Personal Information Protection and Privacy Policy

  1. Context

Publideces is a company incorporated in Quebec that processes personal information as part of its activities.

This policy aims to ensure the protection of personal information and to govern how Publideces collects, uses, communicates, retains, and destroys it, or otherwise manages it. Furthermore, it aims to inform any interested person about how Publideces processes their personal information. It also covers the processing of personal information collected by Publideces through technological means.

  2. Application and Definitions

This policy applies to Publideces, including its officers, employees, consultants, volunteers, and any other person who provides services on behalf of Publideces. It also applies to the Publideces website, as well as all websites controlled and maintained by Publideces.

It covers all types of personal information managed by Publideces, whether it concerns its clients, prospective or current, its consultants, its employees, its members, or any other individuals (such as visitors to its websites or otherwise).

For the purposes of this policy, personal information is information that relates to a natural person and allows them to be identified, directly or indirectly. For example, this could include a person’s name, address, email address, phone number, gender, or banking information, information about their health, ethnic origin, language, etc.

Sensitive personal information is information for which there is a high degree of reasonable expectation of privacy, e.g., health information, banking information, biometric information, sexual orientation, ethnic origin, political opinions, religious or philosophical beliefs, etc.

Generally, a person’s professional or business contact information does not constitute personal information, for example, a person’s name, title, address, email address, or work phone number. More specifically and for clarity, within the meaning of Quebec’s Act respecting the protection of personal information in the private sector, and as of September 22, 2023, sections 3 (collection, use, communication), 4 (retention and destruction), and 6 (data security) do not apply to information about a person related to the exercise of a function within an enterprise, such as their name, title, function, as well as the address, email address, and phone number of their workplace.

These same paragraphs also do not apply to personal information that is public by law, effective upon the entry into force of this policy.

  3. Collection, Use, and Communication

As part of its activities, Publideces may collect different types of information for various purposes. The types of information that Publideces may collect, their use (or intended purpose), and the means by which the information is gathered are set out in Appendix A of this policy.

Publideces will also inform the individuals concerned, at the time of collecting personal information, of any other information collected, the purposes for which it is collected, and the means of collection, in addition to other information to be provided as required by law.

Publideces applies the following general principles regarding the collection, use, and communication of personal information:

Consent:

  • Generally, Publideces collects personal information directly from the individual concerned and with their consent, unless an exception is provided by law. Consent may be obtained implicitly in certain situations, for example, when the individual decides to provide their personal information after being informed by this policy about its use and communication for the purposes indicated therein (see Appendix A for more details). Thus, this policy and the information it contains can be consulted by the individual concerned at the time of personal information collection.
  • Normally, Publideces must also obtain the consent of the individual concerned before collecting their personal information from third parties, before communicating it to third parties, or for any secondary use thereof. However, Publideces may act without consent in certain cases provided by law and under the conditions stipulated therein. The main situations where Publideces may act without consent are indicated in the relevant sections of this policy.

Collection:

  • In all cases, Publideces collects information only if it has a valid reason to do so. Furthermore, collection is limited to the information necessary to achieve the intended purpose.
  • Please note that Publideces’ services and programs are not aimed at minors, and more generally, Publideces does not intentionally obtain personal information concerning minors (in such cases, information cannot be collected from them without the consent of a parent or guardian).
  • Collection from Third Parties. Publideces may collect personal information from third parties. Unless an exception is provided by law, Publideces will request the consent of the individual concerned before collecting personal information about them from a third party. If such information is not collected directly from the individual but from another organization, the individual concerned may request the source of the collected information from Publideces.

In certain situations, Publideces may also collect personal information from third parties, without the consent of the individual concerned, if it has a serious and legitimate interest in doing so and a) if the collection is in the individual’s interest and it is not possible to collect it from them in a timely manner, or b) if this collection is necessary to ensure the accuracy of the information.

Additionally, Publideces may collect personal information indirectly, notably by using:

  • Clover. Clover has its own terms and privacy policy, which can be consulted for more information.
  • Global Payments. Global Payments has its own terms and privacy policy, which can be consulted for more information.
  • Stripe. Stripe has its own terms and privacy policy, which can be consulted for more information.

This collection through third parties may be necessary to use certain services or programs, or to otherwise do business with Publideces. When required, Publideces will obtain the individual’s consent at the appropriate time.

Retention and Use:

  • Publideces ensures that the information it holds is up-to-date and accurate at the time of its use to make a decision concerning the individual in question.
  • Publideces may only use an individual’s personal information for the reasons stated herein or for any other reasons provided at the time of collection. As soon as Publideces wishes to use this information for another reason or purpose, new consent must be obtained from the individual concerned, which must be obtained expressly if it concerns sensitive personal information. However, in certain cases provided by law, Publideces may use the information for secondary purposes without the individual’s consent, e.g.:
    • when such use is clearly for the benefit of that person;
    • when it is necessary to prevent or detect fraud;
    • when it is necessary to evaluate or improve protection and security measures.
  • Limited Access. Publideces must implement measures to limit access to personal information only to employees and individuals within its organization who are qualified to access it and for whom this information is necessary in the performance of their duties. Publideces will request the individual’s consent before granting access to any other person.

Communication:

  • Generally, and unless an exception is indicated in this policy or otherwise provided by law, Publideces will obtain the consent of the individual concerned before communicating their personal information to a third party. Furthermore, when consent is necessary and when it concerns sensitive personal information, Publideces must obtain the explicit consent of the individual before communicating the information.
  • However, the communication of personal information to third parties is sometimes necessary. Thus, personal information may be communicated to third parties without the consent of the individual concerned in certain cases, including, but not limited to, the following:
    • Publideces may communicate personal information, without the consent of the individual concerned, to a public body (such as the government) which, through one of its representatives, collects it in the exercise of its functions or the implementation of a program it manages.
    • Personal information may be transmitted to its service providers to whom it is necessary to communicate the information, without the individual’s consent. For example, these service providers may include event organizers, Publideces subcontractors designated for the execution of mandates in programs administered by Publideces, and cloud service providers. In these cases, Publideces must have written contracts with these providers that specify the measures they must take to ensure the confidentiality of the personal information communicated, that the use of this information is only for the purpose of executing the contract, and that they cannot retain this information after its expiration. Furthermore, these contracts must stipulate that providers must notify Publideces’ Personal Information Protection Officer (indicated in this policy) of any breach or attempted breach of confidentiality obligations concerning the personal information communicated and must allow this officer to conduct any verification related to this confidentiality.
    • If necessary for the purpose of concluding a commercial transaction, Publideces may also communicate personal information, without the consent of the individual concerned, to the other party of the transaction and subject to the conditions provided by law.
  • Communication Outside Quebec: It is possible that personal information held by Publideces may be communicated outside Quebec, for example, when Publideces uses cloud service providers whose server(s) are located outside Quebec or when Publideces deals with subcontractors located outside the province.

Additional Information on Technologies Used:

  • Use of Cookies
    Cookies are data files transmitted to a website visitor’s computer by their web browser when they visit that site and can have several uses.

Websites controlled by Publideces use cookies, notably:

  • To remember visitors’ settings and preferences, for example, for language selection and to allow tracking of the current session.
  • For statistical purposes to understand visitor behavior, content viewed, and to allow for website improvement.

Websites controlled by Publideces use the following types of cookies:

  • Session cookies: These are temporary cookies that are kept in memory only for the duration of the website visit.
  • Persistent cookies: These are kept on the computer until they expire and will be retrieved during the next visit to the site.

Some cookies may be disabled by default, and visitors may choose whether or not to activate these functions when browsing Publideces’ websites.

It is also possible to enable and disable the use of cookies by changing preferences in the settings of the browser used.

  • Use of Google Analytics

All websites under Publideces’ control use Google Analytics to enable continuous improvement. Google Analytics notably allows for the analysis of how a visitor interacts with a Publideces website. Google Analytics uses cookies to generate statistical reports on the behavior of visitors to these websites and the content viewed.

Information from Google Analytics will never be shared by Publideces with third parties.

It is possible to install a browser add-on to disable Google Analytics.

  • Other Technological Means Used

Publideces also collects personal information through technological means such as web forms integrated into a website controlled by Publideces (for example, its contact form, its membership form, and its form to subscribe to the newsletter and seminars), online questionnaires on its platforms and applications, as well as other platforms or form tools (e.g., Microsoft Forms).

If Publideces collects personal information by offering a technological product or service that has privacy settings, Publideces must ensure that these settings offer the highest level of privacy by default (cookies are not covered).

  4. Retention and Destruction of Personal Information

Unless a minimum retention period is required by applicable law or regulation, Publideces will retain personal information only for the duration necessary to fulfill the purposes for which it was collected.

Personal information used by Publideces to make a decision concerning an individual must be retained for a period of at least one year following the decision in question, or even seven years after the end of the fiscal year in which the decision was made if it has tax implications, for example, the circumstances of an employment termination.

At the end of the retention period or when personal information is no longer necessary, Publideces will ensure:

  1. to destroy it; or
  2. to anonymize it (meaning it irreversibly no longer allows the individual to be identified and it is no longer possible to establish a link between the individual and the personal information) for serious and legitimate purposes.

The destruction of information by Publideces must be carried out securely, to ensure the protection of this information.

This section may be supplemented by any policy or procedure adopted by Publideces concerning the retention and destruction of personal information, where applicable. Please contact Publideces’ Personal Information Protection Officer (indicated in this policy) for more information.

  5. Responsibilities of Publideces

Generally, Publideces is responsible for the protection of the personal information it holds.

The Privacy Officer at Publideces is the President of the organization. Generally, they must ensure compliance with applicable legislation regarding the protection of personal information. The officer must approve policies and practices governing personal information governance. More specifically, this person is responsible for implementing this policy and ensuring that it is known, understood, and applied. In the event of the absence or inability of this officer to act, the President will assume the duties of the Privacy Officer.

Publideces staff members who have access to personal information or are otherwise involved in its management must ensure its protection and comply with this policy.

The roles and responsibilities of Publideces employees throughout the personal information lifecycle may be specified by any other Publideces policy in this regard, where applicable.

  6. Data Security

Publideces is committed to implementing reasonable security measures to ensure the protection of the personal information it manages. The security measures in place correspond, among other things, to the purpose, quantity, distribution, medium, and sensitivity of the information. This means that information that can be classified as sensitive (see the definition in section 2) will be subject to more significant security measures and will need to be better protected. In particular, and in accordance with what was previously mentioned regarding limited access to personal information, Publideces must implement the necessary measures to impose restrictions on the usage rights of its information systems so that only employees who need access are authorized to access them.

  7. Rights of Access, Rectification, and Withdrawal of Consent

To exercise their rights of access, rectification, or withdrawal of consent, the person concerned must submit a written request to the Publideces Privacy Officer, at the email address indicated in the following section.

Subject to certain legal restrictions, data subjects may request access to their personal information held by Publideces and request its correction if it is inaccurate, incomplete, or ambiguous. They may also demand the cessation of the dissemination of personal information concerning them or that any hyperlink associated with their name allowing access to this information by technological means be de-indexed, when the dissemination of this information violates the law or a court order. They may do the same, or demand that the hyperlink allowing access to this information be re-indexed, when certain conditions provided by law are met.

The Publideces Privacy Officer must respond in writing to these requests within 30 days of the date of receipt of the request. Any refusal must be justified and accompanied by the legal provision justifying the refusal. In such cases, the response must indicate the remedies available under the law and the deadline for exercising them. The officer must help the applicant understand the refusal if necessary.

Subject to applicable legal and contractual restrictions, data subjects may withdraw their consent to the communication or use of collected information.

They may also ask Publideces what personal information has been collected from them, the categories of people at Publideces who have access to it, and its retention period.

  8. Complaint Handling Process

Reception

Any person wishing to file a complaint regarding the application of this policy or, more generally, the protection of their personal information by Publideces, must do so in writing by contacting the Publideces Privacy Officer, at the email address indicated in the following section.

The individual must provide their name, contact information, including a phone number, as well as the subject and reasons for their complaint, providing sufficient detail for it to be evaluated by Publideces. If the complaint is not sufficiently precise, the Privacy Officer may request any additional information deemed necessary to evaluate the complaint.

Processing

Publideces undertakes to treat all complaints received confidentially.

Within 30 days of receiving the complaint or receiving all additional information deemed necessary and requested by the Publideces Privacy Officer to process it, the latter must evaluate it and formulate a reasoned written response by email to the complainant. This evaluation will aim to determine whether Publideces’ processing of personal information complies with this policy, any other policies and practices in place within the organization, and applicable legislation or regulations.

Should the complaint not be able to be processed within this timeframe, the complainant must be informed of the reasons justifying the extension, the progress of their complaint’s processing, and the reasonable time required to provide a definitive response.

Publideces must create a separate file for each complaint addressed to it. Each file contains the complaint, the analysis and documentation supporting its evaluation, as well as the response sent to the person who originated the complaint.

It is also possible to file a complaint with the Commission d’accès à l’information du Québec or any other personal information protection oversight body responsible for enforcing the law relevant to the subject of the complaint.

However, Publideces invites any interested person to first contact its Privacy Officer and await the completion of Publideces’ processing procedure.

  9. Approval

This policy is approved by the Publideces Privacy Officer, whose business contact information is as follows:

Privacy Officer:

Denis Lachance
President

For any requests, questions, or comments regarding this policy, please contact the officer by email at info@Publideces.com

  10. Publication and Amendments

This policy is published on the Publideces website, as well as on all websites controlled and maintained by Publideces to which this policy applies, in relation to the personal information collected therein. This policy is also disseminated by any means suitable for reaching the data subjects.

Publideces reserves the right to amend this policy at any time.

Publideces must also do the same for all amendments to this policy, which must also be subject to notice to inform the data subjects.

*Notes: Please note that the use of the masculine gender is intended to simplify this policy and facilitate its reading.

Version and Change Log:

| Version | Effective Date | Changes from Last Version |
|---------|----------------|---------------------------|
| 1.0 | August 23, 2023 | N/A – First Version |
| 2.0 | | |

Appendix A

Below is a non-exhaustive list of the types of information Publideces may collect, their use, or the intended purpose, as well as the means by which the information is collected. This includes, but is not limited to, the following elements.

Please note that most personal information managed by Publideces consists of client information, employee personal information, job applicant information, and consultant information.

For each relationship with Publideces (services, program, etc.), the lists below give the type of personal information (any of this information, when necessary), the purpose of collection / uses (used for), and the method of information collection, or means (may be collected).

Clients and Deceased Persons

Type of Personal Information:

  • Last Name
  • Email
  • Banking information
  • Date of Birth
  • Place of birth
  • Parents’ names
  • Place of death
  • Date of Death
  • Marital status

Purpose of Collection / Uses:

  • Establish and manage client relationships (and obtain a means of communication)
  • provide a service in compliance with applicable laws
  • Information request within our field of activity
  • know the preferred language of communication
  • ensure payment of costs related to services or programs

Method of Information Collection (Means):

  • Through web forms integrated into a website controlled by Publideces, online questionnaires accessible on its platforms and applications, as well as other form platforms or technological tools.
  • by email (directly or via an attached document or other type of form)
  • from third parties (e.g., Clover, Global Payment, Stripe, CallRail)

Job Applicants and Employees

Type of Personal Information:

  • name
  • phone number
  • email
  • Banking information
  • social insurance number
  • date of birth
  • address

Purpose of Collection / Uses:

  • managing communications with the applicant or employee
  • ensure the payroll system operates

Method of Information Collection (Means):

  • by email
  • by phone

Consultants

Type of Personal Information:

  • name
  • phone number
  • email
  • Banking information
  • address

Purpose of Collection / Uses:

  • managing communications with the consultant
  • invoicing

Method of Information Collection (Means):

  • by email (directly or via an attached document: Word, PDF, etc.)

Service Providers

Type of Personal Information:

  • name
  • phone number
  • email
  • Banking information
  • language

Purpose of Collection / Uses:

  • managing mandates
  • invoice payment
  • know the languages in which they can provide services

Method of Information Collection (Means):

  • through web forms integrated into a website controlled by Publideces
  • by email

Publideces Network (Ecosystem Stakeholders)

Type of Personal Information:

  • name
  • phone number
  • email
  • banking details (when necessary)
  • language

Purpose of Collection / Uses:

  • future communications
  • registration for activities organized by Publideces and for cybersecurity expertise portals
  • surveys
  • the creation of databases for these future communications and to understand the network’s expertise
  • know the preferred language of communication

Method of Information Collection (Means):

  • through web forms integrated into a website controlled by Publideces and other form platforms or technological tools (e.g., Microsoft Forms)
  • from third parties (e.g., Eventbrite and Events.com for banking details)

Publideces Partners

Type of Personal Information:

  • name
  • phone number
  • email
  • banking details (when necessary)

Purpose of Collection / Uses:

  • establish the partnership (signing partnership agreements)
  • collaboration

Method of Information Collection (Means):

  • by email (directly or via an attached document or other type of form)