1. Purpose

Burke Consulting Data Breach Notification Policy (“Policy”) has been developed to provide for a reasonable and consistent response to data breach incidents involving Personal Data. The objective of this Policy is to ensure that Burke Consulting responds appropriately to data breaches and that the appropriate notifications are made when necessary, in compliance with Applicable Laws. Compliance with this Policy serves both to minimize potential damages that could result from a data breach and to ensure that parties affected by a data breach are properly informed of how to protect themselves.

2. Definitions

2.1 "Data Breach" is an unintended exposure of users' Personal Identifying Information or credentials which can be used to gain such

2.2 “Customer” means a third party that has entered into a binding, written agreement with Burke Consulting for the provision of Services.

2.3 "Customer Personal Data" means any Personal Data Processed by Burke Consulting on behalf of a Customer pursuant to or in connection with a customer agreement;

2.4 “Employee” means a natural person employed by Burke Consulting for wages or salary.

2.5 "Employee Personal Data" means any Personal Data of natural persons Processed by Burke Consulting in connection with the performance of a contract of employment or for purposes of recruitment.

2.6 "GDPR" means EU General Data Protection Regulation 2016/679;

2.7 The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2.8 "3rd Party" means an entity with which Burke Consulting does not have a business relationship.

2.9 "Disclosure Period" means a 30 calendar day period during which Burke Consulting will not publicly disclose the existence of the "Data Breach", in order to give the "3rd Party" a chance to remedy the "Data Breach" and notify its users.

3. Scope

This Policy applies to any "Data Breach" that is discovered by Burke Consulting on any "3rd Party".

This Policy applies in the event of a Personal Data Breach under Article 33 of the GDPR (Notification of a personal data breach to the supervisory authority) and Article 34 (Communication of a personal data breach to the data subject).
 
This Policy is applicable to all owners and employees of Burke Consulting and any other individual or entity acting for or on behalf of Burke Consulting, whether operating inside or outside Canada (collectively “Covered Persons”). Third parties, including but not limited to consultants, agents, intermediaries, and joint-venture partners, must be informed about this Policy and agree to comply with its tenets.

4. DATA BREACH RESPONSE TEAM

The following positions/individuals will constitute Burke Consulting’s Data Breach Response Team (or “Team”) for purposes of this Policy:

Darryl Burke

5. Personal Data Breach

5.1 Customer Personal Data. Burke Consulting shall notify Controller without undue delay after becoming aware of a Personal Data Breach. Such notification shall at least:

(i) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(ii) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(iii) describe the likely consequences of the personal data breach; and
(iv) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

5.1 Employee/User Personal Data

5.1.1 To the Data Subject. Burke Consulting may, at its discretion, where feasible, communicate/post the personal data breach to the data subject.

The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).

5.1.2 To the Supervisory Authority. Burke Consulting shall, without undue delay and, where appropriate, not later than 72 hours after having become aware of it, notify the Personal Data Breach to the supervisory authority competent in accordance with Article 55. Such notification shall at least:

(i) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(ii) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(iii) describe the likely consequences of the personal data breach; and
(iv) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

6. Last Updated

This Policy was last updated on May 19, 2019.