horninc

A data protection officer here. There is a Commission Adequacy Decision regarding Canada's compliance with GDPR which refers to "the Canadian Personal Information Protection and Electronic Documents Act". The implication is that Canadian data protection laws and regulations offer "equal protection" to individual rights of the data subject (in terms of balancing between individual interest and public interest). This, however, fully applies only to data transfers, and does not rule out the application of GDPR in general. As a result, the forum can legally transfer data between EU and Canada, and perform their data processing activities of EU citizen personal data in Canada. However, that does not exclude the possibility that any EU citizen can ask for his GDPR rights to be enforced referring to the EU legislation, and not the Canadian one. What is interesting, however, is that at a quick glance I noticed the same principles and also rights in the Canadian version, so I might be wrong, but I think the implementation guidelines should be quite similar. In terms of being user-friendly and privacy-centric the current Privacy Policy is taking big steps towards that, but it should not be "complied and now done" approach, but instead a process. For instance: a) Clarification on data retention periods and if applicable their legal basis b) You further send data to the USA (IPS, Inc), where do they send it to? c) Do you have data processing agreements with these companies? So, a really good start, but definitely not the finish line as far as compliance goes.