Privacy Policy

Context

MGP Conseils (9410-7125 Québec Inc.) is a provincial corporation that processes personal information as part of its activities.

The purpose of this policy is to ensure the protection of personal information and to define MGP Conseils’ practices for the collection, use, disclosure, retention, destruction, and management of personal information. It also aims to inform any concerned individual about MGP Conseils’ processing of their personal information. This policy also applies to the processing of personal information collected by MGP Conseils through technological means.

Scope and Definitions

This policy applies to MGP Conseils, including its officers, employees, consultants, volunteers, and any person providing services on behalf of MGP Conseils. It also covers MGP Conseils’ website and all websites controlled and maintained by the company.

It concerns all types of personal information managed by MGP Conseils, whether it pertains to data of its prospective or current clients, consultants, employees, members, website visitors, or others.

For the purposes of this policy, personal information is information relating to a natural person that directly or indirectly identifies them. This may include elements such as name, address, email address, phone number, gender, banking information, as well as details on health, ethnic origin, language, etc.

Sensitive personal information refers to information for which there is a reasonably high expectation of privacy, such as health data, banking information, biometric data, sexual orientation, ethnic origin, political opinions, religious or philosophical beliefs, etc.

Generally, a person’s professional or business contact information is not considered personal information. For example, a person’s name, title, address, email address, or work phone number are not covered. For greater clarity, in accordance with Quebec’s Act respecting the protection of personal information in the private sector and as of September 22, 2023, sections 3 (collection, use, disclosure), 4 (retention and destruction), and 6 (data security) do not apply to a person’s information related to their role within a company, such as their name, title, function, as well as their work address, email address, and phone number.

These same paragraphs also do not apply to personal information that is public under the law, effective upon the entry into force of this policy.

Collection, Use, and Disclosure

As part of its activities, MGP Conseils may collect different types of personal information for various purposes. The types of information that MGP Conseils may collect, their use (or intended purpose), and the means by which the information is collected are set out in Appendix A of this policy.

MGP Conseils will also inform the individuals concerned, at the time of personal information collection, of any other information collected, the purposes for which it is collected, and the means of collection, in addition to other information to be provided as required by law.

MGP Conseils applies the following general principles regarding the collection, use, and disclosure of personal information:

Consent

  • Generally, MGP Conseils collects personal information directly from the individual concerned and with their consent, unless an exception is provided by law. In certain situations, consent may be implied, for example, when the individual decides to provide their personal information after being informed by this policy of the intended use and disclosure for the purposes indicated therein (see Appendix A for more details). Thus, the individual concerned will be able to consult this policy and the information it contains at the time of personal information collection.
  • In addition to collecting consent directly from the individual concerned, MGP Conseils must also obtain their consent before collecting their personal information from third parties, disclosing it to third parties, or using it for secondary purposes. Nevertheless, it is important to note that MGP Conseils may act without consent in certain cases specified by law and in accordance with the conditions set out therein. The main situations where MGP Conseils may act without consent are explained in the appropriate sections of this policy.

Collection

  • In all situations, MGP Conseils collects personal information only if there is a valid and legitimate reason to do so. Furthermore, the collection of such information will be restricted to the minimum necessary to achieve the intended purpose.
  • Please note that the services provided by MGP Conseils are not intended for minors, and generally, the company does not intentionally obtain personal information concerning minors (in such cases, this information cannot be collected without the consent of a parent or guardian).
  • Collection from third parties: MGP Conseils may collect personal information from third parties. Unless an exception provided by law applies, MGP Conseils will request the consent of the individual concerned before collecting personal information about them from a third party. If such information is not collected directly from the individual, but from another organization, the individual concerned may request the source of the collected information from MGP Conseils.

In certain specific situations, MGP Conseils may also collect personal information from third parties without the consent of the individual concerned, if the company has a serious and legitimate interest in doing so, and if one of the following conditions is met:

  1. The collection is in the interest of the individual concerned, and it is not possible to collect this information directly from them in a timely manner.
  2. The collection is necessary to ensure the accuracy of the information.

Furthermore, MGP Conseils may collect personal information indirectly, particularly by using various technological platforms. Below is a list of technological platforms used by MGP Conseils, along with links to their terms of use and privacy policies:

The collection of information through third parties may be necessary to access certain services or programs, or to conduct transactions with MGP Conseils. In such situations, MGP Conseils will obtain the consent of the individual concerned at the appropriate time, in accordance with legal requirements and appropriate collection practices. Respecting individual consent is an essential priority for MGP Conseils.

Retention and Use

  • MGP Conseils attaches great importance to updating and ensuring the accuracy of the information it holds when it is used to make a decision concerning the individual in question.
  • MGP Conseils commits to using an individual’s personal information only for the reasons set out in this policy or for any other reason specified at the time of collection. If MGP Conseils wishes to use this information for different or additional purposes, new consent will be required from the individual concerned, particularly express consent if it involves sensitive personal information. However, in certain cases provided by law, MGP Conseils may use the information for secondary purposes without the individual’s consent, for example:
  • when such use is in the interest of that individual;
  • when it is necessary to prevent or detect fraud;
  • when it is necessary to evaluate or improve protection measures.
  • Limited Access. MGP Conseils must take measures to limit access to personal information only to employees and individuals within its organization who require this information in the performance of their duties. Before allowing access to this information to any other person, MGP Conseils will obtain the consent of the individual concerned. The confidentiality and protection of personal information are essential concerns for MGP Conseils, and data access will be strictly controlled to ensure its security and confidentiality.

Disclosure

  • Generally, and unless an exception is indicated in this policy or otherwise provided by law, MGP Conseils will obtain the consent of the individual concerned before disclosing their personal information to a third party. Furthermore, when consent is necessary and it involves sensitive personal information, MGP Conseils must obtain the explicit consent of the individual before disclosing this information. The confidentiality and protection of personal information are essential commitments for MGP Conseils, and any disclosure of data to third parties will be carried out with respect for the consent of the individuals concerned.
  • However, it may be necessary to disclose personal information to third parties in certain specific circumstances. Thus, personal information may be disclosed to third parties without the consent of the individual concerned in certain cases, including, but not limited to, the following situations:
  • MGP Conseils may disclose personal information to a public body (such as the government) without the consent of the individual concerned, if that body collects it in the exercise of its functions or as part of the implementation of a program it manages. This disclosure may be made in accordance with current legal and regulatory requirements, respecting the applicable provisions concerning the protection of personal information. MGP Conseils will ensure compliance with appropriate laws and regulations when it is necessary to disclose personal information to public bodies.
  • MGP Conseils may transmit personal information to its service providers when necessary, without the consent of the individual concerned. These service providers may include event organizers, subcontractors designated by MGP Conseils for the execution of mandates in programs administered by the company, as well as cloud service providers. In such cases, MGP Conseils must establish written contracts with these providers to guarantee the confidentiality of the personal information disclosed. These contracts must stipulate that providers may only use this information within the scope of the contract’s execution and are not authorized to retain this information after the contract’s expiration. Furthermore, these contracts must also require providers to notify MGP Conseils’ Personal Information Protection Officer (as designated in this policy) of any breach or attempted breach of confidentiality obligations concerning the personal information disclosed. These contracts must allow the officer to conduct verifications regarding the confidentiality of this information if necessary. The security and confidentiality of personal information remain a priority for MGP Conseils when shared with service providers.
  • Indeed, if it proves necessary for the purpose of concluding a commercial transaction, MGP Conseils could disclose personal information to the other party of the transaction, without the consent of the individual concerned, subject to the conditions provided by law. However, this disclosure of information will be carried out in compliance with the applicable legal provisions concerning the protection of personal information and taking into account confidentiality requirements. The confidentiality and security of personal information remain an essential concern for MGP Conseils during any commercial transaction involving data disclosure.
  • It is possible that personal information held by MGP Conseils may be disclosed outside Quebec, for example, when the company uses cloud service providers whose servers are located outside Quebec, or when it collaborates with subcontractors located outside the province. In such cases, MGP Conseils will ensure that the disclosure of this information outside Quebec complies with applicable laws and regulations regarding personal information protection. Appropriate measures will be taken to ensure the security and confidentiality of personal information, even when it is transmitted outside the province.

Information on Technologies We Use

Use of Cookies.

Cookies are data files transmitted to a website visitor’s computer by their web browser when they visit that site and can have several uses.

Websites controlled by MGP Conseils use cookies, notably:

  • To remember visitors’ settings and preferences, for example, for language selection and to allow tracking of the current session.
  • For statistical purposes to understand visitor behavior, content viewed, and enable website improvement.

Websites controlled by MGP Conseils use the following types of cookies:

  • Session cookies: These are temporary cookies that are kept in memory only for the duration of the website visit.
  • Persistent cookies: They are kept on the computer until they expire and will be retrieved during the next visit to the site.

It is also possible to enable and disable the use of cookies by changing preferences in the settings of the browser used.

Use of Google Analytics

Some MGP Conseils websites use Google Analytics with the aim of continuously improving their services. Google Analytics notably allows for analyzing how visitors interact with MGP Conseils’ websites. To this end, Google Analytics uses cookies to generate statistical reports on visitor behavior and content viewed on these sites.

It is essential to note that MGP Conseils commits to never sharing information from Google Analytics with third parties. The data collected by Google Analytics is used exclusively for the improvement of MGP Conseils’ services and with respect for user confidentiality. The protection of visitors’ privacy is a priority for MGP Conseils, and the information collected by Google Analytics is processed securely and in accordance with personal information protection laws.

It is possible to install a browser add-on to disable Google Analytics.

Other Technologies Used

MGP Conseils also collects personal information through technological means such as web forms integrated into a website under its control (e.g., contact form, newsletter subscription, etc.), online questionnaires accessible on its platforms and applications, as well as other platforms or form tools.

When MGP Conseils collects personal information by offering a technological product or service with privacy settings, the company ensures that these settings provide the highest level of privacy by default (excluding cookies). This means that the initial settings must be configured to protect user privacy from the outset, without users having to make additional adjustments to ensure their confidentiality.

The security and protection of users’ personal information are a priority for MGP Conseils when collecting data through technological means, and the company strives to adhere to the highest standards of confidentiality.

Retention and Destruction of Personal Information

Unless a minimum retention period is required by applicable law or regulation, MGP Conseils will retain personal information only for the period necessary to fulfill the purposes for which it was collected.

Personal information used by MGP Conseils to make a decision concerning an individual will be retained for at least one year after the decision is made. In cases where the decision has tax implications, such as circumstances of employment termination, the information will be retained for seven years after the end of the fiscal year in which the decision was made.

Responsible retention of personal information is a priority for MGP Conseils, and the company will ensure compliance with appropriate retention periods based on specific circumstances. The security and confidentiality of individuals’ data are central to the retention practices implemented by MGP Conseils.

At the end of the retention period or when personal information is no longer necessary, MGP Conseils will ensure:

  • their destruction; or
  • their anonymization (meaning they can no longer, irreversibly, identify the individual, and it is no longer possible to link the individual to the personal information) for serious and legitimate purposes.

The destruction of personal information by MGP Conseils will be carried out securely, thereby ensuring the protection of this confidential information.

Any specific policy or procedure adopted by MGP Conseils regarding the retention and destruction of personal information may be added to this section, where applicable. For more information on this matter, please contact the MGP Conseils Privacy Officer, whose contact details are provided in this policy.

The confidentiality and security of personal information are paramount concerns for MGP Conseils, and the company is committed to implementing appropriate measures to ensure the protection of individuals’ data. The secure destruction of unnecessary personal information is a crucial step in the responsible management of this data.

Data Security

MGP Conseils is firmly committed to implementing reasonable security measures to ensure the protection of the personal information it manages. These security measures are adapted to the purpose, quantity, distribution, medium, and sensitivity of the collected information.

This means that information deemed sensitive will be subject to stricter security measures and will benefit from enhanced protection. In accordance with the limited access policy for personal information, MGP Conseils will take the necessary steps to restrict usage rights for its information systems, ensuring that only authorized employees who need access are able to do so.

Access control and management of confidential information constitute a crucial component of MGP Conseils’ security strategy. The implementation of these measures aims to prevent any unauthorized access and to protect the confidentiality of personal information held by the company. Data security is an absolute priority for MGP Conseils, and the company strives to maintain high protection standards to ensure client trust and compliance with personal information protection regulations.

Rights of Access, Rectification, and Withdrawal of Consent

To exercise their rights of access, rectification, or withdrawal of consent, data subjects must submit a written request to the MGP Conseils Privacy Officer, at the email address indicated in the following section of this policy.

Subject to certain legal restrictions, data subjects have the right to request access to their personal information held by MGP Conseils, and to request its correction in case of inaccuracy, omission, or ambiguity. They may also demand the cessation of dissemination of personal information concerning them, or request that any hyperlink associated with their name allowing access to this information through technological means be de-indexed, when the dissemination of this information contravenes the law or a court order. Similarly, under certain conditions provided by law, they may request that the hyperlink allowing access to this information be re-indexed.

The MGP Conseils Privacy Officer will respond in writing to these requests within 30 days of their receipt. If a request is refused, the reasons will be explained and accompanied by the legal provision justifying this refusal. In such cases, the response will also inform the data subjects of the remedies available under the law and the deadline for exercising them. The officer will also provide any necessary assistance to help applicants understand the reason for the refusal.

Subject to applicable legal and contractual restrictions, data subjects have the right to withdraw their consent to the communication or use of personal information collected from them. They may also ask MGP Conseils to provide them with information on the personal information collected from them, the categories of individuals within MGP Conseils who have access to this information, and the duration of its retention.

Complaint Handling Process

To exercise their rights of access, rectification, or withdrawal of consent, data subjects must submit a written request to the MGP Conseils Privacy Officer, at the email address indicated in the following section of this policy.

Subject to certain legal restrictions, data subjects have the right to request access to their personal information held by MGP Conseils, and to request its correction in case of inaccuracy, omission, or ambiguity. They may also demand the cessation of dissemination of personal information concerning them, or request that any hyperlink associated with their name allowing access to this information through technological means be de-indexed, when the dissemination of this information contravenes the law or a court order. Similarly, under certain conditions provided by law, they may request that the hyperlink allowing access to this information be re-indexed.

The MGP Conseils Privacy Officer will respond in writing to these requests within 30 days of their receipt. If a request is refused, the reasons will be explained and accompanied by the legal provision justifying this refusal. In such cases, the response will also inform the data subjects of the remedies available under the law and the deadline for exercising them. The officer will also provide any necessary assistance to help applicants understand the reason for the refusal.

Subject to applicable legal and contractual restrictions, data subjects have the right to withdraw their consent to the communication or use of personal information collected from them. They may also ask MGP Conseils to provide them with information on the personal information collected from them, the categories of individuals within MGP Conseils who have access to this information, and the duration of its retention.

Receipt

Any person wishing to file a complaint regarding the application of this policy or the protection of their personal information by MGP Conseils must do so in writing and address their complaint to the MGP Conseils Privacy Officer, at the email address indicated in the following section of this policy.

The individual must provide their name, contact details, including a phone number, as well as the subject and reasons for their complaint, providing sufficient details for it to be evaluated by MGP Conseils. If the complaint is not sufficiently precise, the Privacy Officer may request any additional information deemed necessary to adequately evaluate the complaint.

MGP Conseils is committed to examining all complaints fairly and diligently. The Privacy Officer will review each complaint confidentially and take the necessary measures to resolve any potential issue related to the protection of personal information. Individuals who have filed a complaint will be kept informed of the progress of their case and the actions taken to resolve the situation.

Processing

MGP Conseils attaches great importance to the confidentiality and confidential handling of complaints it receives. Within 30 days following receipt of the complaint, or after receiving all additional information deemed necessary by the MGP Conseils Privacy Officer to process the complaint, the latter must evaluate the situation and provide a written and reasoned response by email to the complainant. This evaluation aims to determine whether MGP Conseils’ processing of personal information complies with this policy, other policies and practices in force within the organization, as well as applicable legislation and regulation regarding personal information protection.

If, for particular reasons, the complaint cannot be processed within this 30-day period, the complainant will be informed of the reasons justifying this extension, the progress of their complaint’s processing, and the reasonable time required to provide a definitive response.

MGP Conseils is required to keep a separate file for each complaint received. Each file contains the complaint itself, the analysis performed and any documentation supporting the evaluation, as well as the response sent to the person who filed the complaint.

It is also possible for the complainant to bring their complaint before the Commission d’accès à l’information du Québec or any other supervisory body responsible for enforcing the law relating to the protection of personal information, in connection with the subject of the complaint. However, MGP Conseils encourages any interested person to first contact its Privacy Officer and await the outcome of MGP Conseils’ internal processing before resorting to other external remedies.

Approval

This policy is approved by the MGP Conseils Privacy Officer, whose business contact details are as follows:

Privacy Officer:

Manuel Patry

support@mgpconseils.ca

For any request, question, or comment within the scope of this policy, please contact the officer by email.

Publication and Amendments

This personal information protection policy is available and published on MGP Conseils’ main website, as well as on all other websites controlled and maintained by MGP Conseils that are subject to this policy and collect personal information. This policy is also disseminated by any appropriate means to reach data subjects.

Any amendment made to this policy will also be published on the aforementioned websites and will be subject to a notice to inform data subjects.

MGP Conseils is committed to keeping this policy up to date and actively informing its users and clients of any significant changes that could affect the protection of their personal information. This transparency aims to ensure that data subjects are fully aware of MGP Conseils’ personal information protection practices and their right to know how their data is used and protected.

Version: 1.0 | Effective Date: August 1, 2023 | Changes since last version: First version.

Appendix A

Below is a non-exhaustive list of the types of information that MGP Conseils may collect, as well as their use or intended purpose, and the means by which this information is gathered. It is important to note that most personal information managed by MGP Conseils primarily concerns employees, job applicants, and consultants. For other categories of individuals mentioned in the table below, the information provided is generally professional or business in nature. Furthermore, MGP Conseils often collects individuals’ professional titles or functions, as well as the name and/or address of their organization.

Types of Information Collected

Purposes and Uses

Means of Collection

  • name
  • phone number
  • email
  • banking information (when necessary)
  • language
  • postal code
  • establish and manage client relationships (and obtain a means of communication)
  • provide a service
  • register members for events organized by MGP Conseils
  • ensure payment of service-related costs
  • newsletter and MGP Conseils event registration
  • provide training (webinars or other opportunities, workshops, etc.)
  • future communications
  • invoicing
  • registration for activities organized by MGP Conseils
  • surveys
  • web forms, online surveys on platforms and applications, as well as other technological form platforms or tools.
  • by email (directly or through an attached document or other type of form)
  • from third parties

 

Types of Information Collected

Purposes and Uses

Means of Collection

  • name
  • phone number
  • email
  • banking information
  • Social Insurance Number
  • date of birth
  • address
  • managing communications with the applicant or employee
  • ensure the operation of the payroll system
  • by email
  • by phone
  • via website and forms

Types of Information Collected

Purposes and Uses

Means of Collection

  • name
  • phone number
  • email
  • banking information
  • address
  • managing communications with the consultant
  • invoicing
  • by email (directly or through an attached document: Word, PDF, etc.)
  • via website and forms

Types of Information Collected

Purposes and Uses

Means of Collection

  • name
  • phone number
  • email
  • banking details (when necessary)
  • establish the partnership (signing of partnership agreements)
  • collaboration
  • by email (directly or through an attached document or other type of form)
  • by phone

Please note that this list is not exhaustive, and other personal information may be collected based on the specific needs of each situation or project. MGP Conseils is committed to using this information responsibly and in accordance with the objectives set out in this privacy policy.