GDPR compliance

Introduction

BEMSB ("we", "us", or "our") is committed to protecting the privacy and personal data of individuals in the European Economic Area (EEA) and the United Kingdom. This page explains how we comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR when processing personal data of European clients and website visitors.

This document supplements our Privacy policy. In the event of any conflict, our Privacy policy prevails.

1. Data Controller

BEMSB
Office 723, 145 1/2 Church Street, Unit 5
Toronto, Ontario, M5B 1Y4, Canada
admin@bemsb.com

2. Lawfulness, Fairness, and Transparency

We only collect and use your personal data where there is a clear and lawful basis to do so. We rely on the following legal grounds:

• Consent - where you have given explicit consent to the processing of your data for one or more specific purposes
• Contractual necessity - where processing is necessary for the performance of a contract or to take steps at your request before entering into a contract
• Legal obligation - where processing is required to comply with applicable laws, including anti-money laundering and counter-terrorism financing regulations
• Legitimate interests - where processing is necessary for our legitimate business interests, provided those interests do not override your fundamental rights and freedoms

We present all data-processing information in clear, plain language and keep our privacy documentation accessible and up to date.

3. Purpose Limitation

Personal data is collected only for specified, predetermined, and lawful purposes, about which you are informed at or before the time of collection. We do not further process personal data in a manner incompatible with those purposes without obtaining additional consent or establishing a separate legal basis.

4. Data Minimisation

We collect only the personal data that is strictly necessary for the stated processing purposes. Unnecessary data fields are eliminated from our forms and processes. We periodically review the data we hold to ensure ongoing compliance with this principle.

5. Accuracy

We take reasonable steps to ensure your personal data is accurate and current:

• We maintain procedures for regular updates reflecting changes in personal information
• We provide mechanisms for you to correct errors in your data
• We verify critical data used for regulatory and compliance purposes
• Inaccurate data that cannot be corrected is securely deleted

We encourage you to notify us promptly of any changes to your personal information so we can keep our records accurate.

6. Storage Limitation

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Client records are retained for a minimum of five years in accordance with FINTRAC record-keeping obligations. Once the applicable retention period has expired, personal data is anonymised or securely erased.

Exceptions apply only where data is lawfully kept for archival purposes in the public interest, scientific or historical research, or statistical purposes under Article 89(1) GDPR, subject to appropriate safeguards.

7. Integrity and Confidentiality

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or damage:

• Technical measures: data encryption in transit and at rest, firewalls, intrusion detection systems, antivirus software, regular vulnerability assessments, and timely security updates
• Organisational measures: access controls based on the principle of least privilege, confidentiality agreements with staff and contractors, and regular training on data protection practices
• Incident response: documented breach response procedures, including assessment, containment, and mandatory notification to supervisory authorities and affected individuals where required by law

8. Your Rights Under the GDPR

If you are located in the EEA or the United Kingdom, you have the following rights regarding your personal data:

• Right of access - request a copy of the personal data we hold about you
• Right to rectification - request correction of inaccurate or incomplete data
• Right to erasure - request deletion of your personal data, subject to legal retention obligations
• Right to restrict processing - request that we limit how we use your data in certain circumstances
• Right to data portability - receive your data in a structured, commonly used, machine-readable format
• Right to object - object to processing based on legitimate interests or for direct marketing purposes
• Right to withdraw consent - withdraw your consent at any time where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal
• Right to lodge a complaint - file a complaint with your local data protection supervisory authority

To exercise any of these rights, please contact us at admin@bemsb.com. We will respond within the timeframe required by the GDPR, typically within one month of receiving your request. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.

9. International Data Transfers

As a Canadian company, personal data collected from individuals in the EEA or United Kingdom may be transferred to and processed in Canada. Canada has been recognised by the European Commission as providing an adequate level of data protection for commercial organisations subject to PIPEDA.

Where data is transferred to jurisdictions that have not received an adequacy decision, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission to ensure your data remains protected.

10. Accountability

We demonstrate our commitment to GDPR compliance through:

• Integrating data protection requirements into all business processes and service delivery
• Conducting regular internal reviews of our data protection practices
• Training staff on privacy obligations and data handling procedures
• Maintaining documentation to demonstrate compliance upon request by supervisory authorities

11. Cookies and Tracking

Our website uses essential cookies required for basic functionality. Non-essential technologies, including Google Analytics and our live chat tool (Tawk.to), are loaded only after consent is provided through our cookie banner. You can update your preference at any time via Cookie Settings. We do not use cookies for targeted advertising.

12. Changes to This Policy

We may update this GDPR compliance page from time to time. Any changes will be posted here with an updated modification date. We encourage you to review this page periodically.

13. Contact Us

For any questions regarding our GDPR compliance or to exercise your data protection rights, please contact:

BEMSB
Office 723, 145 1/2 Church Street, Unit 5
Toronto, Ontario, M5B 1Y4, Canada
admin@bemsb.com