Canada: Data Protection 2008/09

Last Updated: October 13 2008
Article by Martin P.J. Kratz and Stephen Burns


1. What national law(s) apply to the collection and use of personal data? If applicable, has Directive 95/46/EC on data protection (Data Protection Directive) been implemented?

Personal information protection is governed by:

  • Federal law.

  • Laws of the ten provinces and three territories.

  • Industry practice.

Privacy laws protect:

  • Personal information in the public sector.

  • Personal information in the private sector (generally, such laws apply to either sector specific activities or information or to personal information that is collected, used or disclosed in the course of commercial activities and, in some circumstances, in the course of employment).

  • Health information.

This chapter considers only generally-applicable legislation that regulates the commercial use of personal information in the private sector.

Specific legislation may also apply to a particular category of information or activity. Different activities and categories of information are regulated by different federal and provincial laws so that obligations can be complex, varied and sometimes overlapping, depending on the nature of the information and the location of the activities associated with it. This means that an organisation collecting, using or disclosing personal information in more than one jurisdiction may be required to comply with more than one law and should therefore analyse the nature of the information, and the nature and location of the activities relating to it, to be sure that it meets all applicable requirements.

At the federal level, personal information protection in the private sector is governed by the Personal Information Protection and Electronic Documents Act 2000 (PIPEDA), which came fully into force on 1 January 2004. PIPEDA applies to all regulated activities, except to the extent that the federal government determines that a province has enacted substantially similar legislation. Provincial counterparts to PIPEDA which are currently in force for personal information in the private sector are the:

  • Personal Health Information Protection Act, 2004, in Ontario (limited to health information).

  • Personal Information Protection Act 2003, in Alberta.

  • Personal Information Protection Act 2003, in British Columbia.

  • Health Information Act 1999, in Alberta (different style of legislation limited to health information, not currently subject of a substantial similarity order. This Act is not discussed further in this chapter).

  • Act Respecting the Protection of Personal Information in the Private Sector 1993 (as amended), in Québec.

Personal information is, at the federal level, the responsibility of the Office of the Privacy Commissioner of Canada, headed by the federal Privacy Commissioner. Some provincial equivalent authorities are:

  • Office of the Information and Privacy Commissioner of Alberta.

  • Office of the Information and Privacy Commissioner for British Columbia.

  • Office of the Information and Privacy Commissioner/Ontario.

  • Québec Access to Information Commission (Commission d'acces a l'information du Québec). (See box, The regulatory authorities.)

2. To whom do the rules apply (EU: data controller)?

At the federal level, the personal information protection rules apply to every organisation collecting, using or disclosing personal information in the course of commercial activities. At the provincial level, the federal law applies unless the province has enacted substantially similar legislation (namely, Alberta, British Columbia, Quebec and Ontario (limited to health information)). In Alberta, British Columbia and Quebec, the legislation applies to every organisation and all personal information, unless otherwise specified. Generally, an organisation includes:

  • Corporations.

  • Unincorporated associations.

  • Partnerships.

  • Individuals acting in a commercial capacity.

  • Trade unions.

The privacy laws may also apply to employment relationships where an organisation collects, uses or discloses the personal information of its employees in one of the following circumstances:

  • In connection with the operation of a federal work, undertaking or business.

  • In the course of a commercial activity.

  • In Alberta or British Columbia.

Obligations vary depending on the nature of the organisation and where its activities relating to the personal information of its employees occur.

Organisations may also be held accountable for personal information in their control and for the activities of third parties undertaken on the organisation's behalf (see Question 15).

As the language used in the different federal and provincial laws varies, an organisation should take care to ensure that all necessary obligations are met under each applicable law.

3. What data is regulated (EU: personal data)?

Private sector privacy laws apply to personal information. The definition of personal information varies between the applicable legislation:

  • Federal. Personal information means information about an identifiable individual, but does not include the name, title, business address or telephone number of an employee of an organisation (PIPEDA).

  • Alberta and British Columbia. Personal information means information about an identifiable individual and excludes business contact information (such as an individual's name, title, business telephone number, address, e-mail address or fax number) where it is used for contacting the individual in their capacity as an employee or official of an organisation (Personal Information Protection Acts).

  • Québec. Personal information includes any information that relates to a natural person and allows that person to be identified (Act Respecting the Protection of Personal Information in the Private Sector).

  • Ontario. Personal health information includes identifying information about an individual that relates to the physical or mental health of the individual or the provision of healthcare to the individual. It includes identifying information contained in a record containing such information (Personal Health Information Protection Act).

Although these definitions are very broad, each law only applies to certain categories of activities relating to personal information. Other activities may be regulated by separate legislation (for example, health information or personal information in the public sector) or not regulated at all (for example, certain non-commercial, personal or domestic activities).

4. What acts are regulated (EU: processing)?

Generally, the following activities relating to personal information are regulated:

  • Collection.

  • Use.

  • Disclosure (including transfer, lease or sale).

  • Retention.

  • Storage.

  • Safeguarding.

  • Destruction.

An individual has the right (subject to specific exceptions) to:

  • Know what personal information is being collected.

  • Know the purpose for which personal information is collected.

  • Consent to the collection, use or disclosure of personal information.

  • Access, and request the correction of, personal information held by an organisation.

5. What is the jurisdictional scope of the rules?

PIPEDA applies to regulated activities that occur within Canada or between Canada and another jurisdiction.

Where an activity occurs in a province that has enacted private sector privacy legislation, that activity may be governed by both PIPEDA and by provincial law, or just the provincial law if the activity occurs only in the province.

6. What are the main exemptions (if any)?

Most federal and provincial private sector privacy legislation exclude categories of, and certain activities relating to, personal information that:

  • Is used in relation to an emergency that threatens an individual's life, health or security.

  • Is publicly available (this is narrowly defined by the legislation and is not the same as being in the public domain).

  • Is collected solely for journalistic, artistic or literary purposes.

  • Is disclosed to a barrister or solicitor representing an organisation.

  • Is used for debt collection.

  • Must be disclosed to comply with a subpoena, warrant or court order, or court rules relating to the production of records.

  • Must be disclosed to a provincial or federal government institution if it relates to national security or defence.

  • Must be disclosed to a provincial or federal government institution if it relates to the conduct of international affairs, law enforcement or the administration of any law.

  • Is required for a statistical or scholarly study, and it is impractical to obtain consent from the individuals concerned (or meet other specific requirements).

  • Was recorded at least 100 years before disclosure.

  • Is disclosed more than 20 years after the death of the relevant individual.

  • Must be disclosed by law.

In addition, in Alberta and British Columbia, personal information can be transferred in the context of certain business transactions (such as the sale of shares in, or assets of, a business) without the need for consent from the individuals whose information is being transferred, provided the parties to the transaction have complied with the specific requirements of the applicable legislation. In British Columbia, this includes the provision of notice of such transfer. The definition of business transaction and the types of information that can be collected, used or disclosed in a business transaction varies between the jurisdictions.

7. I s notification or registration required before processing data? If so, please provide brief details.

There are no requirements to notify, or register with, a government body to collect, use or disclose personal information, except when using certain personal information for a statistical or scholarly study in Alberta or Québec (in which case, consent is required).

Consent and notification rights depend on the applicable legislation:

  • Federal. Generally, an individual must consent to the collection, use or disclosure of personal information, for a specified purpose, by an organisation either before or at the time of collection.

  • Alberta and British Columbia. Generally, an individual must consent to an organisation collecting, using or disclosing personal information for a specified purpose either before, or at the time of, collection. Where personal information is collected, used or disclosed for the purpose of establishing, managing or terminating an employment relationship, an employer may, in some circumstances, only be required to provide notice to its employees of the nature of the information and the purpose for which it is to be collected.


8. What are the main obligations imposed on data controllers to ensure that data is processed properly?

An organisation can only collect, use or disclose personal information for a reasonable purpose and only to the extent that is necessary to meet that purpose. Once this threshold is met, an organisation must then ensure that it complies with all necessary obligations in relation to the information that it has collected. These are generally based on ten key privacy principles:

  • Accountability. An organisation is responsible for the personal information in its custody or under its control and must designate an individual or individuals who are accountable for its compliance with the applicable legislation. Organisations are responsible for their agents and employees, including third parties to whom they entrust personal information or who collect, use or disclose personal information on their behalf.

  • Identifying purposes. The purposes for which personal information is collected must be identified by the collecting organisation at or before the time the information is collected. Organisations can only collect personal information for reasonable purposes.

  • Consent. Individuals must be notified of, and consent to, the collection, use or disclosure of their personal information, unless a statutory exemption applies.

  • Limiting collection. The collection of personal information must be limited to that which is necessary for the purposes identified by the organisation, and information must be collected by fair and lawful means.

  • Limiting use, disclosure and retention. Personal information cannot be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information can only be retained for as long as necessary to fulfil the purposes for which it was collected.

  • Accuracy. Personal information must be kept as accurate, complete and up to date as is necessary for the purposes for which it is to be used.

  • Safeguards. Personal information must be protected by safeguards appropriate to the sensitivity of the information.

  • Openness. Certain specific information about the organisation's policies and practices relating to the management of personal information must be made readily available to individuals.

  • Individual access. If they request, individuals have the right (subject to certain exemptions) to be informed of the existence, use and disclosure of, and be given access to, their personal information. Individuals can challenge the accuracy and completeness of their information and have it amended as appropriate.

  • Challenging compliance. Individuals must be able to submit a complaint to the person(s) responsible for the organisation's compliance, challenging its adherence to the obligations.

The various privacy laws may contain exceptions to these requirements, impose additional specific obligations or present the key principles in such a way that their scope varies from that set out above

9. I s the consent of data subjects required before processing personal data? If so:

  • What rules are there regarding the form and content of consent? Would online consent suffice?

  • Are there any special rules regarding the giving of consent by minors?

Form and content of consent

Depending on the sensitivity of the personal information being collected, consent can be:

  • Express. Consent can be given orally, electronically or in writing. It can also be given online but, as with any other form of consent, must meet the requirements of the applicable privacy legislation and, in some circumstances, the applicable electronic commerce legislation).

  • Implied. Consent can reasonably be inferred from an individual's actions or inaction. For example, when an individual enters into an agreement with an organisation, it can be implied that he has consented to the collection, use and disclosure of his personal information for purposes related to the performance of that agreement and for any other purposes identified to him at the relevant time.

  • Deemed. Consent can be deemed using an opt-out mechanism. The requirements for such mechanisms are either established in the privacy laws or the Commissioners' decisions and generally include:

  • the personal information must be clearly non-sensitive in nature and context;

  • the information-sharing situation must be limited and well-defined as to the nature of the personal information to be used or disclosed, and the extent of the intended use or disclosure;

  • the organisation's purposes must be limited and welldefined, stated in a reasonably clear and understandable manner, and brought to the individual's attention at the time the personal information is collected;

  • the organisation must establish a convenient procedure for easily, inexpensively and immediately opting out of, or withdrawing consent to, secondary purposes and must notify the individual of this procedure at the time the personal information is collected.

The consent requirements apply to information already in the custody or control of an organisation when the applicable legislation came into force (legacy information), as well as to all future collection activities. The various laws differ in their treatment of legacy information. Some provincial laws provide for consent to be deemed so that an organisation can continue using or disclosing legacy information for the purpose for which it was collected. This is not the case under PIPEDA.

Consent by minors

Consent rules depend on the applicable legislation:

  • Federal. Consent from minors is not expressly prohibited in PIPEDA but, as consent from a guardian is described as an acceptable form of consent for information relating to minors, it is generally advisable to seek consent from a guardian rather than a minor.

  • Alberta. Minors can give consent provided they understand the nature and consequences of doing so. Otherwise, consent must be obtained from the minor's guardian.

  • British Columbia. Guardians can consent on behalf of a minor if the minor is incapable of exercising his right to consent.

10. I f there is no consent, on what other grounds (if any) can processing be justified?

There are several exemptions to the need for consent (see Question 6). In addition, in Alberta and British Columbia, certain personal information about employees that is collected, used or disclosed solely for the purposes of establishing, managing or terminating the employment relationship does not require consent provided that the required notices have been provided to the employees.

11. Do special rules apply in the case of certain types of personal data, for example sensitive data? If so, please provide brief details.

Generally, the more sensitive the personal information, the more onerous the requirements to show that:

  • It is being collected, used or disclosed for a reasonable purpose, and only to the extent necessary to meet such purpose.

  • The individual has consented to the collection, use or disclosure of their personal information (express consent is more likely to be required and deemed consent is less likely to be effective (see Question 9)).

Whether personal information is sensitive depends on individual circumstances (for example, the names and addresses of subscribers to periodicals are not normally considered sensitive personal information, except in the case of certain special-interest periodicals). Social insurance numbers and health and financial information are almost always considered sensitive personal information. In addition, information from which it is possible to determine an individual's beliefs and/or interests is often considered sensitive.


12. What information should be provided to data subjects at the point of collection of the personal data?

Before, or at the time that, personal information is collected, individuals must (unless otherwise provided by legislation) be made aware of the:

  • Nature of the personal information being collected.

  • Purposes for which their personal information is to be collected, used or disclosed.

  • Name of a person who is able to answer, on behalf of the collecting organisation, the individual's questions about the collection.

For the consent to be valid, it must be given voluntarily and without reliance on deceptive or misleading collection practices. Consent to purposes beyond what is reasonably necessary to supply a product or service cannot be a precondition to the supply of that product or service.

In Québec, consent must be manifest, free and enlightened and must be given for specific purposes. Such consent is valid only for the length of time needed to achieve the purposes for which it was requested.

As consent given for one purpose is not valid for other purposes, organisations should anticipate their use and disclosure requirements in advance and develop their consent practices to ensure that all eventualities are covered.

13. What other specific rights (such as a right of access to personal data or the right to object to processing) are granted to data subjects?

Right of access

Generally, individuals have the right, subject to certain exceptions and restrictions, to:

  • Be informed of the existence, use and disclosure of their personal information.

  • Have access to their personal information.

Organisations can, if permitted or required by the applicable legislation, refuse to grant access to some or all personal information. When this is possible depends on the applicable law but, generally, organisations can refuse access if:

  • The information contains references to other individuals that cannot reasonably be removed.

  • The information is subject to a legal privilege.

  • Disclosure of the information would reveal confidential commercial information that it is reasonable to withhold.

  • The information was collected for an investigation or legal proceeding.

  • The disclosure of the information might result in that type of information no longer being provided to the organisation when it is reasonable to expect that that type of information should be provided.

  • The information was collected by a mediator or arbitrator, or created in the conduct of a mediation or arbitration, provided for by an agreement, enactment or court appointment.

  • The information may be used in the exercise of prosecutorial discretion.

  • The disclosure of the information can reasonably be expected to threaten the life or security of another individual.

  • The information would reveal the identity of an individual who has provided an opinion about another individual in confidence and who has not consented to the disclosure of their identity.

Organisations may be required to respond to an individual's request in a relatively short time frame (between 30 and 45 days, depending on the legislation) and without any, or only a minimal, fee. Extensions of response time periods may be available depending on the circumstances and the applicable law.

If an individual can demonstrate that his information is inaccurate or incomplete, the organisation may be required to make appropriate changes and inform any third parties that have received this information of the changes. In certain circumstances an organisation can refuse to make a requested correction, but may be required to annotate the applicable records to indicate that a correction was requested but not made.


14. What security requirements are imposed in relation to personal data?

Organisations must implement safeguards to protect personal information against:

  • Loss or theft.

  • Unauthorised access, collection, use, disclosure, copying, modification, disposal or destruction.

  • Other similar risks.

Generally, the nature of the safeguards required varies depending on the:

  • Sensitivity of the information collected (organisations must protect personal information with safeguards appropriate to the sensitivity of the information).

  • Amount, distribution and format of the information.

  • Method of storage.

When considering the nature of the safeguards to be employed, organisations should consider:

  • Physical protection, such as locked cabinets and restrictedaccess areas.

  • Organisational safeguards, such as security clearances or limiting access on a need-to-know basis.

  • Technological measures, such as passwords and encryption.


15. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

Generally, an organisation is responsible for ensuring that third parties acting on its behalf comply with privacy laws if:

  • The third party collects, uses, processes or discloses personal information on behalf of the organisation.

  • Personal information collected by or for the organisation is in the custody of the third party.

This applies whether the third party is within or outside of Canada.

The risks associated with these obligations are often addressed through contractual arrangements with the third parties to ensure that they:

  • Comply with all applicable laws.

  • Apply the same standards and care as the organisation.


16. What rules govern the transfer of data outside your jurisdiction?

Personal information collected in Canada and transferred to another jurisdiction is subject to the same privacy rules as personal information collected and disclosed within Canada.

Canada's privacy commissioners are likely to assert jurisdiction over foreign disclosures and require the disclosing organisation to follow all the applicable Canadian rules, particularly those relating to use and disclosure (that is, that use or disclosure must be for a reasonable purpose and limited to the extent necessary to meet this purpose, and an individual must consent to, or be notified of, the collection, use or disclosure of his personal information).

17. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

Although data transfer or privacy compliance agreements are used in Canada, no standard forms or precedents have been approved by national authorities.

18. I s a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

A data processing agreement should ensure that the transferee will comply with privacy laws, as the transferring organisation remains responsible for privacy obligations (see Question 15).

Generally, any transfer of personal information within Canada or to another jurisdiction will only be permitted if:

  • The disclosure is for a reasonable purpose and limited to the extent necessary to meet this purpose.

  • The individual has consented to, or been notified of, the disclosure of his personal information, in the manner required by the applicable law.

  • All other requirements for disclosure specified in the applicable legislation have been met.

19. Does the relevant national regulator need to approve the data transfer agreement? If so, please provide brief details.

Data transfer agreements do not need to be approved by privacy commissioners.


20. What are the enforcement powers of the national regulator?


Individuals can submit written complaints to the Federal Privacy Commissioner about any activity that they believe contravenes PIPEDA. The Federal Privacy Commissioner can also initiate a review.

When conducting an investigation, the Federal Privacy Commissioner can:

  • Summon and compel a witness to give evidence under oath, and to produce records and things, in the same manner as a superior court.

  • Administer oaths.

  • Accept evidence that would not be admissible in a court.

  • Enter premises other than a dwelling house, provided any security requirements of the organisation are met.

  • Converse in private with anyone on any premises that is entered for investigation.

  • Examine or obtain copies of, or extracts from, records held on investigated premises.

Within one year of receiving a complaint or initiating an investigation, the Privacy Commissioner must prepare a report unless she determines any of the following:

  • Other grievance procedures need to be exhausted first.

  • Another legal procedure would be more appropriate to deal with the complaint.

  • A report would not be useful.

  • The complaint is frivolous.

The report includes:

  • Findings and recommendations.

  • A description of any settlement.

  • If appropriate, a request that the Privacy Commissioner be given notice of any action taken to implement the recommendations or reasons why action is not taken.

After a report is issued, a complainant can then apply to the relevant court for a hearing in respect of any matter relating to the complaint.

The Privacy Commissioner can also audit the privacy practices of an organisation subject to her jurisdiction on reasonable notice.


The provincial privacy commissioners generally have the same or stronger powers of enforcement as the federal Privacy Commissioner. In particular, they can:

  • Conduct investigations to ensure compliance with their legislation.

  • Initiate investigations of their own accord.

  • Receive, investigate and resolve complaints.

  • Mediate settlements.

  • Make binding orders.

  • Give advice to organisations on compliance.

  • Give advance rulings on issues arising under the legislation.

  • Conduct a formal inquiry.

21. What are the sanctions and remedies for non-compliance with the data protection laws? To what extent are the laws actively enforced?


Fines of up to Can$10,000 (about US$10,000) on summary conviction or Can$100,000 (about US$100,000) on indictment can be issued for:

  • Obstructing an investigation or audit by the Privacy Commissioner.

  • Unlawfully destroying evidence.

  • Retaliating against an employee for initiating a complaint or inquiry.

The Federal Court can order an organisation to:

  • Correct its practices.

  • Publish a notice of any action taken, or proposed to be taken, to correct its practices.

  • Pay civil damages to a complainant, including damages for any humiliation suffered.


In addition to the various Commissioners' broad order-making powers, fines can be imposed, the amount of which vary depending on the province:

  • Alberta. Individuals can be fined up to Can$10,000 and entities can be fined up to Can$100,000.

  • British Columbia. Individuals can be fined up to Can$10,000 and entities can be fined up to Can$100,000.

  • Québec. The maximum fine is Can$20,000 (about US$20,000).

Organisations can also face civil liability for the breach of provincial privacy legislation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Martin P.J. Kratz
Stephen Burns
In association with
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.