ClearBreach
Get early access

Guides

PIPEDAAB PIPABC PIPAAll sectors

Sample Privacy Complaint Handling Procedure

By Yong Du

A free sample complaint handling procedure for Canadian private-sector organizations under PIPEDA, Alberta PIPA, and BC PIPA — ready to adapt for your organization.

[ORGANIZATION NAME] Privacy Complaint Handling Procedure

Version: 1.0 Effective date: [DATE] Privacy contact: [NAME OR TITLE] | [EMAIL] | [PHONE] Next review date: [DATE — review annually]

1. Purpose

This procedure describes how [ORGANIZATION NAME] receives, investigates, and responds to complaints about its handling of personal information under the Personal Information Protection and Electronic Documents Act (PIPEDA) and [Alberta's Personal Information Protection Act (AB PIPA) / British Columbia's Personal Information Protection Act (BC PIPA) — retain applicable legislation, delete the other].

This procedure covers PIPEDA (for federally-regulated activities and organizations in provinces without substantially similar legislation), Alberta PIPA (for organizations registered in Alberta), and BC PIPA (for organizations registered in British Columbia). It does not cover Quebec's Act respecting the protection of personal information in the private sector (Law 25 / Bill 64).

2. Scope

This procedure applies to all personal information collected, used, or disclosed by [ORGANIZATION NAME] in the course of its commercial activities.

3. How to submit a complaint

Individuals may submit a privacy complaint:

  • By email to [PRIVACY CONTACT EMAIL]
  • By mail to [MAILING ADDRESS], Attention: [PRIVACY CONTACT TITLE]

All complaints must be submitted in writing. If a complaint is received verbally, [ORGANIZATION NAME] will ask the individual to confirm it in writing before the formal investigation begins.

4. Acknowledgement

[ORGANIZATION NAME] will acknowledge receipt of a written complaint promptly. Acknowledgement confirms the complaint has been received and identifies the privacy contact responsible for the investigation.

5. Investigation

The privacy contact will:

  • Review the specific allegation — what personal information is at issue and which practice is being challenged
  • Collect relevant records, including any applicable privacy policy provisions, procedures, or communications
  • Assess whether [ORGANIZATION NAME]'s practices comply with PIPEDA and applicable provincial PIPA for the area at issue
  • Record each investigation step, the date it was completed, and the findings

6. Response

[ORGANIZATION NAME] will provide a written response to the complainant within [ORGANIZATION TARGET — e.g. 30 business days] of acknowledgement. This is an internal organizational target. PIPEDA and provincial PIPA set no fixed statutory deadline for complaint responses.

If additional time is required due to the complexity of the investigation, [ORGANIZATION NAME] will notify the complainant and provide an estimated response date.

The written response will:

  • Address the specific allegation
  • State whether the complaint is founded or not founded, with reasons
  • Describe any corrective action taken or planned if the complaint is founded

7. Escalation to a privacy commissioner

If the complainant is not satisfied with [ORGANIZATION NAME]'s response, they may file a complaint with the applicable privacy commissioner:

Legislation Regulator How to file
PIPEDA (federal) Office of the Privacy Commissioner of Canada priv.gc.ca/en/report-a-concern
AB PIPA Office of the Information and Privacy Commissioner of Alberta oipc.ab.ca
BC PIPA Office of the Information and Privacy Commissioner for BC oipc.bc.ca

Retain only the rows applicable to your organization's registered province.

8. Record keeping

[ORGANIZATION NAME] maintains a complaint log recording:

  • Date complaint received
  • Name of complainant (or anonymous if not provided)
  • Nature of the allegation
  • Investigation steps and dates
  • Findings
  • Response date and outcome
  • Corrective action taken (if applicable)

Complaint records are retained for a minimum of [7 years — recommended practice; confirm with legal counsel for your sector].

9. Annual review

[PRIVACY CONTACT TITLE] reviews this procedure annually to confirm it reflects current organizational practices and any changes to applicable privacy legislation. The review date in the header is updated on each review.

This template does not cover Quebec's Act respecting the protection of personal information in the private sector (Law 25 / Bill 64) — organizations registered in Quebec or conducting business primarily in Quebec are subject to different complaint handling obligations and should consult Quebec-specific guidance.

If your organization handles personal health information under provincial health legislation such as Alberta's Health Information Act, additional obligations may apply that are not covered here.

ClearBreach Technologies Inc. — Sample Privacy Complaint Handling Procedure — clearbreach.ca

This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.