Personal Information Protection Policy

1. Purpose, Scope and Users

Sertech Électrique is committed to respecting the privacy of individuals in accordance with the laws, regulations and standards applicable in Quebec with respect to the protection of Personal Information.

The purpose of this Privacy Policy (the “Policy”) is to set out the general principles to which we adhere and the practices we follow in collecting, using, disclosing, retaining and destroying Personal Information of our clients, suppliers, business partners, employees and other individuals in the course of our business. This Policy also outlines the responsibilities of the Data Protection Officer, as well as the various committees and officers of the Organization.

This Policy applies to all employees, committees, service providers, business partners and other contractors who work on behalf of or with the Organization, as well as the persons referred to in article 12 hereof.

2. Reference Documents

2.1. Legislation

  • Act respecting the protection of personal information in the private sector, CQLR c P-39.1 (“Private Sector Act”)
  • An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage the reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act S.C. 2010, c.23
  • The Personal Information Protection and Electronic Documents Act SC 2000, c.5
  • Act to establish a legal framework for information technology, CQLR c C-1.1
  • Charter of Human Rights and Freedoms, CQLR c C-12
  • Civil Code of Québec, CQLR c CCQ-1991

(collectively, the “Privacy Laws”)

3. Definitions

The following words and phrases, when appearing with a capitalized first letter in the Policy, shall have the meanings ascribed to them below, unless otherwise implied or expressed in the text:

Data Protection Officer or DPO: means the individual responsible for ensuring compliance with and implementation of Quebec’s privacy laws within the Organization.

Personal Information: means any information that relates to a natural person and allows that person to be identified, that is to say, that reveals, directly or indirectly or by reference, something about that person’s identity, characteristics, activities, location or other identifiable information (e.g., abilities, preferences, psychological tendencies, predispositions, mental abilities, character and behaviour, economic, cultural or social status), regardless of the nature of the medium in which it is stored and regardless of the form in which the information is made available (written, graphic, audio, visual, computerized or other) and includes, in any case, Sensitive Personal Information.

Privacy Impact Assessment or PIA: refers to the process designed to describe processing activities, assess the necessity and proportionality of a processing operation, and help manage the risks to the rights and freedoms of individuals resulting from the processing of personal data.

Privacy Incident: means any unauthorized access to, use of, or disclosure of personal information, as well as the loss or other impairment of the privacy or confidentiality of personal information.

Processing Activity or Processing: means any operation or set of operations performed on Personal Information or sets of Personal Information, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Sensitive Personal Information: means personal information that, by its nature or the context of its use or disclosure, gives rise to a reasonable expectation of privacy. Examples of sensitive personal information include medical, biometric, genetic or financial information, or information about a person’s sexual life or orientation, religious or philosophical beliefs, union membership or ethnic origin.

4. Basic Principles Regarding Personal Data Processing

The Privacy Laws, as well as certain contracts by which the Organization is bound, require us to comply with the following general principles:

4.1. Responsibility and Governance

The Organization is responsible for the protection of Personal Information that it holds, uses, processes, communicates, retains or destroys. Among other things, it must:

  • Designate a DPO who is accountable for compliance with and implementation of Quebec’s privacy laws, including the principles set out below;
  • Establish and implement policies and practices related to the governance of Personal Information;
  • Establish a procedure for the retention and destruction of Personal Information;
  • Respond to requests for individuals’ rights concerning their Personal Information;
  • Publish information related to the Information Governance Program on its website through the Privacy Policy, outlining its policies and practices;
  • Notify the Commission d’accès à l’information, the Office of the Privacy Commissioner of Canada should it be necessary, and any individuals concerned by any Privacy Incident in the event that this could result in serious harm to the latter.

4.2. Consent

Before collecting, using, or disclosing Personal Information, the Organization shall obtain the consent of the individual, appropriate to the sensitivity of the Personal Information. Consent shall be manifest, free, and informed and shall be given for specific purposes. Consent must be sought for each of these purposes in clear and simple terms, separate from any other information provided to the individual.

Consent is valid only for the time necessary to fulfil the purposes for which it was sought. We must obtain express consent from the individual to use the Personal Information when:

  • The secondary purpose concerns Sensitive Personal Information;
  • The secondary purpose presents a risk of serious harm;
  • The secondary purpose is contrary to reasonable expectations.

This consent shall be stated or drafted simply and clearly, and shall include:

  • the original purpose for which the information was collected;
  • the new purpose(s) (or secondary purposes);
  • the reason for the change of purpose.

When the collection of Personal Information concerns a child under the age of 14, the DPO must ensure that the consent of the minor’s parental authority or guardian has been obtained prior to collection, using the Parental Consent Form. This is also the case when a foreign immigrant worker comes to settle in Quebec and the Organization or the mandated firm helps him or her settle with a family that includes a child under the age of 14.

We must keep proof of obtaining valid consent.

The DPO ensures that we comply with the rules for obtaining consent lawfully and properly.

4.3. Fairness and Legality

Personal Information shall be handled by fair and lawful means throughout its life cycle.

That is why we regularly train and raise awareness among our employees regarding Sertech Électrique’s policies and practices for managing personal information. They are written in simple and clear terms to facilitate understanding and are easily accessible to both our employees and our clients.

4.4. Transparency

The Organization shall inform its customers and employees of the policies and practices it uses to manage Personal Information in its business operations. These policies and practices shall be written in plain language and shall be easily accessible. As such, before or at the time of collecting Personal Information, we shall provide individuals with the following minimum information:

  • The legitimate purposes for which the information is being collected;
  • The means by which the information is collected;
  • The rights of access and rectification provided by law;
  • The right of the individual to withdraw consent to the disclosure or use of the information;
  • The name of the third party for whom the information is being collected, if applicable;
  • The possibility that the information may be communicated outside Quebec, if applicable;
  • The possibility that Personal Information may be shared with service providers, including affiliated organizations, if any, or other similar third parties;
  • Contact information for the DPO.

Upon request, we provide additional information:

  • The Personal Information that has been communicated to third parties;
  • The categories of persons within the Organization who have access to the Personal Information;
  • The applicable retention period of the Personal Information.

4.5. Identifying the Purposes of Collection and Use

Personal Information shall be collected and used for specific, explicit, and legitimate purposes that are directly related to and demonstrably necessary for the fulfilment of the Processing Activities for which it was collected. These purposes shall be identified before Personal Information is collected and used and must not be further processed in a manner incompatible with these established purposes unless the consent of the person concerned has been obtained. The Organization shall be open and honest about the purposes for which it collects Personal Information.

4.6. Accuracy and Correction

The Organization shall ensure that Personal Information held by it is current and accurate at the time it is used to make a decision about the individual. This obligation is designed to safeguard the integrity of the information, both in substance and form, and to ensure that the individual is not prejudiced by information that is inaccurate or out of date. Reasonable steps shall be taken to ensure that Personal Information is erased or rectified in a timely manner.

4.7. Retention and Anonymization

Personal Information shall be retained only as long as necessary for the fulfilment of the purposes for which it was collected. Once these purposes have been fulfilled, the Organization shall destroy the Personal Information. We may also anonymize Personal Information, in accordance with generally accepted best practices, to use it for meaningful and legitimate purposes only.

When the Organization recruits a foreign worker and the latter settles in Quebec, the Personal Information collected and held by the Organization, if any, whether it was initially collected by the Organization or by the immigration firm mandated to assist the worker’s family in their immigration proceedings, shall be destroyed or anonymized by the Organization as soon as it is no longer necessary for the implementation of these procedures.

Any immigration firm mandated to carry out the procedures is responsible for the destruction or anonymization of the information it holds, and the Organization is not responsible for the retention, the destruction or anonymization of such personal information within the firm. The foreign worker is invited to take note of the immigration firm’s protection, retention, destruction and anonymization measures.

Some laws may specify an additional retention period that the Organization will be required to comply with.

4.8. Security and Confidentiality

The Organization shall implement reasonable security safeguards to protect the Personal Information it holds, uses, discloses, retains, or will proceed to destroy from any loss, theft, unauthorized or improper access, disclosure, copying, use, processing, modification or destruction.

The security safeguards shall consider, among other things, the sensitivity of the Personal Information, the purpose for which it is to be used, the amount, distribution, method of storage, medium and format of the Personal Information, and the privacy risks involved.

Adequate security measures should consist of multiple layers of security including, but not limited to, technical, physical, organizational and administrative safeguards.

5. Legitimate Purposes for Processing Employee Information

Sertech Électrique may use its employees’ Personal Information for legitimate purposes, some of which are described below:

5.1. Human resources management

To enable us to manage human resources, particularly with regard to numerous processes: recruitment, execution of an employment contract, termination of employment, performance management, employee training, compensation and benefits, various employee services, occupational health and safety, disability and return-to-work processes, as well as any other human resources activities.

Employees who provide Personal Information implicitly consent to its collection and use by the Employer. Sertech Électrique may process its employees’ Personal Information without renewing this consent as long as the employee is employed by Sertech Électrique, because as an employer, Sertech Électrique has a legitimate obligation to collect its employees’ Personal Information in order to manage its activities in a sound and efficient manner. However, Sertech Électrique’s information needs must be consistent with employees’ right to the protection of their Personal Information.

5.2. Other activities

To enable us to carry out our business activities and operations, such as managing Sertech Électrique’s assets, providing IT or web services, ensuring information security, conducting internal audits and investigations, complying with the obligations of its commercial contracts, obtaining legal or commercial advice, preparing for legal disputes, etc.

5.3. Compliance with the law

To enable us to comply with legal obligations and for any other purpose required by law, including the disclosure of employees’ Personal Information to the relevant tax authorities.

6. Integrating Data Protection to Business Activities

To demonstrate compliance with the principles of data protection, the Organization must integrate the following data protection guidelines into its business activities.

6.1. Collection of Personal Information

Personal Information must be collected directly from the person concerned. The latter must be informed of the elements mentioned in section 4.4 of this Policy no later than the time their information is collected.

If Personal Information is collected from third parties, including an immigration firm mandated to facilitate the arrival of foreign workers and their families, the DPO shall ensure that the collection is authorized by law and complies with our policies and practices in this regard.

At all times, the Organization limits its collection of Personal Information to that which is necessary for the purposes identified and announced to the person concerned.

6.2. Collection of Personal Information for employees

When we collect Personal Information, we first collect it directly from the individual concerned, after providing the information specified in section 4.5.
However, if Personal Information is collected from third parties, the Privacy Officer must ensure that the collection is authorized by law and complies with Sertech Électrique’s policies and practices in this regard.

6.3. Use, Retention, and Disposal

The purposes, methods, retention period and storage limits for Personal Information shall be consistent with the information contained in our Integrated Document Management Policy.

The DPO shall conduct a monthly audit of Personal Information collected and processed in and shall construct a Personal Information Registry describing the information used in the documents produced by the Organization, the purposes for which the information was produced, the retention periods for such documents and the information contained therein, as well as the access rights relating to each of these documents.

Since we must maintain the accuracy, integrity, confidentiality, and relevance of Personal Information in accordance with the purpose of the Processing and, moreover, retain it only for as long as we need it for these purposes, we have put in place reasonable and adequate security mechanisms to prevent theft, misuse or fraudulent use of Personal Information and to prevent Privacy Incidents.
To this end, we also ensure that Personal Information in our possession is not unlawfully destroyed or altered, and we also undertake not to sell or provide Personal Information to any third party unlawfully or without authorization. We carry out regular audits to ensure that this is the case.

6.4. Use, Retention and Destruction of Employee Personal Information

For almost all employee Personal Information – including payroll and benefits records, official and unofficial personnel files, Internet browsing records, e-mail and audit trails – the following fundamental rules must be respected to maintain a balance between the Organization’s rights and those of its employees:

  • The Organization shall process employee Personal Information only for the purposes for which it was collected and shall retain it only as long as necessary for such purposes, unless it has the consent of the employee concerned to use it for other purposes or is required by applicable law to use or disclose the employee’s Personal Information for other purposes.
  • The Organization has implemented reasonable security measures to ensure the protection of its employees’ Personal Information that it holds, uses, communicates, retains or destroys, against loss, theft or any unauthorized or abusive access, communication, copying, use, processing, modification or destruction. These security measures comprise several layers of security including, but not limited to, technical, material, organizational and administrative means to ensure risk and incident management and business continuity.
  • The Organization shall also ensure that we do not unlawfully destroy or alter this Personal Information or sell or provide it to any third party in an unlawful or unauthorized manner.

To this end, a compliance questionnaire for subcontractors may be used. Once the form has been completed and returned to the attention of the DPO, she and any designated committee analyze the risks relating to the disclosure of Personal Information. On the basis of this analysis, the DPO must ensure that the service provider implements a governance program that complies with the Organization’s Governance Program, and the third party must also commit to entering into an Information Security Agreement.

6.5. Disclosure to Third Parties

Prior to transferring Personal Information to a service provider, business partner or any other third party, the Organization shall, in each case, enter into a written agreement with such third party, such as a data transfer agreement, which shall provide, at a minimum:

  • A description of the measures taken by the third party to ensure the privacy of the Personal Information disclosed (e.g., a description of security measures);
  • An obligation on the part of the third party to use the Personal Information only for the purpose of providing the services indicated therein and to promptly delete or return any such information after the contract has expired or been completed; and
  • An obligation for the third party to promptly notify the DPO of any breach, attempted breach, Privacy Incident, or any event affecting our obligation to maintain the confidentiality of the Personal Information entrusted to it and to allow the DPO to conduct any audit of the confidentiality requirements.

A Subcontractor Compliance Questionnaire may be used for this purpose. Once the form is completed and returned to the attention of the DPO, they along with any designated committee will analyze the risks associated with the disclosure of Personal Information. Based on this analysis, discussions shall be initiated with the third party to implement a governance program within their organization that will comply with the Organization’s existing governance program and the third party shall commit to a data transfer agreement.

6.6. Disclosure during a Commercial Transaction

If disclosure of Personal Information is required as part of a commercial transaction, the DPO shall, in each case, enter into a written agreement with the parties which shall provide, among other things, that the party receiving the disclosure of Personal Information agrees to:

  • use the information only for the purpose of completing the transaction;
  • not disclose such information without the consent of the individuals concerned;
  • take the necessary measures to ensure the protection of the confidentiality of the Personal Information; and
  • destroy all such Personal Information received if the transaction is not completed or if its use is no longer required for the purpose of completing the transaction.

To this end, each party or parties involved in the transaction must enter into a data transfer agreement with the Organization.

6.7. Transfer outside Quebec

The DPO, for the Organization, shall conduct a PIA prior to disclosing Personal Information outside of Quebec. This analysis will determine whether the Personal Information will be adequately and appropriately protected in accordance with, among other things, generally accepted privacy principles.

6.8. Access and Rectification Rights

Upon request, individuals may access their Personal Information at any time, free of charge (or at a nominal charge for reproductions). They may also have inaccurate information corrected or updated, subject to the exceptions provided by law. Such requests are processed within 30 days and are recorded in the Register of Access and Rectification Requests. If a request for access is refused, the DPO responds in writing, explaining the reasons for the refusal.

6.9. Data Portability

An individual may request that Personal Information collected about him or her be disclosed or transferred to another organization designated by the individual in a commonly used, technological format. This does not include information created or inferred by the Organization from the analysis of the individual’s Personal Information that was initially provided. The Organization is not required to destroy any Personal Information it holds after processing a portability request unless there is no reasonable expectation for this information to be used for the purposes for which it was provided by the individual.

6.10. Rights concerning automated decision making

Any person may, subject to certain conditions, request the following information in connection with a decision based exclusively on automated processing:

  • The personal information used to make the decision;
  • The reasons, as well as the main factors and parameters, that led to the decision;
  • His or her right to have the personal information used to make the decision rectified.

He or she may also submit observations concerning the decision and request a review by a member of staff.

6.11. De-Indexation Right

Individuals may request that the Organization, subject to certain conditions, cease disseminating their Personal Information and de-index any hyperlinks attached to their name that provide access to such Personal Information, if such dissemination causes them any form of injury or is contrary to law or a court order. The DPO shall take the necessary steps to comply with this de-indexing right and shall inform third parties that use or process such Personal Information to comply with the request.

7. Organization and Governance

Responsibility for ensuring the protection and proper processing of Personal Information rests with the Organization and any person working with or on behalf of us who has access to Personal Information.

The main responsibilities for the governance and management of Personal Information fall under the following organizational roles:

The DPO is responsible for the following tasks:

  • Manage and implement the information governance program;
  • Develop and promote our privacy policies and practices;
  • Monitor and analyse applicable privacy legislation, as well as changes contemplated or introduced by the legislator;
  • Educate and train employees on the Organization’s privacy practices;
  • Develop and maintain our compliance requirements and assist us in achieving our privacy objectives.

In addition, we may set up committees to ensure the smooth running of operations while respecting the confidentiality of Personal Information. Each of these committees, where applicable, has well-defined tasks, detailed in a document explaining these various tasks, available on request.

8. Reporting Privacy Incidents and Responding to Complaints

Any individual whose personal information is affected by an actual or apprehended Privacy Incident may file a complaint with the DPO, which will be handled in accordance with the Complaint and/or Privacy Incident Response and Notification Procedure.

Any person who becomes aware of an actual or apprehended Privacy Incident involving the Personal Information of one or more individuals must, as soon as possible, make a report to the DPO in accordance with the Privacy Incident Response and Notification Procedure.

We shall notify the Commission d’accès à l’information and, should it be necessary, the Office of the Privacy Commissioner of Canada and all affected individuals of any Privacy Incident that presents a risk of serious harm given the sensitivity of the information involved, the apprehended consequences of its use, and the likelihood that it will be used for harmful purposes.

9. Audit

The DPO is responsible for auditing the Organization’s implementation of this Policy.

10. Sanctions

Any person who violates this Policy will be subject to disciplinary action up to and including termination and may also be subject to civil or criminal prosecution if their conduct violates this Policy and any applicable laws or regulations.

11. Conflicts of Law

This Policy is intended to comply with the laws and regulations and with any business contract involving the Organization in the course of its operations and commercial activities. In the event of any conflict between this Policy and applicable laws and regulations, the latter shall prevail.

12. Other Staff Members

The Organization must also respect and apply this Policy when it carries out a Processing activity involving the processing of Personal Information of other members of its personnel, which includes, in particular: (i) persons applying for a job at the Organization or taking part in its recruitment process, (ii) the Organization’s former employees and (iii) non-employees working in its offices, including self-employed workers, consultants, volunteers and trainees.

13. Managing Records Kept on the Basis of this Document

| Record name | Storage location | Person responsible for storage | Controls for record protection | Retention time |
|---|---|---|---|---|
| Data Subject Consent Forms | [specify folder location on network or physical location] | DPO | Only authorized persons may access the forms | 10 years |
| Data Subject Consent Withdrawal Form | [specify folder location on network or physical location] | DPO | Only authorized persons may access the forms | 10 years |
| Parental Consent Form | [specify folder location on network or physical location] | DPO | Only authorized persons may access the forms | 10 years |
| Parental Consent Withdrawal Form | [specify folder location on network or physical location] | DPO | Only authorized persons may access the forms | 10 years |
| Processing Activities | Part of: Rules, Policies, Procedures, Processes of the information system (link to access the folder) | DPO | Only authorized persons may access the forms | Permanent |
| Data Subject Rights | [specify folder location on network or physical location] | DPO | Only authorized persons may access the forms | Permanent |
| Personal Information (Inventory) | [specify folder location on network or physical location] | DPO | Only authorized persons may access the forms | Permanent |
| Communications | [specify folder location on network or physical location] | DPO | Only authorized persons may access the forms | Permanent |
| Supplier Data Processing Agreements | [specify folder location on network or physical location] | DPO | Only authorized persons may access the folder | 5 years after the agreement has expired |
| Register of Privacy Notices | [specify folder location on network or physical location] | DPO | Only authorized persons may access the folder | Permanently |

14. Validity and document management

This document is valid and in effect as of December 1, 2023. The owner of this document is Mr. Marc Globensky, who must check and, if necessary, update the document at least once a year.
