Data & privacy rights

What happened to your data? Start here.

Pick what happened and see the deadline that matters, what to do first, and the privacy law that applies.

✓ Federal & provincial law ✓ 100% free ✓ No account ✓ Legal information, not advice

A company had a data breach

PIPEDA s. 10.1 (breach of security safeguards)

Organizations must report breaches that pose a real risk of significant harm

The deadline that matters

ASAP
org must notify without delay
Under PIPEDA, an organization that suffers a breach posing a "real risk of significant harm" must report it to the Privacy Commissioner and notify affected individuals as soon as feasible, and keep records of all breaches. As an affected person, you can ask what was exposed and what is being done.

Do this first

  1. Get the breach details in writing
     Ask what data was exposed, when, and what protective steps the organization is taking.
  2. Protect your accounts
     Change passwords, enable two-factor authentication, and watch for fraud on affected accounts.
  3. You can complain to the OPC
     If the response is inadequate, the Office of the Privacy Commissioner accepts complaints.

The law that protects you

PIPEDA s. 10.1 (breach of security safeguards)

"An organization shall report to the Commissioner any breach of security safeguards… if it is reasonable… to believe that the breach creates a real risk of significant harm to an individual."

PIPEDA s.10.1, s.10.2, s.10.3

Legal information, not legal advice. Privacy law varies by sector and province and is being reformed; confirm what is in force against the current statute or a licensed professional.

🛡️ You have privacy rights

Protections that apply to your data

Held by a business
You can access your data
PIPEDA s.8

You can ask what personal information a company holds about you and how it was used, usually answered within 30 days.

After a breach
You must be told
PIPEDA s.10.1

Breaches posing a real risk of significant harm must be reported to the Commissioner and to you.

In your inbox
Spam needs consent
CASL

Commercial messages generally require your consent and a working unsubscribe honoured within 10 business days.

Your health records
You can access & correct
PHIPA

Provincial health-privacy law gives strong rights to see your records and request corrections.
