Privacy Policy
1. PREAMBLE
In the course of its activities and mission, Instrumentation Icetek Inc. (the "Company") processes personal information, in particular that of its customers, visitors to its website and its employees and other staff members, as well as its directors and officers. As such, the Company recognizes the importance of respecting privacy and protecting the personal information it holds.
In order to fulfill its obligations under the Act respecting the protection of personal information in the private sector, the Company has adopted this policy. It sets out the framework principles applicable to the protection of personal information held throughout its life cycle, the rights of the persons concerned, and the role of stakeholders in the implementation of the Act within the Company.
2. OBJECT
This policy:
- sets out the Company's governance principles and rules with regard to personal information throughout its life cycle;
- defines the roles and responsibilities of stakeholders with regard to the protection of personal information;
- provides a framework for the exercise of the rights of the persons concerned; and
- sets out the process for handling complaints concerning the protection of personal information.
3. SCOPE OF APPLICATION
This policy applies to personal information collected or held by the Company. It also applies to any person who handles personal information for the Company. Compliance with this policy is mandatory, and the Company is committed to handling personal information in accordance with the privacy principles set out in this policy.
This policy is the reference document for the Company's privacy compliance program, from which derive policies, directives, procedures or any other document covering such topics as:
- obtaining valid consents;
- conducting Privacy Impact Assessments;
- disclosing personal information to third parties without consent;
- disclosing personal information outside Quebec;
- exercising the rights of individuals;
- retention, archiving and destruction; and
- handling individual complaints.
4. DEFINITIONS
For the purposes of this policy, the following terms mean:
"CAI" refers to the Commission d'accès à l'information du Québec.
"Business contact information" refers to personal information concerning the performance of a function within an organization, such as name, title and function, as well as postal address, e-mail address and workplace telephone number.
"Life cycle" refers to all the steps involved in the processing of personal information, i.e. collection, use, disclosure, retention and destruction.
"Privacy Impact Assessment" or "PIA" refers to the process of protecting personal information and respecting the privacy of individuals. It is a form of impact analysis. It is evolutionary and must be reviewed throughout the project.
"Privacy incident" means any unauthorized access, use or disclosure of personal information, or any loss or other breach of the protection of such information.
"Law" means any statute, regulation, recommendation or notice applicable to privacy matters, including the Act respecting the protection of personal information in the private sector, the Act respecting the legal framework for information technology and any other statute, regulation, recommendation or notice that replaces, supplements, amends, extends, re-enacts or codifies applicable privacy laws.
"Data subject" means a natural person to whom personal information relates.
"Personal information" means any information relating to a natural person that allows that person to be identified, either directly (by recourse to that information alone) or indirectly (by combination with other information).
"Privacy Officer" or "PPO" means the person within the Company who is responsible for ensuring compliance with and implementation of the law concerning the protection of personal information.
5. GUIDING PRINCIPLES
Personal information is protected throughout its life cycle in accordance with the following principles, unless otherwise provided by law. Business contact information and personal information of a public nature are not subject to the guiding principles.
5.1. Collection
- The Company only collects personal information that is necessary for the performance of its activities. Before collecting personal information, the Company identifies the purposes for which it is to be processed.
- 5.1.2. At the time of collection, and thereafter upon request, the Company informs the persons concerned of the mandatory content provided for by law, including the purposes of collection and the right to withdraw consent to the use or disclosure of personal information by the Company.
- The information provided for in paragraph 5.1.2 is given in clear and simple terms, by means of a privacy policy or a "just-in-time" notice.
- The person concerned who provides his or her personal information after having received the information in paragraph 5.1.2 is presumed to consent to the use and communication for the declared purposes.
5.2. Use
- The Company uses personal information only for the purposes for which it was collected. However, the Company may change these purposes with the prior consent of the person concerned.
- It may also use personal information for other purposes without the consent of the person concerned, only in cases where the proposed use is permitted by law.
5.3. Communication
- Subject to the exceptions provided by law, the Company may not disclose personal information to third parties without the consent of the person concerned.
- When personal information is disclosed outside Québec, the Company conducts a PIA in accordance with section 6 hereof.
- The Company maintains a register of certain disclosures of personal information without consent. The register records the disclosures covered by the Act, including the following:
  - to a person or organization that has the power to compel the Company to disclose personal information and that requires it in the performance of its duties;
  - to a person to whom this communication must be made because of an emergency situation endangering the life, health or safety of the person concerned;
  - to a person or organization for the purposes of a mandate or contract for services or business;
  - to the other party to a commercial transaction, if the communication is necessary for the conclusion of the transaction;
  - to a person who may use it for study, research or statistical purposes;
  - to a person authorized by law to collect debts on behalf of others and who requires it for this purpose in the performance of his or her duties;
  - to a person if the information is required to collect a debt owed to the Company.
5.4. Conservation
- The Company takes all reasonable steps to ensure that the personal information it holds is up-to-date, accurate and complete for the purposes for which it is collected or used.
- The Company retains personal information only as long as necessary for the fulfillment of the purposes for which it was collected, subject to any retention obligations that may apply, in accordance with its retention schedule.
5.5. Destruction and anonymization
- Once the purposes for which the personal information was collected have been fulfilled, the information is destroyed or, in certain cases, anonymized in accordance with the retention schedule.
6. PRIVACY IMPACT ASSESSMENT
- The purpose of a PIA is to demonstrate that the Company has complied with all privacy obligations and that all measures have been taken to effectively protect personal information.
- The Company conducts a PIA in the following situations, among others:
  - before undertaking a project involving the acquisition, development or redesign of an information system or the electronic delivery of services involving personal information;
  - before communicating personal information without the consent of the individuals concerned to a person or organization wishing to use this information for study, research or statistical purposes;
  - before disclosing personal information outside Quebec.
- In conducting a PIA, the Company takes into account the sensitivity of the information to be processed, the purposes for which it is to be used, its quantity, distribution and medium, as well as the proportionality of the measures proposed to protect personal information. The Company also takes into account the criteria determined by law for each PIA.
7. RIGHTS OF THE PERSONS CONCERNED
- At the request of a data subject, the Company must inform him or her of the following:
  - the personal information collected from him or her;
  - the categories of persons who have access to this information within the Company;
  - how long the information will be kept; and
  - contact information for the Company's Privacy Officer.
- To the extent provided by law, a data subject has the following rights:
  - the right to be informed, where applicable, that personal information is being used to make a decision based on exclusively automated processing;
  - the right to withdraw consent to the use and communication of personal information collected by the Company.
- 7.3. To the extent provided by law, any individual about whom the Company holds personal information has the following rights:
  - the right to access personal information held by the Company and to obtain a copy, in electronic or other format; unless this raises serious practical difficulties, at the request of a person concerned, the Company communicates computerized personal information collected from him or her in a structured and commonly used technological format;
  - the right to rectify any incomplete or inaccurate personal information held by the Company;
  - the right to request the deletion of information in certain circumstances, or to provide written comments to the Company;
  - the right to ask the Company to cease disseminating information or to de-index any hyperlink attached to his or her name, under certain conditions.
- The Privacy Officer will respond in writing to requests to exercise the rights set out in paragraph 7.3, promptly and no later than 30 days from the date of receipt of the request.
8. SECURITY OF PERSONAL INFORMATION
- The Company implements reasonable security measures to ensure the confidentiality, integrity and availability of personal information that is collected, used, disclosed, retained or destroyed. These measures take into account the sensitivity of the personal information, the purpose for which it is collected, its quantity, location and medium.
- The Company manages the access rights of its employees to ensure that only those who require access in the course of their duties have access to personal information.
9. PRIVACY INCIDENTS
- All confidentiality incidents are handled in accordance with the Company's incident response plan.
- 9.2. In accordance with the law, the Company maintains a register of confidentiality incidents.
- If the confidentiality incident presents a risk of serious harm to the persons concerned, the Company will promptly notify them and the CAI.
- The register provided for in paragraph 9.2 is kept up to date for five years after the last incident or the period of the last incident.
10. ROLES AND RESPONSIBILITIES
The protection of personal information held by the Company relies on the commitment of all those who handle such information, and in particular the following stakeholders:
1. The President:
- ensures the implementation of the law;
- facilitates the performance of the duties of the Privacy Officer, in particular by ensuring that he or she has the appropriate resources to carry out his or her mandate and implement the Company's privacy program.
2. The Board of Directors of the Company:
- approves this Policy, as well as any significant amendments to it, on the recommendation of the Privacy Officer;
- if applicable, receives and analyzes any issues relating to the protection of personal information submitted to it by the Privacy Officer;
- if applicable, receives and analyzes the Privacy Officer's report;
- keeps itself informed of the Company's privacy activities and takes any action it deems appropriate to maintain an acceptable level of risk for the Company.
3. The Privacy Officer:
- ensures compliance with and implementation of the law within the Company;
- is responsible for the application and implementation of this Policy and other documents forming the Company's Privacy Program;
- designs the Company's privacy program and updates it as required;
- supports the Company's employees in the implementation of the program, notably by acting as a respondent for any related questions;
- as required, produces a report on activities related to the Company's privacy program and submits it to the Board of Directors;
- oversees the coordination of the response to a privacy incident and the maintenance of the privacy incident log;
- receives and responds to written requests from individuals to exercise their rights in accordance with this policy; and
- is consulted, at the outset of Privacy Impact Assessments, and may suggest privacy safeguards to mitigate risks.
4. Anyone handling personal information held by the Company:
- acts with care and integrates the principles and guidelines set out in this policy into their activities;
- when collecting personal information from individuals, ensures that valid consent is obtained and documented;
- accesses only the information required to perform their duties;
- keeps their files in such a way that only authorized persons have access to them;
- refrains from disclosing personal information that comes to their knowledge in the performance of their duties, unless duly authorized to do so;
- does not retain, at the end of their employment or contract, personal information obtained or collected in the course of their duties, and maintains their obligations of confidentiality;
- retains and destroys all personal information in accordance with the Company's retention schedule;
- participates in personal information protection awareness and training activities;
- detects situations requiring a PIA and completes the appropriate documents;
- promptly reports any breach, confidentiality incident or any other situation or irregularity that could in any way compromise the security, integrity or confidentiality of personal information to the Privacy Officer;
- promptly refers any request for the exercise of rights or any complaint relating to the Company's privacy practices to the Privacy Officer.
11. COMPLAINTS HANDLING
All complaints concerning the Company's privacy practices or its compliance with legal requirements relating to personal information are forwarded to the Company's Privacy Officer, who acknowledges receipt and responds within 30 days.
Controlab Inc. Yvan Bissonnette yvanb@controlabinc.com
129, rue d'Amsterdam, Saint-Augustin-de-Desmaures (Québec) G3A 2V5
Canada
12. SANCTIONS
Compliance with this policy and any other document forming the documentary framework is mandatory for the entire Company. Employees who fail to comply are subject to disciplinary measures ranging from disciplinary notice to dismissal, or to the contractual measures and penalties provided for suppliers and other third parties, which may include contract termination and claims for damages. Additional training and awareness may also be provided in the event of failure to comply with this policy.
13. REVIEW
In order to keep pace with changes in applicable privacy legislation and to improve the Company's privacy program, this Policy may be updated from time to time.
The Privacy Officer is responsible for this policy and its updates.
14. ENTRY INTO FORCE
This policy takes effect upon approval by the Board of Directors, on the recommendation of the Privacy Officer.
Effective date: October 8, 2024.
Date of last modification: October 8, 2024.