Policy Framework

1. Preamble

As part of its activities and its mission, Les Produits du Québec ("the Organization") processes the personal information of website visitors, clients and staff members, including employees. As such, it recognizes the importance of respecting privacy and protecting the personal information in its possession.

In order to fulfill its obligations in this regard, the Organization has adopted the following policy. It sets out the framework principles applicable to the protection of the personal information that the Organization holds throughout its life cycle, as well as the roles and responsibilities of stakeholders in the protection of personal information and the exercise of the rights of concerned individuals.

The protection of personal information held by the Organization is the responsibility of any person dealing with such information.

2. Subject

This policy:

  • sets out the Organization's governing principles with regard to personal information throughout its life cycle ;
  • regulates the exercise of the rights of the individuals concerned ;
  • details the process for handling complaints related to the protection of personal information ;
  • defines the Organization's privacy roles and responsibilities ;
  • describes the training and awareness-building activities that the Organization offers to its staff members.

3. Standard framework

This policy is governed by the Act respecting the protection of personal information in the private sector.

4. Definitions

For the purposes of this policy, the following terms are defined as:

"CAI" refers to the Commission d'accès à l'information du Québec.

"life cycle" refers to all steps involved in the processing of personal information, i.e. the collection, use, communication, retention and destruction of personal information.

"professional contact details" refers to personal information that relates to the exercise of a function within a company, such as names, titles and functions, as well as postal addresses, emails and telephone numbers at a workplace.

"privacy impact assessment" or "PIA" refers to the preventive approach that aims to better protect personal information and respect the privacy of individuals. This assessment considers all factors that could entail positive and negative consequences pertaining to the respect of the privacy of concerned individuals.

"privacy incident" refers to any access to, use or communication of personal information that is not authorized by law, or any loss of personal information or other breach of its protection.

"law" denotes the Act respecting the protection of personal information in the private sector.

"concerned individual" refers to a natural person associated with particular personal information.

"profiling" refers to the collection and use of personal information in order to evaluate certain characteristics of a natural person, like analyzing work performance, economic situation, health, personal preferences, interests or behaviour.

"personal information" refers to any information that concerns a natural person and makes it possible to identify them, either directly, by using this information on its own, or indirectly, in combination with other information.

"sensitive personal information" refers to any personal information that — by its nature, like medical, biometric or otherwise intimate information, or because of the way in which it is used or communicated — raises a higher expectation of privacy.

"privacy officer" or "PO" designates an individual who, within the Organization, ensures the compliance and implementation of the act concerning the protection of personal information.

5. Scope of application

This policy applies to personal information held by the Organization and to any person who processes personal information for the Organization.

6. Guiding principles

The protection of personal information is ensured throughout its life cycle in compliance with the following principles, except as provided for by law.

6.1. Collection
6.1.1.

The Organization only collects personal information as necessary to carry out its activities. The Organization must have serious and legitimate reasons to warrant the collection and processing of personal information.

6.1.2.

Personal information is directly collected from the individual concerned unless the law allows for third party collection.

6.1.3.
At the time of collection, and upon request, the Organization must inform concerned individuals of:
  • the purpose(s) for which the information is collected ;
  • the means through which the information is collected ;
  • the access and rectification rights provided for by law ;
  • their right to withdraw consent to the communication or use of the information collected ;
  • where applicable, the name of the third party for which the personal information is being collected ;
  • where applicable, the third parties or categories of third parties to whom it is necessary to communicate the information for the declared purposes ;
  • where applicable, the possibility that the information may be shared outside of Quebec ;
  • where applicable, the use of technology ;
  • the means offered to activate functions making it possible to identify, locate or profile them.
6.1.4.

The information listed in paragraph 6.1.3 is outlined in simple and clear terms, by means of a privacy policy or a "just-in-time" notice.

6.1.5.

A concerned individual who provides their personal information after being informed in accordance with paragraph 6.1.3 is presumed to consent to its use and communication for the declared purposes.

6.1.6.
At the request of a concerned individual, the Organization will inform them of:
  • the personal information collected from them ;
  • the categories of persons who have access to this information within the Organization ;
  • the retention period for this information ;
  • the contact details of the Organization's PO.
6.1.7.

When the law requires consent to be obtained, consent must be explicit, free, and informed. Consent is requested for each purpose, in simple and clear terms. This consent is only valid for the time necessary to achieve the purposes for which it was requested.

6.2. Use
6.2.1.

The Organization only uses personal information for the purposes for which the information was collected. However, upon obtaining consent from the individual concerned, the Organization may modify these purposes.

6.2.2.
In the following cases, the Organization may use personal information for secondary purposes without the consent of concerned individuals:
  • when the use is for purposes compatible with those for which the information was originally collected (compatible purposes, however, exclude commercial or philanthropic prospecting) ;
  • when the use is manifestly for the benefit of the individual concerned ;
  • when its use is necessary for the purposes of preventing and detecting fraud or evaluating and improving protection and security measures ;
  • when its use is necessary for the purposes of providing or delivering a product or providing a service requested by the concerned individual ;
  • when used for study, research or statistical production purposes and the information is depersonalized.
6.3. Communication
6.3.1.

Subject to exceptions provided for by law, the Organization may not disclose personal information without obtaining the consent of the individual concerned. Consent must be given expressly when sensitive personal information is involved.

6.3.2.
The Organization may disclose personal information without consent to an agent or a service provider as part of a mandate or a service contract, including technical tools hosted on a cloud platform. To this end, the Organization must have a written agreement with the agent or the service provider stipulating, at the very least, the measures that the agent or service provider must take to ensure:
  • the confidentiality of the personal information communicated ;
  • this information is only used in the exercise of the mandate or the execution of a contract ;
  • personal information is not kept beyond the duration authorized.
In addition, the agreement must stipulate that:
  • the agent or the supplier must notify the PO without delay of any violation or attempted violation relating to the confidentiality of the information communicated ;
  • the Organization's PO reserves the right to carry out any audit relating to this confidentiality.
6.3.3.

When personal information is communicated outside Quebec, the Organization carries out a PIA in accordance with article 7 of the present document.

6.4. Storage
6.4.1.

The Organization takes all reasonable measures to ensure that the personal information it stores is up-to-date, accurate and complete in relation to the purposes for which it is collected or used.

6.4.2.

The Organization retains personal information for as long as necessary to carry out its activities, subject to specific retention periods.

6.5. Destruction and anonymization
6.5.1.

When the purposes for which the personal information was collected have been achieved, the personal information is destroyed or anonymized, in accordance with the Organization's retention periods.

7. Privacy impact assessment

7.1.
The Organization carries out a PIA in the following contexts:
  • before undertaking a project for the acquisition, development and redesign of an information system or electronic provision of services that involves personal information ;
  • when it intends to communicate personal information outside of Quebec.
7.2.

In carrying out a PIA, the Organization takes into account the sensitivity of the information to be processed, the purposes regarding its use, the quantity, distribution and medium, as well as the proportionality of the measures proposed to protect personal information.

7.3.

In addition, when personal information is communicated outside of Quebec, the Organization ensures that it is adequately protected, in alignment with best practices regarding the protection of personal information.

7.4.

The completion of a PIA serves to demonstrate that the Organization has complied with all obligations regarding the protection of personal information and that all measures have been taken to effectively protect this information.

8. Rights of concerned individuals

8.1.
Subject to what is provided for by law, any concerned individual about whom the Organization has collected personal information holds the following rights:
  • the right to access personal information held by the Organization and to obtain a copy of it, whether in electronic or non-electronic format ;
    • unless this raises serious practical difficulties, computerized personal information collected from an individual, and not created or inferred from personal information concerning them, is communicated to them in a structured and commonly used technological format, at their request. This information is also communicated, at their request, to any person or organization authorized by law to collect such information ;
  • the right to have any incomplete or inaccurate personal information held by the Organization rectified ;
  • the right to request the deletion of outdated or unjustified information, or to make written comments to the Organization's privacy policy ;
  • the right to ask the Organization to stop disseminating information or to de-index any hyperlink attached to their name by technological means, when the dissemination of this information violates the law or a court order ;
  • the right to ask the Organization to stop disseminating information or to de-index or re-index any hyperlink attached to their name, when the following conditions are met :
    • the dissemination of this information entails serious prejudice with respect to their reputation or their private life ;
    • this prejudice surpasses public interest or that of any person to express themselves freely ;
    • the requested cessation of dissemination, reindexing or deindexing does not exceed what is necessary to prevent ongoing harm, taking into account whether or not the person concerned is a public figure, the fact that the information concerns a minor, the fact that the information is up to date and accurate, the sensitivity of the information, the context in which the information is disseminated, the time elapsed between the dissemination of the information and the request made to the Organization ;
  • the right to be informed, where applicable, that personal information is being used to make a decision based on automated processing.
8.2.

Although the right of access can be exercised at any time, access to documents containing this information is subject to certain exceptions identified in the law.

8.2.1.
The Organization may refuse to communicate personal information concerning an individual when the disclosure of the information could likely risk:
  • interfering with an investigation carried out by the internal security service with the aim of preventing, detecting or repressing crime or violations of the law or, on its behalf, by an external service with the same object or by a holder of a security agency or investigation agency permit issued in accordance with the Act on private security ;
  • having an effect on a legal proceeding in which one or the other of these persons has an interest.
8.2.2.
The Organization must refuse to communicate personal information:
  • to an individual when its disclosure would likely reveal personal information about a third party or the existence of such information and that such disclosure would be likely to seriously harm that third party, unless the latter consents to its communication or if it is an emergency case endangering the life, health or safety of the individual ;
  • to the liquidator of the estate, to the beneficiary of a life insurance or a death benefit, to the heir or successor of the person concerned by this information, unless this communication involves the interests and rights of the person requesting it as liquidator, beneficiary, heir or successor, all subject to the rights of the spouse or parent of a deceased person mentioned above.
8.3.

The request for access to personal information must be sufficiently precise to allow the PO to identify said personal information. The right of access applies only to existing personal information.

8.4.

Organization staff members who wish to have access to their employment documents can do so directly through the PO.

8.5.

The PO responds in writing to requests for access or rectification, with diligence and at the latest within 30 days of the date of receipt of the request.

8.6.

Access to the personal information contained in a file is free of charge. However, the Organization may charge a reasonable fee for the transcription, reproduction or transmission of this information, after informing the applicant of the approximate amount payable, before proceeding with the transcription, reproduction or transmission of this information.

8.7.

When the PO grants a request for rectification or deletion, it notifies any person who has received the information within the previous six months and, if necessary, the person who holds it of this rectification or deletion. In addition, it provides the applicant, free of charge, with a copy of any modified or added personal information or, as the case may be, a certificate of the personal information deleted.

8.8.

If the Organization fails to respond within 30 days of receipt of the request, it is deemed to have refused to comply with it. In any event, the PO must justify any refusal to grant a request and indicate the provision of the law on which the refusal is based, the remedies available to the applicant under the law and the deadline within which they can be exercised. Upon request, the PO must also provide assistance to help applicants understand the reason for the refusal.

9. Complaint handling procedure

Any complaint relating to the Organization's personal information protection practices or their compliance with requirements of the law concerning personal information is sent to the PO, who responds within 30 days.

Les Produits du Québec

[email protected]

10. Security of personal information

10.1.

The Organization implements reasonable security measures to ensure the confidentiality, integrity and availability of personal information collected, used, disclosed, stored or destroyed. These measures take into account in particular the degree of sensitivity of the personal information, the purpose of their collection, their quantity, their location and their medium.

10.2.

The Organization manages the access rights of its staff members so that only those who need access as part of their duties have access to personal information.

11. Privacy incidents

11.1.

Any confidentiality incident involving personal information must be reported to the PO. The Organization then takes reasonable measures to reduce the risks of harm being caused and prevent new incidents of the same nature from occurring.

11.2.

Any confidentiality incident is recorded in the register of confidentiality incidents, in accordance with Article 12.1 of this policy.

11.3.

If the confidentiality incident poses a risk of serious harm to the concerned individuals, the Organization promptly notifies them as well as the CAI, in accordance with its terms of reference.

12. Registry of privacy incidents

12.1.

In accordance with the law, the Organization maintains an up-to-date registry of confidentiality incidents.

12.2.

The PO is responsible for maintaining the registry and updating it.

12.3.

The registry is kept for a minimum of five years following the date of the last known confidentiality incident.

13. Roles and responsibilities

13.1.

The protection of the personal information that the Organization holds is based on the commitment of all those who process this information, namely:

13.2.
The Privacy Officer:
  • ensures compliance and implementation of the law ;
  • ensures the establishment and implementation of the policies and practices governing the company's handling of personal information and ensuring its protection, in particular by approving them ;
  • is consulted, for the purposes of a PIA, from the beginning of any project of acquisition, development and redesign of information systems or electronic provision of services involving the collection, use, communication, retention or destruction of personal information ;
  • may suggest, at any stage of a project referred to in the previous point, measures to ensure the protection of the personal information involved in the project, such as :
    • the appointment of a person responsible for the implementation of protective measures ;
    • personal information protection measures in any document relating to the project ;
    • a description of the responsibilities of the project participants in relation to the protection of personal information ;
    • the holding of training activities on the protection of personal information for project participants ;
  • is responsible for maintaining the confidentiality incident registry ;
  • participates in the assessment of the risk of serious harm related to a confidentiality incident, in particular with regard to the sensitivity of the information concerned, the anticipated consequences of its use and the probability that this information will be used for malicious purposes ;
  • if necessary, records the communication of a confidentiality incident to a person or an organization likely to reduce a risk of harm ;
  • if necessary, carries out checks of confidentiality obligations in connection with the communication of personal information as part of mandates or service contracts entrusted to third parties in accordance with Article 6.3.2 of this policy ;
  • receives written requests for the exercise of rights from concerned individuals and ensures compliance with paragraphs 8.5 to 8.8 of this policy.
13.3.
Any person, including a supplier, who processes personal information that the Organization holds:
  • acts with care and integrates the principles set out in this policy into its activities ;
  • accesses only the information necessary for the performance of their duties ;
  • integrates and retains information only in files intended for the performance of their duties ;
  • keeps these files in such a way that only authorized persons have access to them ;
  • protects access to personal information in their possession or to which they have access by a password ;
  • refrains from communicating the personal information that they become aware of in the exercise of their duties, unless they are duly authorized to do so ;
  • refrains from retaining, at the end of their employment or contract, personal information obtained or collected in the course of their duties, and maintains their confidentiality obligations ;
  • destroys any personal information in accordance with the Organization's retention periods ;
  • reports any breach, confidentiality incident or any other situation or irregularity that could compromise in any way the security, integrity or confidentiality of personal information in accordance with the procedure established by the Organization.

14. Sanctions

Any person who violates this policy is liable to disciplinary or contractual sanctions, including the termination of employment or business relationship(s).

15. Updates

This policy may be updated to follow best practices pertaining to the protection of personal information and to reflect the Organization's practices.

16. Coming into force

This policy comes into effect once signed by the Privacy Officer.