Purpose

CGI (“we or our”) has issued this myAutoPlus Data Privacy Policy (“Policy”) to inform you, as the requesting consumer (“you” or “your”) about how and why we collect and Process your Personal Information, CGI privacy practices, and your rights with respect to the Processing of your Personal Information.

This Policy sets out the general standard that CGI has implemented when Processing Personal Information within the Application.

1. Definitions

For the purposes of this Policy, the following definitions apply:

“Application” means the myAutoPlus application downloaded and used by you to access your myAutoPlus Report.

“Applicable Data Protection Legislation” refers to applicable Canadian privacy laws and any applicable local laws relating to the Processing of Personal Information.

“myAutoPlus Report” means the report requested by you through the Application containing your automobile insurance and claims history report data held by CGI. This report will contain your personal information only, but not the personal information of other parties related to your insurance policy.

“Personal Information” means the personally identifiable information about you contained in a myAutoPlus Report and as supplied by you in the use of this Application.

“Process”, “Processing” or “Processed” refers to any operation or set of operations performed on Personal Information, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, using, disclosing by transmitting, disseminating or otherwise making available, aligning or combining, restricting, erasing, or destroying.

2. Context and Scope

As part of CGI’s agreements with the Canadian Property & Casualty (P&C) Insurers, CGI acts as a service provider to process and manage automobile insurance data provided to it by such P&C Insurers. As CGI provides reports to P&C Insurers to be used for insurance underwriting purposes, CGI is registered as a consumer reporting agency in applicable jurisdictions, whereupon a consumer’s request, CGI must provide their respective automobile insurance and claims history report (the myAutoPlus Report) to that requesting consumer. This report will contain your personal information only but not the personal information of other parties related to your insurance policy. Such other related parties must obtain their own reports.

This Policy governs the supply and management of a myAutoPlus Report to you as a requesting consumer, pursuant to applicable consumer protection and privacy laws. You may also request a paper copy to be delivered to your residential address by contacting the CGI help desk at insurance.helpdesk@cgi.com.

Access to a myAutoPlus report is not currently offered in all provinces and territories. You acknowledge that a myAutoPlus Report and access to automobile insurance data is not available to requesting consumers in British Columbia, Quebec, Manitoba or Saskatchewan.

This Privacy Policy does not affect or govern CGI’s existing agreements or data processing obligations with respect to its role as service provider to Canadian Property & Casualty (P&C) Insurers.

3. Which Personal Information do we use about you?

Subject to Applicable Data Protection Legislation, some or all of the following Personal Information categories may be Processed by CGI and any third party engaged by CGI for providing services to CGI:

1. Data provided by you during registration, including e-mail address, contact phone number, and certain information derived from a Driver License scan;
2. Insurance data contained within your myAutoPlus Report pertaining to you;
3. Any additional data provided by you or entered into the Application by you;
4. Data related to logging and IP address, and application use metrics;

Third party advertising partners may collect certain data from you, based on your consent.

All data collected and required to be stored for the purposes of operating the Application will be stored in Ontario and/or Quebec.

4. Why do we use your Personal Information?

CGI will Process Personal Information as strictly necessary to fulfil the purposes and functions of the Application relative to your receipt and management of your myAutoPlus Report and other personal information supplied by you, and in conformance with consents to Processing given by you.

4.1 Processing Principles

Transparency, fairness and lawfulness: CGI will Process Personal Information lawfully, fairly and in a transparent manner in accordance with the requirements of this Policy and as necessary for compliance with the Applicable Data Protection Legislation.

Purpose: CGI will Process Personal Information as strictly necessary to fulfil the purposes and functions of the Application relative to your receipt and management of your AutoPlus data and other personal information supplied by you, and in conformance with the consents to Processing given by you.

Data minimization: when the purpose for Processing Personal Information is established, CGI will only collect Personal Information to the extent required for accomplishing such purpose.

Accuracy of Personal Information: CGI manages your myAutoPlus Report data as provided to it by industry sources, including insurance companies and their service providers, and from organizations having legal or regulatory jurisdiction or oversight of such insurance industry data (the “Data Providers"). CGI stores and reports such automobile insurance data but is not authorized to make changes to it. Every reasonable step will be taken to ensure that Personal Information that is reproduced accurately from our Data Providers. CGI will provide means for you to inform CGI, the Data Providers and/or a relevant agency or regulatory body in case of any errors in their Personal Information. You acknowledge that CGI cannot unilaterally make changes to the myAutoPlus Report data without the approval of the relevant Data Providers.

Any information otherwise provided to CGI directly by you can be subject to correction or updating based on your direction and notification.

Data retention limitation: CGI will ensure that it does not keep your Personal Information for a longer period than strictly necessary to achieve the purpose for which your Personal Information is collected. Consequently, CGI will determine before the performance of the Processing an appropriate retention period. In doing so, CGI will consider the time during which the Personal Information is necessary to achieve the purpose of the Processing.

Technical and Organizational Measures: CGI will implement appropriate technical and organizational measures, consistent with prevailing industry standards adopted by CGI, to guard against unlawful access or Processing of Personal Information.

4.2 Sensitive Personal Information

If CGI collects and processes information which is deemed to be Sensitive Personal Information under CGI will do so only where strictly necessary and will ensure appropriate technical measures are in place to protect such data as required by applicable privacy laws. Currently CGI does not intend to or need to collect sensitive personal information from you.

“Sensitive Personal Information” refers to specific categories of Personal Information that reveal racial or ethnic origin, political opinion, religious or philosophical beliefs, or trade union membership, as well as the Processing of genetic or biometric data for the purpose of uniquely identifying a natural person, health data, and data concerning a natural person’s sex life or sexual orientation.

5. Management of Data Incidents and Breaches

5.1 Incident Management

CGI has a mature, industry standards-based security incident response and management process designed to handle privacy and security incidents. Incident assessment and prioritization standards are followed to ensure appropriate engagement levels and timely resolution.

High-priority incidents are managed through a 24x7 Global Security Operations Centre, where trained, full-time incident response professionals coordinate response efforts. CGI’s Data Privacy team is engaged in the incident management process whenever Personal Information is suspected to be involved.

5.2 Notification of Personal Information Breach

If CGI reasonably believes that a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information transmitted, stored or otherwise Processed has occurred, CGI will provide security incident notification and status updates to the relevant regulatory body(ies) and to you, as required by Applicable Data Protection Legislation.

6. Who do we share your Personal Information with?

As part of CGI operations, we may collect your Personal Information and disclose it on an as needed basis to third parties engaged by CGI and providing services as part of the Application or performing services on our behalf (e.g. suppliers and subcontractors). Whenever CGI relies on third parties to Process Personal Information, CGI ensures that such third parties provide an adequate level of protection to the Personal Information they process as required by Applicable Data Protection Legislation.

Based on your consent, we may also share your Personal Information with third parties providing authentication services to CGI. On a regular basis, CGI conducts due diligence and third-party privacy and security risks assessments with all third parties engaged by CGI, to establish their corporate capabilities and maturity with respect to security and data protection.

CGI will disclose your Personal Information if the disclosure is reasonably necessary to protect CGI’s rights and pursue available remedies, enforce CGI’s terms and conditions, investigate fraud, or protect CGI’s operations or users.

CGI may also disclose your Personal Information to administrative, judicial or governmental authorities, state agencies or public bodies, strictly in accordance with Applicable Data Protection Legislation and after careful review, the legality of any order to disclose such Personal Information. CGI will challenge the order if there are legal grounds to do so.

7. What are your rights and how can you exercise them?

Individuals have several rights under the Applicable Data Protection Legislation to request access to their Personal Information held by CGI and/or information about how CGI Processes their Personal Information. If you have any questions regarding the Processing of your Personal Information, please send your formal request to privacy@cgi.com.

Under Applicable Data Protection Legislation you have the following rights:

1. to access your Personal Information;
2. to rectify any of your inaccurate or incomplete Personal Information;
3. to object to the Processing of your Personal Information at any time;
4. to delete your Personal Information, except where its retention is still necessary for the purposes for which it was collected; necessary to protect CGI’s rights; or required by Applicable Data Protection Legislation
5. to restrict the Processing of your Personal Information that is no longer accurate or necessary;
6. to receive your Personal Information in a structured, commonly used and machine-readable format; or
7. to withdraw your consent given for the Processing of your Personal Information.

CGI will act in accordance with the Applicable Data Protection Legislation and other relevant legal and contractual obligations in the search for and provision of relevant Personal Information. You may be required to deal directly with your insurance company to exercise these rights. CGI may need to ask you further questions in relation to your Personal Information or to verify your identity.

If you do not agree with the information on your myAutoplus Report please contact the Complaint Officer or Ombudsperson of your insurer.

For Ontario:

A list of these individuals can be found on the Financial Services Regulatory Authority of Ontario website How to Resolve an Auto Insurance Complaint | Financial Services Regulatory Authority of Ontario (fsrao.ca) and select “Find your insurance company’s complaint officer”.

Account deletion:

To initiate the process of myAutoPlus account deletion please email our Helpdesk at insurance.helpdesk@cgi.com. In the header of the email please mention "myAutoPlus Account Deletion" to help process your request. You may be required to provide proof of your identity and confirmation of the original email used to create the account.

8. Changes to this Policy

This Policy may be amended from time to time to comply with Applicable Data Protection Legislation or changes in the data management or processing practices of CGI. CGI will ensure that you are notified of any material changes to the Policy promptly, through an update or notification in the Application and/or myAutoPlus.ca, by email or other appropriate method of communication. Should you require a status update, you may raise a request by sending an email to privacy@cgi.com.

9. Data Privacy Organization - Questions

CGI has designated a Chief Privacy Officer (CPO) to oversee CGI’s global data protection strategy, enterprise- wide data protection policies and procedures, and data protection regulatory compliance, and a network of Privacy Business Partners may also be appointed as Data Protection Officers in accordance with Applicable Data Protection Legislation. In case of questions or concerns related to the interpretation or operation of this Policy, please send an email to privacy@cgi.com or contact CGI's Chief Privacy Officer at Paris – Carré Michelet, 10-12 Cours Michelet, 92800 Puteaux, France.