PRIVACY CODE – Blissed Out Yoga & Fitness

 

PRIVACY CODE – SEPTEMBER 2021

 

INTRODUCTION

 

Blissed Out Yoga & Fitness (“Blissed Out”) is a BC company that offers its regional engineering, procurement and contracting services in Western Canada and the Pacific Northwest.

This Privacy Code sets out our commitment to protecting the personal information of our employees and the personal information obtained from individuals who access our website or engage us to provide customized e-learning solutions. It also sets out how we manage personal information and safeguard privacy in accordance with the Personal Information Protection and Electronic Documents Act (“PIPEDA”) of Canada and Protection of Personal Information (B.C.), and how we comply with Canada’s international obligations for data protection under the General Data Protection Regulation (“GDPR”).

This Privacy Code is also intended to assist us to meet our obligations under PIPEDA, PIPA and GDPR respecting the personal information of our employees and service providers.[1]

PIPEDA and PIPA are built on the following principles of fair information practices: accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, and challenging compliance. Compliance with PIPEDA is under the authority of the Privacy Commissioner of Canada and PIPA is under the authority of the BC Privacy Commissioner.

The GDPR applies to organizations that have an established presence in the EU, offer goods and services to individuals in the EU or monitor the behaviour of individuals in the EU.  The GDPR applies when personal data is “processed” and defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”  Data controllers or processors must also respect the principle of data minimization, meaning that the processing of personal data must be limited to that which is adequate, relevant, and necessary to achieve the specified purpose. Personal data must be accurate, kept up to date, kept in a form which permits identification of data subjects for no longer than is necessary, and must be processed in a manner that ensures appropriate security of the personal data.

The Privacy Code is also intended to provide open and transparent principles, policies, practices and procedures by which Blissed Out can meet its privacy commitment to the protection of personal information.  It is also intended to set out the choices available for individuals regarding our collection, use or disclosure and processing of their personal information.

The purpose of this Privacy Code is to articulate clearly our privacy practices respecting the management of personal information collected and used by Blissed Out and to ensure compliance with the federal and international privacy laws.  At the same time, it recognizes the needs of Blissed Out to collect, use or disclose personal information for legitimate business purposes versus the right of individuals to protect their personal information.  The standard for the collection of personal information by Blissed Out is one of what a reasonable person would consider appropriate in the circumstances and complies with applicable laws.

 

GUIDING PRINCIPLES

 

The following ten principles are the basis of the Blissed Out Privacy Code and shall guide Blissed Out’s management of personal information and its privacy practices together with the statutory requirements of PIPEDA and PIPA.

  1. Accountability – Blissed Out is responsible for personal information under its control including personal information not in the custody of Blissed Out. Blissed Out shall designate one or more individuals to be responsible for ensuring that Blissed Out complies with this Privacy Code and shall make known the position name or title and contact information of each individual so designated.
  2. Identifying Purposes for Collection of Personal Information – Blissed Out shall identify the purposes for which personal information is collected at or before the time the personal information is collected.
  3. Obtaining Consent for Collection, Use or Disclosure of Personal Information – Blissed Out shall ensure that consent is obtained from each individual for the collection, use or disclosure or processing of their personal information unless inappropriate. Blissed Out shall recognize and act on any withdrawal of consent by an individual to collect their personal information.
  4. Limiting Collection of Personal Information – Blissed Out shall limit the collection of personal information to the purposes identified by Blissed Out and shall only collect personal information using appropriate, fair and lawful means.
  5. Limiting Use, Disclosure and Retention of Personal Information – Blissed Out shall not use or disclose personal information for purposes other than for the purpose it was collected unless Blissed Out has the consent of the individual or as provided by law. Blissed Out shall retain personal information for only as long as necessary to meet the purposes of the collection of the personal information.
  6. Accuracy of Personal Information – Blissed Out shall ensure that personal information collected, used and disclosed shall be as accurate, complete and up-to-date as possible for the purposes for which it has been collected, used and disclosed.
  7. Security Safeguards – Blissed Out shall take all appropriate steps to protect the personal information collected, used and disclosed and use security measures appropriate to the sensitivity of the personal information.
  8. Openness Concerning Policies and Practices – Blissed Out shall ensure that information is made available to clients and employees regarding this Privacy Code and our privacy practices regarding personal information.
  9. Client Access to Personal Information – Blissed Out shall inform an individual of the collection, use and disclosure and processing of his/her personal information at the individual’s request and shall grant access to the individual to such personal information. An individual shall be entitled to challenge the accuracy and completeness of the personal information collected, used or disclosed by Blissed Out and have it amended and/or corrected as necessary or appropriate.
  10. Challenging Compliance – This Privacy Code and our privacy practices shall include a clear process for responding to complaints that may arise with respect to our handling and managing of personal information of customers and employees. A client or employee may make a complaint regarding Blissed Out’s compliance with its privacy policies and practices to the designated individual in accordance with our complaint process.

 

APPLICATION OF THE PRIVACY CODE

1.1       Blissed Out as a private sector organization is required to comply with the purposes of the PIPEDA, PIPA and GDPR and therefore this Privacy Code sets out Blissed Out’s policies and practices for managing personal information of individuals being collected, used and disclosed or processed from our clients, employees and/or service providers or through our Blissed Out Website whether collected, used or disclosed or processed orally, electronically or in writing in compliance with PIPEDA, PIPA and GDPR.

Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

  • age, name, ID numbers, income, ethnic origin, or blood type;
  • opinions, evaluations, comments, social status, or disciplinary actions; and
  • employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

There are some instances where PIPEDA and PIPA do not apply. Some examples include:

  • Personal information collected, used or disclosed by federal government organizations listed under the Privacy Act.
  • Provincial or territorial governments and their agents.
  • Business contact information, including an employee’s name, title, business address, telephone number, facsimile number or email addresses, which an organization collects, uses or discloses solely for the purpose of communicating with a person in relation to their employment, business or profession.
  • An individual’s collection, use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list).
  • An organization’s collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes.

PIPEDA and PIPA each set out the principles of fair information practices, which form the ground rules for the collection, use and disclosure of personal information, as well as for providing access to personal information. These principles give individuals control over how their personal information is handled in the private sector. In addition to the principles set out under PIPEDA and PIPA, the Acts contain an overriding obligation that any collection, use or disclosure of personal information must only be for purposes that a reasonable person would consider are appropriate in the circumstances. This overarching standard of appropriateness of purposes continues to apply under PIPEDA and PIPA for the collection, use and disclosure of personal information.

Blissed Out strives as an organization to be responsible for the protection of personal information and the fair handling of it at all times, throughout the organization and in dealings with third parties.

 

1.2       The following categories of personal information are exempt from the PIPEDA and PIPA privacy practices and policies of our Privacy Code:

  • Personal information handled by federal government organizations listed under the Privacy Act;
  • Provincial or territorial governments and their agents;
  • Business contact information such as an employee’s name, title, business address, telephone number or email addresses that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession;
  • An individual’s collection, use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list); and
  • An organization’s collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes.

 

PRIVACY POLICIES AND PRACTICES

 

Accountability

2.1       In order to meet its responsibilities for personal information under its possession or control, Blissed Out appoints Tony Harrison and/or his designate to be accountable for Blissed Out’s compliance with this Privacy Code and its statutory requirements under PIPEDA and PIPA and GDPR.

2.2       The contact information of persons designated to be accountable for Blissed Out’s compliance with the Privacy Code shall be made known upon request.

2.3       Blissed Out does not provide personal information to third parties except as compelled by law or as part of its online automated broker-agent services that match a client’s electric vehicle specifications and needs for an electric vehicle to their electric vehicle dealer directory listings which listings have been approved by each individual electric vehicle dealer.

2.4       Blissed Out has put in place procedures and practices to give effect to this Privacy Code and shall include:

  • Procedures and practices to protect personal information and to oversee compliance with this Privacy Code;
  • Procedures and practices to receive and respond to requests for personal information, inquiries and complaints under PIPEDA, PIPA and GDPR;
  • Methods and means for training and communicating our privacy procedures and practices to employees; and
  • Methods and means for communicating our privacy procedures and practices to our clients and the public.

2.5       Blissed Out shall continue to update and enhance its privacy policies and practices on an as-and-when basis.

 

Purposes of Collection

3.1       Blissed Out collects, uses and discloses personal information from clients and employees for the provision of its online automated broker-agent services that match a client’s electric vehicle specifications and needs for an electric vehicle to their electric vehicle dealer directory listings which listings have been approved by each individual electric vehicle dealer and for legitimate business interests only.

3.2       In using, processing and disclosing personal information as part of its contractual agreement(s), such personal information shall only be collected, used, processed and disclosed as necessary for the performance of Blissed Out’s business and contractual obligations.

3.3       Blissed Out also collects, uses and discloses personal information of its clients, employees or visitors to its Website but such personal information shall only be collected, used or processed and disclosed for legitimate business interests that a reasonable person would consider appropriate in the circumstances and that fulfill the purposes that Blissed Out has disclosed to the individual in accordance with PIPEDA and PIPA.

3.4       Blissed Out shall identify and specify orally, electronically or in writing to the client, employee or visitor to its Blissed Out Website the purposes for which personal information is collected, used, processed and disclosed at or before the time the personal information is collected.

3.5       Blissed Out shall not collect, process, disclose or use personal information for any purpose not identified or specified to an individual without obtaining their consent. 

 

Consent

4.1       Blissed Out will obtain consent from an individual when collecting, using, processing or disclosing personal information of its clients, individuals, employees, and contractors for the purposes outlined above.

4.2       Consent will be explicit for EU individuals and may be explicit (orally or in writing) or implied. Consent may be implied by Blissed Out where at the time consent is deemed as follows:

4.2.1    the purpose would be considered obvious to a reasonable person;

4.2.2    the individual has freely and voluntarily provided the personal information for that purpose; or

4.2.3    Blissed Out has given notice of the collection of personal information for a specified period in a form that can be reasonably understood of its intention to collect, use, process or disclose the personal information and the individual is given a reasonable period of time to decline or revoke and does not decline or revoke and it is reasonable to collect, use, process or disclose having regard to the sensitivity of the personal information and that it is collected solely for legitimate business purposes.

4.3       Consent will always be obtained for EU individuals where it is not for legitimate business purposes and EU individuals will have the ability to revoke such consent at any time.  Consent is not required for the following personal information which is permitted to be collected and used from an individual or from a source other than an individual without limitations:

  • is clearly in the interest of the individual and consent cannot be obtained in a timely way;
  • is necessary for medical treatment of the individual and individual is unable to give consent;
  • it is reasonable to expect that the collection or use with the consent of individual would compromise the availability or accuracy of the personal information and the collection is reasonable for an investigation or a proceeding;
  • organization is credit reporting agency and collection is for a credit report and individual consents at the time the original collection occurs;
  • is required or authorized by law;
  • personal information is necessary to facilitate collection of debt owed or payment of debt to an organization;
  • collection or use of employee personal information is reasonable for establishing, managing or terminating an employment relationship; and
  • for any other category identified under PIPEDA and PIPA.

4.4       With respect to EU individuals, Blissed Out shall obtain explicit consent from the individual to the disclosure of personal information. With respect to the disclosure of personal information for all other individuals, Blissed Out shall obtain consent from the individual, with the exception of the following personal information which is permitted to be disclosed from an individual or from a source other than an individual without limitations:

  • is clearly in the interest of the individual and consent cannot be obtained in a timely way;
  • is necessary for medical treatment of the individual and individual is unable to give consent;
  • it is reasonable to expect that the disclosure with the consent of individual would compromise the availability or accuracy of the personal information and the collection is reasonable for an investigation or a proceeding;
  • organization is credit reporting agency and disclosure is for a credit report and individual consents at the time the original collection occurs;
  • is required or authorized by law;
  • personal information is necessary to facilitate collection of debt owed or payment of debt to an organization;
  • personal information is disclosed in accordance with a provision of a treaty that authorizes or requires its disclosure or is made under an enactment of Canada;
  • disclosure is for the purpose of complying with a subpoena, warrant or order issued or made by a court, person or body with jurisdiction to compel the production of personal information;
  • the disclosure is to a public body or a law enforcement agency in Canada, concerning an offence under the laws of Canada or a province, to assist in an investigation, or in the making of a decision to undertake an investigation;
  • there are reasonable grounds to believe that compelling circumstances exist that affect the health and safety of any individual and if notice of disclosure is mailed to the last known address of the individual to whom the personal information relates;
  • the disclosure is for the purpose of contacting next of kin or a friend of an injured, ill or deceased individual;
  • the disclosure is to an archival institution if the collection of personal information is reasonable for research or archival purposes; and
  • disclosure of employee personal information is reasonable for establishing, managing or terminating an employment relationship.

4.5       Wherever possible, Blissed Out shall seek consent to collect, use, process or disclose personal information from an individual, client, employee or service provider at the time in which the personal information is collected.  In the event that this is not possible, Blissed Out will seek consent after the personal information is collected but prior to it being used, processed or disclosed for a different purpose that has not been identified or specified.

4.6       When determining whether express or implied consent is required for all individuals other than EU individuals where there must be explicit consent, Blissed Out shall take into account the sensitivity of the personal information and the reasonable expectations of the client/customer, individual, employee or service provider.

4.7       With the exception of EU individuals where explicit consent is required, Blissed Out will, generally, imply consent to collect, use or disclose personal information for its purposes, where an employee accepts employment or receives benefits.

4.8       When seeking consent for the collection of personal information from a client/customer, individual, employee or service provider, Blissed Out shall set out the choices available to individuals regarding Blissed Out’s collection, use, processing or disclosure of the personal information at the time of collection or prior to the use or disclosure of such personal information.

4.9       Upon obtaining consent, Blissed Out may record such consent via phone, by mail, the Internet, a note to file, copy of an email, copy of a check-off box or entry in a database field.

 

Withdrawal of Consent

5.1       Blissed Out will honour a request of an individual to revoke or withdraw his or her consent to the collection, use, processing or disclosure of personal information by email and when it receives email notice will immediately stop collecting, using, processing or disclosing that personal information unless it meets one of the exceptions noted above or would frustrate the performance of a legal obligation or consent was given to a credit reporting agency or is for legitimate business purposes.

 

Limiting Collection of Personal Information

6.1       When collecting personal information of a client, individual, employee or subcontractors, Blissed Out shall disclose to the individual verbally or in writing, the purposes for the collection of the personal information and shall limit the collection to the identified and specified purposes.

6.2       Blissed Out shall only collect personal information by reasonable, fair and lawful means.

6.3       Blissed Out generally collects personal information from its clients, employees and subcontractors, although in certain circumstances Blissed Out may collect personal information from third parties, such as credit bureaus, employers or personal references, but only from those third parties that represent that they have a right to disclose such personal information.

 

Limiting Use, Disclosure and Retention of Personal Information

7.1       Other than where Blissed Out has explicit or implied consent of the individual or third party or by operation of law, Blissed Out shall not use or disclose personal information for purposes other than those identified and specified.

7.2       Blissed Out shall only retain personal information of an individual for the period necessary to fulfill the purposes identified and specified, by operation of law or where making a decision regarding a client/customer, employee or vendor or service provider as long as is reasonable to give such individuals the opportunity to access the personal information concerning the making of the decision.

7.3       Blissed Out shall limit the access of its employees to personal information to those who are participating in the collection, use, processing or disclosure of personal information as part of their duties or to those who have a need to know within Blissed Out.

7.4       Blissed Out shall maintain the means via reasonable controls, systems and practices whereby personal information that no longer is necessary to retain is destroyed, erased or rendered anonymous.

 

Accuracy and Security of Personal Information

8.1       Blissed Out shall make all reasonable efforts to ensure that personal information collected is accurate and complete for the purposes for which it is collected, particularly where the personal information is likely going to affect the individual to whom the personal information relates or is likely to be disclosed to another organization.

8.2       All personal information used by Blissed Out shall be as accurate and complete as possible and where such personal information is being used to make a decision that directly affects an individual, such personal information will where applicable be retained by Blissed Out for no more than one year in order to provide a reasonable opportunity for access by the individual.

8.3       Blissed Out shall take reasonable security arrangements to prevent the unauthorized access, collection, use, disclosure, copying, modification or disposal of personal information in its custody and control in whatever form it is held. Such security arrangements will include protection from loss or theft; physical measures; technological tools such as passwords, encryption, firewalls and anonymizing software; and limiting access on a need-to-know basis, staff training and confidentiality agreements.

8.4       Blissed Out shall destroy its documents containing personal information or remove the means by which personal information can be associated with the individual as soon as the purpose for which the personal information was collected is no longer being served by its retention or retention is no longer necessary for legal or business purposes.

8.5       Blissed Out shall not use deceptive or coercive means to collect personal information and shall not dispose of personal information with intent to evade a request for access to personal information.

8.6       Blissed Out shall protect personal information by ensuring that confidentiality provisions bind both third parties to which personal information is disclosed and employees who have access to personal information.

8.7       Blissed Out shall regularly review and update security measures for personal information where applicable.

 

Access to and Correction of Personal Information

9.1       Where Blissed Out has collected, used, processed or disclosed personal information of an individual that is within the statutory authority of PIPEDA and PIPA or GDPR, an individual shall have the right to access and correct their personal information in accordance with the following access and correction procedure:

  • the individual may, in writing, make a request to Blissed Out or their designate concerning his or her personal information under the control of Blissed Out;
  • Blissed Out shall provide information concerning the ways in which personal information of the individual has been and is being used by Blissed Out or has been disclosed by Blissed Out;
  • the names of individuals and organizations to whom the personal information has been requested;
  • with the exception of the following personal information, Blissed Out will provide access to an individual’s personal information:

    (i) personal information is protected by solicitor-client privilege;
    (ii) disclosure would reveal confidential commercial information that if disclosed could in the reasonable opinion of a reasonable person harm the competitive position of Blissed Out;
    (iii) personal information was collected where consent is not required for the purposes of an investigation or where proceedings have not been completed;
    (iv) where personal information was collected by a credit organization 12 months prior to the request from the individual;
    (v) where the disclosure would threaten the safety, physical or mental health of an individual, cause immediate or grave harm to the safety or physical or mental health of an individual, or would reveal personal information about another individual;

  • having reviewed the personal information requested, the individual may request Blissed Out to correct an error or omission in that personal information that is: (i) about the individual and (ii) is under the control of Blissed Out;
  • Blissed Out shall respond to an individual’s request no later than 30 days from the date of an individual’s request unless the individual has not given sufficient detail to enable Blissed Out to identify the personal information being requested or more time is needed given the large volume of personal information being requested  which would unreasonably interfere with Blissed Out’s operation or there is a need for more time to consult with another organization or public body to determine whether to give access to the requested document.  In those circumstances, Blissed Out may extend the time an additional 30 days or seek a longer period of time to respond from the privacy commissioner and will advise the individual of the extension in time, the time period of the extension and the rights of the individual to complain about the extension;
  • in responding to an individual’s request, Blissed Out shall advise the individual when access to personal information in whole or in part is being refused, the reasons for the refusal and the contact information of the officer or employee of Blissed Out who can answer the individual’s questions concerning the refusal;
  • Blissed Out shall make a reasonable effort to assist each applicant to respond accurately and completely as is reasonably possible to their request;
  • Blissed Out shall make the correction as soon as reasonably possible or send the corrected personal information to each organization to which the personal information was disclosed during the year prior to the date the correction was made, where Blissed Out is satisfied that there are reasonable grounds for the request; and
  • where Blissed Out does not make a correction, it shall annotate the personal information under its control that a request was made but the request was not implemented.

 

Challenging Compliance

10.1     Blissed Out shall maintain a process for addressing and responding to complaints or inquiries regarding its compliance with this Privacy Code including where appropriate a process for seeking external advice prior to responding to individual complaints or inquiries.

10.2     A client, individual or employee or contractor may make a complaint or inquiry regarding Blissed Out’s compliance with this Privacy Code as follows:

  • An individual shall file a written complaint or inquiry to Blissed Out and/or its designate outlining the failure of Blissed Out to comply with this Privacy Code and the specified section and/or principle.
  • Blissed Out shall investigate all written complaints or inquiries regarding its compliance with this Privacy Code.
  • Where an investigation determines that a complaint is justified or action is required regarding an inquiry, Blissed Out shall take all appropriate steps to resolve the complaint or take appropriate action to address the inquiry including where applicable amending the policies, practices and procedures of this Privacy Code.
  • Wherever possible, Blissed Out shall respond to a written complaint within 30 days provided the written complaint or inquiry provides sufficient information to respond to. This response shall include details regarding the outcome of the investigation and individual’s complaint or inquiry.
  • In the event that Blissed Out seeks external advice, the period to respond may be extended for a reasonable period necessary to obtain such external advice.

10.3     In the event that an individual is not satisfied with the handling of their complaint by Blissed Out, the individual may seek the assistance of the Office of the Privacy Commissioner of Canada or British Columbia.

 

Transparency of Privacy Policies, Practices and Procedures

11.1     Blissed Out shall make its privacy policies, practices and procedures available on its Blissed Out Website and readily available to individuals in person, in writing, by telephone or as applicable in Blissed Out publications.

11.2     Blissed Out shall also make its policies, practices and procedures understandable for its individuals, employees and the public by identifying who within Blissed Out is responsible for compliance with this Privacy Code, how personal information can be accessed by individuals, what personal information is held by Blissed Out and how it is used.

 

The contact information for Blissed Out is as follows:

Karen Peterson, CEO <blissedoutyogaandfitness@gmail.com>

www.blissedoutyogaandfitness.com

Current contact information can also be found on Blissed Out’s website.

 

To review the Protection of Privacy Act and Personal Information Protection Act, see https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-privacy-act/; for the Protection of Personal Information Act, see oipc.bc.ca; and for the General Data Protection Regulation, see https://eugdpr.org/.

 

A comparison of GDPR and PIPA has been prepared by the Office of the Information and Privacy Commissioner of British Columbia.

 

 

[1]  This Privacy Code is built on the ten principles of the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information, which was published in March 1996 as a National Standard of Canada; these principles are now incorporated in the federal Personal Information Protection and Electronic Documents Act.

 

 

 

Phone

(250) 644-8490

Address

Birch Ave above Didi's Salon

100 Mile House, BC
