Personal Data Governance and Retention Policy

PDF version in French | PDF version in English

Under section 3.2 of the Act Respecting the Protection of Personal Information in the Private Sector, chapter P-39.1 and Regulation respecting confidentiality incidents;

Preamble

This governance and personal information retention policy arises from the application of Law 25 on the modernization of legislative provisions regarding the protection of personal information. Its aim is to guide Verosoft Design’s internal rules regarding the management of personal information and ensure the respect of the rights of individuals concerned by the collection of such information.

This policy applies to all activities of the ADNM group (hereinafter referred to as “ADNM”), including the collection, use, communication, retention, and destruction of personal information. It also outlines procedures for handling confidentiality incidents and managing complaints.

Personal information

Personal information is defined as any information concerning a natural person that allows identification. A person’s name, taken alone, is not personal information. However, when this name is associated or combined with another piece of information about the same person, it then becomes personal information.

In the course of its activities, ADNM may collect and process various types of personal information necessary for its operations, including (non-exhaustive list):

·       Identification information (name, first name, address, email, phone number).

·       Software usage data (logs, IP address, interaction data).

·       Employee-related data (contact details, professional experience, social insurance number).

·       Contractual information related to clients, partners, and suppliers (contracts, technical access).

·       Financial and banking data for processing payments or other financial transactions.

Sensitive personal information is considered as such when, by its nature—such as medical, biometric, or otherwise intimate—or by the context of its use or communication, it gives rise to a high degree of reasonable expectation of privacy.

Use of personal information

ADNM ensures that the personal information collected is adequate, relevant, and not excessive for the purposes for which it is collected. This information may be used for various purposes, including:

·       To develop, deploy, and maintain our software products.

·       To effectively manage relationships with clients, employees, and partners.

·       To provide technical support and after-sales services.

·       To comply with legal or contractual requirements.

Access to personal information is limited to individuals with a legitimate need within their duties. ADNM ensures to obtain new consent if the information needs to be used for purposes other than originally intended.

Consent and collection of personal information

ADNM obtains consent from concerned individuals before collecting their personal information. This consent can be obtained through various means, such as a written form at hiring, a signed contract, or a checkbox during service registration.

In special circumstances, ADNM may collect, use, or disclose personal information without the individual or entity having been informed or having given prior consent, notably for regulatory, legal, judicial, medical, or security reasons.

This consent may be withdrawn at any time by contacting the person responsible for personal information.

Protection of personal information

ADNM implements appropriate and reasonable security measures to protect personal information against loss or theft, and against unauthorized access, disclosure, copying, use, or modification as required by law. Only staff members who absolutely need access to personal information as part of their duties are authorized to access it.

Staff members of the company or those working on its behalf must:

·       Make reasonable efforts to minimize the risk of unintentional disclosure of personal information;

·       Take special precautions to ensure that personal information is not monitored, overheard, viewed, or lost when working in locations other than ADNM offices;

·       Take reasonable measures to protect personal information when moving from one place to another.

ADNM also implements ongoing monitoring to prevent intrusions and security breaches through a cybersecurity system.

ADNM employees and external providers with access to personal information are required to adhere to confidentiality agreements.

Person responsible of personal information

The person holding this role is responsible for:

·       Receiving and processing access and correction requests concerning the protection of personal information and confidentiality,

·       Receiving confidentiality incidents and handling them with the Commission d’accès à l’information,

·       Receiving complaints about the protection of personal information and handling them with the Commission d’accès à l’information,

·       Keeping the inventory of collected personal information and the register of confidentiality incidents up to date.

It is possible to contact the person responsible for personal information by the following means:

·       By mail: Human Resources – Person Responsible for Personal Information

·       4000, Louis B.-Mayer, Laval (Québec) H7P 0J1

·       By email: rh@adnm.net

·       By phone: 1-866-444-2366

Confidentiality incident and reporting

Anyone to whom Verosoft Design provides personal information (suppliers, partners, subcontractors) must report any confidentiality incident when they have reasonable grounds to believe such an incident has occurred regarding personal information held by Verosoft Design. This report must be made without delay to the person responsible for the protection of personal information.

Any Verosoft Design staff member who has reasonable grounds to believe a confidentiality incident has occurred must also immediately notify their supervisor or the person responsible for the protection of personal information.

Reception of the complaint

When a confidentiality incident occurs, Verosoft Design takes the following actions:

·       Identify the source of the incident, the date it occurred, its duration, and the individuals concerned;

·       Record the event in the internal confidentiality incidents register, which will be monitored by the person responsible for personal information;

·       Send written notice to the individuals concerned, indicating the origin of the incident and corrective measures taken;

·       Assess potential harm, considering the scale of the incident, the possibility of malicious use, and consequences for the individuals involved.

If the incident presents a risk of serious harm, Verosoft Design will notify the Commission d’accès à l’information in writing, following the procedures and forms prescribed by the Commission.

Any person concerned by the application of this policy can file a complaint about the protection of their personal information with Verosoft Design.

The complaint must be sent to rh@adnm.net.

Complaint handling

Verosoft Design is committed to handling any complaint received confidentially. The complaint will be evaluated within a reasonable timeframe by the person responsible for personal information, who will provide a written and reasoned response to the complainant.

This evaluation will determine whether Verosoft Design’s handling of personal information complies with this policy and company practices, as well as applicable legislation. If the complaint is justified, Verosoft Design will immediately take the necessary corrective measures and record the incident in the confidentiality incidents register.

Complaint file

Verosoft Design must create a separate file for each complaint received. This file will include the complaint, its analysis, and all relevant documentation.


Right of access, correction, and de-indexing

In accordance with current legislation on personal information protection, everyone has the right to consult, correct, or request deletion of personal information collected about them by an organization. ADNM respects these rights and is committed to handling requests in compliance with applicable regulations.

Anyone may make a request for access or correction of personal information held by ADNM, subject to exceptions provided by law. This request must be addressed to the person responsible for personal information and accompanied by proof of identity for the concerned person, as an authorized representative, or a body with legal authority.

The request must include precise information identifying the data concerned to allow ADNM to respond quickly and efficiently. The person responsible for personal information undertakes to respond to this request within 30 days of receipt. This period may be extended, if necessary, for a maximum of 15 days, with notice given to the person concerned.

ADNM will also take all reasonable steps to re-index or de-index personal information from search engines or other online research platforms, in accordance with legal obligations.

Data retention and destruction

ADNM retains personal information only for the duration necessary for the purposes for which it was collected, according to its retention schedule, unless a particular project or regulatory requirements require a longer retention period. Some documents and information must be retained for a prescribed period due to the nature of the projects or legal and contractual obligations.

ADNM implements appropriate technical and organizational measures to ensure that only essential personal data is retained and to destroy or anonymize this data securely once its purpose is fulfilled. This is done in compliance with retention periods required by law or applicable tax regulations.

Paper documents and physical files

Personal information kept in paper form is securely stored in ADNM offices. Before destroying a document, the responsible person must ensure that all personal data it contains is permanently destroyed, by means such as shredding or incineration.

Electronic documents

Personal information stored in computer files is hosted on ADNM servers or on secure cloud services. Regular archiving and destruction of these electronic documents are carried out in accordance with established retention periods.

Digital media (memory cards, USB drives, hard disks, etc.)

When it is necessary to destroy personal information on digital media, the medium is formatted for future reuse. If this is not possible, the medium is physically destroyed to ensure that the information it contains cannot be recovered.

Entry into force

This governance and personal information retention policy may be revised at any time to ensure compliance with current laws and to reflect any changes in our data collection, use, retention, and destruction processes.

ADNM is committed to regularly updating this policy to reflect best practices in personal information protection. The most recent version of this policy will be available on our website, and any significant changes will be communicated to concerned individuals.

Last updated: October 3, 2024