Privacy Policy
Procedure for the Retention, Destruction and Anonymization of Personal Information
1. Overview
It is essential to establish a procedure for the retention, destruction, and anonymization of personal information in order to protect individual privacy, comply with applicable privacy laws, prevent confidentiality incidents and security breaches, maintain client trust, and safeguard the organization’s reputation.
2. Purpose
The purpose of this procedure is to ensure the protection of individuals’ privacy and compliance with legal obligations relating to personal information protection.
3. Scope
This procedure applies to the entire lifecycle of personal information, from collection to destruction. It concerns all employees and stakeholders involved in the collection, processing, retention, destruction, and anonymization of personal information in accordance with applicable legal requirements and privacy best practices.
4. Definitions
Personal Information: Any information that identifies, directly or indirectly, a natural person.
Retention: Secure storage of personal information for the required duration.
Destruction: Permanent deletion, elimination, or erasure of personal information.
Anonymization: A process by which personal information is irreversibly modified so that individuals can no longer be identified, directly or indirectly.
4. Procedure
4.1 Retention Period
Personal information has been categorized as follows:
-
Employee information
-
Member information
-
Client information
Retention periods are established as follows:
-
Employees: 7 years after termination of employment
-
Members: Variable depending on the type of personal information
-
Clients: Variable depending on the type of personal information
For additional details, refer to the complete inventory of personal information held.
Specific statutory retention periods may apply.
4.2 Secure Storage Methods
Personal information is stored in the following locations:
-
OneDrive
-
Wix
Each storage location has been assessed for sensitivity level.
Both physical and digital storage systems are adequately secured.
Access is restricted to authorized personnel only.
4.3 Destruction of Personal Information
Paper records must be fully shredded.
Digital personal information must be permanently deleted from devices (computers, phones, tablets, external drives), servers, and cloud-based platforms.
A destruction schedule must be established in accordance with retention periods. Planned destruction dates must be documented.
Destruction must be carried out in a manner that ensures information cannot be recovered or reconstructed.
4.4 Anonymization of Personal Information
Anonymization should only occur when the organization intends to retain and use information for serious and legitimate purposes.
The chosen method of anonymization consists of deletion after the retention period.
The organization must ensure that remaining data cannot irreversibly identify individuals and must periodically assess re-identification risk through testing and analysis.
At the time of drafting this template, anonymization for serious and legitimate purposes is subject to regulatory criteria to be established by government regulation.
4.5 Staff Training and Awareness
Employees must receive regular training regarding retention, destruction, and anonymization procedures, as well as risks related to privacy breaches.
Training includes data security best practices and adherence to established procedures.
Last Updated: November 1, 2025
Procedure for Access Requests and Complaint Handling
1. Overview
Individuals have the right to request access to personal information held about them and to file complaints. This procedure establishes guidelines for responding to such requests.
2. Purpose
To ensure that all access requests are handled confidentially, promptly, and accurately, in compliance with applicable legal requirements.
3. Scope
This procedure applies to internal actors responsible for processing access requests and complaints, as well as individuals seeking access to their personal information.
4. Access Request Procedure
Requests must be submitted in writing to the Privacy Officer via email or postal mail.
The request must clearly state that it concerns access to personal information and provide sufficient identifying details.
An acknowledgment of receipt will be sent.
Requests must be processed within thirty (30) days.
Identity must be reasonably verified prior to disclosure.
Incomplete or excessive requests may require clarification or may be refused if manifestly abusive.
All stages of the request must be documented in an access request register.
5. Complaint Handling Procedure
Complaints may be submitted in writing, by phone, or electronically.
Each complaint is assessed for validity and seriousness.
An impartial investigation must be conducted.
Resolutions may include corrective measures or other appropriate actions.
The complainant must be informed in writing once the matter is resolved.
All documentation must be retained confidentially.
Procedure for De-indexation and Removal of Personal Information
Defines structured mechanisms for handling client requests for removal or de-indexation of personal data from online platforms.
Removal permanently deletes data.
De-indexation reduces visibility in search engines while keeping information accessible directly.
Identity verification is required.
Legitimate grounds for refusal include legal obligations or service continuity.
All requests must be documented.
Security Incident and Personal Information Breach Management Procedure
Defines response plans for:
-
Cybersecurity incidents
-
Ransomware
-
Account compromise
-
Device loss or theft
If a personal information breach presents a serious risk of harm, it must be reported to the Commission d’accès à l’information du Québec and to affected individuals.
The organization maintains a confidentiality incident register.
Legal Compliance
We are committed to complying with applicable legislation, including:
Quebec (Law 25 — Act to Modernize Legislative Provisions Respecting the Protection of Personal Information)
This privacy policy may be updated periodically to maintain legal compliance.
Users are encouraged to review it regularly.
Last Updated: November 1, 2025