As a global IT and business consulting services organization, CGI is committed to maintaining levels of protection of Personal Data aligned to best practices in the industry which, as a minimum, comply with the requirements of the Applicable Data Protection Legislation and CGI’s contractual obligations.

As part of this commitment, CGI requires its Members and any third party engaged by CGI or providing goods and/or services to CGI (including third party suppliers, subcontractors and freelancers) to take appropriate measures to safeguard Personal Data in the execution of their functions.

Being transparent about the Personal Data we Process, CGI has issued this Data Privacy Policy (“Policy”) to inform you about its commitments to protect your Personal Data, CGI privacy practices and your rights as Data Subjects with respect to the Processing of your Personal Data, aligned with Applicable Data Protection Legislation and CGI’s contractual obligations.

CGI is committed to Process Personal Data to the same level of protection regardless of whether it Processes Personal Data for its own needs (Employee data, etc.) or for the needs of its Clients, allowing the free flow of Personal Data between the CGI Legal Entities.

 Download privacy policy

CGI Data Privacy Policy - Public version

1 – Definitions

For the purposes of this Policy, the following definitions apply:

Applicable Data Protection Legislation” refers to (i) the European Data Protection Regulation 2016/679 relating to the Processing of Personal Data and (ii) any implementing laws of the EU Data Protection Regulation and (iii) any applicable local laws relating to the Processing of Personal Data.

CGI Legal Entities” refers to all legal entities controlled directly or indirectly by CGI Inc. that handle Personal Data, excluding any legal entities that are within the operational scope of CGI Federal.

Data Controller” refers to any entity (i.e. natural or legal person, public authority, agency or other body) that, alone or jointly with other Data Controllers, determines the purposes and means of the Processing of Personal Data.

Data Processor” refers to any entity (i.e. natural or legal person, public authority, agency or other body) acting on behalf of and under instructions from a Data Controller or another Data Processor to Process Personal Data.

Data Subject” refers to an identified or identifiable natural person whose Personal Data is Processed, which could include e.g. a CGI member or an external consultant in a CGI internal context, or the employees or end users of a client in a business context.

EEA” refers to European Economic Area, which consists of the European Union (EU) member countries, as well as Iceland, Liechtenstein and Norway, hereinafter also referred to as “Member States”.

Employee” - for the purpose of this Policy only, this means an employee, staff member, worker, individual consultant, agent, officer or director, and “employment” shall be construed accordingly. CGI employees are referred to as “Member” or “Members”.

Local Legislation” means local regulations, statutes, court orders or mandatory standards.

Personal Data” refers to any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to identifiers such as the natural person’s name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data includes Sensitive Personal Data.

Process”, “Processing” or “Processed” refers to any operation or set of operations performed on Personal Data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting (including remote access), using, disclosing by transmitting, disseminating or otherwise making available, aligning or combining, restricting, erasing, or destroying.

Sensitive Personal Data” refers to specific categories of Personal Data that reveal racial or ethnic origin, political opinion, religious or philosophical beliefs, or trade union membership, as well as the Processing of genetic or biometric data for the purpose of uniquely identifying a natural person, health data, and data concerning a natural person’s sex life or sexual orientation.

2 – Scope

This Policy sets out the general standard that CGI has implemented when Processing Personal Data. This Policy applies when CGI acts as a Data Controller or as a Data Processor. It applies to the Processing of all Personal Data, irrespective of the nature or category of the Personal Data, regardless of the media on which that data is stored.

Further details for specific Processing activities are made available in the relevant privacy information notices.

3 – Categories of Data Subjects

As part of its operations, CGI shall collect and Process Personal Data relating to:

  • Employment candidates,
  • Employees and former Employees,  
  • Public and private clients and prospects,
  • Public and private clients and prospects customers,
  • Shareholders,
  • Service providers, professional advisors, suppliers, contractors and subcontractors,
  • Any other third parties.
4 – Which Personal Data do we use about you?

Subject to Applicable Data Protection Legislation, some or all of the following Personal Data categories may be Processed by CGI and any third party engaged by CGI or providing goods and/or services to CGI:

  • identity and contact information (e.g. first name, last name, title, username or similar identifier)
  • professional life / business information (e.g. email address, employer, department, job title, telephone numbers, billing or delivery address),
  • personal information (e.g. date of birth, personal contact details, biographies, memberships, declared conflicts of interests, health data, diversity information),
  • economic and financial data,
  • data related to location, logging, traffic and tracking and demographic data.

4.1 Personal Data of our Members or former employees

When Processing Personal Data relating to our Members or former employees, acting as Data Controller, we will comply with Applicable Data Protection Laws (including where necessary any requirement to obtain consent from a Data Subject or the competent employee representative body – e.g. Works Council). In addition to this Policy, CGI's standard employment contracts, the CGI Member Privacy Information Notice, applicable policies and Member communications may specify the precise and detailed purposes for which CGI may, from time to time, collect and Process Personal Data.

The main purposes for Processing Personal Data (including Sensitive Personal Data) relating to Members may include the following:

Payroll, Pension, Finance and Shares - CGI may share relevant Personal Data with pensions and share scheme administrators, scheme providers, insurance companies, tax authorities and other similar service providers in relation to employment obligations and Member benefits. CGI will also Process Personal Data for the purpose of identifying and paying Members.

Commercial Administration and Management - CGI may use Personal Data for managing its commercial activities such as paying invoices, communicating with its business partners and potential business partners, arranging meetings, business travel, visa applications, asset management, and complying with and managing business partner contractual obligations (including Member placement/assignment with clients).

Employee Administration and Management - CGI may process Personal Data (including where appropriate, and subject to this Policy and the Applicable Data Protection Legislation, Sensitive Personal Data) about Members and (where relevant) their dependents and next of kin, for purposes related to their employment with CGI. This may include recruitment, general management, performance management, career development, health and safety compliance, provision of health insurance, life insurance, sickness monitoring/compliance, diversity monitoring, disciplinary procedures, security checks (if and where required), background screening, visa applications and other immigration requirements, communications to and from Members, Member contact directories, sensitive/secure area access controls, IT system administration and management, payment of taxes, expense processing and Member benefits. From time to time, and subject to local requirements, CGI may offer its Members a range of benefits and discounts that it has negotiated with other companies and may supply relevant Personal Data to carefully screened third-party organizations to offer and provide such benefits.

Enterprise Security and Quality Control - CGI provides its Members with digital equipment (computers, laptops, mobile devices, tablets) enabling access to the Internet, e-mail and social media, CGI Intranet and various software applications and tools. Besides this digital equipment, CGI may also provide cars and physical workspaces (all being company property). CGI trusts that each Member acts responsibly and lawfully when using company property and strictly abides by all applicable codes of conduct that are issued in that respect like, but not limited to, the Code of Ethics and Business Conduct, Security and Acceptable Use Policy and the policy governing the use of third- party software. For security reasons only, CGI may monitor its premises with cameras. CGI may have good and legally justifiable reasons to monitor the use of digital equipment/devices and digital traffic through the equipment and devices used by Members taking into consideration the necessity for monitoring and the Member’s privacy. Incidental investigations will only be conducted for substantial reasons in targeted situations and CGI Global Security will always be involved in such investigations, taking into account the security incident investigation and reporting processes. CGI organization-wide monitoring and recording of Internet usage history and e-mail correspondence will only be implemented following a collective consultation process with the Works Council.

Corporate Finance, Mergers and Acquisitions – From time to time, CGI buys, sells and/or transfers group companies, business assets, financial instruments/arrangements, and contracts. In relation to such opportunities, operations and arrangements, CGI may share relevant Personal Data with potential buyers, sellers, professional advisors and regulatory authorities (incl. make regulatory filings with relevant governmental authorities), subject to obligations of confidentiality and local legal restrictions.

Regulatory, Professional and Membership Requirements – CGI may process Personal Data about Members, and transfer Personal Data to relevant regulatory bodies, governmental authorities and professional/trade/industry organizations in relation to membership applications and renewals, regulatory requirements (including security, regulatory/legal reporting requirements), professional standards, etc.

Health, Safety, Law and Insurance – CGI may Process and transfer Personal Data to appropriate third parties (including CGI facilities’ managers, event organizers, insurers, advisors and business partners) to comply with health, safety, legal, insurance, travel and emergency requirements.

Compliance with local legal requirements and agreed practices – CGI may process and transfer Personal Data to other entities within the CGI Group and/or appropriate third parties, as and when local laws require or permit it or where local practices have been agreed upon with Members, employee representatives, data protection officers, and/or data protection authorities/regulators.

4.2 Personal Data of our clients

When Processing Personal Data of our clients, we will act as a Data Processor, following duly documented instructions of the relevant clients for the following purposes:

Management of governance, delivery and closing for client projects and services including recruitment operations, training, suppliers and subcontractor management, billing, invoicing, reporting and audit activities;

Management of client projects and services cross-industries such as banking, utilities, manufacturing, insurance, government, retail, consumer and services, health and life sciences, transportation and logistics, oil and gas or communications and media, including Personal Data entry, correction and consolidation, storage, record-keeping and back-up, data management and analysis, individual enquiry management, application and infrastructure management, development and testing, correspondence, delegated/consolidated/outsourced IT system administration, hosting and management including access control and audit, asset management, expense Processing, marketing and research analysis.

4.3 Personal Data relating to other Data Subjects

CGI may also Process Personal Data relating to other Data Subjects (e.g. enquirers, website visitors, marketing/business contacts, prospective candidates, CGI offices’ visitors, etc.) for the purposes described below:

  • Planning and administration,
  • Human Resources, recruitment (including background screening where applicable)
  • Finance,
  • IT/Security
  • Communication/Marketing,
  • Business engineering and operations
  • Legal

CGI will usually act as a Data Controller in relation to such Processing operations and any third party engaged by CGI or providing goods and/or services to CGI will act as Processor.

5 – Why do we use your Personal Data?

CGI will Process Personal Data only when strictly necessary and apply further principles on the basis of whether CGI acts as a Data Controller or as a Data Processor.

5.1 Principles when CGI acts as a Data Controller

Transparency, fairness and lawfulness: CGI will Process Personal Data lawfully, fairly and in a transparent manner in relation to the Data Subject, in accordance with the requirements of this Policy through the use of data privacy notices clearly setting out information necessary for compliance with the Applicable Data Protection Legislation.

Defining a purpose: any Processing of Personal Data by CGI, particularly the collection thereof, will be preceded by the identification of the specific purpose for such Processing. Such purpose must be explicit and legitimate. Personal Data cannot be further Processed in a manner that is incompatible with such purpose.

Data minimization: once the purpose for Processing Personal Data has been established, CGI will only collect Personal Data to the extent required for accomplishing such purpose. Each instance of Data Processing detail is to be reviewed as part of the early solution design phases and included in the Data Privacy and Security review and approval process or otherwise in order to ensure that the Personal Data is adequate, relevant and limited to what is necessary in relation to the purpose for which it is Processed.

Quality of Personal Data: throughout the life cycle of any Personal Data Processing, CGI will ensure that the collected Personal Data remains accurate and up to date. Every reasonable step will be taken to ensure that Personal Data that is inaccurate is erased or rectified without delay including but not limited to self-service options for Data Subjects. In particular, CGI will provide adequate means for Data Subjects to inform CGI in case of any change in their Personal Data.

Data retention limitation: CGI will ensure that it does not keep your Personal Data for a longer period than strictly necessary to achieve the purpose for which your Personal Data is collected. Consequently, CGI will determine before the performance of the Processing an appropriate retention period. In doing so, CGI will consider the time during which the Personal Data is necessary to achieve the purpose of the Processing while taking into account the following factors:

  • Period after which maintenance of such Personal Data may have an impact on Data Subjects’ rights to be forgotten; and
  • Any legal obligations imposing a minimum data retention period, as may be defined in the CGI Records Retention Policy and Records Retention Schedule or otherwise.

Defining a legal basis: in addition to the above principles, any Processing may be performed only where it falls under one of the circumstances identified below:

  • It is necessary to comply with a legal obligation applicable to CGI (e.g., report data to tax authorities); or
  • It is necessary for the execution of a contract (e.g. services agreement with a client); or
  • It is necessary for the legitimate interest of CGI, being understood that this legitimate interest of CGI must be assessed against the interests of the Data Subjects:
    • The Processing is necessary to achieve the interest pursued by CGI without adversely impacting the Data Subject’s interest and/or privacy;
    • CGI’s interest is not overridden by the fundamental rights or interests of the Data Subjects; and
    • CGI’s interest shall be determined in light of CGI’s core business but shall comply with any Applicable Data Protection Legislation in a transparent manner;
  • It is necessary to the vital interest of the Data Subject, or
  • It is necessary for the performance of a task carried out in the public interest.

If none of the above legal basis apply, CGI will seek and retain the Data Subjects’ prior consent before Processing its Personal Data, being understood that Data Subject’s consent is valid when (i) it is freely given by a clear affirmative act; and (ii) it represents a specific, informed and unambiguous indication of the Data Subject's agreement to the Processing of his/her Personal Data.

Technical and Organizational Measures: CGI will implement appropriate technical and organizational measures, at least equivalent to those prescribed in CGI’s Enterprise Security Management Framework (ESMF), to guard against unlawful access and/or Processing of Personal Data. In particular, CGI will grant access to Personal Data only when it is necessary to accomplish assigned tasks consistent with the purpose for which the Personal Data is Processed. Where CGI uses a third party to undertake Processing on its behalf it will ensure that equivalent measures are put in place by that third party through contractual agreements. In the event of unlawful access and/or Processing, CGI will comply with its Information Security Policy and related procedures.

Data Protection Impact Assessment (DPIA): CGI shall be responsible for monitoring Data Processing compliance with Applicable Data Protection Legislation. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purpose of the processing, is likely to result in a high risk to the protection of your data, CGI shall implement a data protection impact assessment procedure that shall enable CGI to:

  • identify which Processing presents any specific risk for the protection of Personal Data;
  • assess the level of compliance with the Applicable Data Protection Legislation Processing principles;
  • assess the level of severity or likelihood of risk associated with the Processing; and
  • determine the corrective measures to be implemented to ensure that Personal Data is Processed with risks that are mitigated and performed in compliance with the Applicable Data Protection Legislation. If, after mitigation, the risks to the Data Subjects remain significant and when required by Applicable Data Protection Legislation, the competent Data Protection Authority will be consulted prior to the start of the intended Processing.

Data Privacy Impact assessment document will be retained for the duration of Data Processing to which they apply.

5.2 Principles when CGI acts as a Data Processor

CGI will ensure that it Processes Personal Data solely in accordance with the documented instructions of the Data Controller.

In particular, such Processing shall be:

  • For the Data Controller sole expressed purposes;
  • Made under the conditions agreed to between CGI and the Data Controller;
  • For no longer than is expressly prescribed by the Data Controller; and
  • According to the Data Controller’s written instructions as set out in the Data Processing agreement entered into between CGI and the Data Controller.

The Data Controller remains solely responsible for ensuring a valid legal basis for the Processing performed by CGI and that the required Processing complies with Applicable Data Protection Legislation including the retention period to be applied. Nonetheless, CGI will promptly inform the Data Controller if, in its opinion, an instruction of the latter infringes the Applicable Data Protection Legislation.

Unless otherwise instructed by the Data Controller, CGI will apply (as a minimum) the same security baseline as it applies when it is acting as a Data Controller. Security measures which do not comply with the security baseline (as a minimum) will require the approval of CGI Privacy and Security representatives.

CGI will provide reasonable assistance to the Data Controller to support it in undertaking its obligations under Applicable Data Protection Legislation. The assistance to be provided by CGI to Data Controller for compliance purposes in accordance with this section will be subject to the financial, technical and organizational conditions agreed between CGI and Data Controller in the relevant agreement. Upon termination of the relevant Data Processing agreement, CGI and any third party engaged by CGI will either destroy or return all Personal Data to the client according to its instructions and Applicable Data Protection Legislation. In case of destruction, CGI will certify to the Data Controller that such deletion took place. In case of a return, CGI will ensure the confidentiality of the Personal Data transferred to the Data Controller by adhering to client’s instructions.

For the avoidance of doubt, nothing in this Policy limits CGI’s right to keep Personal Data for the purpose of existing litigation or to bring or defend future claims, in accordance with applicable legal statutes of limitation applicable to CGI.

5.3 Principles when CGI Processes Sensitive Personal Data

CGI, when acting as a Data Controller, will Process Sensitive Personal Data if and only if it is strictly required.

In such case, CGI shall ensure that at least one of the following conditions is met:

  • The Data Subject has given his/her prior consent;
  • The Processing is required for the purposes of carrying out the obligations and exercising specific rights of the Data Controller or of the Data Subject in the field of employment and social security and social protection law (including background check screening where applicable);
  • If the Data Subject is not in a position to give his/her consent (e.g., for medical reasons), the Processing is necessary to protect the vital interests of the Data Subject or of another person;
  • The Processing is required in the context of preventive medicine or medical diagnosis by a health professional under Local Legislation;
  • The Data Subject has already manifestly placed the relevant Sensitive Personal Data in the public domain;
  • The Processing is essential for the purpose of establishing, exercising or defending legal claims, provided that there are no grounds for assuming the Data Subject has an overriding legitimate interest in ensuring that such Sensitive Personal Data is not Processed; or
  • The Processing is explicitly permitted by Local Legislation (e.g., registration/protection of minority groups).

Where CGI, as a Data Processor, is required to Process Sensitive Personal Data, CGI will follow the Data Controller’s written instructions and apply the measures agreed to between parties, which shall be at least equivalent to the CGI Security Baseline.

The Data Controller shall ensure a valid legal basis for the Processing performed by CGI.

In any case CGI will Process Sensitive Personal Data in accordance with Applicable Data Protection Legislation and comply with any mandatory specific hosting and Processing conditions.

5.4 Privacy by design/Privacy by default

As demonstrated by the commitments made under this Policy, CGI is committed to providing the appropriate level of protection for the Personal Data it processes. To ensure that the principles defined in this Policy are effectively considered when CGI processes Personal Data, CGI will identify and address any data protection constraints at the beginning of a new project so that the principles contained herein are reflected in the design of the project and appropriately implemented.

Where CGI acts as Data Processor, the Data Privacy organization, shall review and approve the Privacy aspects of the proposal and / or services developed for a client. Where CGI acts as Data Controller, the Data Privacy organization will have to provide approval of any new CGI internal project prior to the commencement of its development and subsequently implemented.

Where a solution is developed to become a CGI Intellectual Property to be proposed to clients as part of CGI’s services, the Data Privacy organization shall provide its approval.

6 – Management of Data Incidents and Breaches

6.1 Incident Management

CGI has a mature, standards-based security incident response and management process designed to handle all phases of a security incident. Members’ responsibilities are clearly defined at all levels. Incident assessment and prioritization standards are followed to ensure appropriate engagement levels and timely resolution.

Incident records are maintained and reported to senior management as required. High-priority incidents are managed through CGI’s 24x7 Global Security Operations Centre (SOC), where highly trained, full-time incident response professionals coordinate response efforts. CGI’s Data Privacy team is immediately engaged in the incident management process whenever Personal Data is suspected to be involved.

6.2 Notification of Personal Data Breach

Whether acting as a Data Controller or as a Data Processor, if CGI reasonably believes that a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed has occurred, CGI will provide security incident notification and status updates to the relevant Data Protection Authority, to Data Subjects and/or to the Data Controller, in accordance with Applicable Data Protection Legislation or any other local applicable laws.

Similarly, and for the sake of clarity, in the event a Personal Data breach is identified by a third party engaged by CGI, the third party will have to inform CGI as agreed upon in the relevant agreement.

7 – Who do we share your Personal Data with?

As part of CGI operations, we may collect your Personal Data and disclose them to:

  • CGI Legal Entities since you can benefit from our full range of solutions and services as part of our global delivery model;
  • third parties engaged by CGI and providing goods to CGI or performing services on our behalf (e.g. suppliers, subcontractors and freelancers);
  • certain regulated professionals (e.g. banks, lawyers, notaries and auditors),

CGI will disclose your Personal Data if the disclosure is reasonably necessary to protect CGI’s rights and pursue available remedies, enforce CGI’s terms and conditions, investigate fraud, or protect CGI’s operations or users.

CGI may also disclose your Personal Data to administrative, judicial or governmental authorities, state agencies or public bodies, strictly in accordance with Applicable Data Protection Legislation and Local Legislation, and after careful review, the legality of any order to disclose data. CGI will challenge the order if there are grounds under the law of the country of destination to do so.

8 – Transfer of Personal Data

Transfer of EU Personal Data shall refer to Personal Data of EU citizens or Personal Data of Data Subjects located within the EU being Processed (e.g. accessed, sent, used, viewed, copied, deleted) in a third country outside the EEA.

8.1 Within CGI

CGI acting as a Data Controller or Data Processor will Transfer EU Personal Data in accordance with the Applicable Data Protection Legislation and in accordance with CGIs’ Binding Corporate Rules (“BCR”), approved under GDPR by the French Supervisory Authority on July 22nd, 2021. This means that your rights as Data Subject remain the same no matter where your Personal Data is Processed.

Should you require any information on CGI’s BCRs, please consult the Register of the European Data Protection Board or Binding corporate rules (BCR) |

When CGI acts as Data Processor, prior specific or general consent is required in writing from the Data Controller before such transfer may be initiated.

Transfers of non-EU Personal Data shall take place in accordance with the Applicable Data Protection Legislation.

8.2 To third parties

Transfers of Personal Data to third parties shall take place in accordance with the Applicable Data Protection Legislation.

On a regular basis, CGI conducts due diligence and third party privacy and security risks assessments with all third parties engaged by CGI, to establish their corporate capabilities and maturity with respect to security and data protection.

Whenever CGI relies on such third parties to process Personal Data, CGI ensures that such third parties provide an adequate level of protection to the Personal Data they process as per Applicable Data Protection Legislation.

9 – What are your rights and how can you exercise them?

Data subjects have several rights under the Applicable Data Protection Legislation to request access to their Personal Data held by CGI and/or information about how CGI Processes their Personal Data. If you have any requests regarding the processing of your Personal Data, please send your formal request to or complete the online form.

When acting as a Data Processor, upon request, CGI will provide its clients with relevant information enabling such clients to comply with their own obligations toward Data Subjects. Unless otherwise indicated in any contractual agreement, CGI shall not be required to inform Data Subjects directly thereof, as this remains the responsibility of the Data Controller.

As per Applicable Data Protection Legislation, where CGI acts as the Data Controller, you have the following rights:

  • to access to your Personal Data;
  • to rectify or delete any of your inaccurate or incomplete Personal Data;
  • to object on legitimate grounds to the Processing of your Personal Data at any time, unless such Processing is required by Applicable Data Protection Legislation or any Local Legislation;
  • to restrict the Processing of your Personal Data that is no longer accurate or necessary;
  • to receive your Personal Data in a structured, commonly used and machine-readable format;
  • to withdraw your consent given for the Processing of your Personal Data.

CGI will act in accordance with the Applicable Data Protection Legislation and other relevant legal and contractual obligations in the search for and provision of relevant Personal Data. CGI will require Data Processors that Process Personal Data to do the same. CGI may need to ask you further questions in relation to your Personal Data or to verify your identity.

Upon termination of employment contracts for whatever reason, CGI shall maintain the Personal Data of former employees for such time as shall be permissible in accordance with applicable laws and regulations and necessary for the provision of appropriate ongoing benefits and services (for example, Member share schemes and pension administration).

10 – Compliance with the Policy

10.1 Compliance by Members

Members acknowledge the requirements and annually confirm acceptance of this Policy. In addition to this Policy, Members must also comply with other applicable confidentiality and privacy obligations, including those set out in any Applicable Data Protection Legislation, their employment agreements and CGI policies, processes and standards or client’s instructions.

Members must follow any mandatory CGI’s privacy training and awareness programs. These include, among other topics, mandatory web-based data privacy, information security, anti-corruption, and records management training, communication campaigns and specific trainings adapted to the different functions within the organization.

These trainings and awareness programs are regularly updated to reflect changes to the Applicable Data Protection Legislation.

CGI maintains a dedicated privacy page on CGI Intranet where policies, standards, guidance, information and other materials related to the global privacy program are made available to all Members.

To the extent permitted by law, any violation of this Data Privacy Policy may result in administrative and/or disciplinary action by CGI (including monetary penalties, suspension or termination).

10.2 Compliance by any third party engaged by CGI

In the event that any third party Processes Personal Data on behalf of CGI, such third party shall:

  • ensure that its personnel accessing CGI confidential information and Processing Personal Data on behalf of CGI, complete all CGI compliance mandatory trainings (including Security and Data Privacy awareness e-learnings) in the 30 days following the effective date of the agreement signed between CGI and the third party;
  • comply with this Policy and CGI’s security policies and standards in addition to any other security controls included within contractual agreements between CGI and its clients and/or partners.
  • process Personal Data in accordance with CGI's documented instructions and for no other purpose than the one expressly defined in writing by CGI, unless it is required to do so under any mandatory law. In such case, the third party shall inform immediately CGI of this legal obligation prior to processing.
  • implement and maintain appropriate technical, organizational and contractual measures to ensure appropriate level of protection of Personal Data and to prevent any unauthorized or unlawful processing of Personal Data and any accidental loss, destruction or damage to Personal Data. These measures shall (i) take into account the highest standards and the risks posed by the Processing activities, (ii) be designed to implement the data protection principles in an effective manner and provide the Processing activities with the necessary safeguards in order to meet the requirements of the Applicable Data Protection Legislation.
  • notify, to the extent permitted by law, CGI of any request for disclosure of CGI Personal Data that it receives from a third party, public authority or court, as well as of any action and/or measure regarding the processing of CGI Personal Data that is under investigation by the authorities;
  • comply with any request from CGI for access, rectification, blocking, restoration, deletion and objection of CGI Personal Data and ensure portability and the right to be forgotten of CGI Personal Data;
  • notify CGI immediately of any changes that may affect the Processing of CGI Personal Data;
  • actively cooperate with CGI to assess and document the compliance of CGI's Personal Data Processing, including providing CGI with any information that CGI may need or require to comply with Applicable Data Protection Legislation (including any information required for the Transfer Impact Assessment (TIA));
  • immediately inform CGI in writing if, in its opinion, any instruction from CGI regarding the Processing of CGI's Personal Data constitutes a violation of the Applicable Data Protection Legislation.

10.3 EU-US Data Privacy Framework (DPF), the UK Extension and the Swiss-US DPF

As per the approval granted by the US Department of Commerce, the following CGI Legal Entities are self-certified under EU-US DPF, the UK Extension, and the Swiss-US DPF:

  • CGI Technologies and Solutions Inc.
  • CGI Information Systems and Management Consultants (New York) Inc.
  • CGI Group Holdings USA Inc.
  • Accounts Receivable Automated Solutions Inc.

These Data Privacy Frameworks provide the above-mentioned CGI Legal Entities with reliable mechanisms for Personal Data transfers to the United States from the European Union, United Kingdom, and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss Applicable Data Protection Legislation.

CGI complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. CGI has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. CGI has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.

To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit

The Federal Trade Commission has jurisdiction over CGI’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

In the context of an onward transfer, CGI has responsibility for the processing of Personal Data it receives under the DPF Principles and subsequently transfers to a third party acting as an agent on its behalf. CGI shall remain liable under the DPF Principles if any third party engaged by CGI processes such Personal Data in a manner inconsistent with the DPF Principles, unless CGI proves that it is not responsible for the event giving rise to the damage.

Data Subjects may, under certain conditions, invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms as detailed in the DPF ANNEX I.

11 – Record of Processing activities

CGI maintains records of Processing activities carried out as a Data Controller or as Data Processor. CGI will make sure that any new Processing of Personal Data is recorded in the Data Processing Inventory with relevant information regarding the context of each Processing of Personal Data. CGI shall make a record(s) of Processing available to the supervisory authority on request.

12 – Changes to this Policy

This Policy may be amended from time to time to comply with Applicable Data Protection Legislation. CGI will ensure that Data Subjects are notified of any material changes to the Policy promptly, through an “update” on, by email or other appropriate method of communication. Should you require a status update, you may raise a request by sending an email to

13 – Data Privacy Organization

CGI has designated a Chief Privacy Officer (CPO) overseeing CGI’s global data protection strategy, enterprise- wide data protection policies and procedures, and data protection regulatory compliance, and a network of Privacy Business Partners who may also be appointed as Data Protection Officers in accordance with Applicable Data Protection Legislation.

14 – Questions and Recourse

14.1 Questions

In case of questions related to the interpretation or operation of this Policy, please send an email to or contact CGI's Chief Privacy Officer at Paris – Carré Michelet, 10-12 Cours Michelet, 92800 Puteaux, France.

14.2 Independent recourse mechanism

If your question is not addressed by contacting CGI Privacy Office or you believe that you have evidence of misconduct that could harm CGI, its members, clients or shareholders, you can reach out to CGI’s Ethics Hotline.

14.3 Data Protection Authorities

Should you require assistance from any competent data protection authority, please reach out to the relevant one by using the useful resources below:

14.4 Data Protection Review Court

As per the EU-U.S. Data Privacy Framework (EU-U.S. DPF) validated by the European Commission on July 10,  2023, the Data Protection Review Court is the second level of a two-level redress mechanism that provides for the review of qualifying complaints by individuals, filed through appropriate public authorities in designated foreign countries or regional economic integration organizations, alleging certain violations of United States law concerning United States, signals intelligence activities.