{"id":1332,"slug":"control-accountability-third-party-processor","title":"PIPEDA control = accountability: the principal organisation controlling the data stays accountable even when a third-party processor holds it; contracts must address this","kind":"reference","scope":"business","status":"current","audiences":["kevin","smb-owner","candid-team"],"topics":["regulatory-compliance","privacy-pipeda","build-vs-buy-software"],"reference_body":"**Claim:** Under PIPEDA, the **principal organisation that controls the data remains accountable** even when a third-party processor (e.g., a SaaS host) holds it; contracts must address this.\n\n**Source:** priv.gc.ca; Thomson Reuters Practical Law\n\n**Confidence:** Verified.\n\n**Why this matters for Candid:** This is the cost most often left out of the bought-portal pitch. Buying a portal does **not** transfer PIPEDA accountability to the vendor — it only transfers the *operational* security work. The SMB still owns: consent language, breach response, the 24-month breach record, and processor contracts.\n\nPair with [[rule-treat-data-custody-as-line-item]].","rationale_body":null,"metadata":null,"links":{"outgoing":[{"slug":"pipeda-core-duties-consent-safeguarding-access","title":"PIPEDA core duties: meaningful consent, safeguards appropriate to sensitivity, data minimization, accountability (designated privacy officer), access/correction rights","kind":"reference","scope":"business","link_type":"depends-on"}],"incoming":[{"slug":"research-brief-client-portals-smb-june-2026","title":"Research brief: client portals for SMBs — the honest case (June 2026)","kind":"reference","scope":"business","link_type":"relates-to"},{"slug":"rule-treat-data-custody-as-line-item","title":"R4 — Treat data custody as a project line item, not a footnote: PIPEDA consent + MFA + encryption + breach response plan + 24-month breach records all live in scope before launch","kind":"rule","scope":"business","link_type":"depends-on"}]},"created_at":"2026-06-20T17:57:32.195Z","updated_at":"2026-06-20T17:57:32.195Z"}