Personal information protection and privacy policy
1. Introduction
This personal information protection policy (hereinafter referred to as the “Policy”) aims to define the principles and practices of Groupe Serenis Inc. (hereinafter referred to as “Serenis”) regarding the collection, processing, retention, destruction, and protection of personal information in accordance with the Act respecting the protection of personal information in the private sector (Chapter P-39.1) (hereinafter referred to as the “Act”).
It also outlines the roles and responsibilities of Serenis staff members as well as the process for handling complaints related to the protection of personal information.
2. Definitions
“Collection” means the act of gathering, acquiring, or obtaining personal information by any means and in any manner whatsoever, including from Third Parties;
“Consent” means a freely given agreement to the collection, use and/or disclosure of personal information for purposes determined with the User by Serenis. Consent may be explicit, or implicit under certain conditions provided for by law when a record is created. Personal information must be collected directly from the user or from a Third Party; in the latter case, Serenis must obtain the user’s written authorization. When consent is explicit, it must be unequivocal.
“Disclosure” means the act of revealing personal information to a person without authorization by law or by the user;
“Personal information” means any information that relates to a natural person and allows, directly or indirectly, that person to be identified;
“Personal Information Protection Officer” means the person holding the highest authority at Serenis or the person designated in writing to hold this role, who is responsible for the protection of personal information, including compliance with this policy within Serenis;
“Third Party” means any person other than the user, Serenis, or an agent of Serenis;
“User” means any client, employee, or any person who accesses any service offered by Serenis;
“Use” means the processing, handling, and management of personal information by Serenis.
3. Responsibilities
When creating a record on a user, Serenis must inform the User, at the time of collection and subsequently upon request, of the purpose of the record, the use that will be made of the personal information, as well as the categories of persons who will have access to it within Serenis, the location where the record will be kept, and the User’s rights of access or rectification of their personal information.
Serenis is responsible for ensuring the security of the personal information it holds and must designate a Personal Information Protection Officer who will be responsible for ensuring compliance with this policy.
The Personal Information Protection Officer is responsible for the application of this Policy. Other Serenis employees may also be designated to assist the Personal Information Protection Officer or to carry out the day-to-day activities of collection, use, disclosure, and processing of personal information. Serenis will post on its website the title and contact details of the Personal Information Protection Officer, as indicated in Section 14 of this Policy.
No personal information may be disclosed to a Third Party, except in cases provided for by law or with the user’s clear, free, and informed consent, and only for the specified purposes.
4. Scope
This policy applies to all personal information collected, processed, and retained by Serenis in the course of its activities in Quebec, in compliance with the Act.
5. Collection and Use of Personal Information
Serenis will only collect personal information that is necessary for specific and legitimate purposes, and will inform users of the reasons why their personal information is being collected. The user’s personal data will only be used for the specified purposes, unless explicitly consented to by the user or mandated by law.
Serenis will take reasonable steps to ensure that the user is informed of the purposes and means for which the personal information will be used when their consent is given.
6. Consent
Serenis will obtain the users’ explicit, free, and informed consent before collecting, processing, or using their personal information. Users have the right to withdraw their consent at any time.
Users may contact the Personal Information Protection Officer with the contact details provided below to withdraw their consent regarding the disclosure and/or use of their personal information held by Serenis. It should be noted that such a withdrawal may result in the unavailability of Serenis services if the personal information is essential to provide the services or to fulfill agreements with them, particularly for employees.
When personal information concerns a minor under the age of 14, consent must be given by the person holding parental authority or by the guardian, except where the collection, use, or disclosure of the personal information is clearly to the benefit of the minor. When personal information concerns a minor aged 14 and over, consent is generally obtained directly from the minor, subject to cases provided for by law.
7. Processing of Personal Information
Personal information will be processed in a lawful, fair, and transparent manner. Serenis will implement appropriate security measures to protect personal information against unauthorized access, loss, disclosure, or alteration.
Serenis will adopt appropriate practices for the collection, retention, and processing of personal information, as well as security measures to ensure protection against unauthorized access to personal information, and to safeguard it against modification, disclosure, or destruction.
8. Retention of Personal Information
Personal information will be retained only for as long as reasonably necessary to achieve the purposes for which it was collected, unless otherwise required by law.
Once Serenis has completed its mandate, fulfilled the contract, or achieved the purposes for which the personal information was collected, it may either destroy the information or anonymize it. However, anonymization may only be carried out for the purpose of using anonymized information for serious and legitimate purposes by Serenis.
9. User Rights
In accordance with the Act, users have the right to access their personal information, correct it, delete it, restrict its use, and object to its disclosure. Requests relating to these rights will be handled diligently and within the time limits prescribed by law. Serenis must respond within 30 days to any request for access to or correction of personal information.
Serenis will ensure that the personal information it holds is up to date and accurate when making a decision related to a request.
Serenis will update personal information when necessary to make a decision, to fulfill the specified purposes, or to correct, following a request, any inaccurate personal information.
Users may also request that the computerized personal information they have provided to Serenis be communicated to them in a structured, commonly used technological format or be transferred to another organization, where permitted by law.
A user may, by submitting a written request to the Personal Information Protection Officer whose contact details are provided below, obtain a copy of the personal information Serenis holds about them.
A user may, by submitting a written request to the Personal Information Protection Officer whose contact details are provided below, be informed about how their personal information is being used.
When personal information is published by Serenis, the user may, in cases provided for by law, request that its publication be stopped or that any hyperlink associated with their name be de-indexed.
Serenis does not currently make any decisions producing legal effects with respect to a user, nor any decisions that otherwise significantly affect them, based solely on automated processing of personal information. If Serenis were to implement such decision-making processes in the future, the user would be informed in advance in accordance with the Act and would be provided with appropriate mechanisms to present their observations and exercise their rights.
Serenis will not charge any fees for access to the personal information file it holds regarding a user. However, certain fees may apply for reproduction, transmission, or transcription of information.
Serenis may refuse to disclose personal information if such disclosure could cause harm to Serenis, to a Third Party, or if it contravenes a law. In such cases, Serenis will provide reasons for its refusal.
10. Sharing Personal Information
Serenis will share personal information with Third Parties only to the extent necessary to achieve the specific purposes for which it was collected. Appropriate contracts and agreements will be put in place to ensure that Third Parties process personal information in compliance with the Act.
With respect to service providers, Serenis commits to ensuring that the processing of personal information by a service provider is subject to a written contract guaranteeing the confidentiality of the personal information disclosed so that such information is used only in the context of performing the contract.
Serenis also conducts privacy impact assessments in other situations provided for by law, particularly in connection with projects involving the acquisition, development, or redesign of information systems involving personal information.
11. International Transfer of Personal Information
International transfers of personal information will be carried out in accordance with applicable legal provisions and with appropriate safeguards in place.
When personal information is disclosed outside of Quebec or entrusted to a Third Party located outside of Quebec, Serenis commits to collecting, using, disclosing, or retaining personal information on its behalf and to conducting a privacy impact assessment (PIA).
Where applicable, the following factors are taken into account: the sensitivity of the information, the purpose of its use, the protective measures—including contractual measures—that will apply, and the legal framework applicable in the receiving jurisdiction, including the principles of personal information protection that apply there. Where applicable, Serenis conducts a PIA for processing activities involving the disclosure of personal information outside of Quebec.
12. Personal Information Protection Officer
Ms. Jessica Deslauriers-Carosello, Director of Operations, is designated as the Personal Information Protection Officer and is responsible for implementing this policy.
The Personal Information Protection Officer shall, in particular:
- Establish and implement policies and practices governing the protection of personal information within Serenis;
- Ensure that the collection, holding, use, retention, destruction, anonymization, and disclosure of personal information to Third Parties comply with the Act;
- Define the framework applicable to the retention and destruction of personal information;
- Take the necessary measures to secure information systems;
- Take the necessary measures to prevent confidentiality incidents from occurring and to prevent their recurrence, where applicable;
- Notify the Commission d’accès à l’information and the individuals concerned about any confidentiality incident presenting a risk of serious harm;
- Maintain a register of confidentiality incidents;
- Define the roles and responsibilities of company personnel throughout the lifecycle of personal information;
- Conduct privacy impact assessments where required by law;
- Handle complaints relating to the protection of personal information;
- Provide training on the protection of personal information.
13. Training and Awareness
Serenis will ensure that its personnel are trained and made aware of the importance of maintaining a high level of protection of personal information in accordance with the Act.
Serenis will also ensure that more specific training is provided to employees who play a leading role in implementing the company’s Personal Information Protection Policy. Annual training sessions on best practices in cybersecurity and personal information protection will be provided to all staff members.
14. Complaint
Any individual may file a complaint by contacting the Personal Information Protection Officer. Serenis has a complaint handling process related to the processing of personal information.
15. Policy Changes
Serenis reserves the right to modify this policy in response to legal and operational developments. Any changes will be communicated to the users concerned.
All users are encouraged to consult this page to stay informed about changes and how Serenis contributes to the protection of the personal information it collects.