Privacy policy

PRIVACY GOVERNANCE POLICY

I. Objectives

Groupe Gilbert collects and uses personal information as part of the activities of its companies. As a group of companies subject to the Act respecting the protection of personal information in the private sector, Groupe Gilbert has adopted this Privacy Governance Policy (hereinafter referred to as the "Policy"). This Policy aims to establish:

  • Rules applicable to the retention and destruction of personal information;
  • The roles and responsibilities of staff members throughout the life cycle of personal information;
  • A process for handling complaints related to the protection of personal information.

II. Legal Framework

This Policy has been adopted in compliance with the following legislation:

  • Act respecting the protection of personal information in the private sector, CQLR c. P-39.1;
  • Civil Code of Quebec, CQLR c. CCQ-1991.

III. Application

This Policy applies to all companies within Groupe Gilbert:

  • The term "Groupe Gilbert" includes, but is not limited to, Fernand Gilbert Ltée, Transport F. Gilbert Ltée, Gilbert Énergie Ltée, Environnement Saint-Laurent Inc., Logistique Saint-Laurent Inc., Dynamitage TCG Inc., Concassage TCG Inc., Services Environnementaux Saint-Laurent, 5297 Nunavut Ltd – Groupe Sana, Nutrinor-Gilbert Renewable Energy Inc., and Investissement Gilbert Ltée, as well as their subsidiaries, affiliated companies, linked partnerships, or entities in which they have significant control, whether in Quebec, Nunavut, or elsewhere in Canada.
  • All executives and employees of Groupe Gilbert;
  • Any personal information, regardless of its medium.

Personal information is defined by the Act respecting the protection of personal information in the private sector as information concerning a natural person that allows them to be identified.

Personal information is considered "sensitive" when, due to its nature (e.g., medical, biometric, or otherwise intimate), or the context of its use or communication, it creates a high expectation of privacy.

Articles VII and VIII of this Policy do not apply to public personal information nor to personal information concerning the exercise of a person's function within a company, such as their name, function, work address, work email address, and work phone number.

IV. Personal Information Protection Officer

Groupe Gilbert has appointed a Personal Information Protection Officer responsible for ensuring the implementation of this Policy:

Jonathan Gilbert
Interim CEO
confidentialite@groupegilbert.com

Clermont Gilbert
Director TFGL/Logistique Saint-Laurent
confidentialite@groupegilbert.com

Any questions related to this Policy should be directed to the Personal Information Protection Officer.

V. Collection and Use of Personal Information

The personal information collected by Groupe Gilbert is used in a strictly limited manner.

Furthermore, access to this information is restricted to individuals who need to use it as part of their duties. Access restrictions are outlined in Appendix 2 of this Policy.

  1. Activities of Groupe Gilbert 

Groupe Gilbert collects and uses personal information as part of its business activities. Without limiting the generality of the above, Groupe Gilbert must use and disclose personal information to:

  • Fulfill conditions related to certain contracts;
  • Ensure the provision of specific training for executives and employees;
  • Oversee transportation and accommodation for executives and employees whose workplace is remote;

  2. Recruitment

Groupe Gilbert collects and uses personal information (including resumes, cover letters, and references) as part of the recruitment process for executives and employees.

  3. Employee Records Management

Groupe Gilbert collects and uses personal information from its executives and employees for the purpose of managing employee records (including postal address, personal email address, phone numbers, date of birth, a copy of the driver's license (if required by the job), and social insurance number). Furthermore, Groupe Gilbert must share personal information with service providers as part of employee records management.

VI. Accuracy

Groupe Gilbert ensures that the personal information it uses is up-to-date, accurate, and complete.

VII. Disclosure of Personal Information to Third Parties

  1. General Principle

Groupe Gilbert does not disclose personal information to third parties in any manner (e.g., dissemination, exchange, sale, etc.) unless the individual concerned consents. Consent must be explicitly given if the personal information is sensitive.

  2. Exceptions

Groupe Gilbert may disclose personal information to third parties without the individual's consent when permitted by law, particularly to the following individuals:

  • Its legal counsel;
  • The Director of Criminal and Penal Prosecutions if the information is required for prosecution of an offense under applicable Quebec law;
  • A person or organization authorized by law to prevent, detect, or repress crime or violations of laws who requires the information in the exercise of their functions if the information is necessary for the prosecution of an offense under applicable Quebec law;
  • A person to whom it is necessary to disclose the information as part of applicable Quebec law or to apply a collective agreement;
  • A public body as defined by the Act respecting Access to documents held by public bodies and the Protection of personal information (chapter A-2.1) that collects it through a representative in the exercise of its powers or the implementation of a program under its management;
  • A person or organization with the authority to compel disclosure of the information and who requires it in the exercise of their functions;
  • A person to whom this disclosure must be made due to an emergency threatening the life, health, or safety of the individual concerned;
  • A person who may use the information for research, study, or statistical purposes in accordance with sections 21 and 21.1 of the Act respecting the protection of personal information in the private sector;
  • A person who, under the law, may collect debts on behalf of others and who requires the information to do so in the exercise of their functions;
  • A person if the information is necessary for the purpose of collecting a debt owed to the company;
  • Any person or organization if this disclosure is necessary for the performance of a mandate or execution of a service or enterprise contract that has been entrusted to them. In this case, the person operating a business must:
    1. Entrust the mandate or contract in writing;
    2. Indicate in the mandate or contract the measures that the mandatary or contractor must take to ensure the protection of the confidentiality of the disclosed personal information, so that this information is used only in the exercise of their mandate or the execution of their contract and not retained after its expiration.

    A person or organization exercising a mandate or executing a service or enterprise contract under the first paragraph must immediately notify the Personal Information Protection Officer of any breach or attempted breach by any person of one or more of the obligations related to the confidentiality of the disclosed information and must also allow the Personal Information Protection Officer to conduct any verification related to this confidentiality. This second condition does not apply when the mandatary or contractor is a public body as defined by the Act respecting Access to documents held by public bodies and the Protection of personal information (chapter A-2.1) or a member of a professional order.

VIII. Retention and Destruction of Personal Information

Groupe Gilbert has implemented all security measures required by law to protect and ensure the confidentiality of the personal information it collects and retains. Furthermore, it follows a rigorous process for the retention and destruction of personal information as detailed below. 

Documents containing personal information must be destroyed as soon as the purpose for which they were collected is fulfilled, subject to the retention period required by law or by a retention schedule.

  1. Retention Schedule for Personal Information (Paper and Electronic)

Groupe Gilbert must retain:

  • Candidate records for at least three (3) years following the rejection of their application;
  • Former executives and employees' records for at least seven (7) years following the end of their employment, except:
    • Claims records under the Act respecting industrial accidents and occupational diseases, which must be retained permanently due to the risk of recurrence and relapse;
    • Tax records and supporting documents for at least seven (7) years.

  2. Retention of Personal Information on Paper

Personal information on paper is stored in locked filing cabinets. 

Only executives and employees who need to use personal information as part of their duties have access to the relevant filing cabinet. 

When executives and employees are required to work outside of Groupe Gilbert's premises, they must prioritize the use of personal information in electronic form rather than paper form.

IX. Right of Access and Rectification

Groupe Gilbert informs any person who requests it of the existence of personal information concerning them, the use made of it, and whether it has been disclosed to third parties. It allows any person to consult or obtain a copy of their personal information and to have it rectified if necessary. 

A request for access or rectification can only be considered if it is made in writing by a person justifying their identity as the concerned person, as the representative of the concerned person's heir, successor, executor, life insurance or death benefit beneficiary, or holder of parental authority even if the minor child is deceased. Any request for access or rectification must be addressed to the Personal Information Protection Officer.

X. Privacy Incident

A "privacy incident" refers to the following situations:

  • Access to personal information not authorized by law;
  • Use of personal information not authorized by law;
  • Disclosure of personal information not authorized by law;
  • Loss of personal information or any other breach of the protection of such information.

When an executive or employee has reason to believe that a privacy incident has occurred, they must notify the Personal Information Protection Officer. 

The concerned executive or employee and the Personal Information Protection Officer must jointly:

  • Assess the risk of harm to a person whose personal information is affected by a privacy incident by considering the sensitivity of the concerned information, the anticipated consequences of its use, and the likelihood that it will be used for harmful purposes;
  • Take reasonable steps to mitigate the risk of harm and prevent similar incidents in the future. If the incident presents a risk of serious harm, the Personal Information Protection Officer must promptly notify:
    • The Commission d'accès à l'information. The notice template is available on the Commission's website: https://www.cai.gouv.qc.ca/documents/CAI_FO_avis_incident_confidentialite.pdf;
    • Any person whose personal information is affected by the incident;
    • Any person or organization likely to mitigate this risk by only disclosing the necessary personal information for this purpose without the consent of the concerned person. In the latter case, the Personal Information Protection Officer must record the disclosure.

Despite the preceding paragraph, a person whose personal information is affected by the incident does not need to be notified for as long as notifying them could interfere with an investigation by a person or organization authorized by law to prevent, detect, or repress crime or violations of laws.

The Personal Information Protection Officer must record any privacy incident in a register as provided in the first appendix to this Policy.

XI. Privacy Impact Assessment (PIA)

The PIA is a process aimed at protecting personal information and respecting the privacy of individuals. It is a form of impact analysis. 

Groupe Gilbert must conduct a PIA in the following situations:

  • For any project involving the acquisition, development, and overhaul of an information system or the electronic provision of services involving personal information. Groupe Gilbert must begin the PIA before starting a project and continue it throughout the project's duration;
  • Before disclosing personal information outside Quebec. In this situation, Groupe Gilbert must consider the following elements:
    1. The sensitivity of the information;
    2. The purpose of its use;
    3. The protective measures, including contractual ones, that the information would benefit from;
    4. The legal regime applicable in the state where the information would be disclosed, particularly the privacy protection principles that apply there.

    The disclosure can proceed if the evaluation shows that the information would be adequately protected, particularly regarding generally recognized privacy protection principles. It must be the subject of a written agreement that considers, among other things, the evaluation results and, if applicable, the agreed-upon measures to mitigate the risks identified during this evaluation.
  • Before disclosing personal information to a third party without the consent of the concerned persons for research, study, or statistical purposes.

To conduct a PIA, Groupe Gilbert must consider all factors that positively or negatively affect the respect of the privacy of concerned individuals. These factors are as follows:

  • The compliance of the project with applicable privacy legislation and the principles supporting it;
  • The identification of privacy risks generated by the project and the evaluation of their consequences;
  • The implementation of strategies to avoid or effectively reduce these risks and maintain them over time. 

The PIA must be documented in writing.

The Personal Information Protection Officer may refer to the Commission d'accès à l'information's guide for conducting a PIA: https://www.cai.gouv.qc.ca/documents/CAI_Guide_EFVP_FR.pdf.

XII. Complaint Process

Any complaint related to the management of personal information must be addressed in writing to the Personal Information Protection Officer. 

It must state the facts and reasons in support of the complaint. In addition, any document relevant to its analysis must be attached. 

The Personal Information Protection Officer must process the complaint diligently and provide a written response to the complainant.

XIII. Update

This Policy was updated on February 1, 2024.

Appendix 1

Confidentiality Incident Register

Date of the incident

Date the organization became aware of the incident

Summary description of the incident (attach any relevant document to the Confidentiality Incident Register)

Description of the personal information affected by the incident

Identification of the person(s) affected by the incident

Description of the factors that led the organization to conclude whether there is a risk of serious harm to the affected individuals (the sensitivity of the affected personal information, possible malicious uses of the information, anticipated consequences of its use, and the likelihood that it will be used for harmful purposes)

In the case of a risk of serious harm, was a notice sent to the Commission? If yes:

  • On what date?
  • Attach the notice to the Confidentiality Incident Register.

In the case of a risk of serious harm, was a notice sent to the person(s) affected by the incident? If yes:

  • On what date?
  • Attach the notice to the Confidentiality Incident Register.

In the case of a risk of serious harm, was a notice sent to any person or organization likely to mitigate this risk? If yes:

  • On what date?
  • Attach the notice to the Confidentiality Incident Register;
  • Attach the communication record to the Confidentiality Incident Register.

Description of the measures taken by the organization following the incident to mitigate the risk of harm.

Person who discovered the incident: ____________________________________

Date: _____________ Signature: ___________________________________

Person who discovered the incident: ____________________________________

Date: _____________ Signature: ___________________________________