GGT Chartered Professional Accountants PRIVACY POLICY PRIVACY PHILOSOPHY GGT Chartered Professional Accountants (the “Organization”) values its relationship with its customers and is committed to protecting the privacy rights of its customers. We are, therefore, committed to maintaining the accuracy, confidentiality and security of personal information. This privacy policy explains how we collect, use, disclose and safeguard the personal information you provide to us. By providing personal information to us, you consent to our collection, use and disclosure of your personal information in accordance with this privacy policy. INTRODUCTION For the purposes of this privacy policy, “personal information” shall mean information that is, or can be, about or related to an identifiable individual. PRINCIPLES As part of the Organization’s commitment to treat your personal information with respect, we follow these 10 fair information principles (the “Principles”) as set out in Generally Accepted Privacy Principles (GAPP) developed by the Chartered Professional Accountants of Canada and the American Institute of Certified Public Accountants. Principle 1 – Management Principle 2 – Notice Principle 3 – Choice and Consent Principle 4 – Collection Principle 5 – Use, Retention and Disposal Principle 6 – Access Principle 7 – Disclosure to Third Parties Principle 8 – Security for Privacy Principle 9 – Quality Principle 10 – Monitoring and Enforcement Each of the Principles apply to the Organization’s practices as follows: Principle 1 – Management We will maintain and protect the personal information under our control. We have policies and procedures for ensuring privacy and security of data, which are strictly enforced to protect the individuals from whom we may collect personal information. We have a Privacy Officer who is responsible for ensuring our compliance with the Principles and this privacy policy. If you have questions about this privacy policy or our use of your information, or if you need help changing your personal information, please contact the privacy officer by email at [privacyofficer@yourorganization.ca] or contact us at: Drew Tellier, CPA, CA GGT Chartered Professional Accountants 230 – 5010 Richard Road SW Calgary, Alberta T3E 6L1 Phone: 403-475-8033 Fax: 403-475-0931 We have implemented policies and procedures that implement this Privacy Policy, which includes communication and providing training to our employees on these policies and procedures. Principle 2 – Notice The Organization will identify to you the purposes for which it will collect or use personal information before or at the time the information is collected. The Organization collects the personal information of customers for purposes of [whatever your organization uses the personal information for, such as providing goods and services to customers]. In addition, the Organization also collects, uses and discloses your personal information: ▪ [Provide information to customers on other goods and services that may be of interest to them.] ▪ [Provide additional details, if applicable.] If a new purpose is identified for the use of the information collected, the new purpose will be explained prior to its new use. Unless the new purpose is required by law, your consent is required before information can be used for that purpose. This consent will usually be obtained in writing; however, it may on occasion (depending on the circumstances) be obtained verbally, in person or by telephone. Principle 3 – Choice and Consent Except where required or permitted by law, your informed consent is required for the collection, use or disclosure of your personal information. Should we wish to make use of your personal information for a secondary purpose (such as a mailing list), your consent will be obtained and you may opt-out of this secondary use whenever you wish. By providing personal information to us, you consent to the collection, use and disclosure of your personal information in accordance with this privacy policy. You may withdraw your consent at any time; however, by doing so, the Organization may not be able to provide you with the goods and services that you requested. Principle 4 – Collection The personal information collected by us shall be limited to those details necessary for the purposes identified to you. We may collect this information from you [via the Internet, over the telephone, in person or from third-party sources, such as credit reporting agencies]. What Types of Personal Information May We Collect? The type of personal information we may collect depends on, and is related to, the reason (or purpose) such personal information was provided to us. The following is a description of the types of personal information that we may request: ▪ ▪ [contact information, such as your name, mailing and/or email address, and home telephone number] [credit card or other billing information] Note: Specify what additional information will be collected, if any, and clarify if the above-noted circumstances are accurate. Further, please consider the extent to which it is necessary for certain forms of personal information to be collected for the stated purpose. Principle 5 – Use, Retention and Disposal We will only use or disclose your personal information in accordance with the purposes for which it was originally collected unless you have otherwise consented, or when required or permitted by law. We will keep your personal information only for as long as is required to fulfill the purpose for which it was collected or as required by law. We will use your personal information to: ▪ [process business transactions] ▪ [addressing inquiries or complaints about goods and services] ▪ [purchase of goods and services] ▪ [participation in marketing promotions] Principle 6 – Access Upon your written request, we shall inform you of: (i) the type of personal information we have collected; (ii) how we have used your personal information in the past, and how we may in the future; and (iii) whether or not we have disclosed your personal information to any third parties (and, if so, to whom). You may ask about the accuracy and completeness of your personal information, and you may request that it be changed, if appropriate. Please note that before we are able to provide you with any information or correct any inaccuracies, we may ask you to confirm your identity and provide additional information to help us to respond to your request. Please submit your request to: Customer Service [GGT Chartered Professional Accountants] [Address] [Telephone number] [Fax number] Principle 7 – Disclosure to Third Parties Except as explained in this privacy policy, as required by law or regulation or as otherwise consented to by you, we do not disclose any personal information to third parties. The following are the limited instances where we may disclose your personal information to the following third parties for the following uses: ▪ ▪ [to marketing firms to conduct marketing and sales promotions or customer surveys] [to our fulfillment centre that processes and ships sales orders] Note to Draft: We have provided a few generic reasons why information may be disclosed to third parties; however, please describe in as much detail as possible all other circumstances under which the Organization would disclose any personal information to a third party. Principle 8 – Security for Privacy The security of your personal information is a priority to the Organization. The Organization is responsible for protecting personal information under its control, including personal information that has been transferred to, or received from, a third party. In the event that personal information is transferred to a third party, the Organization will take steps to ensure that such recipients safeguard the Personal Information and use the information only for authorized purposes. Some examples of such measures are as follows: ▪ ▪ ▪ ▪ [physical security measures, such as restricted access facilities and locked filing cabinets] [electronic security measures for computerized personal information, such as password protection, database encryption and personal identification numbers] [organizational processes, such as limiting access to such personal information to a selected group of individuals] [contractual obligations with third parties that require access to personal information, by agreements stipulating the confidentiality of the information and requiring them to protect and secure the personal information] Note to Draft: Please indicate if the foregoing is accurate, and clarify and correct details where appropriate. Please describe in as much detail as possible all other methods of protection that the Organization has in place, if applicable, including anonymization of data, etc. Only employees with a business need to know, or whose duties reasonably so require, are granted access to personal information and shall be required to respect the privacy of that information. Our Employees and Your Personal Information In the course of daily operations, access to private, sensitive and confidential information is restricted to authorized employees who have a legitimate business purpose and reason for accessing it. As a condition of their employment, all employees of the Organization are required to follow this policy. Employees are informed about the importance of privacy and they are required to agree to a code of conduct that prohibits the disclosure of any personal information to unauthorized individuals or parties. Unauthorized access to and/or disclosure of personal information by an employee of the Organization is strictly prohibited. All employees are expected to maintain the confidentiality of personal information at all times, and failing to do so will result in appropriate disciplinary measures, which may include dismissal. Principle 9 – Quality We shall make every reasonable effort to ensure your personal information is accurate, complete and up-to-date. You are responsible for advising the Organization of any inaccuracies or changes to your personal information. Any such inaccuracies or changes may be reported to Customer Service. Principle 10 – Monitoring and Enforcement If you have questions about this policy or our use of your information, or if you need help changing your personal information, please contact the privacy officer by email at [privacyofficer@yourorganization.ca], or contact us at: Privacy Officer [GGT Chartered Professional Accountants] [Address] [Telephone number] [Fax number] Websites Governed by this Privacy Policy The website that is governed by the provisions and practices stated in this privacy policy is: [www.yourorganization.ca]. The Organization’s website may contain links to other third party sites that are not governed by this privacy policy. Although we endeavour to only link to sites with high privacy standards, our privacy policy will no longer apply once you leave the Organization’s website. Additionally, we are not responsible for the privacy practices employed by other third-party websites. Therefore, we suggest that you examine the privacy statements of those sites to learn how your information may be collected, used, shared and disclosed. Updating this Privacy Policy Any changes to our privacy policy and information handling practices will be acknowledged in this policy in a timely manner. We may add, modify or remove portions of this policy when we feel it is appropriate to do so. You may determine when this policy was last updated by referring to the date at the bottom of this page. BY PROVIDING PERSONAL INFORMATION TO US, YOU SIGNIFY YOUR CONSENT TO OUR COLLECTION, USE AND DISCLOSURE OF YOUR PERSONAL INFORMATION IN ACCORDANCE WITH THIS PRIVACY POLICY. Last revised Wednesday, March 9, 2016 3758382.2