Personal Information Governance Policy
Updated: 2024-10-01
1. Objective
Groupe Touchette attaches great importance to the protection of personal information. In this regard, Groupe Touchette has developed this policy to provide a framework for its governance of personal information, and to enable its employees and subcontractors to understand the legal requirements and privacy principles inherent in the performance of their duties.
More specifically, this policy aims to ensure compliance with applicable laws and standards, by specifying, among other things: (i) the rules governing the collection and other processing of personal information held by Groupe Touchette; (ii) the management of access to personal information; (iii) the process for handling complaints relating to the protection of personal information; and (iv) the security measures implemented to ensure the confidentiality, integrity and availability of personal information throughout its life cycle.
Groupe Touchette has also implemented various measures in this area in compliance with applicable laws, and in particular with the changes introduced by Bill 25. To this end, Groupe Touchette has: (i) validated and confirmed the roles and responsibilities of its Privacy Officer; (ii) implemented various policies in this area, including the following; (iii) set up a register of confidentiality incidents; (iv) undertaken a review and documentation of all governance measures and rules; and (v) prepared various model contracts and registers.
2. Scope and Policies
This policy applies to:
- Individuals: all employees of Groupe Touchette, as well as its subcontractors, when applicable.
- Activities: any processing of personal information within the scope of Groupe Touchette's mission, activities or responsibilities, even if Groupe Touchette does not have physical possession of such information.
- Resources: all information systems, regardless of their medium or format, whether stored internally or externally, such as cloud-based systems.
- Information: all personal information, regardless of format or storage location (internal or external).
3. Definitions and Interpretation
In this policy, the following terms have the meanings set out below:
- Groupe Touchette means Groupe Touchette Inc.
- Anonymize means the process of handling personal information in accordance with generally accepted best practices and the criteria and procedures determined by regulation.
- Hold refers to the legal holding of personal information as well as its physical holding unless it is entrusted to a third party.
- Document refers to all documents, registers and other files kept on paper, electronically or in any other medium or format, and which contain personal information.
- Employee refers to any person employed by Groupe Touchette.
- Privacy Incident means: (i) any unauthorized access, use or disclosure of Personal Information; (ii) any loss of Personal Information; or (iii) any other breach of the security of Personal Information.
- Laws means all laws and regulations and other normative/legislative frameworks applicable to Groupe Touchette, including the Act respecting the protection of personal information in the private sector.
- Individual means any person whose personal information may be processed or is under the responsibility of Groupe Touchette in connection with its activities or mission.
- Personal information means any information relating to a natural person that allows, directly or indirectly, that person to be identified, except as provided by law.
- Sensitive personal information means information that by its nature, or because of the context of its use or communication, gives rise to a high degree of reasonable expectation of privacy (e.g. social insurance number).
- Subcontractor refers to any consultant, service provider, partner or other duly authorized third party who holds, uses, accesses, hosts or otherwise processes personal information at Groupe Touchette's request.
- Standards refers to any generally accepted guidelines, best practices, norms and industry standards to which Groupe Touchette adheres.
- Process refers to any operation applied to personal information, such as collection, recording, organization, storage, adaptation, modification, retrieval, consultation, use, communication, dissemination (or otherwise making available), matching (or linking), blocking, erasure, destruction or anonymization.
Unless the context otherwise requires, grammatical variations of any defined term have a similar meaning, and the singular includes the plural, and the masculine includes the feminine, and vice versa.
4. Guiding Principles
As part of its mission and activities, Groupe Touchette is called upon to hold and/or process various types of personal information. To this end, Groupe Touchette stresses the importance of ensuring that all processing is carried out in accordance with the following guiding principles:
- the collection of personal information must be necessary and required or permitted by law (and, where applicable, by contract);
- all personal information is considered, by default, to be confidential and is treated as such;
- no personal information may be processed unless the required consents have been obtained or such processing is permitted or required by law;
- the protection of personal information must be ensured by, among other things, the implementation and observance of adequate security measures;
- personal information may only be retained for the period required for the purposes for which it was collected (subject to applicable legal and contractual exceptions); and
- any request (for access, rectification or other) and any confidentiality incident must be reported immediately to the Privacy Officer.
5. Privacy Officer
The Privacy Officer ensures compliance with, and implementation of, applicable privacy requirements:
Groupe Touchette Inc.
Privacy Officer
750 Lebeau Blvd., Ville Saint-Laurent, QC, H4N 1S4
personalinformation@grtouchette.com
6. Personal Information Concerning Employees
This section applies to personal information that Groupe Touchette may collect or otherwise process about its employees. Such collection and processing of personal information will be done only to the extent that it is (i) required to manage its employment relationship with its employees; (ii) permitted by law; or (iii) necessary to comply with applicable legal and contractual requirements. Such processing will take place as set out in the Corporate Governance Policy.
i. COLLECTION AND USE OF PERSONAL INFORMATION BY GROUPE TOUCHETTE
Groupe Touchette collects personal information that is required or optional to manage its employment relationship with its Employees.
Except as provided by law, when Groupe Touchette collects, uses or discloses personal information that is not required to manage the employer-employee relationship, the employee's consent is required. Similarly, when personal information is collected to manage the employer-employee relationship, and Groupe Touchette wishes to use or disclose it for other purposes, consent is also required. When personal information is collected and used to manage the employer-employee relationship, only Groupe Touchette employees whose duties so require will have access to such personal information.
Similarly, Groupe Touchette will only disclose personal information to third parties who need it to fulfill their contractual obligations to Groupe Touchette, who are bound by Groupe Touchette's confidentiality obligations, or when Groupe Touchette honestly believes it is required to do so by law (for example, to tax authorities and law enforcement agencies) or for the protection of Groupe Touchette or its assets or employees. Otherwise, consent to the disclosure of personal information is required.
Groupe Touchette may provide its employees with one or more networks that allow them to: (i) communicate with each other and/or with third parties (including subcontractors or professionals) for business purposes; and (ii) access the Internet and Groupe Touchette information and documentation. Use of the network, information and materials owned by Groupe Touchette is limited to Groupe Touchette's business. However, Groupe Touchette is aware that limited use of the network or technological equipment provided by Groupe Touchette to its employees may be necessary during working hours for personal purposes (e.g., making personal appointments) (collectively, Personal Communications). Employees may not have a reasonable expectation of privacy with respect to Personal Communications made using Groupe Touchette's network or computer equipment.
ii. DISCLOSURE OF PERSONAL INFORMATION BY GROUPE TOUCHETTE
Groupe Touchette will not provide personal information about its employees to third parties without their consent, except as required by law or in accordance with this Policy, including, if necessary: (i) to manage the employer-employee relationship; (ii) to enable a third party to perform its contractual obligations to an employee or to Groupe Touchette; or (iii) if, in good faith, Groupe Touchette believes that such action is reasonably necessary to comply with legal process or respond to requests or to protect the rights, property or safety of Groupe Touchette, its representatives, employees and customers, or the public. In addition, only Groupe Touchette employees whose duties so require will have access to personal information. The following are examples of the various categories to which the disclosure of personal information may correspond:
Third parties | Purpose | Information Provided |
Subcontractors (Suppliers and consultants – group benefit plans) | Provide benefits programs to Groupe Touchette employees, administer claims and follow-up and calculate mathematical provisions for benefits. | Name, date of birth, home address and telephone number, marital status, dependent information, salary, medical questionnaire, type of coverage, claims information, social insurance number, etc. |
Subcontractors (Payroll department) | Provide direct deposit and payroll processing services to Groupe Touchette employees. | Name, date of birth, home address and telephone number, salary information, social insurance number, tax information. |
Subcontractors (IT services, etc.) | Assist Groupe Touchette with certain personnel management tasks. | Information required by subcontractors to provide services. |
Tax authorities | Comply with Groupe Touchette’s obligations under the relevant tax legislation. | Income or remuneration, social insurance number, other personal information such as age or residential address required by tax authorities. |
References (provided by a candidate) | Ensure the veracity of the information received from the candidate and obtain the reference’s opinion on his or her abilities. | Candidate’s name, relevant extracts from the application. |
Emergency services | Ensure the safety of those concerned in the event of an emergency. | Names and information required by services. |
Law enforcement agencies or government authorities | Where necessary, prevent, detect or terminate offences, ensure compliance with the law, and comply with court or tribunal orders. | All relevant information for this purpose. |
By submitting personal information to Groupe Touchette, employees acknowledge that they have consented to the collection, use and disclosure practices set out in this policy. Employees may withdraw their consent at any time for personal information that is not required to manage the employer-employee relationship, to enable a third party to perform its contractual obligations to them or to Groupe Touchette, or for any other purpose described herein by contacting Groupe Touchette's Privacy Officer in writing. However, by making this choice, the employee may limit Groupe Touchette's ability to serve and provide benefits to the employee or to perform any other applicable duties or functions.
7. Personal Information About Any Other Person
Groupe Touchette may also process personal information about individuals who communicate with Groupe Touchette. Such processing will take place on the basis of consent or in a situation permitted or required by law.
i. COLLECTION AND USE OF PERSONAL INFORMATION BY GROUPE TOUCHETTE
Various personal information may be processed by Groupe Touchette in its interactions with members of the public. Groupe Touchette collects personal information for the purposes stated at the time of collection.
ii. DISCLOSURE OF PERSONAL INFORMATION BY GROUPE TOUCHETTE
Groupe Touchette will not provide personal information about any individual to third parties without that individual's consent, except as required by law or in accordance with this policy. In addition, only employees whose duties so require will have access to such information. In addition to these disclosures, we may disclose personal information as required or permitted by law.
8. Consent
Groupe Touchette recognizes the importance of obtaining valid consent in connection with the collection or other processing of personal information. Consent must take into account the following requirements:
Consent | Criteria |
Personal information |
|
Sensitive information |
|
The law recognizes certain situations in which the consent of the person concerned will not be sought or need not be sought. Please consult the Privacy Officer in this regard. Please note that when a person so requests, assistance is provided to help him or her understand the scope of the consent requested.
9. Retention, Destruction and Anonymization
Subject to a retention period provided by law, when the purposes for which personal information was collected or used have been fulfilled, Groupe Touchette will: (i) destroy such personal information in a secure manner; or (ii) if applicable, anonymize the information for use for serious and legitimate purposes, in accordance with the criteria established by regulation. In order to comply with the above, Groupe Touchette has developed a Retention Policy for documents containing personal information.
10. Procedures and Standards Relating to the Communication of Personal Information Outside Quebec
In order to comply with applicable legal requirements and to ensure the confidentiality and security of any personal information, Groupe Touchette will conduct a privacy impact assessment before disclosing any personal information outside Quebec.
This assessment will take into account, among other things: (i) the sensitivity of the personal information; (ii) the purpose for which it is to be used; (iii) the safeguards, including contractual safeguards, from which the personal information would benefit; and (iv) the legal regime applicable in the jurisdiction where the personal information would be disclosed.
For the purposes of this assessment, the Privacy Officer will be consulted at the outset of the project. Groupe Touchette's legal advisors, as well as any other parties deemed necessary/desirable, may also be involved or consulted.
Disclosure may take place if the assessment demonstrates that the personal information would benefit from adequate protection, particularly in light of generally accepted privacy principles. Disclosure will be subject to a written agreement that takes into account, among other things, the results of the assessment and, where applicable, the terms and conditions agreed to in order to mitigate the risks identified during the assessment. The same applies when Groupe Touchette entrusts a person or organization outside Quebec with the task of collecting, using, communicating or storing such information on its behalf.
In order to comply with the foregoing, Groupe Touchette will develop a Privacy Impact Assessment Model in the context of the communication of personal information outside Quebec that complies with the law.
11. Procedures and Standards for Disclosing Personal Information for Study, Research or Statistical Purposes
As required by law, Groupe Touchette may disclose personal information without consent to a person or organization wishing to use the information for study, research or statistical purposes. To do so, Groupe Touchette will first conduct a privacy impact assessment. This assessment will conclude:
- that the purpose of the study, research or production of statistics can only be achieved if the personal information is communicated in a form that identifies the persons concerned;
- that it is unreasonable to require the person or organization to obtain the consent of the individuals concerned;
- that the purpose of the study, research or statistical production outweighs, in terms of the public interest, the impact of the communication and use of the information on the privacy of the individuals concerned;
- that personal information is used in such a way as to ensure its confidentiality; and
- that only necessary personal information is disclosed.
Prior to disclosing any personal information, Groupe Touchette will enter into an agreement with the person or organization to whom it discloses such information, in accordance with the requirements of the law.
In order to comply with the foregoing, Groupe Touchette will develop a Privacy Impact Assessment Model in the context of the communication of personal information for study, research or statistical production purposes that complies with the law.
12. Technological Project Involving Personal Information
In order to comply with applicable legal requirements and to ensure the confidentiality and security of personal information, Groupe Touchette will conduct a privacy impact assessment for any project involving the acquisition, development or redesign of an information system or the electronic delivery of services involving the collection, use, disclosure, retention or destruction of personal information. The assessment shall be proportionate to the sensitivity of the personal information concerned, the purpose for which it is to be used, its quantity, distribution and medium.
For the purposes of this assessment, the Privacy Officer will be consulted at the outset of the project. Groupe Touchette's legal advisors, as well as any other parties deemed necessary or desirable, may also be involved or consulted.
Groupe Touchette will ensure that any project allows computerized personal information collected from the person concerned to be communicated to the latter in a structured and commonly used technological format.
In order to comply with the above, Groupe Touchette will develop a Privacy Impact Assessment Model for technology projects involving personal information, in accordance with the law.
13. Use of Information, Location or Profiling Technology
From time to time, Groupe Touchette may use technology that includes functions to identify, locate or profile an individual. Groupe Touchette will comply with legal requirements in this regard.
14. Decision-Making Based on Automated Processing of Personal Information
From time to time, Groupe Touchette may use personal information to make a decision based exclusively on the automated processing of such information. In all cases and in accordance with the law, Groupe Touchette will inform the person concerned of this fact, at the latest at the time Groupe Touchette's decision is communicated to him or her, in addition to complying with other legal requirements in this regard.
15. Safety Measures
Groupe Touchette monitors network usage, communications and information, including personal communications. Electronic monitoring includes activities such as logging employee access to the network, communications and information; accessing and recording communications sent or received by e-mail or other electronic messaging methods; and monitoring Internet usage, which may identify servers and sites accessed by Groupe Touchette employees. Groupe Touchette monitors the use of the network, communications and information, including personal communications, for maintenance and security purposes; to ensure that the use of the network, communications and information complies with Groupe Touchette policies and the law; and, when it deems it necessary or useful, to protect the rights, property or safety of Groupe Touchette, its representatives, employees and customers, or the public. This does not limit Groupe Touchette's ability to use the information collected through electronic monitoring. For these same purposes, Groupe Touchette:
- periodically makes security copies of communications, information and personal communications, which are kept in accordance with the Retention Policy for Documents Containing Personal Information, in Appendix 1 of this document;
- may require access to equipment owned by Groupe Touchette or its employees and used to access the network, including passwords protecting such equipment;
- may copy, use and disclose to third parties, including law enforcement agencies in Canada or elsewhere, communications, information and personal communications.
Upon leaving Groupe Touchette:
- all communications, information and personal communications may be copied for subsequent use or disclosure;
- only to the extent possible, an effort will be made to destroy personal communications;
- at Groupe Touchette's discretion, Groupe Touchette may permit an employee to copy or retain personal communications;
- all electronic devices owned by Groupe Touchette are returned to Groupe Touchette, and Groupe Touchette employees do not have the right to copy or retain information or communications on any Groupe Touchette or personal device.
Electronic passes issued to Groupe Touchette employees may record the time and location of their use, and security cameras installed on Groupe Touchette premises videotape key areas of Groupe Touchette facilities. Information from electronic passes and security camera recordings is accessible and usable for security purposes or to comply with Groupe Touchette policies. Depending on the location of your workstation, certain information associated with your electronic pass and security cameras may be collected by the building manager or owners, in which case such information is subject to that owner/manager's privacy policy.
Groupe Touchette implements various security measures to ensure the protection of the personal information it processes, which are reasonable in light of, among other things, the sensitivity of the information, the purpose for which it is used, its quantity, distribution and medium, including the following:
i. INTERNAL MEASURES
Groupe Touchette deploys various internal security measures, including the following:
Separation of roles, responsibilities and tasks
The separation of incompatible functions and accesses is one of the pillars of effective control, designed to prevent or reduce the risk of privacy breaches (for example, by ensuring that the same individual cannot control all phases of a process). To this end, Groupe Touchette ensures that access to personal information is limited to employees and/or subcontractors with a need to know.
Installation of software and equipment
Any installation of software or equipment is carried out exclusively under the supervision or pre-approval of the IT team, to ensure that risks have been validated and understood, that user agreements and rights comply with the intended use, that applications are standardized, and that platforms comply with configuration standards.
Privacy Impact Assessments and Risk Assessments
Privacy Impact Assessments, aimed at better protecting personal information and respecting the privacy of the individuals concerned, are carried out in accordance with the law and as more fully detailed in this Policy.
Training and awareness
Groupe Touchette takes reasonable steps to ensure that all its employees and subcontractors are aware of the privacy rules as set out in applicable laws and standards, as well as in this Policy. Ongoing awareness and training are essential to ensure the protection of personal information. Similarly, the procedure for dealing with confidentiality incidents is known to Groupe Touchette's Privacy Officer, management and relevant technical staff. Finally, Groupe Touchette is committed to providing training in the protection of personal information to employees, insofar as their duties justify the provision of such training.
Protection of information systems
The level of protection afforded to information systems is determined by the outcome of the risk assessment and the security required. In addition, any access to systems must identify the user, and security measures must be applied throughout the life cycle of personal information. Finally, the protection of personal information relies on the ongoing involvement of each employee, who must in particular: (i) use all resources judiciously for their intended purpose and in compliance with applicable laws and standards, as well as Groupe Touchette's instructions; (ii) choose complex passwords; (iii) maintain the security and confidentiality of all passwords and their identifiers; and (iv) not store personal information on technologies other than those specifically authorized by Groupe Touchette.
Transmission of information
Personal information must be transmitted, exchanged or otherwise transferred outside the Groupe Touchette network in a secure manner. Any transfer of personal information to unauthorized external sources is expressly prohibited.
Business continuity
Groupe Touchette has technological and procedural measures in place to ensure that operations deemed essential can be restored within a reasonable timeframe in the event of a disaster (e.g. major cyber-attack, flood, fire, etc.).
ii. MEASURES CONCERNING SUBCONTRACTORS
Subject to applicable laws, Groupe Touchette ensures compliance with the following when personal information must be processed by subcontractors in order for them to carry out the mandate/contract entrusted to them:
- enter into a written contract, indicating the provisions of the law that apply to personal information, the measures to be taken to ensure that it is used only for the purposes of the mandate/contract and is not retained after its expiry, and any other provisions required by law;
- where applicable, ensure that any subcontractor takes the necessary measures to ensure that any third party that may assist it in carrying out the contract/mandate entrusted to it is required to comply with confidentiality obligations at least as stringent as those incumbent on the subcontractor (including those provided for in the contract/mandate and this policy).
In respect of the above, Groupe Touchette has drawn up model contractual clauses. These models will be adjusted on a case-by-case basis, depending on the co-contractor and the content of the contract to be drawn up with the latter.
iii. CONFIDENTIALITY INCIDENTS
Various situations, including the following, constitute confidentiality incidents:
- an employee or subcontractor accesses personal information not required for the performance of his or her duties, by exceeding the access rights granted to him or her;
- a hacker infiltrates a system;
- an employee or subcontractor uses personal information from a database to which he or she has access as part of his or her duties in order to impersonate an individual;
- a communication made in error to the wrong recipient;
- an employee or subcontractor loses or has stolen documents containing personal information;
- a third party interferes with a database containing personal information in order to alter it.
Groupe Touchette will comply with all legal requirements in the event of a confidentiality incident.
Groupe Touchette keeps a register of confidentiality incidents, and will provide a copy to the Commission d'accès à l'information upon request.
16. Access, Rectification and Other Requests
All requests for access or rectification must be made in writing and addressed to the Privacy Officer. Where the request is not sufficiently precise, or where an individual so requests, the Privacy Officer will assist the individual in identifying the personal information sought. The Privacy Officer's duty to assist includes the following:
- When the request is not sufficiently precise or when a person so requests, the person in charge will assist that person in identifying the personal information sought.
- Subject to applicable laws and following a request to this effect by an employee or any other person, the person in charge will:
  - Confirm the existence of personal information in its possession concerning the applicant and, where applicable, give the applicant access to such information (or allow the applicant to obtain a copy thereof); and
  - Correct inaccurate, incomplete or ambiguous personal information concerning the applicant.
- In the event of a refusal to grant access, the reasons for the refusal will be communicated to the applicant in accordance with the law. The person in charge will then assist the requesting party in understanding the refusal.
In practice, the person in charge will:
- provide reasonable assistance throughout the processing of the request;
- provide information about the Act, including the processing of a request and the right to complain to the Commission d'accès à l'information;
- communicate with the requester if clarification is required about the request, such communication to take place as soon as reasonably possible;
- use reasonable efforts to locate and retrieve the requested documents;
- ensure that the exceptions invoked (in connection with a refusal to disclose all or part of documents) are precise and limited (to such documents);
- provide answers that, to the best of its knowledge, are accurate and complete;
- promptly provide the information requested as part of the access process; and
- if necessary, provide the documents in the format requested or, as the case may be, provide an appropriate place to examine the documents covered by the request.
Although the duty to assist is not covered by any of the parameters of the Act, the person in charge is obliged to provide it diligently and reasonably. However, this does not oblige the person in charge to provide the same explanations to a person several times. Once the person in charge has provided all the information necessary to help the person understand the decision, he or she may choose to stop providing explanations.
17. Distribution and Updating the Policy
This policy will be made available to all employees when they are hired, and then brought to their attention again on a periodic basis. This policy will also be made available, in whole or in part, to each subcontractor upon entering into any contract if required to ensure adequate protection of personal information, including informing the subcontractor of applicable requirements. This policy shall not be shared with other persons (subject to applicable regulatory authorities) unless Groupe Touchette has given its prior written consent.
In accordance with applicable legal requirements, Groupe Touchette will undertake, on a periodic basis, a review of this Policy. Such revisions may take place when new requirements under applicable laws come into force, following the publication of guidelines by the Commission d'accès à l'information or otherwise when deemed necessary or desirable. The policy may then be revised or supplemented by other policies.
The updated policy (or any other relevant policy) will be made available. Anyone can find out whether this policy has changed by looking at the effective date.
18. Contact Groupe Touchette
i. GENERAL
Requests, questions or comments should be forwarded to the Privacy Officer at the address given in section 5.
ii. COMPLAINTS
Any person who wishes to file a complaint regarding the collection, retention, use, disclosure or destruction of personal information by Groupe Touchette may contact the Commission d'accès à l'information; in such a case, the complaint must be made in writing in accordance with the applicable process (detailed in particular on its website).
Any person may also file a complaint with Groupe Touchette using the contact information provided in section 5. This will involve the following steps:
- Submission of complaint. Basic personal information such as name, telephone number and e-mail or postal address should be provided, as well as general information about the complaint, including: (i) on whose behalf the complaint is made; (ii) the type of complaint; and (iii) any other details deemed relevant to the request (e.g. request number, date of request, relevant facts, etc.).
- Review. The complaint will be examined as soon as possible. A communication will be made to obtain any further information required, if applicable. Following the investigation, a communication will be made to the person who filed the complaint.
APPENDIX 1
Retention policy for documents containing personal information
1. OBJECTIVES AND SCOPE
Groupe Touchette attaches great importance to the protection of Personal Information.
In this regard, and in accordance with the Act, Groupe Touchette has developed this policy in order to confirm in writing: (i) the requirements applicable to the retention of documents containing Personal Information; (ii) the types of documents containing Personal Information that are held by Groupe Touchette; (iii) the levels of confidentiality of the Documents; (iv) the types of media for these Documents in order to associate an appropriate retention method and destruction method; and (v) the document retention schedule in compliance with applicable legal requirements.
This policy applies to all documents held by Groupe Touchette, regardless of their medium (paper, electronic or other), including:
- those legally held by Groupe Touchette (i.e. those generated on its behalf and in the course of its business), regardless of whether Groupe Touchette assumes physical custody of them or whether this custody is assumed by a third party (hosting its Documents); and
- where applicable, those owned by third parties and physically held by Groupe Touchette in the performance of contracts or otherwise.
2. DEFINITION AND INTERPRETATION
In this Policy, the following terms have the meanings set out below:
- Document refers to all documents, registers and other files kept on paper, electronically or in any other medium or format, and which contain Personal Information.
- Personal Information means any information relating to a natural person that allows, directly or indirectly, that person to be identified.
- Privacy Officer refers to Groupe Touchette's Privacy Officer.
- Groupe Touchette refers to Groupe Touchette Inc.
Unless the context otherwise requires, grammatical variations of any defined term have a similar meaning, and the singular includes the plural, and the masculine includes the feminine, and vice versa.
3. RESPONSIBILITIES
In accordance with the law, the Privacy Officer is responsible for ensuring that this policy is respected and kept up to date.
Where applicable, each manager or team leader will ensure that this policy is implemented within his or her respective work team, and will submit any questions or requests relating to the retention of documents (including their destruction) to the Privacy Officer.
4. CONSERVATION PRINCIPLES
Groupe Touchette is called upon to collect and process various documents and personal information in the course of its activities. This personal information is collected and processed and these documents are created/received and processed for serious, legitimate and predetermined purposes (subject to applicable legal exceptions, where applicable).
During this period, documents and personal information will be stored securely and access will be limited to Groupe Touchette employees and, where applicable, subcontractors or consultants who require access in the course of their employment or mandate.
In order to comply with the foregoing, Groupe Touchette has drawn up a document retention schedule, available below. This schedule indicates the retention period deemed appropriate by Groupe Touchette for the various types of documents (and the personal information contained therein). Accordingly, such Documents will be retained for the period indicated in the retention schedule, unless otherwise instructed in writing in the event that certain Documents (or the Personal Information contained therein) must be retained for an additional period of time, as permitted or required under applicable laws.
5. DESTRUCTION PRINCIPLES
When the purposes for which such documents (or the Personal Information contained therein) are to be used are fulfilled, such documents/personal information will be destroyed, unless the law imposes a specific retention period with respect to such personal information or Document.
Periodically, the Privacy Officer, in conjunction with applicable managers and team leaders, will ensure that documents that have reached the retention period prescribed in the Retention Schedule are, depending on the medium of the documents, erased or otherwise securely destroyed.
6. CONTACTS
If you have any questions about this policy, please contact the Privacy Officer:
Privacy Officer
Address: 750 Lebeau Blvd., Saint-Laurent, QC, H4N 1S4
Email: informationpersonnelle@grtouchette.com
Phone: 514-381-1716
7. DISSEMINATION AND UPDATING OF THE POLICY
This policy will be available to all employees on Groupe Touchette's intranet. In addition, this policy will be brought to the attention of all employees involved in document management, at the time of hiring or at any other time deemed appropriate.
Groupe Touchette reserves the right to update or otherwise modify this policy from time to time. Any substantial change will be brought to the attention of the relevant employees by any means deemed acceptable by the Privacy Officer. Subsequently, the updated policy will be made available and easily accessible on Groupe Touchette's intranet. A new version of this policy will also be published whenever a minor change is made. You can tell whether this policy has changed by looking at the effective date indicated on its first page. Groupe Touchette recommends that this policy be reviewed periodically to ensure that everyone concerned remains aware of and complies with Groupe Touchette's current document retention and destruction practices at all times.
APPENDIX 2
Access, rectification and other requests
1. General principles: any person may request:
- confirmation of the existence of personal information concerning him or her and communication allowing him or her to obtain a copy[1];
- rectification of any personal information concerning him or her that is inaccurate, incomplete or equivocal, or if its collection, communication or retention is not authorized by law;
- cessation of the dissemination, where applicable, of any information concerning him or her, or the de-indexing of any hyperlink attached to his or her name allowing access to this information by a technological means, where the dissemination of this information contravenes the law or a court order; and
- reindexing of any hyperlink attached to his or her name when the prescribed requirements are met.
Groupe Touchette takes the necessary steps to ensure that individuals can exercise their rights. Groupe Touchette informs the public where and how to access personal information.
2. Request. Requests for access or rectification must be made in writing, and the person making the request must provide proof of identity. The request is addressed to the Privacy Officer. If the request is not sufficiently precise, or if the person making the request so requires, the person responsible for access will assist in identifying the information sought.
3. Acknowledgement of receipt: The person responsible may give the person who has made a written request notice of the date on which the request was received.
4. Research and analysis. The person in charge conducts or commissions a search within Groupe Touchette for the documents covered by the request for access or rectification. He or she also analyzes the request from a legal standpoint and determines whether the request will be accepted in full, partially accepted or refused, and on what grounds, in consultation with any member of management as required.
5. Analysis results. If a document covered by the access request contains:
- any information covered by an access exception, then such information will not be disclosed; or
- any third-party personal information, then such information must be redacted before the document is released (unless the third party concerned has consented to such release).
6. Response. The person in charge prepares the response to the request for access. If disclosure of the documents or information is refused or partially granted, the person in charge shall give the reasons for the refusal and indicate: (i) the provision of the Act on which the refusal is based; and (ii) the remedies available to the applicant under the Act and the time limit within which they may be exercised. The person in charge of access also assists the applicant, upon request, in understanding the refusal. When the person responsible for access accepts a request for rectification, he or she must, in addition to any other applicable legal obligations, provide the person who made the request with a copy of any personal information that has been modified or added or, as the case may be, an attestation, free of charge.
Failure to respond to a request for access within the applicable 30-day time limit shall be deemed to constitute a refusal of access to the document. In the case of a written request, this failure gives rise to a right of review under the Private Access Act as if access had been refused.
7. Preservation. The person responsible for access shall ensure that any information that has been the subject of an access request is retained for the time required to enable the applicant to exhaust the recourses provided for in the Act.
[1] At the request of the applicant, computerized personal information must be communicated in the form of a written and intelligible transcript. Unless this raises serious practical difficulties, computerized personal information collected from the applicant - and not created or inferred from personal information concerning him or her - is communicated to him or her in a structured and commonly used technological format at his or her request. This information is also communicated, upon request, to any person or organization authorized by law to collect such information. When the applicant is a disabled person, reasonable accommodation measures are taken upon request.