It should also include adequate contractual protection, either in the form of a comprehensive data protection agreement or by data protection provisions in the service agreement itself. 2 Office of the Privacy Commissioner of Canada, Guidelines for processing personal data across borders, January 2009 PIPEDA received an update to its consent policy in 2015 that consent of an individual is valid only if it is reasonable to expect that a person who the organization`s policed to be understand the nature, purpose and consequences of the collection, use or disclosure of the personal information that they are consenting to. This essentially means that organizations can choose between seeking tacit consent or explicit consent. The appropriate form of consent is often assessed on the basis of the sensitivity of the personal data collected and the reasonable expectations of the person concerned. The RGPD`s transparency requirements are extensive and a data protection policy in accordance with the RGPD should cover virtually all information on how a processor handles personal data. 3. Prohibited data. This authority does not apply to sensitive data. Under no circumstances will the entity be responsible for the sensitive data voluntarily provided by the customer, either in the context of a security incident or in any other way.