Privacy Policy

Last revised: October 26, 2023.

Empreinte Digitale Québec is committed to safeguarding the personal information it holds. Personal information is confidential, except as required by law. Anyone with access to personal information held by the Empreinte Digitale Québec must take the necessary steps to ensure its protection and confidentiality. This policy and its related procedures outline the measures to be taken to reduce the risks of a confidentiality breach, determine its handling when necessary, and prevent similar incidents from occurring in the future.

 

1.INFORMATION COLLECTION BASED ON BUSINESS RELATIONSHIP AND SERVICES RENDERED NEEDS.

In the context of the services provided to its clients or for marketing purposes, the Empreinte Digitale Québec collects certain information, which may include personal data. This information can be obtained through the voluntary disclosure of individuals during our communications or through technological applications (forms, emails, applications, or others). This information is used to sell products, provide services, or make offers.

By providing this information to the Empreinte Digitale Québec or by using the technological means on our website, social networks, or any applications or services offered by the Empreinte Digitale Québec, you consent to the collection and use of this information.

The Empreinte Digitale Québec strives (and only if required for our activities) to exchange or transmit this information to reliable partners for whom we have ensured that they apply satisfactory security and confidentiality measures. To the extent possible, all information is stored on servers in Quebec or at least within Canada.

Every individual has the right to obtain details of the information held about them and to request corrections if necessary.

 

2.INFORMATION RETENTION AND DESTRUCTION
 
On request, any individual can obtain details about the methods of storing their personal information, including who has access to it, its usage, and the duration of retention before the information is destroyed.

 

3.CONFIDENTIALITY INCIDENT AND PROCEDURE 

The following procedure outlines the steps to be taken when the Empreinte Digitale Québec has reasonable grounds to believe that a confidentiality incident has occurred (or if such an incident is confirmed) involving personal information it holds, in accordance with the Private Sector Privacy Act, Chapter P-39.1, and the Privacy Incident Regulations.

 

4.DEFINITION

Here are the definitions to be considered for the application of this procedure, which may be supplemented by any other regulations, policies, directives, or procedures referencing them:

Confidentiality Incident: Unauthorized access, use, or disclosure of personal information as prohibited by law, as well as its loss or any other form of breach of its protection.

Here are some examples:

  • Unauthorized access to a computer system by a hacker.
  • Unauthorized use of personal information from a database by a person in the course of their duties for identity theft.
  • Accidental communication of sensitive information to the wrong person.
  • Loss or theft of documents containing personal information.
  • Unauthorized intrusion into a database containing personal information for the purpose of altering it.

Personal Information: Any information concerning an individual that allows for their identification. A person’s name, in isolation, is not considered personal information. However, when this name is associated or linked with another piece of information pertaining to the same individual, it then becomes personal information.

Here are some examples of personal information:

  • A person’s name and date of birth.
  • Social security number.
  • Credit card number.
  • Health insurance number.
  • Medical or financial information.
  • A person’s name and their personal phone number.
  • A person’s name and their home address.

Sensitive Personal Information: Personal information is considered sensitive when, by its nature, especially when it’s medical, biometric, or otherwise intimate, or due to the context of its use or disclosure, it gives rise to a high degree of reasonable privacy expectations.

This may include, for example, medical, biometric, genetic, or financial information, as well as information about ethnic origin, political beliefs, life or sexual orientation, or religious convictions.

 

5.PERSONAL INFORMATION PROTECTION

The Empreinte Digitale Québec implements appropriate and reasonable security measures to protect personal information against loss or theft, as well as against unauthorized access, disclosure, copying, use, or alteration as prohibited by law. Only staff members who absolutely need access to personal information in the course of their duties are authorized to access it.

Staff members of the Empreinte Digitale Québec or those working on its behalf must:

  • Make reasonable efforts to minimize the risk of unintentional disclosure of personal information.
  • Take special precautions to ensure that personal information is not monitored, overheard, accessed, or lost when working in locations other than Empreinte Digitale Québec offices.
  • Take reasonable steps to protect personal information when moving it from one location to another.

 

6. CONFIDENTIALITY INCIDENT REPORTIN

Anyone to whom the Empreinte Digitale Québec discloses personal information (colleagues, suppliers, partners, experts, including subcontractors) must report an incident of confidentiality if they have reasonable grounds to believe that a confidentiality incident involving personal information held by the Empreinte Digitale Québec has occurred. To do so, this report must be made without delay to the person responsible for the protection of personal information.

A staff member of the Empreinte Digitale Québec who has reasonable grounds to believe that a confidentiality incident involving personal information held by the Empreinte Digitale Québec has occurred must also notify their immediate supervisor.

Any serious incident involving a large number of individuals or sensitive information that could cause significant harm must be reported to the Commission d’accès à l’information (Access to Information Commission) as soon as it becomes known.

 

7. PERSON RESPONSIBLE FOR PERSONAL INFORMATION: ROLES AND RESPONSIBILITIE

The individual responsible for the protection of personal information for the Empreinte Digitale Québec can be reached at the following contact information:

  • Mario Pilon, President/Founder
  • Email : mario.pilon@empreintedigitalequebec.com
  • Phone : 514 497-4017

Their role includes:

  • Contributing to the establishment of the confidentiality incident management process.
  • Keeping the register of confidentiality incidents up to date, documenting these incidents, and ensuring the necessary follow-up on their resolution.
  • Maintaining the register of complaints, documenting these complaints, and ensuring the necessary follow-up on their resolution.
  • Participating in the analysis of confidentiality incident risks to identify threats and vulnerabilities and implement appropriate solutions.

In the event of a confidentiality incident, the person responsible for the protection of personal information takes charge of managing the incident and collaborates with any other relevant individuals depending on the nature of the incident.

In this capacity, :

  • They assess the risk of harm and determine the severity level during the evaluation. This assessment considers factors such as the sensitivity of the information involved, the anticipated consequences of its use, and the probability of it being used for harmful purposes.
  • With due diligence, they notify the individual whose personal information is affected by the incident when there is a risk of causing serious harm, unless it would hinder an investigation conducted by a person or organization legally responsible for preventing, detecting, or prosecuting crimes or violations of the law.

This notice must contain the following information:

  1. A description of the personal information affected by the incident, or if this information is not known, an explanation for the inability to provide such a description;
  2. A brief description of the circumstances surrounding the incident;
  3. The date or the period when the incident occurred, or if this is not known, an approximation of that period;
  4. A brief description of the measures the organization has taken or plans to take following the incident to reduce the risk of harm;
  5. Recommendations for actions that the affected individual can take to reduce the risk of harm or mitigate such harm;
  6. Contact information for the affected person to seek further information regarding the incident.
  • They notify, if necessary, any person or organization that can help reduce the risk, providing only the necessary personal information for that purpose.
  • They promptly and in writing notify the Commission d’accès à l’information (Access to Information Commission) of the confidentiality incident when it poses a risk of causing serious harm.

This notice must include the following information:

  1. The name of the company (Empreinte Digitale Québec) and the Quebec Enterprise Number assigned to it under the Loi sur la publicité légale des entreprises (Law on the Legal Publicity of Enterprises);
  2. The name and contact information of the person to contact within the Empreinte Digitale Québecregarding the incident;
  3. A description of the personal information affected by the incident, or an explanation if this information is not known;
  4. A brief description of the circumstances of the incident and, if known, its cause;
  5. The date or period when the incident occurred or an approximation of that period;
  6. The date or period during which the Empreinte Digitale Québecbecame aware of the incident;
  7. The number of individuals affected by the incident, and among them, the number residing in Quebec, or an approximation if these numbers are not known;
  8. A description of the factors leading the Empreinte Digitale Québecto conclude that there is a risk of causing serious harm to affected individuals, such as the sensitivity of the personal information involved, potential malicious uses of this information, anticipated consequences of its use, and the likelihood of it being used for harmful purposes;
  9. Measures taken or intended to be taken by the Empreinte Digitale Québecto notify affected individuals, including the date when individuals were informed or the expected timeframe for notification;
  10. Measures taken or intended to be taken by the Empreinte Digitale Québecfollowing the incident, including those aimed at reducing the risk of harm, mitigating such harm, and preventing similar incidents from occurring in the future, along with the timeline for implementation;
  11. If applicable, a statement indicating that a person or organization outside of Quebec with responsibilities similar to those of the Commission d’accès à l’information regarding the oversight of personal information protection has been notified of the incident.

 

  • They promptly notify the insurers of the Empreinte Digitale Québec, if applicable.
  • They record the confidentiality incident in the designated register.
  • Upon request from the Commission d’accès à l’information, they provide a copy of this register.

 

 

8. INCIDENT LOG FOR CONFIDENTIALITY INCIDENT

Empreinte Digitale Québec is required to maintain a record of confidentiality incidents.

8.1 Retention Period for Information in the Register

The information contained in the register must be kept up to date and retained for the longer of the two following periods: for a minimum of five years from the date Empreinte Digitale Québec became aware of the incident or the period required by any government agency or applicable law and regulation.

 

9. COMPLAINTS REGISTER AND THEIR HANDLING
 
Empreinte Digitale Québec is required to maintain a complaints register and record the handling of complaints.

9.1 Retention Period for Information in the Registe

The information contained in the register must be kept up to date and retained for the longer of the two following periods: for a minimum of five years from the date Empreinte Digitale Québec became aware of the incident or the period required by any government agency or applicable law and regulation.

 
10. EFFECTIVE DATE

This policy and its procedures come into effect on September 22, 2023.

11. CONTACT US

If you have any questions about our privacy policy, want to exercise your rights as outlined above, file a complaint, or update your personal information, please contact our person responsible for personal information protection in the following way:

By email: mario.pilon@empreintedigitalequebec.com

By mail: Empreinte Digitale Québec, Attn: Person Responsible for the Personal Information Protection Policy, 306-1555, boul. de l’Avenir, Laval (QC) H7S 2N5. We will make our best efforts to process your request promptly.