Personal Information Protection Policy

  1. Statement and Objectives

Under Law 25, which is the Act respecting the protection of personal information in the private sector, CAM Mécanique Inc. is implementing its personal information protection policy. We are committed to doing everything possible to protect your personal information and aim to regulate the way in which this confidential information will be processed.

  2. Definition

Personal information: Information that concerns a natural person and allows them to be identified, directly or indirectly. For example, this could be a person's name, address, email address, telephone number, gender or banking information, health information, ethnic origin, language, etc.

This very broad definition includes most types of information collected, including race, medical, criminal, employment and financial history.

Sensitive personal information: Personal information is sensitive when, by its nature, the context of its use or communication, its level of awareness is very high and requires particular attention to its protection. In particular, the following information is considered sensitive: medical information, biometric, genetic or financial information, or, even, information on life or sexual orientation, religious beliefs or ethnic origin.

Consent: Consent is the authorization of the person holding the personal information to collect and use their personal information. Consent is not presumed. It must be manifest, free, informed and given for specific purposes, in simple and clear terms, for the duration necessary to achieve the purposes for which it was requested.

Minor: Person under the age of 18.

Major: Person aged 18 and over or emancipated person under 18 years of age.

  3. Types of Information
  • Identification information (last name and/or first name, date of birth, address, email, marital status, contact details, identification document information such as driving license, passport, or social insurance number, etc.);
  • Information to confirm identity (username, signature, account information, etc.);
  • Personal information relating to you (racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, sexual orientation, gender identity, etc.);
  • Information related to recruitment (curriculum vitae, education, professional history, training, medical file, etc.)
  • Biographical information (job title, name of employer, locations, etc.)
  • Photos, video content, audio content;
  • Billing information (billing address, bank account information, payment data);
  • Financial information (salary, income, balances, credit reports and credit rating, professional and financial history, etc.);
  • Service information, such as details of the services we have provided to you;
  • Information relating to marketing (comments, responses to surveys, interactions on social networks, email lists, etc.);
  • General information (why you are doing business with us, preferences in terms of language of communication).
  4. Purposes for which personal information is collected
  • Establish and manage relationships with our clients.
  • Provide our services as a subcontractor in the field of air conditioning, ventilation, heating and refrigeration.
  • Establish commercial relationships with our customers, particularly for billing management, account administration, collection and processing of payments, limiting the risk of unpaid debts, enabling the recovery of payments due.
  • Meet legal and regulatory obligations.
  • Prevent fraud and/or conduct any background checks required by applicable law or regulation.
  • Carry out development and research to ensure that we maintain the highest standard of security and understand the requirements of our customers to improve our offer.
  • Recruit staff, process applications and evaluate the candidate's profile in relation to the position requirements.
  • As permitted or required, for any applicable legal or regulatory obligation or provision.
  • Any other purpose to which you have consented.
  5. Our roles, responsibilities and scope of application of the law

CAM Mécanique Inc. takes responsibility for implementing this policy and establishing mechanisms and actions to collect, retain, use, communicate and destroy the personal information we collect.

A person within the organization is responsible for protecting personal information.

Sandrine Leblanc, Director of Human Resources

[email protected] or 438-883-7491

The person responsible:

  • Will ensure that the policies and procedures in place are followed by employees.
  • Will establish standards for classifying the sensitivity of personal information to determine the appropriate level of protection as well as the method of retention.
  • Will ensure open, transparent and complete communication with employees and other people with access to personal information regarding expectations, good practices and compliance with procedures and policies in place.
  • Will provide the same training to all employees to understand, apply and deal with the procedures and policies in place.
  • Will ensure that procedures are in place to notify individuals of any inappropriate collection, retention, use, disclosure, protection or destruction of their personal information.
  • Will ensure compliance with this policy and update it as necessary.

Employees must:

  • Find out about their obligations regarding the conservation, use, communication, protection and/or destruction of this personal information.
  • Report any violation of the policy in force to their superior.
  • Find out the purposes for which the information is obtained. If they cannot do this, they will have to contact another employee who can explain the reason for the collection.

Managers, executives and/or supervisors must, in addition to the responsibilities mentioned above:

  • Inform their employees of their obligations regarding the conservation, use, communication, protection and/or destruction of this personal information.
  • Examine any question brought to their attention regarding this policy.
  • Notify the human resources manager of questions and/or interrogations.
  6. Limitation on collection, use and disclosure of personal information

CAM Mécanique Inc. strives to limit the collection of personal information to what is strictly necessary to accomplish the purposes for which it is collected. Please be assured that we will not disclose or use your personal information for any other purpose, unless you consent or the law provides for it.

In addition, we limit access to your personal information to people who have the capacity and need to access it, and only for a specific purpose.

Please note that we do not knowingly collect information from anyone under the age of 18.

  7. Measures and actions taken for the retention, protection and destruction of personal information
  • Policies, practices and procedures

We have implemented policies, practices and procedures relating to the management of the personal information we hold.

These internal policies and procedures govern the collection, use, disclosure, retention and destruction of personal information as well as the handling of complaints, information security and data governance. They also provide the framework for implementing privacy impact assessments and the prevention and potential response to privacy incidents.

  • Retention for a limited period

The information will be kept according to the standards applicable in the law. The retention of information on all media (digital or physical) considers the degree of sensitivity or the nature of this information, which means that some of this information could be retained for longer.

  • Places of conservation

Whether the conservation is digital or physical, CAM Mécanique Inc. ensures compliance with current legislation regarding computer security and the physical security of personal information. As a result, different actions such as secure passwords, locks or encryption of information are put in place.

  • Destruction

Depending on the medium used, the appropriate destruction method will be chosen. This can be done through various means, such as: shredding, incineration, formatting, rewriting, physical destruction, degaussing, overwriting information, and/or replacing the hard drive.

  8. Obtaining consent

Where possible, we try to obtain consent from the individual before collecting their personal information. The form of consent may vary depending on the circumstances and the type of information sought. Consent may be express or implied and may be provided directly by the individual or their authorized representative.

We prefer to obtain explicit consent, whether verbally, electronically or in writing. Implied consent may be reasonably inferred from an individual's action or inaction, for example, providing a name and address to receive information or a name and telephone number to obtain a response to a request. To determine the appropriate type of consent, we consider the sensitivity of the personal information involved, the purposes for which it is collected and the reasonable expectations of the individual. If we want to use personal information for a new purpose, we will describe the intended use and ask for consent again.

It is not always possible during an investigation to obtain the person's consent to collect, use or communicate their personal information. If, for example, you request information about one of our services, we will consider that you accept that we communicate with you to answer your questions.

We will not use your personal information without your consent, except:

  • if it is to be used for the same purposes as those for which the information was initially collected or compiled.
  • if we must comply with a court order or other binding request.
  • if there is an investigation into the violation of a contract and/or law.
  9. Rights of an individual regarding their personal information

 

  • Right to accept or refuse to provide your personal information

Your information always belongs to you. You have the right to withdraw your consent to the collection, use or communication of your information. A request from you at this level will be processed as soon as possible.

However, certain information is essential so that we can provide you with the services and products we offer. If you refuse to provide them, it may be difficult, if not impossible, to establish or maintain a business relationship with you or even to offer you some of our services.

  • Right to refuse the use of your information for certain purposes

You have the right to refuse our use of your information or withdraw your consent for the purposes of promotional communications, advertising/posting on social networks, our online payment services and other means in which we collect information.

To withdraw your consent, you must make a request to the person responsible for the protection of personal information indicated in the policy. This request will be processed as soon as possible.

  10. Privacy Incident Management
    • Definitions

For the purposes of this policy, the following constitute a confidentiality incident:

  1. Access not authorized by the Act respecting access to personal information. For example:
  • An employee who consults personal information not necessary for the performance of their duties by exceeding the access rights granted to them or a computer hacker who infiltrates a system.
  • A person who interferes with a database containing personal information to alter it.
  • An employee consults personal information without authorization.
  • The organization is the victim of a cyberattack, such as phishing or ransomware.
  2. Use of personal information not authorized by the Access Act. For example:
  • An employee who uses personal information from a database to which he/she has access in the course of his/her duties for the purpose of usurping the identity of a person.
  3. Communication not authorized by the Act respecting access to personal information. For example:
  • A communication made by mistake to the wrong person by their employer.
  • The communication of personal information contrary to the provisions of the Access Act.
  • An employee communicates personal information to the wrong recipient.
  4. The loss of personal information or any other breach of the protection of such information. For example:
  • A person who loses or has documents containing personal information stolen.
  • Forgetting to redact personal information in a document.
  • Sending an email containing personal information.

  • Handling a confidentiality incident

If CAM Mécanique Inc. has reason to believe that a confidentiality incident has occurred, the company will take reasonable measures to eliminate the risk at source and put in place actions and mechanisms to prevent another incident of the same type from occurring, which may include the sanction of the person involved.

If the confidentiality incident presents a risk that serious harm will be caused, CAM Mécanique Inc. must, diligently, notify the Commission d’accès à l’information and any person concerned by the incident. The company must then consider:

  1. The sensitivity of the information concerned
  2. The anticipated consequences of its use; and
  3. The likelihood that the information will be used for harmful purposes.

The person responsible for personal information will therefore be informed as soon as possible.

  • Confidentiality incident log

CAM Mécanique Inc. will keep a register of confidentiality incidents, in accordance with the requirements of the Commission d’accès à l’information. The register will contain:

  • A description of the personal information affected by the incident.
  • The circumstances of the incident.
  • The date, the place.
  • The person(s) targeted.
  • Assessment of the severity of the risk of harm.
  • Actions taken in response to the incident.
  11. Process for handling complaints relating to the protection of personal information

Filing the complaint

Any person who has reason to believe that a confidentiality incident has occurred and who considers that CAM Mécanique Inc. has failed to protect the confidentiality of personal information must file a complaint with the person responsible for personal information. The complaint must be filed in writing with various necessary details (time, date, location, nature of the information, etc.). The situation will be addressed within a period deemed reasonable by CAM Mécanique Inc. If the complaint concerns the person responsible for the protection of personal information, the complaint must be filed with the vice-president at [email protected] as soon as possible.

Complaint handling

The person responsible for the protection of personal information or the vice-president, if applicable, is responsible for receiving and processing the complaint within 20 working days. If this proves to be justified, CAM Mécanique Inc. takes the required measures to correct the situation as quickly as possible in accordance with paragraph 10.2 of this policy and proceeds to enter the incident in the register, as indicated in paragraph 10.3.

  12. Video surveillance

The use of video surveillance is carried out in compliance with the obligations provided for in particular by the Civil Code of Quebec, by the Charter of human rights and freedoms as well as by the Access Act.

  13. Updating this policy

CAM Mécanique Inc. will ensure that this policy is updated regularly, in accordance with applicable legislation. If changes need to be made to the Policy, update notices (such as online notices or emails) may be used to notify you of these changes.

Otherwise, the posting of the revised policy on the Site will be deemed sufficient notice and, by continuing to use the Site or submitting personal information to us, you accept the changes to our policy.

Of all translated versions of this Policy, the French version will prevail in the event of any differences. The policy will be reviewed every 3 years unless there are substantial legal changes.

Any violation of this policy, whether committed intentionally or through negligence, may result in disciplinary action up to and including dismissal. Legal sanctions can also be taken, if necessary.