Policy governing the protection of personal information
1. Context
The purpose of this policy is to ensure the protection of personal information and to govern the manner in which CIMMI collects, uses, communicates, retains and destroys personal information, or, in other words, the manner in which CIMMI manages personal information. This policy is also intended to inform any interested party of the manner in which CIMMI handles their personal information.
2. Application and definitions
This policy applies to CIMMI, which notably includes members of management and staff, consultants and volunteers, as well as to any other person who provides services on behalf of CIMMI. It also applies to the CIMMI website and to all websites controlled and maintained by CIMMI.
It applies to all types of personal information managed by CIMMI, whether information about its clients, potential or current, its consultants, staff members, members or any other persons (such as visitors to its websites or others).
For the purposes of this Privacy policy, personal information is information about an individual that directly or indirectly identifies that individual. For example, it could be a person’s name, address, e-mail address, telephone number, gender or banking information, information about their health, ethnic origin, language, etc.
Personal information is sensitive when it gives rise to a high reasonable expectation of privacy. Examples include information relating to health, banking, biometrics, sexual orientation, ethnic origin, political opinions, religious or philosophical beliefs, and so on.
Generally speaking, a person’s professional contact information, such as name, title and position, as well as the address, e-mail address and telephone number of their place of work, does not constitute personal information. More specifically, and for greater clarity, within the meaning of Québec’s Act respecting the protection of personal information in the private sector and as of September 22, 2023, paragraphs 3 (Collection, use and disclosure), 4 (Retention and destruction) and 6 (Data security) do not apply to information about an individual relating to the performance of a function in an enterprise, such as the individual’s name, title, position, and the address, e-mail address and telephone number of the individual’s place of work.
These same paragraphs do not apply to personal information that is public by law, from the moment this policy comes into force.
3. Collection, use and disclosure
In the course of its activities, CIMMI may collect different types of information for different purposes. The types of information that CIMMI may collect, its use (or intended purpose) and the means by which the information is collected are set out in this policy.
CIMMI will also inform individuals, at the time personal information is collected, of any other information collected, the purposes for which it is collected and the means of collection, in addition to any other information required by law.
CIMMI applies the following general principles to the collection, use and disclosure of personal information.
Consent
- In general, CIMMI collects personal information directly from the person concerned and with that person’s consent, unless an exception is provided for by law. Consent may be obtained implicitly in certain situations, for example when the individual decides to provide their personal information after being informed by this policy of the use and disclosure for the purposes indicated herein. Thus, this policy and the information it contains may be consulted by the person concerned at the time the personal information is collected.
- Normally, CIMMI must also obtain the consent of the person concerned before collecting their personal information from third parties, before communicating it to third parties or for any secondary use thereof. However, CIMMI may act without consent in certain cases provided for by law and under the conditions set out in the law. The main situations in which CIMMI may act without consent are indicated in the relevant sections of this policy.
Collection
- In all cases, CIMMI collects information only if it has a valid reason to do so. In addition, the collection of information will be limited to that which is necessary to fulfill the purpose for which it is collected.
- CIMMI’s services and programs are not intended for minors, and more generally, CIMMI does not intentionally collect personal information from minors (in such cases, the information cannot be collected from the minor without the consent of a parent or guardian).
- CIMMI may collect personal information from third parties. Unless an exception is provided for by law, CIMMI will seek the consent of the person concerned before collecting personal information about them from a third party. In the event that such information is not collected directly from the individual, but from another organisation, the individual may ask CIMMI to identify the source of the information collected.
- In certain situations, CIMMI may also collect personal information from third parties without the consent of the person concerned if it has a serious and legitimate interest in doing so and (a) if the collection is in the interest of the person and it is not possible to ask for their consent in a timely manner, or (b) if this collection is necessary to ensure that the information is accurate. This collection through third parties may be necessary in order to use certain services or programs, or to otherwise do business with CIMMI. When required, CIMMI will obtain the individual’s consent at the appropriate time.
Retention and use
- CIMMI ensures that the information it holds is up-to-date and accurate at the time it is used to make a decision about the individual concerned.
- CIMMI may use an individual’s personal information only for the purposes indicated herein or for any other purposes provided at the time of collection. As soon as CIMMI wishes to use this information for another reason or another purpose, consent must again be obtained from the person concerned, and it must be obtained expressly if the information is sensitive personal information. However, in certain cases provided for by law, CIMMI may use the information for secondary purposes without the consent of the individual, for example:
- when such use is clearly for the benefit of that individual;
- when it is necessary to prevent or detect fraud; or
- when it is necessary to evaluate or improve protection and security measures.
- CIMMI must implement measures to limit access to personal information only to those members of its staff and persons within its organisation who are authorised to have access to it and for whom the information is necessary for the performance of their duties. CIMMI will seek the consent of the individual before granting access to any other person.
Disclosure
- Generally, and unless an exception is indicated in this policy or otherwise provided for by law, CIMMI will obtain the consent of the person concerned before disclosing their personal information to a third party. In addition, where consent is required and where sensitive personal information is involved, CIMMI will obtain the individual’s express consent before disclosing the information.
- However, disclosure of personal information to third parties is sometimes necessary. Thus, personal information may be disclosed to third parties without the consent of the individual concerned in certain cases, including, but not limited to, the following:
- CIMMI may disclose personal information, without the consent of the person concerned, to a public body (such as the government) that, through one of its representatives, collects it in the exercise of its powers or the implementation of a program under its management.
- Personal information may be transmitted to CIMMI’s service providers to whom it is necessary to communicate the information, without the individual’s consent. For example, these service providers may be event organisers, CIMMI subcontractors designated to carry out mandates in programs administered by CIMMI and cloud service providers. In these cases, CIMMI must have written contracts with these suppliers that specify the measures they must take to ensure the confidentiality of the personal information communicated, that the information is used only in the performance of the contract and that they may not retain this information after the contract has expired. In addition, these contracts must require suppliers to notify CIMMI’s Privacy Officer (identified in this policy) of any breach or attempted breach of confidentiality obligations with respect to the personal information provided. These contracts must also allow this person responsible to carry out any verification relating to confidentiality.
- If necessary for the purposes of concluding a commercial transaction, CIMMI may also communicate personal information, without the consent of the person concerned, to the other party to the transaction and within the limits of the law.
- It is possible that personal information held by CIMMI may be disclosed outside Québec, for example when CIMMI uses cloud service providers whose server(s) are located outside Québec or when CIMMI deals with subcontractors located outside the province.
Additional information about the technologies used
USE OF COOKIES
- Cookies are data files sent to the computer of the person visiting an Internet site by their Web browser when that person visits the site and may have several uses. The websites controlled by CIMMI use cookies, in particular:
- to remember the settings and preferences of people who visit its website, for example for language selection and to enable tracking of the current session; and
- for statistical purposes to determine the behaviour of visitors to the site and the content they consult, and to help improve the website.
- Websites controlled by CIMMI use:
- session cookies, which are temporary cookies kept in memory for the duration of the visit to the website only; and
- persistent cookies, which are kept on the computer until they expire and are retrieved the next time the site is visited.
- Some cookies can be deactivated by default, and individuals can choose whether or not to activate these functions when visiting CIMMI websites.
- It is also possible to activate and deactivate the use of cookies by changing the preferences in the settings of the browser used.
USE OF GOOGLE ANALYTICS
- Some CIMMI websites use Google Analytics to enable continuous improvement. In particular, Google Analytics makes it possible to analyse how a person interacts with a CIMMI website. Google Analytics uses cookies to generate statistical reports on the behaviour of people who visit these websites and the content consulted.
- Information from Google Analytics will never be passed on to third parties by CIMMI.
- It is possible to install a browser add-on to deactivate Google Analytics.
USE OF OTHER TECHNOLOGICAL MEANS
- CIMMI also collects personal information through technological means such as Web forms integrated into a Web site controlled by CIMMI (for example, a contact form and a form for subscribing to a newsletter), questionnaires accessible online on its platforms and applications and other platforms or form tools.
- If CIMMI collects personal information by offering a technological product or service that has confidentiality settings, it must ensure that these settings offer the highest level of confidentiality by default (this does not include cookies).
4. Retention and destruction of personal information
Unless a minimum retention period is required by applicable law or regulation, CIMMI will retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected.
Personal information used by CIMMI to make a decision about an individual must be kept for a period of at least one year following the decision in question, or even seven years after the end of the fiscal year in which the decision was made if it has tax implications, for example, the circumstances surrounding a termination of employment.
At the end of the retention period or when the personal information is no longer required, CIMMI will:
- destroy it; or
- anonymise it (i.e., make it irreversibly impossible to identify the individual or establish a link between the individual and the personal information) in order to use it for serious and legitimate purposes.
The destruction of information by CIMMI must be done in a secure manner to ensure the protection of this information. This section may be supplemented by any policy or procedure adopted by CIMMI concerning the retention and destruction of personal information, if applicable. Please contact the person responsible for the protection of personal information at CIMMI (indicated at the end of this policy) for further information.
5. CIMMI responsibilities
In general, CIMMI is responsible for protecting the personal information it holds. CIMMI’s Privacy Officer is generally responsible for ensuring compliance with applicable privacy legislation. The person responsible must approve the policies and practices governing the governance of personal information. More specifically, this person is responsible for implementing this policy and ensuring that it is known, understood and applied. In the event of the absence or inability to act of the Privacy Officer, the CIMMI Chair will assume the duties of Privacy Officer.
CIMMI staff members who have access to personal information or are otherwise involved in managing it must ensure its protection and comply with this policy.
The roles and responsibilities of CIMMI personnel throughout the life cycle of personal information may be specified by any other CIMMI policy in this regard, where applicable.
6. Data security
CIMMI is committed to implementing reasonable security measures to ensure the protection of the personal information it manages. The security measures in place correspond, among other things, to the purpose, quantity, distribution, medium and sensitivity of the information. This means that information that can be described as sensitive (see the definition of sensitive information in section 2) will require greater security measures and will need to be better protected. In particular, and in accordance with what was mentioned above concerning limited access to personal information, CIMMI must put in place the necessary measures to impose constraints on the rights of use of its information systems so that only members of staff who need to have access to them are authorised to access them.
7. Rights of access and rectification and right to withdraw consent
To exercise their rights of access and rectification or their right to withdraw consent, data subjects must submit a written request to this effect to the person responsible for the protection of personal information at CIMMI, at the following e-mail address: .
Subject to certain legal restrictions, individuals may request access to their personal information held by CIMMI and request that it be corrected if it is inaccurate, incomplete or ambiguous. They may also demand that the dissemination of personal information concerning them cease or that any hyperlink attached to their name and allowing access to this information by a technological means be de-indexed when the dissemination of this information contravenes the law or a court order. They may do the same or require the re-indexing of the hyperlink providing access to the information, when certain conditions provided for by law are met.
The person responsible for the protection of personal information at CIMMI must respond in writing to such requests within 30 days of receipt of the request. Reasons must be given for any refusal, together with the legal provision justifying the refusal. In such cases, the response must indicate the remedies available under the law and the deadline for exercising them. The person responsible must help the applicant to understand the refusal if necessary.
Subject to applicable legal and contractual restrictions, the persons concerned may withdraw their consent to the communication or use of the information collected. They may also ask CIMMI what personal information it has collected, which categories of people at CIMMI have access to it and how long it is kept.
8. Complaints handling process
Reception
Any person wishing to make a complaint about the application of this policy or, more generally, about the protection of their personal information by CIMMI must do so in writing to the person responsible for the protection of personal information at CIMMI at the following e-mail address: .
The person making the complaint must provide his or her name, contact information, including a telephone number, as well as the subject of the complaint and the reasons for it, giving sufficient detail to enable CIMMI to assess the complaint. If the complaint is not sufficiently precise, the person responsible for protecting personal information may request any additional information he or she deems necessary to assess the complaint.
Procedure
CIMMI undertakes to handle any complaint received confidentially.
Within 30 days following receipt of the complaint or following receipt of all additional information deemed necessary and required by the person responsible for the protection of personal information at CIMMI in order to process it, the latter must evaluate the complaint and provide a reasoned written response by e-mail to the complainant. The purpose of this evaluation will be to determine whether CIMMI’s handling of personal information complies with this policy, any other policies and practices in place within the organisation and any applicable legislation or regulations.
If the complaint cannot be processed within this timeframe, the person responsible must inform the complainant of the reasons for the extension, the status of the processing of the complaint and the reasonable time required to provide a definitive response.
CIMMI must keep a separate file for each complaint it receives. Each file contains the complaint, the analysis and documentation supporting its evaluation, and the response sent to the person who lodged the complaint.
It is also possible to file a complaint with the Commission d’accès à l’information du Québec or any other privacy oversight body responsible for the application of the law concerned by the subject of the complaint.
However, CIMMI invites all interested parties to first contact the person responsible for the protection of personal information and to wait until the CIMMI complaint evaluation process has been completed.
9. Publication and modifications
This policy is published on the CIMMI website and on all websites controlled and maintained by CIMMI to which this policy applies, with respect to the personal information collected there. This policy is also disseminated by any means likely to reach the persons concerned.
CIMMI must also do the same for all changes to this policy, which must also be the subject of a notice informing the persons concerned.
10. Entry into force and revision of the policy
This policy comes into force on the day it is adopted by the CIMMI Board of Directors.
Any amendment or repeal of this policy must be adopted by the CIMMI Board of Directors and comply with the provisions of the relevant laws and regulations.
This policy will be revised when significant changes occur that could affect its provisions, or no later than eight years after its adoption.
Policy adopted by the Board of Directors at its meeting on June 20, 2023.
Michel R. Bouchard
Secretary, Board of Directors
Person responsible for the protection of personal information at CIMMI