Privacy Policy

Adopted on April 16, 2025

N.B. To facilitate the reading of this policy, we have used the masculine gender as a neutral form to refer to both women and men.

Preamble

In the course of its management activities, Carrefour Emploi des Collines (CJE-CEC) must collect, process, and communicate information deemed to be personal. In this context, CJE-CEC wishes to implement, in accordance with the Act respecting the protection of personal information in the private sector, Chapter P-39.1, processes, methods, regulations, and policies to ensure that the collection, processing, communication, protection, and destruction of personal information comply with the legislation in force in this area and, ultimately, to ensure that there are no confidentiality incidents and, if there are, to have the necessary processes in place to minimize or eliminate serious harm.

Policy objectives

The objectives of this policy are:

comply with the Act respecting the protection of personal information in the private sector, c. P-39.1;
understand what personal information is;
protect personal information held, acquired, processed, transmitted, and destroyed in the course of our mission by implementing appropriate policies and practices;
respond effectively and demonstrate diligence;
clearly define the responsibilities and obligations of all persons with access to this type of information within the organization;
establish the actions to be taken in the event of a risk of a confidentiality incident with or without serious harm;
establish rules for the retention of personal information;
establish methods for the secure destruction of personal information.

Scope

This policy applies to all CJE-CEC staff, as well as to board directors, particularly in:

workplaces;
any other place where people must be present as part of their job (e.g., meetings, training, travel, social activities organized by the employer);
communications by any technological or other means.

Legal framework

This policy is based on the following laws:

the Act respecting the protection of personal information in the private sector, c. P-39.1;
Act respecting the legal framework for information technology, sections 44 and 45;
Act respecting Access to documents held by public bodies and the Protection of personal information, sections 122, 123, 134.2;
as well as other related laws, regulations, and standards.

Definitions

Anonymize:

An irreversible process whereby personal information is processed in such a way that it is impossible to identify the individual concerned, either directly or indirectly.

Depersonalization:

Process of rendering information incapable of directly identifying the person concerned.

Privacy incident:

Refers to any access, use, or disclosure of personal information not authorized by law, as well as the loss of personal information or any other breach of its protection.

List :

Names, telephone numbers, geographic addresses of natural persons, or technological addresses where a natural person can receive communication of a document or technological information.

Data subject:

A natural person who is concerned by personal information that allows them to be identified, directly or indirectly.

Serious harm:

Harm that, given the sensitivity of the personal information, the consequences of its use, and the likelihood that it will be used, could be detrimental to the individual concerned.

Personal information:

Any information that relates to a natural person and that allows, directly or indirectly, to identify them, e.g., reason for absence, timesheet, diploma, resume, disciplinary record, social or family situation, nominal information (including email address), etc. Business contact information is not considered personal information within the meaning of the Act.

Sensitive personal information:

When it gives rise to a high degree of reasonable expectations of privacy, due to its nature or the context in which it is used, e.g., medical, biometric (morphological, behavioral, biological characteristics), intimate (health, sexual orientation, ethnic group, financial status, philosophical or religious beliefs).

Person responsible for the protection of personal information

This officer is the individual responsible for ensuring that the Act is applied and complied with. Senior management is designated as the officer by default unless the board of directors delegates this responsibility to another person by resolution.

The form for Designating and committing the person responsible for protecting personal information is available in Appendix 1.

Role and responsibilities of the person responsible for protecting personal information throughout the life cycle of personal information

The person responsible for protecting personal information is the CJE-CEC’s senior management. They must:

develop and implement policies and practices that govern the management of personal information;
take inventory of the personal information held in order to understand its nature and assess its sensitivity;
know who has access to this personal information and ensure that access is required for the performance of their duties;
raise awareness and train staff and administrators;
apply or enforce policies and practices regarding personal information;
hold, process, and disclose personal information in accordance with the rules set out in the Act;
Implement measures to prevent or limit the consequences of a privacy incident involving personal information.
Manage privacy incidents and keep a record of them.

Role and responsibilities of persons with access to this type of information

All individuals with access to this type of information, regardless of their status, are responsible for protecting and using personal information accessed in the course of their work appropriately throughout the life cycle of the personal information. Administrators have the same responsibility with regard to access to documents relating to the legal entity.

At no time shall employees or administrators collect, consult, transmit, or destroy personal information without first obtaining permission from the person responsible for the protection of personal information or, in their absence, their replacement (Appendix 1).

The collection of personal information must comply with the following three elements:

obtain the consent of the individual concerned;
be able to demonstrate the necessity of collecting the information;
collect information only directly from the individual concerned.

Failure to comply with these obligations could result in disciplinary proceedings, which could lead to dismissal for an employee and removal from office for a director.

Security of personal information collected through information technology

Information technology

The CJE-CEC uses information technology to support its operations. The personal information collected is used to provide services that meet the expectations of the individuals concerned and to fulfill the CJE-CEC’s service mandate. All personal information collected is stored in a secure environment in accordance with the requirements of the Act.

Persons concerned

All persons concerned are required to follow the guidelines set out in this policy and to act at all times to preserve the security of personal information collected by information technology, held and processed by the CJE-CEC. As provided for in the policy, the CJE-CEC implements security and management measures that are appropriate, useful, and necessary, depending on the sensitivity of the personal information collected and processed by information technology.

Access to personal information collected by information technology

Access to personal information obtained through information technology will be limited to individuals within the CJE-CEC who are authorized to receive such information when it is necessary for the performance of their duties.

Identification, location, and profiling

In the event that the CJE-CEC has used technology that includes functions enabling identification, location, or profiling, it is understood that the person concerned will be informed in advance:

the use of such technology;
the means available to activate functions that enable identification, location, or profiling.

Use of Personal Information

Personal information may only be used for the purpose for which it was collected. If personal information is to be used for another purpose, the consent of the individual concerned must be obtained prior to the use of the personal information.

As provided for in the Act, the collection of personal information gives the individual concerned permission to use the information collected. Specifically, the limits on the use of personal information are as follows:

limit access to personal information to only those individuals within the organization who have a legitimate need to know the information in order to perform their duties;
limit the use of personal information. Unless an exception is provided for in the Act, consent must be obtained from the individual concerned to use their information once the purpose of the file has been fulfilled.

Safety during use

When using personal information, the person using it must ensure its protection. The person must, without limitation:

Do not give access to personal information to anyone who is not authorized to see it.
If the person using the personal information temporarily leaves their workspace, the personal information must be placed out of sight of passersby:
- Personal information must be stored in a locked location.
- The computer screen must be locked.

When discussing personal information, such discussions must take place in a private location where the discussion cannot be overheard by individuals who are not authorized to access it.

Disclosure of personal information

Before any communication, whether verbal or written and by any means (telephone, email, text message, letter, report, website, etc.), the consent of the person concerned is required, except in cases provided for by law.

Specifically, the following obligations must be met:

obtain the consent of the individuals concerned to disclose their information to a third party (e.g., insurer or service provider), unless an exception is provided for by the Act;
comply with the consent rule for disclosure;
comply with the obligations set out in the Act when disclosing personal information without the consent of the individual concerned;
comply with the specific obligations applicable to the disclosure of personal information outside Quebec.

Authorization to collect and use personal information does not allow for the disclosure of such information to third parties.

The person concerned must complete and sign the Form for Consent to Disclosure of Personal Information.

Personal information held by CJE-CEC may be disclosed outside Quebec, such as elsewhere in Canada or outside the country. For example, when CJE-CEC uses cloud service providers whose servers are located outside Quebec, or when CJE-CEC does business with subcontractors or partners located outside the province.

Handling complaints about privacy

To exercise their rights of access, rectification, or withdrawal of consent, the individual concerned must submit a written request to that effect to the CJE-CEC’s personal information protection officer at the email address indicated in Appendix 1.

Subject to applicable legal restrictions, individuals may withdraw their consent to the disclosure or use of the information collected. However, we may not be able to offer you all of our services without the necessary personal information.

Complaint handling

The proper, consistent, and prompt handling of complaints is a priority at CJE-CEC. Anyone dissatisfied with the process of collecting, using, disclosing, or destroying personal information may file a complaint with the person responsible for protecting personal information.

Complaint handling process

In the event that a complaint is filed, the person responsible for protecting personal information must follow the steps outlined in the Complaint Handling Procedure (Appendix 3). They have 30 days to do so. The following steps must be followed:

a) Receipt of the complaint;

b) Admissibility analysis;

c) If the complaint is inadmissible: letter to the complainant and termination of the process;

d) If the complaint is admissible: letter to the complainant and investigation;

e) Investigation;

f) Investigation results;

g) Written notice to the complainant regarding the investigation results;

h) Implementation of solutions.

The person responsible will take all necessary measures to protect the personal information held, processed, and disclosed to the greatest extent possible.

Safety measures

The person responsible for protecting personal information must implement security measures to ensure the protection of personal information collected, used, disclosed, retained, or destroyed during the complaint handling process.

These measures are reasonable, particularly given the sensitivity, purpose, quantity, distribution, and medium of the personal information.

Retention of personal information

The Privacy Officer will oversee the retention of personal information. Retention refers to the period during which personal information is kept, in any form, regardless of whether the information is actively used or not.

Retention rules

Specifically, these are:

ensure that personal information is up to date and accurate when it is used to make a decision about the individual concerned;
implement and comply with the necessary measures to ensure the security of personal information;
retain personal information until the purpose for which it was collected has been fulfilled or as otherwise required by law;
to keep personal information in a secure location designated for that purpose;
to allow the use of personal information once the purpose for which it was collected has been fulfilled, only with the consent of the individual concerned, subject to the time limit provided for by law or by a retention schedule established by government regulation.

End of shelf life

At the end of the retention period for personal information, i.e., once the purpose for which it was collected has been fulfilled, the CJE-CEC will ensure that:

destroy them securely and as provided for in this policy;

anonymize them (i.e., they no longer allow the identification of the individual concerned or the establishment of a link between the individual concerned and the personal information), irreversibly, for the purpose of using them for serious and legitimate purposes.

Shelf life

The retention period is the period of time necessary to fulfill the purposes for which the information was requested or as specified in the Personal Information Retention Period document.

Rules for the destruction of personal information

Moment of destruction

The person responsible for protecting personal information must ensure that personal information is destroyed in a secure manner. In addition, if the CJE-CEC wishes to retain personal information, the person responsible for protecting personal information must ensure that it is anonymized and used for serious and legitimate purposes.

Destruction methods

A destruction method is a process that permanently and irreversibly destroys personal information. It may involve shredding, formatting, rewriting, physical destruction, grinding, demagnetization, or overwriting information. The practices are set out in the document Method of Destruction of Personal Information.

Anonymization methods

An anonymization method is an irreversible process by which personal information is processed in such a way that it is impossible to directly or indirectly identify the individual concerned.

Adoption and implementation of the policy

This policy governing the management of personal information was adopted by resolution by the CJE-CEC Board of Directors at its regular meeting on April 16, 2025. It comes into effect on that date.

The person responsible for the protection of personal information is responsible for interpreting and applying the policy. For the proper administrative functioning of the CJE-CEC and to the extent that the policies established by the Board of Directors are maintained and respected, this policy may be revised or amended as part of the integration of new measures established by the CJE-CEC Board of Directors or by any government authority, in order to make any changes and clarifications that may be necessary after its implementation.

All individuals are required to report any breach of the CJE-CEC policy to the executive director, the person responsible for the protection of personal information, or the board of directors, as appropriate.

Ms. Véronique St-Onge: President

Ms. Yaolin Lacroix: Secretary-Treasurer

Appendix 1 — Designation and Commitment of the Person Responsible for the Protection of Personal Information

Under section 3.1 of the Act respecting the protection of personal information in the private sector, any person who operates a business is responsible for the protection of the personal information they hold. At Carrefour Emploi des Collines (CJE-CEC), senior management ensures compliance with and implementation of this Act.

She acts as the privacy officer; she may delegate this role in writing, in whole or in part, to any person. Her contact details are published on our website: http://www.toncec.ca/

Name of the person responsible : Lyne Besner

Title of the person responsible : Chief Executive Officer

Contact information : dg@toncec.ca | 819 457-4480

If the person responsible for protecting personal information is unavailable, please contact:

Name of replacement: Véronique St-Onge

Title of replacement: President

Contact information : soutien@legrenierdescollines.com

I hereby declare my commitment to comply with and enforce this policy and to assume the responsibilities associated with it.

Lyne Besner: Executive Director

Ms. Véronique St-Onge: Chair of the Board of Directors

Appendix 2 — Non-exhaustive list of personal information collected and its uses

Relationship with the CEC	Type of personal information	End of collection / Use	Method of collecting information (means)
	Either of these pieces of information, when necessary	Used for:	The following may be collected:
Employees	– Last name, first name – SIN – Mailing address – Date of birth – Email – Emergency contact – Annual assessment – RRSP number – Bank details – Medical note – Criminal record – Resume – Valid study or work permit	– Administering our business and performing our services; – Managing communications with employees; – Ensuring the payroll system functions properly; – Ensuring the transmission of financial and tax information; – Any other compatible secondary purposes; – Meeting our legal and regulatory obligations;	– By technological means – By hand – By email
Volunteers/Board of Directors	– Last name, first name – Postal address – Email address – Phone number – Date of birth – Photo ID	Registrar	– By email – In person – By phone
Clientele	– Last name, first name – Postal address (not collected for persons under 18) – Telephone number – Date of birth – Email address – SIN (not collected for persons under 18) – Resume	– Delivering the services requested by customers; – Managing communications with customers; – Any other compatible secondary purpose; – Meeting our legal and regulatory obligations;	– By technological means – By hand delivery

Appendix 3 — Complaint Handling Procedure

Steps	Deadline	Interventions
[1] Receipt of the complaint	The entire investigation process must be completed within 30 days of the complaint being filed.	Sending an acknowledgment of receipt of the complaint
[2] Admissibility analysis The admissibility analysis consists of determining whether, to the extent that all or part of the allegations in the complaint prove to be accurate, i.e., demonstrated by preponderant evidence, this could constitute a breach in relation to the governance of personal information.		The subject of the complaint relates to personal information. The complaint concerns a practice set out in the governance policy. The analysis shows that the alleged facts could constitute a breach of the governance policy.
[2.1] If the complaint is inadmissible		Sending a letter stating that the complaint is not admissible
[2.2] If the complaint is admissible, investigation		Sending a letter indicating the start of the investigation
[3] Survey		Drafting of the investigation report
[4] Survey results		Rédaction du rapport d’enquête
[5] Written notice to the complainant regarding the outcome of the investigation		Letter indicating the outcome of the investigation and any changes that will be implemented, as applicable
[6] Implementation of solutions		Implementation of changes

Become a member