International Frameworks, such as the EU/UK GDPR or U.S. privacy laws (like CCPA), when we process personal data of individuals in those jurisdictions.

Our goal is to meet or exceed the highest standards of data protection so that our customers and their users can trust that personal data is handled responsibly and securely.

Our Privacy Program and Expertise

We engage privacy experts to help us assess compliance risks, implement controls, and keep pace with evolving laws. Together, we ensure:

  • Our own operations comply with applicable Canadian privacy regulations.
  • We provide solutions that enable our customers to meet their data controller obligations under PIPEDA, provincial laws, and international frameworks.
  • We monitor developments such as Law 25’s phased requirements (e.g., mandatory breach reporting, privacy impact assessments, and appointing a privacy officer) and incorporate them into our processes.

Data Processing Agreements (DPAs)

When required, Pragmatica provides a Data Processing Agreement (DPA) that amends our standard terms of service. This legally binding document reflects obligations under PIPEDA, Quebec Law 25, and other applicable laws, ensuring that we, as a data processor, only process personal data according to our customers’ documented instructions.

This agreement clarifies:

  • The roles of controller (our customer, who decides how and why data is processed) and processor (Pragmatica, who processes data on their behalf).
  • Our obligations, including implementing appropriate security measures, cooperating with breach reporting requirements, and deleting or returning data when instructed.

Vendor and Cross-Border Data Management

Before sharing any personal data with third-party vendors or partners, we perform due diligence on their privacy and security practices. Our vendor management process includes:

  • Reviewing SOC 2 reports, ISO 27001 certifications, or detailed security questionnaires.
  • Requiring vendors to sign agreements that meet or exceed Canadian privacy law requirements.
  • Using approved cross-border data transfer mechanisms when data leaves Canada — for example, contractual clauses to ensure equivalent protection when transferring data to the U.S. or Europe.

Personal Information under Canadian Law

Under PIPEDA, “personal information” includes any information about an identifiable individual — such as names, email addresses, IP addresses, or demographic data.

Within your Pragmatica account, this could include your customers’ contact details. If an individual requests correction or deletion of their data, you are legally required to respond within statutory timelines (usually 30 days).

Consent and Opt-Ins

Canadian privacy law (PIPEDA, CASL, and Law 25) generally requires meaningful consent before collecting personal information. This means:

  • Opt-in forms cannot be pre-checked.
  • Individuals must be told what data is being collected, why, and how it will be used.
  • For marketing communications, CASL (Canada’s Anti-Spam Legislation) also applies — requiring express or implied consent to send commercial electronic messages.

Security and PCI Compliance

Pragmatica’s Data Security Statement outlines the measures we use to protect customer data, including encryption, access controls, and incident response procedures.

For customers handling payments, we are audited annually for PCI DSS compliance, ensuring we meet the strict standards required to protect payment card data.

Social Media, Third-Party Apps, and International Users

Canadian privacy law applies to all personal information you process — including that collected through social media campaigns, third-party integrations, or web tracking pixels.

When you integrate Pragmatica with third-party apps, ensure those providers are also compliant with PIPEDA or other applicable laws and that your contracts contain breach notification and data protection clauses.
