PIPEDA Findings #2020-001: Bank ensures openness and comparable protection for personal information transferred to third party
A former employee of TD Canada Trust (TD) complained that TD had outsourced fraud claims processing to a third-party provider in India without customer consent or an opt-out option. The Office of the Privacy Commissioner of Canada (OPC) investigated and found that TD was not required to obtain additional consent as the personal information was used for the original purpose of fraud claims management. The OPC also found TD was sufficiently open about its outsourcing practices and remained accountable by ensuring comparable protection through contractual and monitoring measures.
- Requirement for consent to transfer personal information to a third-party processor for the same purpose
- Sufficiency of openness regarding outsourcing of personal information to foreign jurisdictions
- Accountability for personal information transferred to a third-party processor and ensuring comparable protection
Complaint not well-founded
The OPC found that TD was not required to obtain additional consent as the personal information was used for the original purpose of fraud claims management. Furthermore, TD was sufficiently open in its privacy disclosures and maintained accountability through robust contractual and monitoring measures, ensuring a comparable level of data protection.
AI-generated summary for reference only. Always verify against the official decision ↗
- Principle 4.3 PIPEDA
- Principle 4.8 PIPEDA
- Principle 4.1.3 PIPEDA
- Principle 4.7 PIPEDA
- Principle 4.4 PIPEDA
- Principle 4.5 PIPEDA
This summary is for informational purposes only and does not constitute legal advice.