Burgundy Asset Management Ltd. (Burgundy) is a discretionary investment manager domiciled in Canada. In Canada, privacy legislation has been enacted at both the federal and provincial levels, and Burgundy is subject to each of these laws, depending on the province of residence of its Clients. Burgundy also adheres to the privacy legislation in the United States and Europe. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) has been recognized by the European Commission as providing an “adequate level of protection” for personal data that is transferred from the European Union (EU) to organizations domiciled in Canada and subject to PIPEDA. If you reside in the EU, Burgundy will be the data controller of your Personal Information provided to us for our services.

We are committed to protecting our Clients’ privacy and the confidentiality of their personal information in our possession. This includes personally identifiable information and personal data such as name, address, date of birth, email, tax identification number, etc. of Clients or their directors, officers, beneficial owners, employees, agents, or representatives (Personal Information). Additionally, we are committed to ensuring that anyone who accesses our website understands what data may be collected, how we may use it, and how to opt out of sharing any information. Here are the ways we fulfill these commitments.

1. We only ask Clients for necessary Personal Information

We are legally required to collect Clients’ Personal Information as a result of providing and in order to provide discretionary investment management services to Clients. We collect Personal Information about you from applications or forms you may complete, agreements you enter into with us, and in the course of you establishing or maintaining a client relationship with us. All of our forms and the information obtained from Clients are designed to collect only information needed for contractual, income tax reporting, transaction, and regulatory requirements, and for no other purpose. Regulatory requirements include but are not limited to know-your-client requirements and anti-money laundering rules which are applicable to us as an adviser and fund manager.

We determine how to use your Personal Information and how it may be processed so that we can provide you with our services. For example, we use the information Clients provide to us to thoroughly understand each Client’s investment goals and objectives. This helps us to determine the appropriate investments for the Client.

To help us keep our records accurate and complete, we ask Clients to consent explicitly to our use of their Personal Information in our investment management agreement, client profile application form, and each annual client profile renewal form. Clients are asked to notify us of any Personal Information changes, deletions, or corrections. Clients may decline to share certain Personal Information with us, in which case we may not be able to provide you with our services. At any time, except if otherwise permitted by applicable law, you may object to the processing of your Personal Information, on legitimate grounds, or withdraw consent to its usage.

2. We safeguard and limit access to Clients’ Personal Information

We keep Clients’ Personal Information in our computer system, which can only be accessed by authorized employees using secure passwords. We have installed anti-hacking hardware to prevent unauthorized access to the computer system. For disaster recovery purposes, we maintain a duplicate computer system in an offsite location. This system has the same privacy and security measures as are in our main offices. We may also keep paper copies of Personal Information in filing cabinets in our office, which premises are only accessible to employees, visitors who are accompanied while in our offices, and limited service providers under contract with us who are required to adhere to our privacy and security measures. When we need to store paper copies of information offsite, the storage firm is under contract to adhere to our privacy and security measures.

For Clients in Quebec, your personal information will be communicated outside of the province as our servers and our back office operational functions are located in Ontario. In addition, employees in our B.C. office may have access to your records via their access to our computer systems. Finally, certain service providers located outside of Quebec may have access to your personal information, as described in more detail below under Outside Service Suppliers.

3. We prevent unauthorized disclosure of Clients’ Personal Information

All Burgundy personnel are trained to keep Clients’ Personal Information private and confidential. We require all of our staff to sign our Code of Conduct annually, which contractually obliges them to respect and protect Clients’ Personal Information. We prohibit disclosure of any Client’s Personal Information to a third-party who is not a contracted Burgundy service provider without the Client’s explicit consent, or unless Burgundy is, by law, required or permitted to do so. We shred paper documents containing Clients’ Personal Information before discarding such documents. When electronically stored Personal Information is no longer required for contractual or regulatory purposes, we delete the information from our computer systems.

4. We honour requests for access to Personal Information

Upon request by a Client, Burgundy will provide the Client with their Personal Information that we hold or process on their behalf. To protect our Clients’ Personal Information, we follow strict storage and disclosure procedures prior to disclosing such information. If Burgundy receives a notification from a Client requesting correction, deletion, or return of Personal Information, to the extent permitted by law, Burgundy will correct such data or remove such data from our records and evidence its removal or return of information in a manner consistent with regulatory requirements. Our retention periods for Personal Information are based on business needs and legal requirements. We retain Personal Information for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose.

5. We share necessary information with outside service suppliers

We do not provide directly all the services related to your relationship with us. We may use service providers to perform specialized services on our behalf including, but not limited to, issuing cheques, preparing your income tax slips, completing client profiles or profile renewals, storing of Personal Information including cloud services, processing transactions, or other data processing. Our service providers may at times be responsible for handling and processing your Personal Information and as such, are considered to be data processors. Some of these third parties may be located outside of Quebec (for Quebec residents), Canada, or the U.S. and/or may house some of the Personal Information outside of Quebec (for Quebec residents), Canada, or the U.S. As a result, your Personal Information may be accessible to foreign regulatory authorities and subject to foreign laws. However, our service providers are given only the information necessary to perform the required services and are subject to regulatory requirements imposing data security obligations on the ways in which they process Personal Information. In addition, we require our service providers and data processors to protect the information in a manner that is consistent with our Privacy Policy as well as the security practices and regulations applicable in their province or country of jurisdiction.

6. We collect information via cookies on our Website, Client Portal, or Mobile Application

If you access our website, the Client Portal or Mobile Application, certain information about your computer or device will automatically be generated, collected and logged by technological means such as cookies and related technologies like pixel, tags or beacons (collectively referred to as “cookies”). This information may include the type of browser you are using, your general geographic location, device models, iOs version, click rates, and web pages visited. Note that these cookies by themselves do not identify you personally or tell us your email address, and your Internet Protocol (IP) Address is anonymized by default. The data collected is aggregated and used to analyze the number of unique visitors to our site and geographic origin trends, but not to identify individual site visitors.

A notification banner will appear on our website allowing you to manage your consent to collect cookies. Below are the types of cookies we collect and how withholding your consent would affect certain features of the site:

  • Strictly necessary and functional cookies – these are essential to enable users to navigate the website and use its features. They must be enabled and cannot be blocked, or the site will not function properly.
  • Analytics and performance cookies – these gather data to enhance performance of the site. You can manage your consent for performance cookies by using the cookie banner or by updating your browser’s setting (generally under the Tools or Preferences menu) to decline cookies.
  • Advertisement cookies – these are rarely used but may be activated as part of Burgundy promotional campaigns on LinkedIn, for example.

We may, from time to time, use cookies and the information they generate to:

  • Improve your user experience – for example, make certain content or pages more readily accessible.
  • Enable certain website functions – for example, set your language preferences.
  • Provide us with analytics – we use Google Analytics, a third-party analytics tool that helps us understand how visitors use our site, which allows us to improve our content. The data is aggregated and covers things such as total visits or page views.

If you would like to delete cookies or instruct your web browser to delete or refuse cookies, please visit the help pages of your web browse. Note that if you delete or refuse to accept cookies, you might not be able to use all of our website features or to store your preferences, and some of our site pages may not display properly.

7. Client Portal and Mobile Application

The Internet is not a secure medium and complete privacy, security and confidentiality cannot always be assured. While Burgundy implements reasonable and effective security controls to protect its data assets, you acknowledge that any improper use of the Client Portal and Mobile Application or your failure to protect any related usernames and passwords may lead to unauthorized access or disclosure of your Personal Information. Burgundy shall not be responsible or liable for any harm that you or any other person may suffer in connection with any such breach of confidentiality or security.

8. We have implemented security measures

Burgundy has implemented a number of security measures and processes to help protect against the loss, misuse, theft and unauthorized access of the Personal Information under our control. Only Burgundy employees and authorized third parties who have a legitimate business need or legal requirement to access and/or process your Personal Information will be permitted to do so. General entry to our offices is secured and cannot be accessed by unauthorized personnel.

Please exercise care and judgement whenever sending Personal Information to us or any other parties via email. Because of the inherent risks associated with the electronic transmission of information on the internet or otherwise, Burgundy does not guarantee the security and integrity of any electronic communications sent or received in relation to the services provided to you.

9. We have a Privacy Officer

Our Privacy Officer is responsible for monitoring the fulfillment of our privacy commitments and for training our employees in Privacy Policy matters. At any time, Clients can request that our Privacy Officer inform them of what Personal Information of the Client exists in our records, and how we use such Personal Information. Clients have access to their Personal Information and can make requests to have their Personal Information corrected, updated, erased, or transferred. If Clients wish to review their Personal Information, they should email privacyofficer@burgundyasset.com.

10. We may report privacy breaches

A privacy breach is the loss of, unauthorized access to, or disclosure of, Personal Information resulting from a breach of an organization’s security safeguards. Upon the occurrence of a privacy breach or a potential privacy breach, Burgundy will investigate and evaluate the implications of the breach of security safeguards. Burgundy will report the breach to the appropriate regulatory body and/or applicable organization as soon as feasible after we have determined the breach occurred and is reportable, and such reporting will occur within the prescribed timelines for certain jurisdictions (i.e., Europe). We will also notify affected individuals if the breach creates a real risk of significant harm to an individual as soon as feasible after the organization determines that the breach has occurred, unless giving notice is otherwise prohibited by law. Burgundy will take immediate steps to prevent future breaches after taking all necessary steps to mitigate the risks associated with a breach of security safeguards.

11. We disclose information to regulators and agencies when required by law

We may be required to disclose your Personal Information to domestic and international governments, government agencies, tax authorities, law enforcement agencies, securities regulators and other regulators, and will only do so when required by law.

12. Raising a complaint about how we have handled your Personal Information

If you wish to raise a complaint on how we have handled your Personal Information, you can contact our Privacy Officer as set out above, who will then investigate the matter. If you are not satisfied with our response or believe we are not processing your Personal Information in accordance with applicable law you may make a complaint to your local Privacy Commissioner’s Office.