Compliance
Last updated: 9 May 2026
This Registry is operated by the AtoM Foundation, custodian of the platform.
This Registry is hosted in Canada and operates under the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Law 25, and where applicable the EU/UK General Data Protection Regulation (GDPR). Visitors from other jurisdictions can find equivalent rights summarised on the international compliance page.
1. Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA governs how Canadian organisations collect, use, and disclose personal information in the course of commercial activity. As a Canadian-hosted Registry we comply with the ten Fair Information Principles in Schedule 1 of the Act.
- Accountability. A designated privacy officer is responsible for our compliance. Contact details are on the Privacy Policy.
- Identifying purposes. We collect personal information only for the purposes set out at the point of collection (account creation, listing submission, newsletter opt-in).
- Consent. Account creation is opt-in. Newsletter is double opt-in. Cookies: a single session cookie is used to keep you signed in; the cookie banner on first visit is your acknowledgement.
- Limiting collection, use, disclosure, and retention. We collect the minimum required to operate the directory. Account data is kept while the account is active and deleted on request. Database backups age out after 30 days. Reset tokens expire after 1 hour and are pruned within 7 days.
- Accuracy. You can correct your profile at any time via My Preferences. Listing data can be corrected by the institution / vendor that owns the entry.
- Safeguards. TLS in transit, bcrypt for passwords, rate-limited authentication, brute-force lockout, optional two-factor authentication, content security policy, daily backups, malware scanning on uploads.
- Openness. Our practices are documented on this page and on the Privacy Policy.
- Individual access. You can download a JSON archive of your data at any time at /registry/my-account/export.
- Challenging compliance. Concerns can be raised by emailing the privacy officer. Unresolved concerns can be escalated to the Office of the Privacy Commissioner of Canada.
2. Quebec Law 25 (An Act to modernize legislative provisions as regards the protection of personal information)
If you are a resident of Quebec, you have additional rights:
- Right of access to personal information held about you, with response within 30 days.
- Right of rectification of inaccurate, incomplete, or equivocal information.
- Right of de-indexing - we will, on request, cease the dissemination of personal information when one of the conditions in section 28.1 of the Act is met.
- Right to data portability - you can receive your computerised personal information in a structured, commonly used technological format. Use the JSON export at /registry/my-account/export.
- Right to be informed of automated decisions - we do not currently use automated decision-making in the Registry. If we ever introduce it, we will inform affected users.
- Right to refuse processing for non-essential purposes - declining the newsletter or cookie banner does not affect your ability to use the Registry.
Quebec users may also file a complaint with the Commission d'accès à l'information du Québec.
3. GDPR / UK GDPR (visitors from EU and UK)
European and UK users browsing this Registry have rights under GDPR / UK GDPR including access, rectification, erasure, portability, restriction, and objection. The lawful basis for processing public catalogue entries is legitimate interest (running a global GLAM directory); for account holders the basis is contract performance.
We do not transfer personal data to processors outside Canada except as follows. Transactional email is delivered through the SMTP provider configured by the operator, which necessarily receives your email address and the content of each message (password resets, notifications). Static UI assets (fonts and scripts) are loaded from third-party CDNs (jsDelivr, cdnjs, Google Fonts). No account or listing data is sent to those CDNs, but your browser does disclose its IP address, user agent and the referring page URL to them each time it fetches an asset, as it does for any third-party resource.
4. Record of Processing Activities (ROPA)
A summary of our processing activities (categories of personal data, retention periods, processors) is available on request. The full ROPA is maintained internally as required by GDPR Article 30 and PIPEDA Principle 4.1.4 and is not published in full here for security reasons.
5. Subprocessors
- Hosting: your hosting provider (Canadian data centre)
- Email delivery: the SMTP provider configured at /registry/admin/email
- CDN / fonts: jsdelivr.net, cdnjs.cloudflare.com, fonts.googleapis.com (static assets only; no account or listing data is sent, though the browser's IP address, user agent and referrer reach these hosts on each asset fetch)
6. Breach notification
In the event of a confirmed breach of security safeguards involving personal information, we will notify the Office of the Privacy Commissioner of Canada and affected individuals as required by PIPEDA s. 10.1 and Quebec Law 25 s. 3.5, where the breach poses a real risk of significant harm.
7. Contact
Privacy access requests, corrections, deletions, complaints: johan@theahg.co.za with subject line "Privacy Request". We respond within 30 days.
This page is a starting point and does not constitute legal advice. Have it reviewed by counsel familiar with your jurisdiction before relying on it for production use.