Privacy Policy

Following the adoption of the Act to Modernize Legislative Provisions as Regards the Protection of Personal Information (Law 25), assented to on September 22, 2021, a number of changes have been made to Act Respecting The Protection Of Personal Information In The Private Sector, c. P-39.1 (hereinafter ” Protection of Personal Information Act “) to reinforce the protection of personal information in Quebec. As ECOTEL is required to collect, use and retain personal information in the course of its activities and is subject to this Act, it has developed the Personal Information Protection Governance Policy. (herinafter ” the Act “).

GOALS

This Policy describes the standards for the collection, use, communication and retention of personal information in order to ensure the security of such information. It also explains the roles and responsibilities of anyone within the company with access to personal information, throughout its lifecycle within the company. Finally, it describes the process for handling complaints about the protection of this information.

SCOPE OF APPLICATIONS

This Policy applies to ECOTEL, which includes employees and any person who provides services on behalf of the company.

It applies to all personal information collected, used and retained by ECOTEL, regardless of its form (physical, digital, written, graphic, audio, visual or other), as well as to the ECOTEL website, where applicable.

*Personal information is defined as any information concerning a physical person that can lead, directly or indirectly, to identify this person.

*The APPENDICES are an integral part of the Policy.

COLLECTIONS

ECOTEL collects personal information from employees and potential candidates for recruitment purposes.

ECOTEL typically collects personal information directly from the person concerned with his or her consent, unless an exception is required by law.

Consent may be obtained implicitly in certain situations, for example, when an individual decides to provide his or her personal information voluntarily as part of a potential hiring process.

In all cases, ECOTEL collects personal information only if it has a valid reason to do so. Furthermore, the collection of information will be limited to that which is necessary to fulfill the intended purpose.

Unless an exception is prescribed by law, ECOTEL will seek the consent of the person concerned before requesting personal information about him or her from a third party.

Considering that ECOTEL collects personal information by technological means, it has adopted a Privacy Policy available in APPENDIX 1.

USE

ECOTEL is committed to using personal information in its possession only for the purposes for which it was collected and as authorized by law. It may, however, collect, use or disclose them without the consent of the person concerned when allowed or required by law. Such circumstances arise especially when, for legal, medical or security reasons, it is impossible or unlikely to obtain consent, when such use is clearly for the benefit of the person concerned, when it is necessary to prevent or detect fraud or for any other compelling reason.

ECOTEL limits employee access to personal information and personal knowledge necessary for the proper exercise of their functions.

COMMUNICATION

Normally, ECOTEL cannot disclose personal information about an individual without that person’s consent.

However, ECOTEL may disclose personal information to a third party without the consent of the concerned individual when the disclosure is due to a regulatory or legal requirement or when the Privacy Act or any other law so allows.

RETENTION

Retention

In the context of its operations, ECOTEL must keep many documents containing personal information.

In addition to obligations imposed by the Canada Revenue Agency, Revenu Québec and the Act respecting labour standards, some documents must be kept for a prescribed period of time. The obligation to retain documents is described in APPENDIX 4 of this document.

Retention period

The obligation to retain certain documents is described below:

Document

Retention period

Curriculum vitae

4 years

Paper employee file

7 years

Payroll software employee file

2 years

Physical and digital documentation

Depending on the nature of the personal information, it may be stored at ECOTEL’ offices, in various ECOTEL’ or its service providers’ computer systems, or in ECOTEL’ or its service providers’ storage facilities.

Security measures

The security and protection of personal information is important to ECOTEL. The company has implemented security measures to ensure that all personal information remains strictly confidential and is protected against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.

Depending on the nature of the documents and information, different levels of security are applied to document management, and actions are taken accordingly. These security precautions may include organizational measures such as restricting employee access to what is strictly necessary; backing up and archiving data using an external system, etc.; and technological measures such as the use of passwords and encryption (e.g. frequent password changes and the use of firewalls).

Text-based digitization

In the event that ECOTEL wishes to destroy the original documents following their digitization, it complies with the following conditions:

  1. The information contained in the digitized documents has not been altered and has been maintained in its entirety;
  2. The digitization process, and the medium used to store the digitized documents, must ensure the stability and longevity of the documents.

ECOTEL chooses a medium or technology for storing its documents that complies with these conditions.

When ECOTEL digitizes a document, it follows the procedure described in APPENDIX 2.

DESTRUCTION

Original documents containing personal or confidential information are securely destroyed.

ECOTEL uses permanent document destruction techniques adapted to the level of confidentiality associated with the document to be destroyed.

We refer to APPENDIX 3 for definitive document destruction procedures.

PRIVACY IMPACT ASSESSMENT

ECOTEL is required to conduct a Privacy Impact Assessment (PIA) for all acquisition, development and redesign of information systems or electronic service delivery projects involving personal information.

The privacy impact assessment carried out must be in proportion to the sensitivity of the information concerned, the purpose for which it is to be used, its quantity, distribution and medium.

ECOTEL can use the guide developed by the Commission d’accès à l’information “Support guide – Performing a privacy impact assessment” to carry out a privacy impact assessment, if necessary.

REQUEST FOR ACCESS OR RESTRICTION

Any person may request access or correction of personal information held by ECOTEL.

The concerned person must submit a written request to this effect to the ECOTEL Privacy Officer.

Subject to certain legal restrictions, individuals may request access and correction of their personal information held by ECOTEL if it is inaccurate, incomplete or misleading.

The ECOTEL Privacy Officer must respond in writing to such requests within 30 days of receiving them.

CONFIDENTIALITY BREACH

Confidentiality incidents and breaches

A confidentiality breach is any unauthorized access, use or disclosure of personal information, as well as its loss or any other form of breach of confidentiality.

If ECOTEL has reason to believe that a confidentiality breach involving personal information held by ECOTEL has occurred, ECOTEL will use all reasonable efforts to minimize the risk of harm and to prevent similar incidents in the future.

In the event of a confidentiality breach, ECOTEL will assess the extent of the prejudice. This assessment takes into account, among other things: the sensitivity of the personal information concerned; the possible malicious uses of the information; the anticipated consequences of the use of the information; and the likelihood of the information being used for harmful purposes.

When the incident presents a risk of serious harm to the individuals whose information is involved, ECOTEL notifies in writing :

  • The Commission d’accès à l’information via the prescribed notice form ;
  • The concerned individual(s). The notice must provide adequate information on the scope and consequences of the breach. This notice must include :
    • A description of the personal information involved in the breach. If this information is not known, the company must explain why this information cannot be provided.
    • A brief description of the circumstances surrounding the incident;
    • The date or period at which the incident took place, or an estimate of this period if not known;
    • A brief description of the actions taken or planned to reduce the risk of harm resulting from the incident;
    • The suggested measures to mitigate or reduce the risk of harm to the concerned individual;
    • Contact details of an individual or department who may be contacted to obtain further information about the incident.

Confidentiality breach records

ECOTEL keeps a record of confidentiality breaches in accordance with APPENDIX 4.

The log records all breaches of confidentiality involving personal information:

  • those that do not present a risk of serious harm and;
  • those presenting a risk of serious prejudice.

The information contained in the confidentiality breach records is kept up to date and preserved for a minimum period of five (5) years after the date or period during which ECOTEL became aware of the incident.

PRIVACY COMPLAINT HANDLING PROCESS

Any individual concerned by the application of this Policy may file a complaint concerning the application of this Policy or, more generally, concerning the protection of his or her personal information by ECOTEL.

The procedure for handling privacy complaints is described in APPENDIX 5.

CONTACT DETAILS OF THE PERSON RESPONSIBLE FOR THE PROTECTION OF PERSONAL INFORMATION

Ms. Vanessa Catalano, HR & Communications Director, is responsible for the protection of ECOTEL’ personal information. She can be reached by phone at 877-374-3997 Ext.1083 or by e-mail at vanessa.catalano@ambra.co. In her absence, COO Mélissa Houle will be taking over, and can be contacted at 877-374-3997 Ext.1070 or melissa@ambra.co.

The ECOTEL Privacy Officer may be contacted for any questions regarding the application of this Privacy Policy.

EFFECTIVE DATE OF THE POLICY

The Policy takes effect on January 1, 2024.

The Policy has been approved by the Privacy Officer and General Management.

APPENDIX 1 - PRIVACY POLICY FOR THE COLLECTION OF PERSONAL INFORMATION BY TECHNOLOGICAL MEANS

ECOTEL is committed to protecting the privacy and confidentiality of the personal information you provide or that we collect when you visit our website or interact with us through technological means. In this regard, this privacy policy (hereinafter the “Policy”) is intended to inform you of the personal information collected, the purposes for which it is collected, the communications that may be carried out and, more generally, the protective measures put in place. It also addresses the use of cookies, where applicable.

The Privacy Policy is adopted in accordance with article 8.2 of the Act Respecting The Protection Of Personal Information In The Private Sector, c. P-39.1 (hereinafter the « Protection of Personal Information Act»).

Consent

If you visit our website or receive any of our services, or if you submit your personal information to ECOTEL, we will consider you to have consented to the purposes set out below, for which ECOTEL collects and uses your personal information.

Use of cookies (hereinafter referred to as “cookies”)

ECOTEL uses cookie technology to improve the user experience through navigating our website and to provide users with the content they are most interested in.

A cookie is a string of information sent by a website and stored on the hard drive or temporarily in a computer’s memory.

The use of cookies is standard practice in the industry, and many recognized browsers are initially configured to accept them. You can reconfigure yours to refuse or accept cookies, or to alert you when a cookie is set on your computer. Please note that if you refuse the use of cookies, you may not be able to use all the features of the ECOTEL website.

What type of information do we collect?

You are solely responsible for deciding whether or not to provide us with your personal information. Generally, you can visit our website or communicate with us without having to provide your personal information. However, in some cases, it will be necessary for us to collect your personal information.

When visiting our website, we may collect and use the following categories of personal information:

  • Identification: your first and last name.
  • Contact details: your phone number and e-mail address.
  • Interactions: when you communicate with us by e-mail, chat, by submitting a comment, by filling out a form, or if you send us your resume when applying for a job at our company, we save each interaction and, if applicable, each attached file.
  • Using our website: When you browse our website, we automatically collect certain personal information from your browser’s cookies, including your IP address, language preferences, the date and time of your visit and the pages you viewed.

Use of personal information collected through our website?

The personal information we collect is used only for the purposes indicated at the time of collection, i.e. when you browse or disclose information on our website. We use your personal information mainly to :

  • Communicate with you and keep you informed: in response to a question, comment or request for information, etc;
  • To personalize, enhance or facilitate your experience on our website: for example, to store your information so that you do not need to re-enter it each time you visit our website;
  • Process job applications and resumes, where applicable;
  • Analyze data for marketing purposes;
  • Any other use authorized or required by the applicable laws.

Sharing and communicating information?

ECOTEL may share your personal information with other organizations only if you have given us your consent to do so. We may disclose your personal information without your consent if we are legally required or authorized to do so, but in such cases we will only provide the information that is required.

Storage and security

All personal information you provide to ECOTEL is stored on secure servers with access that is restricted to ECOTEL. We take all reasonable technological precautions, such as firewalls, anti-virus software, access management, intrusion detection and regular backups, to ensure a secure environment and protect your personal information. However, given the very nature of the public network that is the Internet, you acknowledge and accept that the security of all transmissions made through the Internet cannot be guaranteed. Consequently, ECOTEL cannot guarantee nor assume any responsibility for any breach of confidentiality, hacking, virus, loss or alteration of data transmitted via the Internet.

Conservation

ECOTEL uses and stores your personal information only as long as necessary to fulfill the purposes for which it was collected, or as otherwise authorized or required by law.

External links

This Policy does not apply to third-party websites that may be accessed by clicking on links on our website, and ECOTEL is not liable in any way for such third-party websites. ECOTEL does not make any claims regarding any other website which you may access through our website. If you follow a link to a third-party website, that site will have its own privacy policies that you should review before providing any personal information.

Please note that a link to such a site does not imply that ECOTEL endorses the site or accepts any responsibility for its content or the use to which it may be put. It remains your responsibility to take the necessary precautions to ensure that the site you choose to visit is free of viruses and other destructive elements.

Responsibility

ECOTEL is not responsible for the accuracy of the information you provide through our website.

ECOTEL cannot be held responsible for any direct or indirect damage caused by the use or non-use of information made available on our website.

ECOTEL does not guarantee that the site or its content will be free of interruptions or errors, that any faults will be rectified, or that the site or the server that hosts it are free of viruses or other harmful elements.

Additional information

For any inquiries or updates regarding your personal information, please contact the Privacy Officer by calling 877-374-3997 Ext.1083 or by e-mail at vanessa.catalano@ambra.co. In her absence, COO Mélissa Houle will be taking over, and can be contacted at 877-374-3997 Ext.1070 or melissa@ambra.co.

APPENDIX 2 - DIGITIZATION PROCEDURE

  1. Physically prepares documents for scanning (removes paper clips and staples);
  2. Scans documents and remains present throughout the process to protect the integrity of digitized data;
  3. Performs an exhaustive verification of digitized documents to ensure quantity, quality and integrity of the reproduced documents. They ensure that :
    • the digitized documents are consistent with the original documents;
    • the data is legible and in good condition (no loss of detail or information);
    • duplexing has been carried out, if necessary; if the duplexing option has left any blank pages, it eliminates them;
    • the documents or pages have been scanned in the right orientation and format.
  1. Ensures that the correct number of documents or pages have been scanned (if pages are missing, they will repeat the entire scanning process);
  2. Renames PDF files in accordance with the naming convention established by ECOTEL;
  3. Saves the PDF file(s) to the appropriate location in ECOTEL digital environment;

APPENDIX 3 - DEFINITIVE DOCUMENT DESTRUCTION METHODS

Permanent document destruction methods[1]

Medium used

Examples of destruction methods

Paper

(original and all copies)

• Shredder

Digital formats to be reused or recycled

e.g. flash memory cards (SD, XD, etc.) USB sticks, computer hard drives

• Formatting, rewriting, digital shredding (software performing a secure deletion which writes random information in the location of the deleted file to replace it).

Non-reusable digital media

e.g. certain CDs, DVDs, flash memory cards, USB sticks and hard drives that will no longer be used

• Physical destruction (shredding, crushing, surface grinding, disintegration, incineration, etc.).

Most shredders are capable of destroying CDs and DVDs.

• Hard drive demagnetizing.

Machines containing hard disks

e.g. copier, fax machines, scanners, printers, etc.

• Overwriting of information on hard drives, or hard drives removed and destroyed when machines are replaced.

[1] Commission d’accès à l’information, Online destruction procedure :  https://www.cai.gouv.qc.ca/entreprises/procedure-de-destruction/

 

APPENDIX 4 - CONFIDENTIALITY BREACH RECORDS

Confidentiality breach records

Date or time of breach

Individuals concerned (compromised information)

Description
of breach circumstances

Acknowledgement of the breach

 

Number of people concerned by the incident

Description of the factors leading to the conclusion that there is or is no risk of serious harm[1] caused to the people involved.

Date of notice sent to the Commission d’accès à l’information

 

Date on which the notices were sent to the concerned individuals

 

Description of the measures taken to reduce the risk of harm that might be caused

         
         
         
         
         

[1] The evaluation of the potential risk of serious harm takes into account, among other things: the sensitivity of the personal information involved; the possible malicious uses of the information and the anticipated consequences resulting from the use of the information; and the likelihood that the information could be used for harmful purposes.

APPENDIX 5 - PROCEDURE FOR HANDLING COMPLAINTS RELATED TO THE PROTECTION OF PERSONAL INFORMATION

Receiving a complaint

Any individual who wishes to make a complaint concerning the application of this policy or, more generally, the protection of their personal information by ECOTEL, must do so in writing to the ECOTEL Privacy Officer.

The person must provide their name, contact information, including a telephone number, as well as the subject and reasons for their complaint, in sufficient detail for ECOTEL to be able to evaluate it. If the complaint is not specific enough, the Privacy Officer may request additional information in order to assess the complaint.

Complaint processing

ECOTEL is dedicated to treating all complaints in the strictest confidentiality.

Complaints are handled within a reasonable time frame. The Privacy Officer will assess the complaint and provide a reasoned written response to the complainant.

The assessment will aim to determine whether ECOTEL’ handling of personal information complies with this policy and the organization’s practices and applicable laws or regulations.

Complaint file

ECOTEL shall create a separate file for each complaint submitted in compliance with this Complaint Handling Procedure. Each file contains the complaint, the assessment and supporting documentation, as well as the written response sent to the complainant.