Complete Privacy Statement

Thank you for your interest in the personal information protection practices of the Greater Toronto Airports Authority. Before you begin reading our Privacy Statement, there are a few things we would like you to know:

The Greater Toronto Airports Authority is also referred to as the “GTAA” or “we”, “our” or “us”.
The GTAA is a non-governmental, private corporation that operates Toronto Pearson International Airport.
This Privacy Statement applies only to the GTAA. Not all of the information in this Privacy Statement will apply to you. What applies to you depends on how you interact with the GTAA and the services provided by the GTAA.
As you navigate our website and engage with GTAA’s services, you may receive additional privacy notices relevant to specific services.
By interacting with the GTAA and engaging with the services provided by the GTAA, you acknowledge that we may collect, use, disclose, and otherwise handle your Personal Information in accordance with this Privacy Statement.
We may update this Privacy Statement from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. The date of the latest revision will be posted at the top of this Privacy Statement, enabling you to know when it was last updated.
Many businesses are located at Toronto Pearson International Airport. When you deal with those businesses your personal information is governed by the privacy policies of those businesses. This Privacy Statement does not apply.
This Privacy Statement does not apply to government agencies, such as the Canadian Air Transport Security Authority, the Canada Border Services Agency and the U.S. Department of Homeland Security (including the U.S Customs and Border Protection Agency).

You can click on the sections below to learn more about what interests you.

The legal basis for processing this personal data is as follows:

Legitimate business interests in responding to your inquiries, maintaining the safety and security of Toronto Pearson and GTAA’s online services, improving our business and marketing, evaluating your suitability for employment (if you are an applicant for employment).
Performing our contractual obligations to you if you purchase a product or service from us, including parking, amenities or gift cards.
With your consent if you sign up for marketing communications.
Complying with legal obligations in maintaining corporate records.

Understanding the Personal Information We Collect

We collect personal information to provide you with and to improve our services as well as to protect your safety and the security of the GTAA, Toronto Pearson and occupants of Toronto Pearson. Below you will find examples of the types of personal information that you can expect that we may collect depending on the nature of your interactions with the GTAA:

Understanding Why We Use Personal Information

The personal information we collect serves multiple purposes, including providing and enhancing our services, complying with our legal and contractual obligations, and ensuring a safe, efficient airport experience for travellers, employees, our vendors and service providers, and our tenants. Below you will find examples of the purposes for which we collect and use personal information depending on the nature of your interactions with us at Toronto Pearson. For information on the types of personal information, please see “Understanding the personal information we collect”.

Visitor Analysis: Assessing the number of visitors, number of visits, visit duration, visitor flow, visitor characteristics, and use of Toronto Pearson services and amenities. Examples of types of data used: Anonymous Video Analytics and Traffic Counters, Wi-Fi Usage Information, Online Advertising Interactions, Survey Response Details, Transaction Details, and Travel Details.
Online Services Analysis: Assessing the effectiveness of Wi-Fi and other online services and developing and improving those services. Examples of types of data used: Wi-Fi Usage Information, Online Advertising Interactions, Survey Response Details, Transaction Details, Cookies and other Tracking Data.
Marketing and Advertising: Engaging travelers and others through marketing and advertising and measuring and improving the effectiveness of marketing communications and advertisements, including developing target audiences based on actual or inferred characteristics. Examples of data used: Subscription Details, Contest and Promotion Details, Survey Response Details, Social Media Interactions, Online Advertising Interactions, Online Interactions, Wi-Fi Usage Information, Cookies and other Tracking Data, and Transaction Details.
Recruitment: Evaluating applicant suitability for employment and managing and improving the recruitment process. Examples of types of data used Employment Applicant Data and Optional Diversity and Inclusion Data. Optional Diversity and Inclusion Data help us assess and enhance our diversity initiatives, ensuring equal employment opportunities and fostering an inclusive workplace environment.
Innovation and Improvement: Analyzing our business operations and identifying areas to improve the efficiency and quality of our services and opportunities to provide new services. Examples of data used: Call Recordings, Service Requests and Complaint Details, Transaction Details, Subscription Details, Survey Response Details, Online Interactions, Online Advertising Interactions, Wi-Fi Usage Information, and Anonymous Video Analytics and Traffic Counters.
Risk Management: Conducting regular assessments and monitoring to identify and address potential risks, ensuring the integrity of our operations and safeguarding against fraud or other illegal activities. Examples of data used: Contact Details, Vehicle Information, Images, Security Incident Data, Pass Card Data, and Health and Safety Incident Data.
Legal Compliance: Maintaining necessary business records. We may use all forms of personal information we collect for this purpose as required by law.
Property and Business Sales: Transferring personal information relevant to the sale of all or a portion of our business operations.
Other Consent-Based Purposes: Using personal information for other purposes for which you have given consent.

Privacy Beyond Our Direct Services to You

At Pearson Airport, you will find a variety of services and amenities provided by other businesses, including lounges and spas, gyms, shops, banking and currency exchanges, restaurants, meet and greet or porter services, and baggage storage. Canadian and U.S. border control agencies also operate at Toronto Pearson. For your convenience, our website may provide information about and link to these businesses and agencies. However, they operate independently of the GTAA and have their own privacy policies. The GTAA does not control and is not responsible for their privacy practices.

Pre‑Arranged Taxi and Limo Service Providers

Companies and drivers who provide pre‑arranged taxi and limo services at Toronto Pearson must register and provide information about their drivers and pick‑up reservations online. Registered drivers will provide their first and last name, email address, driver’s licence details, mobile number, and language. Vehicles used for pickups must be registered by providing licence plate number, vehicle type, make, model, year and verification of insurance coverage and municipal licence.

Fire & Emergency Services Training Institute

The GTAA operates the Fire & Emergency Services Training Institute, which is a private career college that provides training for fire and emergency service professionals. We collect information relevant to creating an online account for you, registering you for training courses, and managing and improving our training programs. This information may include your first and last name, mailing address, email address, date of birth, phone number, online account username and password, and course progression and completion information.

Third parties involved in our business

The GTAA shares personal information with third parties who assist us in our business by providing services to the GTAA or on behalf of the GTAA. In some limited cases, we are also required to share personal information with third parties such as government agencies or pursuant to an enforceable legal obligation.

Examples of third parties we share your personal information with:

Technology Service Providers: Companies providing the technology infrastructure and services that support our applications, including cloud hosting, software services, and those offering data analytics, machine learning, business intelligence, and AI services.
Payment and Financial Services: Entities processing payments or providing financial services.
Gift Card Issuer and Gift Card Manager and Merchants: The financial institution issuing our gift cards and our third‑party gift card program manager will receive and process your personal information when you participate in our gift card program. You have a direct relationship with the gift card issuer and the merchants where you use your gift card. The privacy policies of these organizations will apply and not this Privacy Statement.
Event and Promotional Partners: Collaborators on events and promotional activities.
Marketing and Advertising Agencies: To promote our business activities and properties.
Advertising Networks and Publishers: Digital advertising platforms, including social media platforms where our ads appear.
Customer Relationship Management (CRM) Providers: Providers that manage customer, tenant and prospect data.
Email Marketing Services: Platforms that manage and execute email campaigns, promotions, and communications.
Social Media Management Tools: Services that help manage interactions and content across social media platforms, streamlining engagement and content distribution.
Feedback and Survey Platforms: Tools that collect and analyze tenant feedback, aiding in service improvement and tenant satisfaction strategies.
Background Check Services: Agencies providing credit reporting, reputation, and background verification services.
Analytics Service Providers: Firms offering data analytics services.
Security Personnel: Contracted security firms and their personnel.
Insurance Companies: Providers of insurance coverage related to our operations.
Law Enforcement and Government Agencies: Police and other governmental authorities in compliance with legal obligations.
Professional Advisors: Lawyers, auditors, and management consultants offering legal, financial, or strategic advice.

About AI and Automated Decisions

GTAA and the third parties involved in our business may incorporate artificial intelligence and machine learning tools to process your personal information, including using it to train and refine algorithms. We and our service providers may also use these tools to make automated decisions using your personal information.

These tools help with internal business activities, such as automating tasks, evaluating data, developing new products and services, securing business systems, and other business purposes.

GTAA is committed to the ethical use of your personal information in using these tools. If we use automated decision‑making exclusively to make a decision about you, we will provide you with additional information.

About Cookies and Other Online Trackers

Cookies are small data files we place on your internet browser when you visit our websites. These are essential for ensuring our websites operate efficiently and remember your preferences (like language or login details) for future visits. Cookies also help us analyze site usage—tracking visitor numbers, traffic patterns, and assessing website performance. Additionally, we use cookies to identify potential interest in our advertisements, allowing us to show our ads to you on social media platforms and other websites.

We may use pixels on our websites and in emails to gain insights into how you interact with our content. A pixel, often referred to as a "tracking pixel" or "web beacon," is a tiny image file that is embedded within an email or webpage. When you open an email or visit a webpage containing a pixel, it communicates with the server, allowing analytics and advertising service providers to track certain activities such as whether you have opened an email, clicked on links within it, or how you engage with our website content or advertising. This data helps us to improve your browsing experience and customize our advertising to better match your interests. You can prevent tracking by disabling automatic image loading in your email settings or employing browser extensions designed to block tracking technologies.

Storage, Retention and Security

The GTAA is located in Ontario, Canada. Your personal information may be transferred and stored outside of Ontario. Any transfer of personal information will comply with data protection laws applicable to GTAA. If your information is transferred outside of Ontario, it may be subject to the laws of those other regions, including access by courts, law enforcement, or regulatory agencies.

We store personal information for as long as necessary to achieve the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period, we consider factors such as the amount, nature, and sensitivity of the personal information, the risk of unauthorized use or disclosure, the purposes of processing and whether these purposes can be achieved by other means, and applicable legal requirements.

We implement various measures with the intent to keep your personal information safe and secure. We use technical measures and policies and procedures that are designed to keep your personal information secure. These technical measures, policies and procedures take into account the sensitivity of personal information. Our security measures will depend on the sensitivity of personal information. Examples of security measures are:

Physical Protections: Secure access to premises and data storage areas.
Technical Safeguards: Firewalls and, for sensitive data, secure data transmission and encryption.
Policy and Training: Employee training programs.
Risk Management: Assessment and mitigation of reasonably foreseeable and likely security risks.
Incident Response: Protocols for addressing and recovering from data breaches.
Data Management: Principled data collection, retention, and secure destruction practices.
Third‑Party Oversight: Standards for third parties involved in our business.

You have a shared responsibility to protect your personal information when you use our websites, any mobile apps and online services. You should ensure your device is up to date and protected by anti‑virus and anti‑malware software. You should use the latest version of browsers. If you are using one of our online services that requires an account, you should not use the same password you are using on other sites. Keep your password secure and do not share your password with others.

Your Privacy Rights Explained

You have the following rights respecting your personal information. These rights may be subject to legal and jurisdictional limitations.

Right of access. You have the right to access your personal information. Please note that we may decline access to information that we have collected for security purposes. For example, we will not provide copies of closed‑circuit video surveillance without a court order or other legally enforceable request.
Right to correction. You have the right to correct any personal information that we hold about you that you demonstrate is inaccurate or incomplete for the purpose for which it was collected.
Right to deletion. You have the right to require us to delete your personal information if the continued processing of that personal information is not justified. For example, we will not delete information if it is required for complying with legal obligations, retaining records for audit purposes, defending or asserting our legal rights, or providing you with services that you are still using.

In some jurisdictions, you may also have the following rights subject to some legal limitations:

Right of portability. You may have the right to receive a copy of the personal information you have provided to us in a structured, commonly used, machine‑readable format that supports re‑use, or to request the transfer of your personal information to another person. (Applicable only if the data was collected from you in the United Kingdom, the European Economic Areas and certain other jurisdictions.)
Right to restriction. You may have the right to require us to limit the purposes for which we process your personal information if the continued processing of the personal information in this way is not justified, such as where the accuracy of the personal information is contested by you. (Applicable only if the data was collected from you in the United Kingdom, the European Economic Areas and certain other jurisdictions.)
Right to object. You may have a right to object to any processing based on our legitimate interests where there are grounds relating to your situation. There may be compelling reasons for continuing to process your personal information, and we will assess and inform you if that is the case. You can object to marketing activities for any reason. (Applicable only if the data was collected from you in the United Kingdom, the European Economic Areas and certain other jurisdictions.)

If you would like to exercise any of these rights, contact our Privacy Office.

You may also have a right to complain to the privacy commissioner or data protection authority in the place where you interact with us. Before exercising that right, we encourage you to contact our Privacy Officer to permit us to investigate your concerns and address them if they are well‑founded.

Controlling the Collection and Use of Your Personal Information

You can control the collection and use of your personal information in the following ways:

Opting Out of Marketing Communications: You have the option to unsubscribe from our marketing emails by following the unsubscribe instructions in any marketing email you receive. To opt out of promotional text messages, reply with "STOP". Opting out does not apply to non‑promotional messages.
Managing Mobile Location Analytics: You can opt‑out of our foot‑traffic data collection that uses mobile analytics by visiting https://smart-places.org.
Interest‑Based Advertising and Analytics: You can use your browser settings to manage cookies. To opt‑out of personalized advertising content, please visit Digital Advertising Alliance of Canada Opt-Out Page.

Contact the Privacy Office

We have appointed a Chief Privacy Officer. Our Privacy Officer and other staff in our Privacy Office are responsible for overseeing our compliance with applicable privacy laws. If you wish to access and/or change any personal information you have given us, please submit a formal request by completing our Information Request Form.

For general questions regarding privacy laws, contact the office of the Privacy Commissioner of Canada at 112 Kent Street, Ottawa, Ontario, K1A 1B3, or visit their website at https://www.priv.gc.ca

Complete Privacy Statement

Notice to Quebec Residents

Notice to EEA and UK Residents

Understanding the Personal Information We Collect

General Dealings

Marketing, Contests and Surveys

Online Services

Taxi and Limo Services

Building and Security Operations

Health and Safety

Recruitment

Fire & Emergency Services Training Institute

Understanding Why We Use Personal Information

Visitor Management and Operations

Safety, Health and Incident Management

Business Development and Improvement

Privacy Beyond Our Direct Services to You

Pre‑Arranged Taxi and Limo Service Providers

Fire & Emergency Services Training Institute

Third parties involved in our business

About AI and Automated Decisions

About Cookies and Other Online Trackers

Storage, Retention and Security

Your Privacy Rights Explained

Controlling the Collection and Use of Your Personal Information

Contact the Privacy Office