Privacy Policy

PREAMBLE

Law 25 updates the framework applicable to the protection of personal information.

FOLIO MEDIAN is now required to adopt and ensure the application of a policy setting out its governance rules for the protection of the personal information it holds.

ARTICLE 1. DEFINITIONS

In this policy, unless the context otherwise requires, the following expressions mean:

Personal information:

Any information which concerns a natural person, and which directly or indirectly allows them to be identified, such as: name, address, telephone number, email address, occupation, social insurance number, date of birth, photograph and bank details.

Personal information must be protected, regardless of the nature of its medium, and whatever its form: written, graphic, audio, visual, computerized or other.

Sensitive Personal Information:

Personal information is sensitive when, by its nature or because of the context of its use or communication, it gives rise to a high degree of reasonable expectation of privacy. The following information is, in particular, considered sensitive: medical, biometric, genetic or financial information, or even information on life or sexual orientation, religious beliefs or ethnic origin.

Consent:

Consent is the authorization of the person holding the personal information to collect and use their personal information. Consent is not presumed. It must be manifest, free, informed, given for specific purposes, in simple and clear terms, for the duration necessary to achieve the purposes for which it was requested.

Minor:

Person under the age of 18.

Major:

Person aged 18 and over or emancipated person under 18.

ARTICLE 2. SCOPE OF APPLICATION AND LEGAL FRAMEWORK

As a private company, FOLIO MEDIAN collects personal information, particularly that of customers and staff members. It is therefore subject to the provisions of Law 25.

This policy applies to any person who, in the performance of their duties, collects, consults, uses, communicates, holds, or retains personal information or sensitive personal information held by FOLIO MEDIAN concerning any natural person.

ARTICLE 3. COLLECTION OF PERSONAL INFORMATION

3.1. Personal information that may be collected

In order to adequately fulfill its mission, FOLIO MEDIAN must collect a lot of personal information.

It only collects the personal information necessary to carry out its activities.

FOLIO MEDIAN may also collect personal information if it is necessary to carry out activities. In such a case, the collection must be preceded by an assessment of the factors relating to privacy and carried out within the framework of a written agreement sent to FOLIO MEDIAN.

FOLIO MEDIAN takes steps to ensure that the personal information it collects is adequate, relevant, not excessive and used for specific and limited purposes.

3.2. Information communicated when collecting personal information

When it collects personal information, FOLIO MEDIAN ensures that the person concerned is informed, at the latest at the time of collection, of:

  1. The name of the organization in whose name the collection is made;
  2. The purposes for which this information is collected;
  3. The means by which the information is collected;
  4. The obligatory or optional nature of the request;
  5. The consequences of a refusal to respond or consent to the request;
  6. Rights of access and rectification provided for by law;
  7. The possibility of personal information being communicated outside of Quebec, if applicable.

The organization does not disclose any personal information except for service purposes. The only third parties to whom FOLIO MEDIAN discloses personal information for service purposes are the following:

1. Amazon Web Services in its Montreal data centers.
2. Sintch.

Upon request, the person concerned is also informed of the personal information collected from him/her, the categories of persons who have access to it within the private organization, the period for which this information is kept and the contact information of the person responsible for the protection of personal information.

ARTICLE 4. USE OF PERSONAL INFORMATION

FOLIO MEDIAN uses personal information concerning its customers, members of its staff and other third parties in order to carry out its mission and functions. It will not use personal information for purposes other than those specified at the time of collection unless the person concerned expressly consents or the Law permits it.

ARTICLE 5. CONSENT

In situations that require it, FOLIO MEDIAN must provide consent to the collection, use or disclosure of personal information to the individuals concerned. To be valid, consent must be manifest, free, informed, given for specific purposes, in simple and clear terms and for the duration necessary to achieve the purposes for which it was requested.

Once an individual has given consent to the collection, use and disclosure of their personal information, they may withdraw it at any time. To withdraw their consent, if applicable, they can contact the person whose name is indicated in the consent form (for example by email, fax, telephone, etc.).

Please note that if an individual withdraws their consent, it is possible that FOLIO MEDIAN will be unable to provide a particular service. For example, a person who refuses to give consent for the transmission of their data to FOLIO MEDIAN may not be able to use the services provided by the company. FOLIO MEDIAN will explain to this person the impact of withdrawing their consent to help them in their decision-making.

ARTICLE 6. COMMUNICATION OF PERSONAL INFORMATION

6.1. Communication with the consent of the data subject

FOLIO MEDIAN may communicate certain personal information it holds to a third person if it has obtained valid consent from the person concerned.

6.2. Communication without the consent of the person concerned

FOLIO MEDIAN may disclose certain personal information held to comply with a court order, law or legal process, including to respond to any government or regulatory request, in accordance with applicable laws, or if it believes that the disclosure is necessary or appropriate to protect the rights, property or safety of FOLIO MEDIAN or other people.

FOLIO MEDIAN may communicate certain personal information that it holds to a member of the staff of FOLIO MEDIAN who has the status to receive it and when this information is necessary for the exercise of his functions.

FOLIO MEDIAN may transfer the personal information it collects to service providers and other third parties that support it. These third parties are contractually obligated to keep personal information confidential, to use it only for the purposes for which FOLIO MEDIAN discloses it, and to process personal information according to the standards set out in the policy and in compliance with the laws.

In certain situations, the person responsible for the protection of personal information must enter the communication in their personal information and communication register.

ARTICLE 7. PRESERVATION AND DESTRUCTION OF PERSONAL INFORMATION

FOLIO MEDIAN retains the personal information it holds only for the time necessary to fulfill the purposes for which it collected it and in accordance with its retention schedule, unless authorized or required by applicable laws or regulations.

Generally, when the purposes for which personal information was collected or used are accomplished, FOLIO MEDIAN must destroy or anonymize it to use it for private purposes.

Information concerning a natural person is anonymized when it is, at all times, reasonable to predict in the circumstances that it no longer allows that person to be directly or indirectly identified. It should be noted that the anonymization process must be irreversible.

However, as an exception to the general rule, if it concerns personal information contained in a document covered by the retention schedule of FOLIO MEDIAN, it must comply with the rules provided therein regarding the conservation and destruction of these documents.

When FOLIO MEDIAN destroys documents containing personal information, it ensures that it takes the necessary protective measures to ensure its confidentiality. The destruction method used must be determined based on the sensitivity of the information, the purpose of its use, its quantity, its distribution and its medium.

The information held by FOLIO MEDIAN is processed and stored in Quebec. When a transfer of personal information outside Quebec is necessary as part of the exercise of the functions of FOLIO MEDIAN, this transfer will only take place if it is assessed that the information would benefit from adequate protection, in particular by considering the sensitivity of the information, the purpose of its use, the protection measures from which the information would benefit and the applicable legal regime in the state or province where this information would be communicated. The transfer will also be subject to appropriate contractual agreements to ensure this adequate protection.

ARTICLE 8. PROTECTION OF PERSONAL INFORMATION

FOLIO MEDIAN has implemented appropriate and reasonable physical, organizational, contractual and technological security measures to protect your personal information, regardless of the medium on which it is stored, against loss or theft, and against access, disclosure, copying, use or modification not authorized by law. FOLIO MEDIAN has taken steps to ensure that only staff members who absolutely need to have access to personal information in the course of their duties are authorized to access it.

People who work for FOLIO MEDIAN or on its behalf must, in particular:

  • Make reasonable efforts to minimize the risk of unintentional disclosure of personal information;
  • Take special precautions to ensure that personal information is not spied on, overheard, accessed or lost when working on premises other than the offices of FOLIO MEDIAN; and
  • Take reasonable steps to protect personal information when moving from one location to another.

Subcontractors with access to personal information in the custody or control of FOLIO MEDIAN will be informed of this privacy policy and other applicable policies and processes to ensure the security and protection of personal information. All subcontractors must agree in writing to comply with applicable policies, processes and laws.

ARTICLE 9. REQUEST FOR ACCESS OR RECTIFICATION

9.1. Request for access to personal information

Any person who requests it has the right of access to personal information concerning them held by FOLIO MEDIAN, subject to the exceptions provided for in the Access Act.

A request for communication can only be considered if it is made in writing by a natural person proving their identity as the person concerned, as a representative, heir or successor of the latter, as liquidator of the estate, as the beneficiary of life insurance or death compensation, as holder of parental authority even if the minor child is deceased, or as spouse or close relative of a deceased person.

This request must be sent in writing to the person responsible for the protection of personal information of FOLIO MEDIAN. The request must provide sufficiently precise information to enable FOLIO MEDIAN to process it.

FOLIO MEDIAN has made available to requesters a form for requesting restitution of personal information:

Link to PDF form

The person responsible for the protection of personal information must give the person who made a written request notice of the date of receipt of his or her request.

The responsible person must respond no later than twenty (20) days following the date of receipt of a request. If processing the request within the previously planned time frame does not appear possible without harming the normal course of the activities of FOLIO MEDIAN, the responsible person may, before the expiration of this period, extend it for a period not exceeding ten (10) days by giving notice to this effect to the requesting person before the expiration of the period of twenty (20) days.

If the person making the request is not satisfied with the response from FOLIO MEDIAN, they can refer this decision to the Commission for Access to Information so that it can be revised. This request for review must be made within thirty (30) days following the date of the decision or the expiration of the time limit provided for in the Access Act to respond to the request.

9.2. Request for rectification

Any person who receives confirmation of the existence in a file of personal information concerning him or her may, if it is inaccurate, incomplete or equivocal, or if its collection, communication or retention is not authorized by the Data Protection Act, require that the file be rectified.

A request for rectification can only be considered if it is made in writing by a natural person proving their identity as the person concerned, as a representative, heir or successor of the latter, as liquidator of the estate, as the beneficiary of life insurance or death compensation, as holder of parental authority even if the minor child is deceased, or as spouse or close relative of a deceased person.

This request must be sent in writing to the person responsible for the protection of personal information of FOLIO MEDIAN. The request must provide sufficiently precise information to enable FOLIO MEDIAN to process it.

FOLIO MEDIAN must, when granting a request for rectification of a file, deliver free of charge to the person who made it a copy of any modified or added personal information, or, as the case may be, a certificate of withdrawal of personal information.

When FOLIO MEDIAN refuses in whole or in part to comply with a request for rectification of a file, the person concerned may demand that this request be recorded.

The responsible person must respond no later than twenty (20) days following the date of receipt of a request. If processing the request within the previously planned time frame does not seem possible without harming the normal course of the activities of FOLIO MEDIAN, the responsible person may, before the expiration of this period, extend it for a period not exceeding ten (10) days by giving notice to this effect to the requesting person.

If the person making the request is not satisfied with the decision of FOLIO MEDIAN, they can refer this decision to the Commission for Access to Information so that it can be revised. This request for review must be made within thirty (30) days following the date of the decision or the expiration of the time limit provided for in the Access Act to respond to the request.

FOLIO MEDIAN has made available to requesters a form for requesting rectification of personal information:

Link to PDF form

ARTICLE 10. IMPROVEMENT

10.1. Definition

For the purposes of this policy, the following constitute a confidentiality incident:

  1. Access not authorized by the Act respecting access to personal information. For example:
     • a staff member who consults personal information that is not necessary for the performance of their duties by exceeding the access rights granted to them, or a computer hacker who infiltrates a system;
     • a person who interferes with a database containing personal information in order to alter it;
     • a staff member consults personal information without authorization;
     • the organization is the victim of a cyberattack, such as phishing or ransomware.
  2. Use of personal information not authorized by the Access Act. For example:
     • a staff member who uses personal information from a database to which he or she has access in the course of his or her duties with the aim of usurping the identity of a person.
  3. Communication not authorized by the Act respecting access to personal information. For example:
     • a communication made in error to the wrong person by their employer;
     • the communication of personal information contrary to the provisions of the Access Act;
     • a staff member communicates personal information to the wrong recipient.
  4. The loss of personal information or any other breach of the protection of such information. For example:
     • a person who loses or has documents containing personal information stolen;
     • forgetting to redact personal information in a document;
     • sending an email containing personal information.

10.2. Handling a confidentiality incident

When FOLIO MEDIAN has reason to believe that a confidentiality incident involving personal information that it holds has occurred, it must take reasonable measures to reduce the risk of harm being caused and prevent new incidents of the same nature from occurring, which may include sanctioning the individuals involved.

FOLIO MEDIAN may also notify any person and/or any organization likely to reduce this risk by communicating only the personal information necessary for this purpose without the consent of the person concerned. In the latter case, the person responsible for the protection of personal information must record the communication.

If the confidentiality incident presents a risk that serious harm will be caused, the organization must, diligently, notify the Commission for Access to Information. It must also notify any person whose personal information is affected by the incident.

In order to assess the risk of harm being caused to a person whose personal information is affected by a confidentiality incident, FOLIO MEDIAN must consider, in particular:

  1. The sensitivity of the information concerned;
  2. The anticipated consequences of its use; and
  3. The likelihood that it will be used for harmful purposes.

FOLIO MEDIAN must also consult the person responsible for the protection of personal information.

10.3. Privacy Incident Log

A private organization must keep a record of confidentiality incidents. This contains, in particular:

  1. A description of the personal information affected by the incident;
  2. The circumstances of the incident;
  3. The date the incident took place;
  4. The date the person responsible for the protection of personal information became aware of the incident;
  5. The number of people targeted;
  6. Assessment of the severity of the risk of harm;
  7. If there is a risk of serious harm to the person concerned, the dates of transmission of notices; and
  8. Actions taken in response to the incident.

ARTICLE 11. PROCESS FOR HANDLING COMPLAINTS RELATING TO THE PROTECTION OF PERSONAL INFORMATION

11.1. Filing a complaint relating to the protection of personal information

Any person who has reason to believe that a confidentiality incident has occurred, and that FOLIO MEDIAN has failed to protect the confidentiality of the personal information it holds may file a complaint to request that the situation be corrected.

The complaint must be filed in writing and include a description of the incident, the date or period when the incident occurred, the nature of the personal information affected by the incident and the number of people affected.

The complaint must be sent by email to the person responsible for the protection of personal information.

In the event that the complaint calls into question the conduct of the person responsible for the protection of personal information, it must be addressed to the General Directorate of FOLIO MEDIAN. If the General Management is also responsible for the protection of personal information, the complaint must be addressed to the President of the Board of Directors.

11.2. Complaint handling

The person responsible for the protection of personal information or the General Management, or the Chair of the Board of Directors, as the case may be, is responsible for receiving and processing the complaint within 20 working days.

In the event that the complaint proves to be founded, FOLIO MEDIAN takes the required measures to correct the situation as quickly as possible in accordance with paragraph 10.2 of this policy and enters the incident in the register, as indicated in paragraph 10.3.

ARTICLE 12. VIDEO SURVEILLANCE

The use of video surveillance must be carried out in compliance with the obligations provided for in particular by the Civil Code of Quebec, by the Charter of human rights and freedoms as well as by the Access Act.

ARTICLE 13. INFORMATION SYSTEM OR ELECTRONIC DELIVERY PROJECTS INVOLVING PERSONAL INFORMATION

FOLIO MEDIAN carries out an assessment of the factors relating to privacy for any project of acquisition, development or overhaul of an information system or electronic provision of services which would involve the collection, use, communication, retention or destruction of personal information.

Regarding the assessment of privacy factors, FOLIO MEDIAN consults, from the start of the project, its committee on access to information and protection of personal information.

ARTICLE 14. ROLES AND RESPONSIBILITIES

The Director General:

  • Adopts the Personal Information Protection Policy as well as any amendments thereto.

Executive Committee:

  • Determines measures aimed at promoting the application of the policy and legal obligations of FOLIO MEDIAN regarding the protection of personal information;
  • Determines directives and procedures that clarify or support the application of the policy;
  • In the event of a confidentiality incident, takes reasonable measures to reduce the risk of harm being caused and prevent new incidents of the same nature from occurring.

Chairmanship of the Board of Directors:

  • Ensures the processing of a complaint vis-à-vis the General Management if the latter assumes the General Secretariat.

Executive Management:

  • Ensures the application of the Personal Information Protection Policy;
  • Supervises the person responsible for the protection of personal information in carrying out their mandate;
  • Delegates certain responsibilities to the General Secretariat for the management of personal information.

General Secretariat:

  • Is responsible for access to information and the protection of personal information;
  • Is responsible for receiving and processing complaints;
  • Is responsible, in certain situations, for recording communications in the personal information communication register;
  • Ensures the dissemination and updating of the policy on the website.

Committee on Access to Information and Protection of Personal Information:

  • Is responsible for the evaluation of factors relating to privacy for any project of acquisition, development or redesign of an information system or electronic provision of services which would involve the collection, use, communication, retention or destruction of personal information;
  • Supports the person responsible for access to information and the protection of personal information in the exercise of his responsibilities and in the execution of his obligations under the law on access;
  • Approves the rules governing governance with regard to personal information.

Information Technology Department:

  • Ensures that personal information protection requirements are met in the operation of information systems as well as in the carrying out of development or acquisition projects for information systems in which it is involved;
  • Actively participates in risk analysis, assessment of needs and measures to be implemented, and anticipation of any threat to the protection of personal information using information technologies;
  • Takes appropriate measures to address any privacy threats or incidents;
  • Participates in the execution of investigations relating to real or apparent contraventions of this policy and authorized by the Director General.

Human Resources Department:

  • Obtains from any new staff member of FOLIO MEDIAN their commitment to respecting the policy;
  • Ensures that all new staff members sign the confidentiality commitment form for information processed within the framework of their duties;
  • Ensures the holding of training and awareness activities on the protection of personal information;
  • Determines the sanctions applicable in the event of non-compliance with this policy.

Material Resources Directorate:

  • Participates, with the person responsible for information security, in the identification of physical security measures to adequately protect the information assets of FOLIO MEDIAN.

Staff:

Responsibility for the protection of personal information lies with anyone who uses information assets of FOLIO MEDIAN. Anyone who accesses, consults or processes personal information is responsible for their use of it and must proceed in such a way as to protect the confidentiality of this personal information.

To this end, the staff member must:

  • Comply with this policy and any other directives of FOLIO MEDIAN regarding the protection of personal information;
  • Access and use personal information made available to them only within the framework of their functions and for the purposes for which they are intended;
  • Participate in training and awareness activities offered by FOLIO MEDIAN;
  • Report to the person responsible for the protection of personal information of FOLIO MEDIAN any confidentiality incident that may constitute a violation of this policy.

ARTICLE 15. TRAINING AND AWARENESS ACTIVITIES ON THE PROTECTION OF PERSONAL INFORMATION OFFERED BY FOLIO MEDIAN TO ITS STAFF

Training and awareness activities are published on the Intranet site of FOLIO MEDIAN. The training and awareness activities calendar will be updated twice a year.

The obligatory nature of participation in training and activities will appear on the calendar.

ARTICLE 16. SANCTIONS APPLICABLE IN CASE OF NON-COMPLIANCE WITH THIS POLICY

Failure to comply with this policy could result in administrative and/or disciplinary measures up to and including dismissal. The nature, seriousness and repetitive nature of the alleged acts must be considered when determining a sanction.

As part of its contractual relations with a third party, FOLIO MEDIAN may terminate any contract without notice for non-compliance with this policy. This policy will be presented to all third-party contractors of FOLIO MEDIAN, who must undertake, in writing, to comply with it.

ARTICLE 17. DISTRIBUTION AND UPDATING OF THE POLICY

The person responsible for the protection of personal information ensures the dissemination and updating of the policy on the website of FOLIO MEDIAN.

ARTICLE 18. RESPONSIBILITY FOR ENFORCEMENT AND REVIEW OF THE POLICY

The General Management is responsible for the application of the policy and its revision.

ARTICLE 19. ENTRY INTO FORCE

This policy is approved and adopted by the Director General and Responsible for the Protection of Personal Information. It comes into force on the day of its adoption.

ANNEX 1

RELEVANT CONTACT INFORMATION

Director General and responsible for the protection of personal information: [email protected]