Governance and internal management policy on the protection of confidential information

Preamble

As holders of personal information, we have a responsibility to protect the privacy of individuals and to comply with applicable data protection laws and regulations. This policy is largely based on the amendments made to Law 25.

Objectives

This policy is an essential tool for regulating the processing and protection of confidential data within our organization.

Scope of application

This policy applies to all Fortin Gaignard employees.

In addition, this policy applies to personal information collected, held, retained, communicated and used by the organization.

Collection and use of personal information

Personal information collected by Fortin Gaignard is provided to us directly by you, either verbally or by completing blank fields on various Web pages or forms (this list is not exhaustive):

  • Employment contract;
  • Financial statements;
  • Federal and provincial tax documents; and
  • Invoices.

Consent

The collection of certain personal information is subject to specific consent. Fortin Gaignard will only use personal information that is necessary for the purposes for which it was collected. In the event that Fortin Gaignard wishes to use your personal information for a purpose other than that described in this Policy, we will obtain your prior consent.

If you choose to refuse or withdraw your consent to the collection, use or sharing of your personal information, the organization will provide you with relevant information explaining the consequences of such withdrawal. Please note, however, that if you refuse to allow Fortin Gaignard to collect certain essential personal information (such as your contact information), we may not be able to provide you with the services you have requested.

Access to your personal information

Personal information collected by the company is accessible to our employees or partners who need it to perform their duties. Our employees and partners must maintain the confidentiality of this information at all times, and must regularly undergo training and awareness-raising activities on the security and protection of personal information.

Collection of personal information

The concept of personal information refers to any information that concerns a natural person and makes it possible, directly or indirectly, to identify him or her. The following is a non-exhaustive list of personal information that may be collected:

  • Customer and employee e-mail addresses;
  • Residence address of customers and employees;
  • Employee bank account number;
  • Copies of individual tax returns;
  • Curriculum vitae;
  • Date of birth of employees;
  • Diploma and/or school transcript;
  • Biometric fingerprint;
  • Confidential financial information in customer file;
  • Employee SIN;
  • Credit card number;
  • Cell phone numbers of employees and customers; and
  • Compensation.

Retention of personal information

Company employees ensure the confidentiality of personal information in the performance of their duties. To this end, they:

  • Adhere to privacy policies, guidelines and procedures;
  • Do not reveal, without authorization, any personal information that has come to their knowledge in the performance of their duties;
  • Participate in training and awareness-raising activities;
  • Access only the personal information required to perform their duties;
  • Ensure that the personal information they use is complete, up-to-date and accurate for the purposes for which the company collects or uses it; and
  • Do not retain any personal information brought to their knowledge in the course of their duties, and continue to maintain its confidentiality.

Use of personal information

Employees use personal information only for the purposes for which it was collected. Any other use must be authorized in advance by the manager or the person responsible for access.

They ensure that this new use complies with the law (that is, it is authorized by law or requires the consent of the person concerned). Fortin Gaignard employees use personal information in the course of their duties and must:

  • Limit the use they make of it to the performance of their duties;
  • Ensure confidentiality in all circumstances; and
  • Immediately inform their immediate superior and the person responsible for access of any situation where the confidentiality of personal information may have been compromised.

Accuracy and updating of your personal information

It is possible to request an update or changes to your personal information by contacting us as specified below. Management will endeavour to correct or update personal information that an employee identifies as inaccurate or incomplete.

It is therefore essential that the information contained in the file be accurate and regularly updated. Should a user wish to modify his or her information, he or she must contact a reference person within the organization.

Organization references

In order to guarantee the security of your information, the company has selected key partners specialized in the protection of your data.

Name: Responsibility(ies)

  • Dany Brisson: Associate
  • Sylvain Crochetière: Associate
  • Karyne Aubin: Administrative Assistant and Privacy Policy Manager

Possibility of filing a complaint

In the event of non-compliance with this policy, the organization offers the possibility of lodging a complaint.

This complaint can be made directly to the organization’s contact person.

Training

To ensure continued improvement in the protection of personal information, employees are trained to develop a thorough understanding of good data protection practices and encourage a culture of privacy.

Fortin Gaignard currently has two different training mechanisms. First, the company undertakes to present this policy to all its employees. The team will then receive annual awareness training to ensure that the regulations and obligations of Bill 25 are fully understood.

Management commitment

The organization is committed to promoting and supporting a culture of respect and protection of personal information. To this end, Fortin Gaignard is implementing a number of measures aimed at protecting information. Here are just a few of them:

  • Shred-it (document shredding when files are finished);
  • Locked filing cabinets;
  • Alarm system;
  • Doors closed during telephone discussions or virtual meetings with customers;
  • Secure document transmission with password known only to the customer;
  • Computer password protection; and
  • Use of secure portals for document filing.

Destruction of personal information

Fortin Gaignard employees securely destroy personal information once the purposes for which it was collected have been fulfilled, in accordance with the retention schedule and document management rules.

Review

This policy is revised from time to time, at intervals not exceeding 3 years from the date of its adoption or last revision.

Entry into force and revision

This privacy policy comes into effect on September 22, 2023.