1. Introduction and Scope

1.1 Commitment to Privacy

Instowiz (1000443301 Ontario Inc., referred to as “Instowiz” in this document) is committed to protecting the personal data that we handle and works closely with its clients and third-party suppliers to address the challenges of the evolving data protection regulatory landscape.

We maintain this Data Privacy policy detailing our privacy principles, standards and practices and how we protect all personal data as part of our operations.

1.2 Principles

Instowiz is committed to maintaining a level of protection of personal data aligned with best practices, the Applicable Data Protection Legislation and Instowiz’s contractual obligations. Instowiz will implement effective security measures to safeguard the Personal Data and avert data breaches. Instowiz’s data protection principles are explained in this document (section 3).

1.3 Scope

This policy forms an integral part of Instowiz’s management foundation and is binding on all Instowiz legal entities and employees (including third parties and subcontractors) regardless of their location. Any third-party supplier or subcontractor that processes personal data on Instowiz’s behalf is required to implement appropriate technical and organizational measures to ensure compliance with the principles and requirements of this policy. When Instowiz processes personal data on behalf of a client, any contractual commitments or other obligations of Instowiz towards its client need to be passed down to all engaged third-party suppliers. Any commitment or obligation must be expressly reflected in agreements entered into between Instowiz and third-party suppliers by including a copy of this policy.

2. Definitions

Personal Data (PD) / PII

Any information relating to an identified or identifiable natural person (e.g., name, address, ID number, location data, online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity).

Processing

Any operation performed on Personal Data, such as collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, or destruction.

3. Data Protection Principles

Instowiz adheres to the following core principles when processing Personal Data:

| Principle | Description |
| --- | --- |
| Lawfulness, Fairness, & Transparency | Data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. |
| Purpose Limitation | Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. |
| Data Minimization | Data processed must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. |
| Accuracy | Data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure inaccurate data is corrected or deleted. |
| Storage Limitation | Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data are processed. |
| Integrity & Confidentiality | Data must be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. |

4. Data Subject Rights

Instowiz is committed to supporting the rights of data subjects, which may include (but are not limited to):

  • Right of Access: The right to request a copy of their Personal Data. 
  • Right to Rectification: The right to have inaccurate or incomplete Personal Data corrected.
  • Right to Erasure (‘Right to be Forgotten’): The right to request the deletion of their Personal Data, subject to legal and contractual obligations. 
  • Right to Restrict Processing: The right to limit the way we use their Personal Data.
  • Right to Data Portability: The right to receive their Personal Data in a structured, commonly used, and machine-readable format.

All requests regarding data subject rights must be directed to the Instowiz Management and Security Office (SO) and handled within the legally mandated timeframe.

5. Client Data Protection

When Instowiz processes a client’s personal data, Instowiz ensures that Personal Data is processed for the client’s sole expressed purpose, and according to the client’s written instructions, including in respect of the duration, set out in the terms and conditions agreed between Instowiz and the client.

The client remains solely responsible for ensuring that there is a valid legal basis for the Processing performed by Instowiz and that the instructions given to Instowiz in respect of the Processing comply with Applicable Data Protection Legislation, including the retention period to be applied. Nonetheless, Instowiz will promptly inform the client if, in its opinion, any such instructions contravene Applicable Data Protection Legislation.

Unless otherwise instructed by the client, Instowiz will apply (as a minimum) Instowiz’s security baseline as prescribed in Instowiz’s privacy policy. Any deviation from this baseline requires relevant risk reviews and the approval of Instowiz’s Security Officer in accordance with Instowiz’s Principles.

6. Third-Party and Subcontractor Management

  • Contractual Requirements: All third-party vendors and subcontractors who process Personal Data on our behalf must sign a Data Processing Agreement (DPA) and be subject to security reviews to ensure they provide adequate data protection safeguards. 
  • Due Diligence: We will perform due diligence on all data processors to ensure compliance with our security and privacy standards before engaging their services.

7. Communication and Training

Instowiz continually promotes a data protection policy within its organization. Instowiz deploys an annual data privacy learning and awareness campaign within its organization, which is regularly updated to reflect technological and legislative changes. Such training and awareness is mandatory for all Instowiz partners, subcontractors, and freelancers.

8. Data Breach Management

A documented Data Breach Response procedure is maintained. All personnel must immediately report any suspected or actual data breach (loss, unauthorized access, or disclosure of PD) to the SO. The SO is responsible for assessment, containment, remediation, and statutory notification procedures.

9. Policy Enforcement

Non-compliance with this policy may result in disciplinary action up to and including termination of employment or contract and may also result in individual civil or criminal liability.

© All Rights Reserved By Instowiz