Acklands-Grainger Inc. (“Grainger Canada”), its subsidiaries, parent company, affiliates, successors and assigns are committed to ensuring personal information is processed in accordance with our standards to strive for an effortless customer experience and further our commitment to responsible stewardship.
Grainger Canada is directly subject to and committed to compliance, in both letter and spirit, with Canada’s federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) and any applicable substantially similar provincial legislation, such as British Columbia’s Personal Information Protection Act, Alberta’s Personal Information Protection Act, and Quebec’s Act respecting the protection of personal information in the private sector (collectively, the “Privacy Laws”). Depending on the jurisdiction, Privacy Laws may not strictly apply to employee personal information; however, Grainger Canada endeavours to safeguard such information in accordance with this Privacy Code and applicable corporate policies.
Grainger Canada has implemented this Privacy Code and has updated its Privacy Policy to comply with applicable Privacy Laws. This Privacy Code integrates the requirements of the privacy and fair information principles set out in Schedule 1 to PIPEDA and reflected in the Privacy Laws, and includes guidelines on the collection, storage, use, disclosure and retention of personal information.
This Privacy Code, and any other documents referred to in it, sets out the basis on which our employees, agents, and representatives, including our third party service providers (as applicable) who have access to the personal information we hold, will process any personal information we collect from individuals, or that is provided to us from other sources.
Compliance with this Privacy Code, and any other documents referred to in it, is a condition of employment for each Grainger Canada employee. This Privacy Code is to be read in conjunction with and forms part of Grainger Canada’s other policies but does not rescind, replace or otherwise override any specific agreement an employee has entered into with Grainger Canada, including any agreement concerning the confidentiality of information.
Personal information is defined as information about an identifiable individual in any form, including but not limited to:
- Name, age, salary, address, identity numbers.
- Employment particulars, performance, references.
- Health status, ethnic origin, opinions, background.
- Images and likenesses.
- Virtually all other information unique to a person.
For a customer, this will include information about the individual’s use of our products and services, credit information, purchase orders, invoices, online tracking information (including cookies), and any records of dealings with us.
For an employee, as permitted by applicable laws, such information may include, but is not limited to:
- Name, home address and telephone number;
- Date of birth, gender, nationality, citizenship, marital and family status and languages spoken;
- Beneficiary and emergency contact information;
- Resumes and/or applications;
- Third party references (if recorded) and interview notes;
- Background credit checks and criminal records;
- Photographs and video;
- Letters of offer and acceptance of employment;
- Mandatory policy acknowledgement sign-off sheets;
- Payroll information, including but not limited to social insurance number (SIN), pay cheque deposit information, and RRSP/ESP information;
- Employee number and classification;
- Wage/salary and benefit information;
- Forms relating to the application for, or in respect of changes to, employee health and welfare benefits, including short and long term disability, medical and dental care;
- Performance appraisal including workplace performance statistics and discipline record information;
- Information obtained during workplace investigations conducted pursuant to Grainger Canada’s Code of Conduct or other lawful investigation;
- Employee monitoring information based on use of or access to Grainger Canada assets, such as recorded e-mails, voicemails, telephone calls, web access logs, internet activities, keystroke logging and premises access logs;
- Other information that employees voluntarily provide in the course of employment that is necessary to hold or use for the business purposes of Grainger Canada.
Personal information generally does not include:
- Business contact information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment, business or profession.
- Aggregated, unidentifiable information presented in a way that no individual can be identified.
Use of business contact information to send marketing or promotional emails or texts may nonetheless be subject to Canada’s Anti-Spam Laws (“CASL”) and therefore marketing communications should not be sent without prior approval.
Management and Accountability
Grainger Canada is responsible for all personal information in its possession and under its control. Grainger Canada has designated a Privacy Officer to oversee the organization’s compliance with its Privacy Code and applicable Privacy Laws. There are other individuals within Grainger Canada who are designated with the responsibility for day-to-day collection and management of customer and employee personal information.
Grainger Canada has established policies and procedures to implement and comply with its Privacy Code, including procedures relating to the collection, handling, storage and destruction of personal information (these policies are available on the Intranet). Grainger Canada’s employees have been provided the requisite training to protect personal information and to deal with complaints on privacy issues. All employees are encouraged to report to the Privacy Officer any violations of this Privacy Code.
Grainger Canada maintains a Data Inventory of structured personal information elements that are processed within Grainger Canada’s technical environments. This Data Inventory provides insight into the record of business purposes for which personal information is processed.
Grainger Canada identifies the business purposes for which it may process personal information. Records of these identified business purposes are maintained on an ongoing basis by integrating purpose identification and specification activities into core business processes (i.e. Privacy-By-Design). As set forth fully within NOTICE AND PERSONAL INFORMATION ACCESS REQUESTS below, Grainger Canada provides notice of the business purposes for which it processes personal information via its Privacy Policy available here.
Grainger Canada will perform Privacy Impact Assessments (“PIAs”) as appropriate to evaluate the potential privacy risks to individuals. Grainger Canada will exercise its judgment as to when PIAs may be performed in a manner that is commensurate with the level of privacy risk. Examples of when Grainger Canada will perform a PIA include:
- Grainger Canada collects a new type of sensitive personal information.
- Grainger Canada processes personal information it has already collected for a new purpose that may be sensitive from a privacy standpoint.
- Grainger Canada engages a new third-party to process personal information in a manner that may be sensitive from a privacy standpoint.
Collection
Grainger Canada limits its collection of the amount and type of personal information to the extent necessary to achieve its business purposes. Personal information is only collected by fair and lawful means.
Grainger Canada generally collects personal information directly from customers and employees. Grainger Canada also collects personal information from prospective customers, prospective employees, and dependents of current employees. However, Grainger Canada may at times collect personal information from other sources, including credit bureaus and other third parties who represent that they have the right to disclose the information.
Grainger Canada collects personal information reasonably related to the employment of its employees through a variety of means and from different sources, including personal information that employees provide to Grainger Canada (e.g., in the application process, in conversations, in correspondence, through office and computer equipment and software, application and other forms) or personal information generated by employees and/or Grainger Canada management throughout the employee’s employment (e.g., performance appraisals, skills records and records of projects on which an employee has worked).
Generally, Grainger Canada collects personal information for the following purposes:
- to establish and maintain responsible commercial relations with customers and to provide ongoing service and offers;
- to understand customer needs and create an effortless customer experience;
- to develop, enhance, market or provide products and services;
- to manage and develop Grainger Canada’s business and operations, including the management and administration of personnel and employment matters, and more specifically (but not limited to):
  - determining eligibility for initial employment, including the verification of references and qualifications, as permitted by applicable laws;
  - performing credit or security checks for security-sensitive positions;
  - performing drug testing on individuals in safety-sensitive positions, discipline cases or insurance matters;
  - managing the virtual/remote access workplace for off-site employees (working from home, business trips, etc.);
  - monitoring the productivity of customer interactions for quality assurance purposes;
  - administering pay, leave benefits and insurance benefits;
  - establishing training and/or development requirements;
  - assessing qualifications for a particular job or task;
  - investigating workplace accidents, injury claims, harassment claims, or customer complaints;
  - verifying employee absences for medical reasons;
  - meeting obligations to accommodate an employee under human rights legislation;
  - processing of work-related claims (e.g., worker compensation, insurance claims, etc.);
  - gathering evidence for disciplinary action, should it be necessary;
  - establishing a contact point in the case of an emergency (next of kin);
  - compiling directories;
  - complying with human rights statutes and/or other laws that may require employers to collect workplace statistics, prevent harassment or discrimination, and stop the dissemination of hateful or obscene materials;
  - ensuring the security of company-held trade secrets or other proprietary information;
  - ensuring a safe workplace for employees and others and upholding statutory health and safety record keeping and reporting requirements;
  - reducing risks of copyright infringement or defamation by employees through email and internet use;
  - preventing theft or vandalism;
  - obtaining and maintaining policies of insurance; and
- to meet legal and regulatory requirements including requirements or requests of government agencies or pursuant to a subpoena or other legal proceeding.
Grainger Canada may collect, use and disclose personal information about minors for the purposes of personnel and benefit administration. Such personal information shall only be collected from the parent(s) or guardians who are employees, or with their consent.
In the event that customer or employee personal information is required to be used or disclosed for a purpose that is not listed above and in respect of which the customer or employee has not previously granted his or her consent, the personal information will not be used or disclosed without first identifying the new purpose and obtaining the customer's or employee’s consent, unless an exception to consent applies.
Grainger Canada has identified the personal information it gathers via its website and that is typically required to provide individuals with our services, and how this information is used and disclosed within our Privacy Policy available here.
Please note that Grainger Canada shall only collect, use or disclose (and limit the authority of its service providers in a similar manner) identification numbers issued by government entities (such as SIN or similar identifiers) where required or permitted by the laws of the applicable jurisdiction.
Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where there is an exception to the consent requirement that allows for personal information to be collected, used, or disclosed without the knowledge and consent of the individual.
The consent may be express, implied, or given through an authorized representative. In determining the appropriate form of consent, the sensitivity of the information and reasonable expectations of the individual are taken into account. Implied consent is generally appropriate when the information is less sensitive. Any consent, including any implied consent, will apply to information already in the possession of Grainger Canada as of the date of the consent. As noted earlier, this does not apply to marketing or other communications subject to CASL, which defines specific requirements regarding the form and format of express and implied consent, as specifically identified in Grainger Canada’s CASL Policy.
When obtaining the consent of the individual, Grainger Canada makes reasonable efforts to inform its customers, employees, and other individuals how personal information will be collected, used, and disclosed.
Generally, consent to use and disclose personal information is sought at the same time as it is collected. Sometimes, however, Grainger Canada may identify a new purpose and seek consent to use and disclose the personal information after it has been collected.
An individual can withdraw consent to use personal information at any time, subject to any legal or contractual restrictions and reasonable notice. Grainger Canada will inform individuals of the implications, if any, of withdrawing consent and how to do so. The individual may contact Grainger Canada for more information regarding the implications of withdrawing consent. Inquiries regarding withdrawal of consent must be directed to the Privacy Officer.
Exceptions for collection, use and disclosure without consent:
- Personal information may be collected without the knowledge or consent of the individual if:
  - the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;
  - it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province; or
  - the information is publicly available and is specified by the regulations.
- Personal information may be used without the knowledge or consent of the individual if:
  - in the course of its activities, Grainger Canada becomes aware of information that it has reasonable grounds to believe could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, and the information is used for the purpose of investigating that contravention;
  - it is used for the purpose of acting in respect of an emergency that threatens the life, health, safety, or security of an individual;
  - it is used for statistical or scholarly study or research purposes that cannot be achieved without using the information, the information is used in a manner that will ensure its confidentiality, it is impracticable to obtain consent and Grainger Canada informs the Privacy Commissioner of the use before the information is used;
  - it is publicly available and is specified by the regulations; or
  - it was collected under paragraph (a)(i) or (ii) above.
- Personal information may be disclosed without the knowledge or consent of the individual if the disclosure is:
  - made to, in the Province of Quebec, an advocate or notary or, in any other province, a barrister or solicitor who is representing the organization;
  - for the purpose of collecting a debt owed by the individual to Grainger Canada;
  - required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;
  - made to a government institution or part of a government institution or an investigative body that has made a request for the information and identified its lawful authority to obtain the information;
  - made to a person who needs the information because of an emergency that threatens the life, health, safety, or security of an individual and, if the individual whom the information is about is alive, the organization informs that individual in writing without delay of the disclosure, to the extent reasonably practical;
  - of information that is publicly available and is specified by the regulations;
  - made by an investigative body and the disclosure is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province; or
  - required by law.
- As outlined above, Grainger Canada collects personal information about its employees (current, prospective, and former) consensually through the employment process. In most jurisdictions (except Quebec) employee personal information may be collected, used and disclosed without consent in order to establish, maintain or terminate an employment relationship, if notice of collection is given in advance. Consent and/or notice is obtained and provided through this Policy, employees’ execution of such items as Employment Agreements or benefits applications or background check processes; and implicitly, through the job interview process and other contexts in which employees provide personal information with knowledge as to how it will be used. Not all privacy laws apply to employee personal information such that employees may not, for example, have the right to request access to their employee personal information.
Employee Background Checks
Grainger Canada engages third parties to conduct background checks on its behalf, for all new hires upon acceptance of offer and for all existing employees to determine their eligibility for promotion or reassignment. In some cases, employees may have to pass background checks on a periodic basis throughout their tenure with Grainger Canada even where there is no promotion or reassignment. Employees must agree to execute the necessary consent forms (to be provided by Grainger Canada) which shall permit the third party engaged by Grainger Canada to complete the background and reference checks.
A comprehensive background check may include verifying the employee’s Social Insurance Number (SIN), work history, education, criminal record, professional references, as well as the employee’s right to work in Canada. Additional checks such as a driving record or credit report may be required for certain job categories if appropriate. All offers of employment are conditional and contingent upon the completion of a reference and background check satisfactory to Grainger Canada.
If Grainger Canada is not satisfied with the final results of the background check(s), to the extent permitted by applicable provincial laws, the offer of employment may be revoked. In the event the offer is revoked prior to the employee’s start date, including after the employee has accepted the offer, the terms contained in the offer with respect to termination of employment, including any probationary clause, will apply. Where the employee has already commenced employment, the employee’s employment may be terminated.
Right to Monitor or Review Employee Use of Grainger Canada Electronic Communications Systems, Equipment or Software
Grainger Canada provides electronic communications systems, equipment and software for the use of employees and contractors in conducting company business. Data, files, messages and other media created or stored on Grainger Canada’s electronic communications systems or equipment are considered the property of Grainger Canada.
Grainger Canada reserves the right to monitor or review, without advance notice, all employee use of Grainger Canada’s systems, equipment, mobile devices or software, including all emails sent or received and internet usage. This does not mean that employees will be monitored; it is intended to bring to employees’ attention the fact that such monitoring may occur. Therefore, when using Grainger Canada equipment or software, employees should not have any expectation of privacy with respect to their use of such equipment or software.
Passwords to Grainger Canada’s email systems and communications equipment are utilized to protect the employees’ systems from being viewed by other employees. However, passwords do not shield email, voicemail, or other systems (including mobile devices) from review by Grainger Canada. Please refer to Grainger Canada’s Mobile Device and Media Policy for more detail.
Incidental personal use of Grainger Canada’s email systems or equipment may be authorized by management, provided that it does not interfere with the employee’s professional duties, is of minimal duration and frequency, and does not use the company time and resources for personal gain.
Work areas, desks, file cabinets, break areas, lunchrooms, cafeterias, equipment and parking areas, and other areas provided for the employee’s convenience by Grainger Canada remain the sole property of Grainger Canada and may be subject to inspections or searches. In addition, items of personal property utilized at work or carried by an employee when entering or exiting Grainger Canada premises may be inspected or searched without prior notice if Grainger Canada has a reasonable belief that such property contains illegal or prohibited items, including but not limited to stolen merchandise, illegal substances, weapons, or other illegal items.
It is the responsibility of the employees to immediately report any misuse of company-provided email, asset, or other equipment to management, Human Resources, or Grainger Canada Information Security.
Video and GPS Monitoring Systems
Grainger Canada maintains various video monitoring systems in the public areas of its premises. These systems are used for building security. Grainger Canada will not use the information collected from these systems for any other purpose, other than personal or public safety concerns.
Video surveillance will only be used when it is necessary to meet specific needs, is likely to be effective in meeting those needs, the loss of privacy is proportional to the benefit gained and there is no less privacy invasive manner to achieve the same goal.
Use, Retention, and Disposal
The personal information Grainger Canada collects is used for the business purposes it has identified or for which it was collected on the basis of implied or express consent, as appropriate, unless the individual gives consent or as required by law. Grainger Canada uses personal information only for reasonable purposes, and to the extent necessary to achieve its business purposes.
Only employees or contractors with a business need-to-know, or whose duties so require, are granted access to personal information.
Grainger Canada will retain personal information only as long as necessary to fulfill the identified purposes or as may be required under applicable laws and regulations. Depending on the circumstances, personal information used to make a decision about a customer or employee is kept long enough to allow the customer or employee access to the information after the decision has been made, where rights of access exist. With respect to employee personal information, the period of retention may extend beyond the end of the employee’s employment with Grainger Canada.
Grainger Canada has established reasonable guidelines and procedures for information and records retention, and any personal information no longer needed for its identified purposes or for legal requirements will be destroyed, erased, made anonymous, or otherwise appropriately disposed of within a reasonable period of time; see Record Retention Policy.
Disclosure to Third-Parties
The personal information Grainger Canada collects is disclosed only for the business purposes it has identified or for which it was collected on the basis of express or implied consent, unless the individual gives consent or as required by law. Grainger Canada may disclose personal information without consent when it is required to do so by law, e.g. subpoenas, search warrants, other court and government orders, or demands from other parties who have a legal right to personal information, or to protect the security and integrity of its network or system or as otherwise permitted by Privacy Laws. In such circumstances, the interests of the individual are protected by ensuring that:
- orders or demands appear to comply with the laws under which they were issued; and
- Grainger Canada discloses only the personal information that is legally required, and nothing more.
The customer or employee may be notified that an order requiring disclosure has been received, if the law allows it.
Grainger Canada discloses personal information to third-parties to achieve its business purposes where it has implied or express consent to do so or where permitted/required by Privacy Laws. Disclosure of personal information to third-parties is limited to the minimum extent necessary to achieve Grainger Canada’s business purposes or to comply with a legally required disclosure request.
Where access to personal information processed by Grainger Canada may be granted to a third-party, Grainger Canada ensures that such access is limited on a need to know basis.
Grainger Canada is responsible for any personal information disclosed to third parties for processing on its behalf. Grainger Canada will conduct Privacy Impact Assessments where appropriate and generally uses contracts to provide an appropriate level of protection for personal information it may disclose, which may include provisions relating to confidentiality, data limitations, and data security. Examples of third-parties to which Grainger Canada may disclose personal information include:
- Sales agents
- Digital marketing companies
- Transportation companies
- Invoice printing and mailing suppliers
- Employee benefits and pension providers
- Product suppliers
- Collection agencies
Where third-parties are engaged, Grainger Canada will consider the appropriate means to review the third party’s privacy and security standards, assess risk, and consider appropriate controls.
Grainger Canada may disclose personal information regarding a Grainger Canada employee to its customers where required by applicable laws and regulations or for other legitimate purposes, including business and employment communications, facility and equipment management, video monitoring, accommodation management, travel or transportation management, health, safety and security management, social communications and expense and invoice payment processing.
Grainger Canada may disclose any personal information it processes to a third party who purchases all or substantially all of Grainger Canada’s assets where such information is relevant to the assets so sold or in connection with related mergers and acquisitions. Privacy Laws include specific provisions governing agreements and notices that are required in such circumstances, which will be strictly followed by Grainger Canada.
Grainger Canada is not prohibited from transferring personal information to service providers outside of Canada but may only do so when the following conditions apply:
- The country to which we transfer the information ensures an adequate level of protection for the individual’s personal information;
- The individual is provided with notice regarding that transfer and that their information may be subject to access by law enforcement or other authorities in the foreign jurisdiction (which notice may be provided in the Grainger Canada Privacy Policy); and
- The Privacy Officer concludes that the transfer meets the above conditions and approves it in writing.
Transfer of data includes transfer by mail, e-mail, ability to access data online or cross-border transport of laptops on which data is stored.
Accuracy
Personal information collected by Grainger Canada will be kept as accurate, complete and as current as necessary for the identified purposes. Grainger Canada will rely exclusively on the representation provided by individuals in determining the completeness, accuracy, and timeliness of the personal information and will have no obligation to seek independent verification of any personal information supplied by the individual.
Security Safeguards
Grainger Canada will protect personal information with safeguards appropriate to the sensitivity of the information. Grainger Canada has implemented safeguards to protect personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction. Grainger Canada’s security safeguards are outlined in various security policies available on the Grainger Intranet.
Grainger Canada’s employees and contractors are made aware of the need to maintain these security safeguards regarding personal information via training and awareness activities.
In the event of a security incident, Grainger Canada follows the appropriate Incident Response Plan. In Canada, if a security incident results in a breach affecting personal information, notification obligations depend on whether the personal data breach is likely to result in a real risk of significant harm (“RROSH”) to affected individuals (i.e. result in bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property).
Notifying the Office of the Privacy Commissioner of Canada (“OPC”) and Information and Privacy Commissioner of Alberta: If it is not reasonable to expect the personal data breach to result in a RROSH to individuals, then a notification to the OPC is not required. However, if a RROSH is reasonably expected to result, Grainger Canada must notify the OPC as soon as feasible even if not all information is known or confirmed. Information can be added or corrected when available.
Specific guidance on what to include in a breach report and how to file reports (including proper PIPEDA breach report form) is available on the OPC website.
Alberta has its own, separate, mandatory notification requirement that applies where “a reasonable person would consider that there exists a real risk of significant harm” to an Alberta resident. Notification instructions and a notification form are available on the website of the Office of the Information and Privacy Commissioner of Alberta.
Notifying Individuals: Notification must be given to individuals as soon as possible after it is determined it is reasonable to believe that the breach of security safeguards involves a RROSH to the individual. The notification must be conspicuous and must be given directly to the individual, except in the following circumstances where indirect notification is permitted:
- Direct notification would be likely to cause further harm to the affected individual;
- Direct notification would be likely to cause undue hardship for Grainger Canada; or
- Grainger Canada does not have contact information for the affected individual.
Indirect notification must be given by public communication or similar measures (i.e., advertisements in online or offline newspapers, prominent website notices) that could reasonably be expected to reach the affected individuals.
The notification must include enough information to allow the individual to understand the significance of the breach and to take any possible steps to mitigate the harm from the breach. The notification must include the following information:
- A description of the circumstances of the breach;
- The day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
- A description of the personal information that is the subject of the breach to the extent that the information is known;
- A description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
- A description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
- Contact information that the affected individual can use to obtain further information about the breach.
Specific requirements for notification of Alberta residents apply under the Alberta mandatory breach reporting regime.
Notifying Organizations: If Grainger Canada notifies an individual of a breach of security safeguards involving a RROSH, Grainger Canada must also notify any government institutions or organizations that Grainger Canada believes can reduce the risk of harm that could result from the breach or mitigate the harm. In determining whether any organizations or government institutions need to be notified, Grainger Canada will consider their legislative obligations and contractual obligations (such as insurers, auditors, professional or other regulatory bodies, financial institutions, third party contracts or service providers, and business partners). If the activity is criminal in nature, law enforcement will be notified.
Record-Keeping Requirements: Grainger Canada retains records of all breaches of security safeguards of personal information under our control whether the breach involved a RROSH or not. These records will contain sufficient details for the OPC to verify compliance with breach of security safeguards reporting and notification requirements in sections 10.1(1) and (3) of PIPEDA, including requirements to assess RROSH. At a minimum, Grainger Canada maintains breach records which include:
- Date or estimated date of the breach;
- General description of the circumstances of the breach;
- Nature of information involved in the breach;
- Whether or not the breach was reported to the OPC/individuals were notified; and
- If the breach was not reported to the OPC/individuals, a brief explanation of why the breach was determined not to pose a RROSH.
Records must be maintained for a minimum of two (2) years, regardless of whether notification is required.
Notice and Personal Information Access Requests
Grainger Canada provides notice regarding how it collects, uses, discloses, and retains personal information. This notice is generally made available to the public via the Privacy Policy on Grainger Canada’s website.
Grainger Canada’s customers are provided with a link to the Privacy Policy on Grainger Canada’s website upon registration. When material changes to the Privacy Policy are made, Grainger Canada provides its customers with an email notification to this effect.
As appropriate, and where required by law, Grainger Canada will respond to requests by individuals to access the personal information Grainger Canada processes about them (“Data Subject Requests”). Some but not all jurisdictions allow employees to make requests for employee personal information held by their employer. Grainger Canada will also amend inaccuracies and delete personal information that is no longer needed in light of Grainger Canada’s business purposes and applicable retention requirements. Grainger Canada will maintain records regarding disputes over amending personal information, and details of disputed data will be provided to third parties, as appropriate.
In certain situations, Grainger Canada may not be able to comply with Data Subject Requests. In such cases, Grainger Canada will explain the reasons for denying access in writing to the extent possible and provide the recourse available to the requestor. Examples of where Grainger Canada may not be able to comply with Data Subject Requests include:
- The individual does not have a right to request access under Privacy Laws.
- The individual does not provide Grainger Canada with information necessary to verify the identity of the individual.
- The personal information is unreasonably costly to provide.
- The personal information contains references to other individuals.
- The personal information cannot be disclosed for legal, security or commercial proprietary reasons.
- The personal information is subject to solicitor-client or litigation privilege.
- The personal information would reveal confidential commercial information.
- The personal information could reasonably be expected to threaten the life or security of another individual.
- The personal information was generated in the course of a formal dispute resolution process.
- The personal information would likely reveal a third-party’s personal information, unless (i) the information about the third-party can be redacted; (ii) the third-party consents to the access; or (iii) the requestor needs the personal information because an individual’s life, health, or security is threatened.
Grainger Canada will make reasonable efforts to respond to a Data Subject Request no later than 30 days after receipt of the written request and at minimal or no cost. Grainger Canada may reasonably extend this time limit but will inform the requestor of any extensions and their right to complain to the Privacy Commissioner.
If a right to request access exists under Privacy Laws, customers and employees can submit a Data Subject Request via the portal available within the Privacy Policy posted on the Grainger Canada Website.
Monitoring and Complaints
Grainger Canada employees will, as appropriate, report improper processing of or unauthorized access to personal information.
As appropriate, individuals may challenge Grainger Canada’s compliance with its Privacy Code. Grainger Canada ensures that appropriate personnel will be notified of, investigate and respond to complaints and questions regarding privacy issues.
All privacy complaints and questions will be responded to in a timely manner under the circumstances. All complaints will be investigated and appropriate measures taken to correct deficient policies and practices. Individuals have the right to contact the federal Privacy Commissioner in the event of any dispute and/or Provincial Commissioner in Alberta, British Columbia or Quebec, as applicable.
Any complaints or concerns regarding personal information and this Privacy Code may be addressed, in writing, to Grainger Canada’s Privacy Officer at the following address:
Privacy Officer
Grainger Canada
123 Commerce Valley Drive East, Suite 700
Thornhill, Ontario L3T 7W8
Tel.: 1 (847) 535-9016
Email: privacyofficer@grainger.ca
If the Privacy Officer is unable to resolve the issue, a written complaint may be filed with the federal Privacy Commissioner at the following address:
Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Québec K1A 1H3
Tel: 1-800-282 1376
or online at:
https://www.priv.gc.ca/en/report-a-concern/file-a-formal-privacy-complaint/file-a-complaint-about-a-business/
Contact information for the Provincial Commissioner is available at:
Commission d’accès à l’information: https://www.cai.gouv.qc.ca/english/
Alberta Office of the Information and Privacy Commissioner: https://www.oipc.ab.ca/
British Columbia Office of the Information and Privacy Commissioner: https://www.oipc.bc.ca
Related Policies
This Privacy Code is supported by additional, specific policies. Grainger Canada’s external facing Privacy Policy is available on our website.
Other relevant policies include Grainger Canada’s security policies (e.g. Information Security and Protection Policy, Corporate Privacy Incident Response Plan, and Corporate Cyber Security Incident Response Policy) and Record Retention Policy. These policies are accessible on the Grainger Intranet.
© 2020 Acklands-Grainger Inc. All rights reserved.