Burgundy Asset Management Ltd. (Burgundy) is a discretionary investment manager domiciled in Canada. In Canada, privacy legislation has been enacted at both the federal and provincial levels, and Burgundy is subject to each of these laws, depending on the province of residence of its Clients. Burgundy also adheres to the privacy legislation in the United States and Europe. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) has been recognized by the European Commission as providing an “adequate level of protection” for personal data that is transferred from the European Union (EU) to organizations domiciled in Canada and subject to PIPEDA. If you reside in the EU, Burgundy will be the data controller of your Personal Information provided to us for our services.
We are committed to protecting our Clients’ privacy and the confidentiality of their personal information in our possession. This includes personally identifiable information and personal data such as name, address, date of birth, email, tax identification number, etc. of Clients or their directors, officers, beneficial owners, employees, agents, or representatives (Personal Information). Here are the ways we fulfill these commitments.
1. We only ask Clients for necessary Personal Information
We collect Personal Information about you from applications or forms you may complete, agreements you enter into with us or in the course of your establishing or maintaining a client relationship with us regarding the discretionary investment management services we provide. All of our forms and the information obtained from Clients are designed to collect only information needed for contractual, income tax reporting, transaction and regulatory requirements, including but not limited to know-your-client requirements and anti-money laundering rules which are applicable to us as an adviser and fund manager. We are legally required to collect Clients’ Personal Information as a result of providing discretionary investment management services to Clients. We determine how to use your Personal Information and how it may be processed so that we can provide you with our services. For example, we use the information Clients provide to us to thoroughly understand the Client’s investment goals and objectives. This helps us to determine the appropriate investments for the Client.
To help us keep our records accurate and complete, we ask Clients to consent to our use of their Personal Information in our investment management agreement, client profile application form and each annual client profile renewal form. Clients are asked to notify us of any Personal Information changes, deletions or corrections. Clients may decline to share certain Personal Information with us, in which case we may not be able to provide you with our services. At any time, you may object to the processing of your Personal Information, on legitimate grounds, except if otherwise permitted by applicable law.
2. We safeguard and limit access to Clients’ Personal Information
We keep Clients’ Personal Information in a computer system, which can only be accessed by authorized employees using secure passwords. We have installed anti-hacking hardware to prevent unauthorized access to the computer system. For disaster recovery purposes, we maintain a duplicate computer system in an offsite location. This system has the same privacy and security measures as are in our main offices. We may also keep paper copies of Personal Information in filing cabinets in our office. When we need to store information offsite, the storage firm is under contract to adhere to our privacy and security measures.
3. We prevent unauthorized disclosure of Clients’ Personal Information
All Burgundy personnel are trained to keep Clients’ Personal Information private and confidential. We require all of our staff to sign our Code of Conduct, which contractually obliges them to respect and protect Clients’ Personal Information. We prohibit disclosure of any Client’s Personal Information to a third-party without the Client’s explicit consent, or unless Burgundy is, by law, required or permitted to do so. We shred paper documents containing Clients’ Personal Information before discarding such documents. When electronically stored Personal Information is no longer required for contractual or regulatory purposes, we delete the information from our computer systems.
4. Requests for access to Personal Information
Upon request, Burgundy will provide Clients with the Personal Information we hold or process on their behalf. To protect our Clients’ Personal Information, we follow strict storage and disclosure procedures prior to disclosing such information. If Burgundy receives a notification from a Client requesting deletion or return of Personal Information, to the extent permitted by law, Burgundy will remove such data from our records and evidence its removal or return of information in a manner consistent with regulatory requirements. Our retention periods for Personal Information are based on business needs and legal requirements. We retain Personal Information for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose.
5. Outside Service Suppliers
6. Use of information collected via the Internet
If you use the internet to communicate with us or you access our website, the Client Portal or Mobile Application, certain information about your computer or device may automatically be generated, collected and logged by Web servers or applications. This information may include the Internet Protocol (IP) Address assigned to your computer by your Internet Service Provider (ISP), the type of browser you are using, the general location of your computer, record device models, iOs version, click rates, manufacture and Web pages visited. We may, from time to time, use this information to monitor website usage, resolve technical issues, improve functionality and evaluate website or application popularity.
7. Client Website Portal and Mobile Application
The Internet is not a secure medium and complete privacy, security and confidentiality cannot always be assured. While Burgundy implements reasonable and effective security controls to protect its data assets, you acknowledge that any improper use of the Client Portal and Mobile Application or your failure to protect any related usernames and passwords may lead to unauthorized access or disclosure of your Personal Information. Burgundy shall not be responsible or liable for any harm that you or any other person may suffer in connection with any such breach of confidentiality or security.
Burgundy has implemented a number of security measures and processes to help protect against the loss, misuse, theft and unauthorized access of the Personal Information under our control. Only Burgundy employees and authorized third parties who have a legitimate business need or legal requirement to access and/or process your Personal Information will be permitted to do so. General entry to our offices is secured and cannot be accessed by unauthorized personnel.
Please exercise care and judgement whenever sending Personal Information to us or any other parties via email. Because of the inherent risks associated with the electronic transmission of information on the internet or otherwise, Burgundy does not guarantee the security and integrity of any electronic communications sent or received in relation to the services provided to you.
9. We have a Privacy Officer
10. Reporting privacy breaches
A privacy breach is the loss of, unauthorized access to, or disclosure of, Personal Information resulting from a breach of an organization’s security safeguards. Upon the occurrence of a privacy breach or a potential privacy breach, Burgundy will investigate and evaluate the implications of the breach of security safeguards. Burgundy will report the breach to the appropriate regulatory body and/or applicable organization as soon as feasible after we have determined the breach occurred and such reporting will occur within the prescribed timelines for certain jurisdictions (i.e. Europe). We will also notify affected individuals if the breach creates a real risk of significant harm to an individual as soon as feasible after the organization determines that the breach has occurred, unless giving notice is otherwise prohibited by law. Burgundy will take immediate steps to prevent future breaches after taking all necessary steps to mitigate the risks associated with a breach of security safeguards.
11. We disclose information to regulators and government agencies only when required by law
We may be required to disclose your Personal Information to domestic and international governments, government agencies, tax authorities, law enforcement agencies, securities regulators and other regulators, and will only do so when required by law.
12. Raising a complaint about how we have handled your Personal Information
If you wish to raise a complaint on how we have handled your Personal Information, you can contact our Privacy Officer as set out above, who will then investigate the matter. If you are not satisfied with our response or believe we are not processing your Personal Information in accordance with applicable law you may make a complaint to your local Privacy Commissioner’s Office.