PRIVACY POLICY
Procedure for Retention, Destruction, and Anonymization of Personal Information
1. Overview
It is essential to establish a procedure for the retention, destruction, and anonymization of personal information to ensure the protection of individuals’ privacy, comply with personal data protection laws, prevent privacy incidents and security breaches, maintain customer trust, and protect the organization’s reputation.
2. Purpose
The purpose of this procedure is to ensure the protection of individuals’ privacy and to comply with legal obligations related to the protection of personal information.
3. Scope
This procedure applies to the entire lifecycle of personal information, from collection to destruction. It concerns all employees and stakeholders involved in the collection, processing, retention, destruction, and anonymization of personal data in accordance with legal requirements and best practices for privacy protection.
4. Definitions
- Personal information: Any data that can directly or indirectly identify an individual.
- Retention: Secure storage of personal data for the required duration.
- Destruction: Permanent deletion, elimination, or removal of personal data.
- Anonymization: A process that modifies personal data so it can no longer, at any time and irreversibly, be used to directly or indirectly identify individuals.
5. Procedure
5.1 Retention Period
5.1.1 Personal information is categorized as follows:
- Information related to company employees
- Information related to organization members
- Information related to clients
5.1.2 Retention periods for each category are as follows:
- Employees: 7 years after the end of employment
- Members: Variable depending on the type of personal information
- Clients: Variable depending on the type of personal information
For more details, refer to the complete inventory of personal data held.
Note: Specific retention periods may apply.
5.2 Secure Storage Methods
5.2.1 Personal data is stored in the following locations: OneDrive, Wix
5.2.2 The sensitivity level of each storage location has been assessed.
5.2.3 These storage locations, whether paper-based or digital, are adequately secured.
5.2.4 Access to these storage locations is restricted to authorized personnel only.
5.3 Destruction of Personal Information
5.3.1 Paper documents must be fully shredded.
5.3.2 Digital personal data must be completely deleted from devices (computers, phones, tablets, external drives), servers, and cloud-based tools.
5.3.3 A destruction schedule must be created based on the established retention period for each data category. Planned destruction dates must be documented.
5.3.4 Destruction must be carried out in such a way that the data cannot be recovered or reconstructed.
5.4 Anonymization of Personal Information
5.4.1 Anonymization should only occur if the organization wishes to retain and use the data for serious and legitimate purposes.
5.4.2 The chosen method of anonymization is as follows: data will be deleted after the retention period.
5.4.3 The remaining data must no longer allow, in any way, the direct or indirect identification of the individuals concerned. Regular assessments of the risk of re-identification must be conducted through testing and analysis to ensure the effectiveness of anonymization.
Note: As of the date of this template, anonymization of personal information for serious and legitimate purposes is not yet permitted. A government regulation must be adopted to establish the criteria and terms.
5.5 Staff Training and Awareness
5.5.1 Regular training must be provided to employees regarding the procedures for retaining, destroying, and anonymizing personal data, as well as the risks related to privacy breaches.
5.5.2 This also includes raising staff awareness of best practices for data security and the importance of following established procedures.
Last updated: February 1, 2024
Procedure for Access Requests and Complaint Handling Regarding Personal Information
Last updated: February 1, 2024
1. Overview
Since individuals may request access to personal information held about them by an organization—or may file complaints—it is essential to have clear guidelines in place to address such requests appropriately.
2. Purpose
The purpose of this procedure is to ensure that all access requests are handled confidentially, promptly, and accurately, while respecting the rights of the individuals concerned.
3. Scope
This procedure applies to internal personnel responsible for handling access requests and complaints, as well as individuals who wish to access their own personal information.
4. Access Request Procedure
4.1 Submitting the Request
4.1.1 Individuals must submit a written request to the organization’s Privacy Officer. The request may be sent by email or by postal mail.
4.1.2 The request must clearly state that it is a request for access to personal information and include sufficient details to identify the individual and the requested information.
4.1.3 This may include the individual's name, address, and any other relevant information necessary to reliably identify the requester.
4.2 Receipt of the Request
4.2.1 Once received, an acknowledgment of receipt will be sent to confirm that the request is being processed.
4.2.2 The request must be processed within thirty (30) days of receipt.
4.3 Identity Verification
4.3.1 Before proceeding, the individual's identity must be reasonably verified. This may involve requesting additional details or verifying identity in person.
4.3.2 If identity cannot be satisfactorily verified, the organization may refuse to disclose the requested personal information.
4.4 Incomplete or Excessive Requests
4.4.1 If a request is incomplete or excessive, the Privacy Officer will contact the individual to request clarification or further information.
4.4.2 The organization reserves the right to reject any request that is clearly abusive, excessive, or unjustified.
4.5 Processing the Request
4.5.1 Once identity has been verified, the Privacy Officer collects the requested personal information.
4.5.2 Relevant records will be consulted to retrieve the information, ensuring compliance with applicable legal restrictions.
4.6 Review of the Information
4.6.1 Before disclosing any personal information, the Privacy Officer reviews the data to ensure that it does not contain confidential third-party information or data that may infringe on the rights of others.
4.6.2 If third-party information is present, the officer will assess whether it can be separated or must be excluded from disclosure.
4.7 Communication of the Information
4.7.1 After all verifications, the information is disclosed to the individual within a reasonable timeframe, in compliance with legal requirements.
4.7.2 Disclosure may be done electronically, by secure postal mail, or in person, depending on the individual’s preference and appropriate security measures.
4.8 Tracking and Documentation
4.8.1 Each step of the process must be documented clearly and thoroughly.
4.8.2 A tracking log must include the following details:
- Date the request was received
- Date the acknowledgment was sent
- Date identity was verified
- Method of verification
- Decision (approved or denied)
- Date of disclosure (if applicable)
4.9 Confidentiality Protection
4.9.1 All personnel involved in the access request process must uphold strict confidentiality and data protection standards.
4.10 Complaint Handling and Recourse
4.10.1 If an individual is dissatisfied with the response, they must be informed of available complaint procedures and recourse via the Commission d’accès à l’information.
4.10.2 Complaints must be handled in accordance with the organization’s internal complaint management policies (next section).
5. Complaint Handling Procedure
5.1 Receiving Complaints
5.1.1 Complaints may be submitted in writing, by phone, email, or any other official communication channel. They must be recorded in a centralized registry accessible only to designated personnel.
5.1.2 Employees must immediately notify the designated complaint handler upon receipt.
5.2 Preliminary Assessment
5.2.1 The designated officer evaluates the relevance and seriousness of each complaint.
5.2.2 Frivolous, defamatory, or obviously unfounded complaints may be dismissed, with a justification provided to the complainant.
5.3 Investigation and Analysis
5.3.1 The designated officer conducts a fair investigation by collecting evidence, interviewing relevant parties, and reviewing all pertinent documents.
5.3.2 The officer must act impartially and have the authority to resolve the complaint.
5.3.3 Confidentiality must be maintained, and all parties must be treated fairly.
5.4 Complaint Resolution
5.4.1 The officer proposes appropriate actions to resolve the complaint as quickly as possible.
5.4.2 Solutions may include corrective actions, financial compensation, or other necessary measures.
5.5 Communication with the Complainant
5.5.1 The officer keeps the complainant informed of the progress of the investigation and resolution.
5.5.2 All communications must be professional, empathetic, and respectful.
5.6 Closing the Complaint
5.6.1 Once resolved, a written summary of actions and outcomes is provided to the complainant.
5.6.2 All documents and records related to the complaint must be stored in a confidential file.
Procedure for Deindexing and Deletion Requests of Personal Information
Last updated: February 1, 2024
1. Overview
This procedure addresses our clients’ concerns regarding privacy and the protection of their personal information.
2. Purpose
The purpose of this procedure is to provide a structured mechanism for managing client requests to deindex or delete their personal information.
3. Scope
This procedure applies to our internal team responsible for handling deindexing and deletion requests. It covers all information published on our online platforms, including our website, mobile applications, databases, or any other digital media used by our clients.
4. Definitions
- Deletion of personal information: The complete erasure of data, making it unavailable and unrecoverable.
- Deindexing of personal information: The removal of information from search engine indexing, reducing visibility but not direct accessibility.
Deletion permanently removes data, while deindexing limits its online visibility.
5. Procedure
5.1 Receiving Requests
5.1.1 Deindexing and deletion requests must be submitted to the designated responsible team.
5.1.2 Clients may submit their requests via specific channels such as an online form, dedicated email address, or phone number.
5.2 Identity Verification
5.2.1 Before processing a request, the individual’s identity must be reasonably verified.
5.2.2 This may involve requesting additional information or verifying identity in person.
5.2.3 If identity cannot be satisfactorily verified, the organization may decline to process the request.
5.3 Request Evaluation
5.3.1 The responsible team must carefully assess the request and the personal information concerned to determine eligibility for deindexing or deletion.
5.3.2 All requests must be handled confidentially and within the required timeframes.
5.4 Grounds for Refusal
5.4.1 There are valid reasons why we may decline to delete or deindex personal information, such as:
- To continue providing goods or services to the client
- To meet employment law requirements
- For legal reasons in the event of a dispute
5.5 Deindexing or Deleting Personal Information
5.5.1 The responsible team must take the necessary actions to deindex or delete the personal information in accordance with eligible requests.
5.6 Follow-Up Communication
5.6.1 The responsible team is in charge of maintaining communication with the requester throughout the process, providing acknowledgment of receipt and regular status updates.
5.6.2 Any delay or issue encountered in processing the request must be communicated to the requester with clear explanations.
5.7 Tracking and Documentation
5.7.1 All deindexing and deletion requests, along with the actions taken in response, must be logged in a dedicated tracking system.
5.7.2 Records must include request details, actions taken, dates, and outcomes.
Security Incident and Personal Information Breach Management Procedure
Last updated: February 1, 2024
1. Overview
An incident response plan is essential for managing cybersecurity incidents effectively. In moments of crisis, it can be difficult to know how to act and which actions to prioritize. A response plan helps reduce the risk of overlooking critical aspects and minimizes stress.
2. Purpose
The purpose of this procedure is to ensure the organization is prepared to respond to cybersecurity incidents and resume operations as quickly as possible.
3. Scope
This procedure applies to all networks and systems, as well as stakeholders (clients, partners, employees, contractors, suppliers) who access those systems.
4. Identifying a Cybersecurity Incident
Cyber incidents are not always immediately recognized or detected. However, certain indicators may signal a security breach, system compromise, or unauthorized activity. It is important to remain alert for signs that an incident has occurred or is in progress.
Possible indicators include:
- Unusual or excessive login and system activity, especially involving inactive user accounts
- Excessive or abnormal remote access activity by staff or third-party vendors
- The appearance of unknown or unauthorized wireless networks (Wi-Fi)
- Suspicious malware activity or unknown/unapproved executable files and programs
- Lost, stolen, or misplaced devices containing payment data, personal information, or other sensitive data
5. Contact Information
Julie Béland
14680 Serge-Deyglun Street
Montreal, QC, Canada
H1A 5J6
Phone: 514-464-8880
6. Personal Information Breach – Specific Response
If a confirmed security incident involves a breach of personal information, the following steps must be taken:
- Complete the Privacy Incident Log to document the breach
- Assess whether personal information was lost due to unauthorized access, use, or disclosure, and determine if there is a real risk of serious harm to the individuals involved
- If such risk exists, report the incident to the Commission d’accès à l’information (Quebec)
- Notify any affected individuals whose personal information was compromised
7. Ransomware – Specific Response
If a ransomware attack is confirmed, follow these steps:
- Immediately disconnect affected devices from the network
- Do NOT delete anything from your devices (computers, servers, etc.)
- Investigate how the ransomware infected the device to understand how to remove it
- Report the incident to local authorities and cooperate fully with the investigation
- After removal, perform a full system scan using the latest antivirus, anti-malware, and other security software to confirm the ransomware has been eradicated
- If the ransomware cannot be removed (common with stealthy malware), reset the device using original installation media or system images
- Before restoring from backups, verify that backup files are malware-free
- If critical data must be recovered but is unavailable from clean backups, consult available decryption tools at nomoreransom.org
- The organization’s policy is not to pay the ransom, subject to the specific circumstances. It is strongly recommended to engage a cyber breach coach for expert guidance
- Apply patches and updates to prevent reinfection
8. Account Hacking – Specific Response
If an account has been compromised:
- Inform clients and suppliers that they may receive fraudulent emails appearing to be from your organization, and advise them not to respond or click any links
- Check whether access to the compromised account is still available
- If access is lost, contact the platform’s support team to recover the account
- Change the password for the compromised account
- If the same password is used elsewhere, change it on all other platforms
- Enable two-factor authentication (2FA)
- Remove unauthorized sessions or devices from the login history
9. Lost or Stolen Device – Specific Response
If a device is lost or stolen:
- Immediately report the theft or loss of the asset (e.g., laptop, mobile phone) to local law enforcement, including outside business hours or on weekends
- If the device contains sensitive or unencrypted data, assess the type and volume of data potentially compromised (e.g., payment card numbers, personal data)
- If possible, lock or disable the lost/stolen mobile devices remotely, and initiate a remote wipe of the data
10. Legal Compliance
We are committed to complying with the legal requirements outlined in:
Province of Quebec
11. Amendments – Law 25
This security and privacy policy may be updated periodically to ensure compliance with the law and to reflect any changes in our data handling practices.
Users are encouraged to review the policy periodically. If necessary, updates will be communicated by email.