Issue date
January 2022
Supplier Privacy Policy
Who does this policy apply to?
The Supplier Privacy Policy (the “Policy”) applies to Suppliers, service providers, vendors or manufacturers who manufacture, package and/or supply (i) goods and services for resale (GFR); (ii) goods and services not for resale (GNFR); and (iii) agents, brokers and other third-parties (collectively, “Suppliers”) who conduct business with Loblaws Inc., its affiliates, subsidiaries, and operating divisions and/or customers (collectively, “Loblaw” or the “Company”).
1.0 What is this Policy about?
This Policy sets out minimum standards applicable to Suppliers that supply products and provide services to Loblaw. The Policy must be followed by all such Suppliers when collecting, using, disclosing, accessing, destroying or otherwise processing Personal Information, and with respect to any Loblaw information such Suppliers may receive in the course of our business dealings.
2.0 How We Define Personal Information
Personal Information is any information that identifies or could reasonably be associated with a Loblaw customer or colleague. Personal Information may also include:
Personal transactional information such as account transactions,
Personal financial information such as account balances, account numbers, payment history, and
Personal health information which includes any information that identifies or can identify a customer or colleague and relates to the state of their physical or mental health. Personal health information includes diagnostic, treatment, and care information.
In this policy, “Personal Information” refers collectively to “personal information”, “personal health information”, “personal transactional information”, and “personal financial information”.
3.0 Why your conduct matters
The protection of Personal Information is of the utmost importance and compliance with privacy laws and meeting our regulatory obligations is a priority for Loblaw. This Policy and your adherence to it is an important component of risk mitigation.
The Policy sets out our expectations of how Suppliers, their employees and subcontractors must treat Personal Information provided to or received from Loblaw, its customers, colleagues or its other suppliers. All Suppliers and their personnel who engage with Loblaw are expected to adhere to the Policy as provided to you, and as may be amended from time to time.
By entering into any standard terms and conditions or other contractual agreements with Loblaw (the “Governing Terms”), you are accepting the terms of the Policy, as may be amended from time to time, and are affirming ongoing compliance with its terms. The Policy is not to be read in lieu of but in addition to your obligations as set out in the Governing Terms.
Violations of applicable privacy laws can create legal, regulatory and reputational risks for both Loblaw and our Suppliers. As a result, your adherence to this Policy protects you as well as Loblaw from serious consequences of non-compliance. Adherence to this policy will also ensure that Loblaw’s customer and colleague Personal Information is adequately protected to mitigate against potential privacy breaches and associated risk of harm.
4.0 Your responsibility
Suppliers who transact with Loblaw are responsible for ensuring all their employees and subcontractors who have or may have access to Personal Information and/or other Loblaw information are aware of and comply with this Policy. This includes, but is not limited to, the following obligations:
Advising all Supplier employees, on an ongoing basis, of their responsibilities, and ensuring they understand and acknowledge the terms of this Policy;
Sharing this Policy with contractors, agents, sub-contractors and sub-agents who are engaged to assist with the provision and performance of the products or services for Loblaw, so they can also uphold the terms in this Policy;
Seeking clarification on the meaning of any of the terms contained in the Policy, as required, by reaching out to your primary Loblaw contact or via loblawprivacy@loblaw.ca or privacy@pcfinancial.ca (if your relationship is with PC Financial).
5.0 Supplier Privacy Principles
Loblaw is committed to upholding the ten fair information principles reflected in Canadian privacy laws. In particular, with respect to its Suppliers, Loblaw limits the collection, use, disclosure and retention of Personal Information, and is committed to the following privacy principles (the “Principles”):
5.1 Accountability
Suppliers are expected to have a privacy program in place to ensure the protection of any Personal Information provided by Loblaw in a manner consistent with this Policy and the Governing Terms. Loblaw may verify at its discretion the adequacy of the Supplier’s privacy program and compliance of the Supplier with its privacy program through a right to audit mechanism. The Supplier shall identify to Loblaw the individual accountable for privacy matters with whom Loblaw may engage should there be matters to be addressed.
5.2 Identified Purpose
Suppliers shall only collect Personal Information from Loblaw for the purposes set out in the Governing Terms.
5.3 Consent
Any Supplier providing Loblaw with Personal Information or aggregate information must ensure that they are able to provide Loblaw with the appropriate consents to use and disclose the information for the purposes set out in the Governing Terms.
In no circumstances will Suppliers be permitted to process Loblaw Personal Information for their own purposes without the express consent of the individual(s) and Loblaw.
5.4 Limited Collection
Suppliers shall only collect the information necessary from Loblaw or third parties to fulfill the terms of the engagement and as stipulated in the Governing Terms. An over-collection of information under the guise of a Loblaw engagement will not be tolerated.
Any acquisition or ingestion of any third-party data related to a Supplier contract will be governed and managed by Loblaw.
5.5 Limited Use, Disclosure and Retention
Suppliers shall only use, disclose and/or retain Personal Information for the specific purpose of the engagement with Loblaw as stipulated in the Governing Terms. No secondary use or disclosure will be permitted unless specifically provided for in the Governing Terms.
Where Loblaw engages with a Supplier on a project that will involve matching or aggregation to enhance Personal Information, such matching and aggregation will be done internally by Loblaw, and not by Suppliers or other third parties, in order to maximize the privacy and security of this data.
Data containing Personal Information shall be stored and managed by Loblaw. Suppliers may access this data when required through an application programming interface (API) or equivalent communication technology as agreed by both parties, to be developed as part of the engagement.
Any and all healthcare data (regardless of whether such data constitutes Personal Information) to which a Supplier will have access can only be used or otherwise processed as directed or permitted by Loblaw as set out in the Governing Terms.
Suppliers shall delete and destroy all Personal Information received from, or developed or acquired for Loblaw when the engagement is complete, unless otherwise required by law or regulation. Destruction of all information includes physical and digital files and back-up files, in addition to those that may be held by cloud providers and subcontractors.
5.6 Accuracy
Suppliers must ensure any Personal Information provided to Loblaw is accurate as of the date of transfer. Processing of inaccurate Personal Information may have unintended, negative consequences and poses a risk to Loblaw and its customers and colleagues.
Where a Supplier is made aware of inaccurate information, insights or analytics provided to Loblaw, it is obligated to notify Loblaw immediately and provide the accurate data set.
5.7 Safeguards
Suppliers must ensure that they and any of their subcontractors have the required privacy and security controls to protect Personal Information in a manner consistent with the Governing Terms and as determined by regulatory obligations stated in legislation and/or by the appropriate federal and provincial privacy regulators.
5.8 Openness
All Suppliers must be open to undertaking the appropriate risk assessments and audits, and to providing associated documentation relating to the privacy and/or security program a Supplier maintains, at the request of Loblaw. Suppliers must be forthcoming with all documentation relevant to their privacy and security risk posture, including (without limitation) certifications, audits, negative media attention, and previous and ongoing legal or regulatory investigations.
5.9 Access
As a rule, Loblaw manages and stores all Personal Information internally, and will only permit Suppliers to access, use, store or otherwise process Personal Information where there is no feasible option for Loblaw to manage the information required to provide the service, where there is a regulatory obligation or as set out in the Governing Terms.
Should a Supplier provide a service on behalf of Loblaw that requires the processing of Personal Information, the Supplier must enable Loblaw to readily access this Personal Information as set out in the Governing Terms to meet its regulatory and legal obligations. Any hindrance or prevention of Loblaw being able to meet its regulatory obligations will not be tolerated.
6.0 The bottom line
Failure to comply with this Policy may adversely impact a Supplier’s continuing business with Loblaw, up to and including discontinuation of the Supplier relationship. Where Suppliers fail to adhere to the Policy, issues will be reported to the Loblaw Privacy Office.
7.0 Deviations
Any proposed deviations from these Principles will be reviewed internally and require approval by Legal and Privacy.
8.0 Questions
If you have any questions, need clarity or have feedback with respect to this Policy, please reach out to your primary Loblaw contact or the applicable privacy office.
For all other privacy related questions:
Loblaw Privacy Office:
Phone: 1-855-416-1244
Email: loblawprivacy@loblaw.ca
Address: Loblaw Privacy Office, 1 President’s Choice Circle, Brampton, ON L6Y 5S5
PC Financial Privacy Office:
Phone: 1-866-639-0012
Email: privacy@pcfinancial.ca
Address: President’s Choice Financial, 600-500 Lakeshore Blvd. West, P.O Box 600 Toronto, ON M5V 2V9