Privacy Policy

1. Introduction and Objectives

 

Ici M Mécanique 360 ​​Auteuil places great importance on the protection of personal information. In this regard, Ici M Mécanique 360 ​​Auteuil has developed this policy to provide a framework for its governance of personal information and to enable its employees and subcontractors to understand the legal requirements and principles regarding the protection of personal information inherent in the performance of their duties.

 

More specifically, this policy aims to ensure compliance with applicable laws and standards by specifying, among other things: (i) the rules relating to the collection and other processing of personal information held by Ici M Mécanique 360 ​​Auteuil; (ii) the management of access to personal information; (iii) the process for handling complaints regarding the protection of personal information; and (iv) the security measures implemented to ensure the confidentiality, integrity, and availability of personal information throughout its lifecycle.

 

Ici M Mécanique 360 ​​Auteuil has also implemented various measures in this regard in accordance with applicable laws, including the changes introduced by Bill 25. For this reason, Ici M Mécanique 360 ​​Auteuil has: (i) validated and confirmed the roles and responsibilities of its Privacy Officer; (ii) implemented various privacy policies, including the following; (iii) established a privacy incident register; (iv) undertaken the review and documentation of all governance measures and rules; and (vi) prepared various contract and registry templates.

 

2. Scope of Application

 

This policy applies to:

• Individuals: all employees of Ici M Mécanique 360 ​​Auteuil, as well as its subcontractors, where applicable.

• Activities: Any processing of personal information within the scope of the mission, activities, or responsibilities of Ici M Mécanique 360 ​​Auteuil, even if the physical storage of such information is not ensured by Ici M Mécanique 360 ​​Auteuil.

• Resources: All information systems, regardless of their medium or format, whether stored internally or externally, such as cloud computing systems.

• Information: Any personal information, regardless of its format and storage location (internal or external).

 

3. Definitions and Interpretation

In this policy, the following terms have the meanings given to them below:

• Anonymize means the process of processing personal information according to generally accepted best practices and according to the criteria and procedures determined by the regulations. • Hold or detention refers to the legal possession of personal information as well as its physical possession, unless it is entrusted to a third party.

• Document refers to all documents, records, and other files kept in paper, electronic, or any other medium or format, and which contain personal information.

• Employee refers to any person employed by Ici M Mécanique 360 ​​Auteuil.

• Confidentiality incident refers to: (i) any access, use, or disclosure of personal information not authorized by law; (ii) any loss of personal information; or (iii) any other breach of the protection of such information.

• Laws refers to any laws, regulations, and other normative/legislative frameworks applicable to Ici M Mécanique 360 ​​Auteuil, including the Act respecting the protection of personal information in the private sector. • Individual means any person whose personal information may be processed or is under the responsibility of Ici M Mécanique 360 ​​Auteuil as part of its activities or mission.

• Personal information means any information that relates to a natural person and that allows them to be identified, directly or indirectly, except for exceptions provided for by law.

• Sensitive personal information means information that, by its nature or due to the context of its use or disclosure, gives rise to a high degree of reasonable expectation of protection (e.g., social insurance number).

• Subcontractor means any consultant, service provider, partner, or other duly authorized third party who holds, uses, accesses, hosts, or otherwise processes personal information at the request of Ici M Mécanique 360 ​​Auteuil.

• Standards means any generally accepted guidelines, best practices, norms, and industry standards to which Ici M Mécanique 360 ​​Auteuil adheres. • Process or treatment refers to any operation applied to personal information, such as collecting, reading, recording, organizing, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating (or otherwise making available), combining (or interconnecting), blocking, erasing, destroying, or anonymizing.

Unless the context otherwise requires, grammatical variations of any defined term have a similar meaning, and the singular includes the plural, and the masculine includes the feminine, and vice versa.

 

4. Guiding Principles

As part of its mission and activities, Ici M Mécanique 360 ​​Auteuil is called upon to hold and/or process various types of personal information. To this end, Ici M Mécanique 360 ​​Auteuil emphasizes the importance of all processing being carried out in accordance with the following guiding principles:

• the collection of personal information must be necessary, and required or permitted by law (and, where applicable, by any contract);

• All personal information is considered, by default, confidential and is treated as such;

• No personal information may be processed unless the required consents have been obtained or such processing is permitted or required by law;

• The protection of personal information must be ensured, among other things, by implementing and complying with adequate security measures;

• Personal information may only be retained for the period required for the purposes for which it was collected (subject to applicable legal and contractual exceptions); and

• Any request (for access, rectification, or otherwise) and any confidentiality incident must be immediately reported to the Privacy Officer.

 

5. Privacy Officer

 

Ici M Mécanique 360 ​​Auteuil is an affiliate of M Mécanique 360. The Privacy Officer of M Mécanique 360 ​​Auteuil ensures compliance with and implementation of applicable privacy requirements:

M Mécanique 360 ​​Auteuil

Privacy Officer

5300 Boulevard des Laurentides, Laval, QC, H7K 2J8, mmufflerauteuil@gmail.com, Julien Ducharme

6. Personal Information Concerning Employees

This section applies to the personal information that Ici M Mécanique 360 ​​Auteuil collects or otherwise processes regarding its employees. This collection and processing of personal information will only be done to the extent (i) required to manage its employment relationship with its employees; (ii) permitted by law; or (iii) necessary to comply with applicable legal and contractual requirements. These processes will take place as provided for in the governance policy.

 

i. COLLECTION AND USE OF PERSONAL INFORMATION BY ICI M MÉCANIQUE 360 AUTEUIL

Ici M Mécanique 360 ​​Auteuil collects personal information that is required or optional to manage its employment relationship with its employees.

Except as otherwise provided by law, when Ici M Mécanique 360 ​​Auteuil collects, uses, or discloses personal information that is not necessary to manage the employer-employee relationship, the employee's consent is required. Similarly, when personal information is collected to manage the employer-employee relationship, and Ici M Mécanique 360 ​​Auteuil wishes to use or disclose it for other purposes, consent is also required.

 

• When personal information is collected and used to manage the employer-employee relationship, only Ici M Mécanique 360 ​​Auteuil employees whose duties require it will have access to this personal information.

• Similarly, Ici M Mécanique 360 ​​Auteuil will only disclose personal information to third parties who need it to fulfill their contractual obligations to Ici M Mécanique 360 ​​Auteuil, who are bound by the confidentiality obligations imposed by Ici M Mécanique 360 ​​Auteuil, or when Ici M Mécanique 360 ​​Auteuil sincerely believes it is required to do so by law (for example, to tax authorities and law enforcement agencies) or for the protection of Ici M Mécanique 360 ​​Auteuil, its property, or its employees. Otherwise, consent to the disclosure of personal information is required.

 

• Ici M Mécanique 360 ​​Auteuil may make available to its employees one or more networks that allow them: (i) to exchange information among themselves; and/or to communicate with third parties (including subcontractors or professionals) for business purposes; and (ii) to access the Internet as well as information and documentation from Ici M Mécanique 360 ​​Auteuil. Use of the network, information and material that is the property of Ici M Mécanique 360 Auteuil is limited to the business of Ici M Mécanique 360 ​​Auteuil. However, Ici M Mécanique 360 ​​Auteuil is aware that limited use of the network or technological equipment provided by Ici M Mécanique 360 ​​Auteuil to its employees may be necessary during working hours for personal purposes (e.g., scheduling personal appointments) (collectively, personal communications). Employees cannot have a reasonable expectation of privacy regarding personal communications made using the network or computer equipment of Ici M Mécanique 360 ​​Auteuil.

 

ii. DISCLOSURE OF PERSONAL INFORMATION THROUGH ICI M MÉCANIQUE 360 AUTEUIL

Ici M Mécanique 360 ​​Auteuil will not provide personal information about its employees to third parties without their consent, except as provided by law or in accordance with this policy, including, if necessary: ​​(i) to manage the employer-employee relationship; (ii) to enable a third party to perform its contractual obligations to an employee or to Ici M Mécanique 360 ​​Auteuil; or (iii) if, in good faith, Ici M Mécanique 360 ​​Auteuil believes that such action is reasonably necessary to comply with legal process or respond to requests, or to protect the rights, property, or safety of Ici M Mécanique 360 ​​Auteuil, its representatives, employees, and clients, or the public. Furthermore, only Ici M Mécanique 360 ​​Auteuil employees whose duties require it will have access to personal information. The following are examples of the various categories to which the disclosure of personal information may apply:

 

Third Party Purposes Information Provided

Subcontractors (Suppliers and Consultants – Group Benefit Plans) To provide benefit programs to Ici M Mécanique 360 ​​Auteuil employees, administer claims, and track and calculate benefit accruals. Name, date of birth, home address and telephone number, marital status, dependent information, salary, medical questionnaire, type of coverage, claim information, social insurance number, etc.

Subcontractors (Payroll Department) To provide direct deposit and payroll processing services to Ici M Mécanique 360 ​​Auteuil employees. Name, date of birth, home address and telephone number, compensation information, social insurance number, tax information.

Subcontractors (IT services, etc.) Assist Ici M Mécanique 360 ​​Auteuil with certain personnel management tasks. Information required by subcontractors to provide services.

Tax authorities. Comply with Ici M Mécanique 360 ​​Auteuil's obligations under relevant tax legislation. Income or remuneration, social insurance number, other personal information such as age or residential address required by tax authorities.

References (provided by an applicant) Ensure the veracity of the information received from the applicant and obtain the reference's opinion on their abilities. Applicant's name, relevant excerpts from the application.

Emergency services Ensure the safety of the persons concerned in the event of an emergency. Names and information required by the services.

Law enforcement agencies or government authorities. Where appropriate, prevent, detect, or terminate an offense, ensure compliance with the law, and comply with a court or tribunal order. All relevant information for this purpose.

By submitting personal information to Ici M Mécanique 360 ​​Auteuil, employees acknowledge having consented to the collection, use, and disclosure practices set out in this policy. Any employee may withdraw their consent at any time with respect to personal information that is not required to manage the employer-employee relationship, to allow a third party to perform its contractual obligations to them or to Ici M Mécanique 360 ​​Auteuil, or for any other purpose described herein by contacting the Privacy Officer at Ici M Mécanique 360 ​​Auteuil in writing. However, by making this choice, the employee may limit Ici M Mécanique 360 ​​Auteuil's ability to serve them and provide benefits or perform any other applicable tasks or functions.

 

7. Personal Information Concerning Any Other Person

Ici M Mécanique 360 ​​Auteuil may also process the personal information of individuals who communicate with it. This processing will take place based on consent or in a situation that is permitted or required by law.

 

8. Consent

Ici M Mécanique 360 ​​Auteuil recognizes the importance of obtaining valid consent in connection with the collection or any other processing of personal information. The consent obtained must take into account the following requirements:

Consent Criteria

Personal Information • be manifest (i.e., it must be obvious, certain, and indisputable, leaving no doubt as to the wishes expressed therein);

• be freely given (i.e., given without coercion);

• be informed (i.e., precise and rigorous, and allow the individual concerned to give their consent in full knowledge of the facts);

• be given for specific purposes (i.e., for each of these purposes. It cannot therefore be general or encompass other purposes);

• be requested for each of the applicable purposes (i.e., the individual must be able to confirm their intention with respect to each purpose);

• be requested in simple and clear terms;

• be presented separately from any other information communicated to the individual concerned when the request for consent is made in writing;

• be valid only for the period of time necessary to achieve the purposes for which it was requested (i.e., the number of days, months, or years required, or until the occurrence or completion of an event).

Sensitive Information

• be expressly formulated;

• otherwise comply with the requirements applicable to any consent to the processing of personal information.

The law recognizes certain situations where the individual's consent will not be sought or will not have to be sought. Please consult the Privacy Officer in this regard. Note that when an individual requests it, assistance is provided to help them understand the scope of the consent requested.

 

9. Retention, Destruction, and Anonymization

Subject to a retention period prescribed by law, when the purposes for which personal information was collected or used have been fulfilled, Ici M Mécanique 360 ​​Auteuil will: (i) securely destroy this personal information; or (ii) if applicable, anonymize the information for use for serious and legitimate purposes, according to the criteria established by regulation. To comply with the above, Ici M Mécanique 360 ​​Auteuil has developed a Retention Policy for Documents Containing Personal Information.

 

10. Procedures and Standards for the Communication of Personal Information Outside Quebec

To comply with applicable legal requirements and ensure the confidentiality and security of all personal information, Ici M Mécanique 360 ​​Auteuil will conduct a privacy impact assessment before communicating personal information outside Quebec.

This assessment will take into account, in particular: (i) the sensitivity of the personal information; (ii) the purpose of its use; (iii) the protective measures, including contractual ones, that would apply to the personal information; and (iv) the legal framework applicable in the country where the personal information would be disclosed.

For the purposes of this assessment, the privacy officer will be consulted from the outset of the project. Ici M Mécanique 360 ​​Auteuil's legal advisors, as well as any other stakeholders deemed necessary/desirable, may also be involved or consulted.

Disclosure may take place if the assessment demonstrates that the personal information would benefit from adequate protection, particularly with regard to generally accepted privacy principles. The disclosure must be the subject of a written agreement that takes into account, among other things, the results of the assessment and, where applicable, the agreed terms and conditions to mitigate the risks identified during the assessment. The same applies when Ici M Mécanique 360 ​​Auteuil entrusts a person or organization outside Quebec with the task of collecting, using, disclosing, or storing such information on its behalf.

In order to comply with the above, Ici M Mécanique 360 ​​Auteuil will develop a Privacy Impact Assessment Model for the disclosure of personal information outside Quebec, in accordance with the law.

 

11. Procedure and Standards for the Disclosure of Personal Information for Study, Research, or Statistical Purposes

In accordance with the requirements of the law, Ici M Mécanique 360 ​​Auteuil may disclose personal information without the consent of the individuals concerned to a person or organization that wishes to use this information for study, research, or statistical purposes. To do so, Ici M Mécanique 360 ​​Auteuil must first complete a privacy impact assessment. This assessment must conclude:

• that the purpose of the study, research, or statistical production can only be achieved if the personal information is disclosed in a form that allows the individuals concerned to be identified;

• that it is unreasonable to require the person or organization to obtain the consent of the individuals concerned;

• that the purpose of the study, research, or statistical production outweighs, in light of the public interest, the impact of the disclosure and use of the information on the privacy of the individuals concerned;

• that the personal information is used in a manner that ensures its confidentiality; and

• that only necessary personal information is disclosed.

Prior to disclosing the personal information in question, Ici M Mécanique 360 ​​Auteuil must enter into an agreement with the person or organization to which it is transmitting it that complies with the requirements of the law. In order to comply with the above, Ici M Mécanique 360 ​​Auteuil will develop a Privacy Impact Assessment Model for the disclosure of personal information for study, research, or statistical purposes, in accordance with the law.

 

12. Technology Projects Involving Personal Information

In order to comply with applicable legal requirements and ensure the confidentiality and security of personal information, Ici M Mécanique 360 ​​Auteuil will conduct a Privacy Impact Assessment for any project involving the acquisition, development, or redesign of an information system or electronic service delivery involving the collection, use, disclosure, retention, or destruction of personal information. This assessment must be proportionate to the sensitivity of the personal information concerned, the purpose of its use, its quantity, distribution, and medium.

For the purposes of this assessment, the Privacy Officer will be consulted from the outset of the project. Ici M Mécanique 360 ​​Auteuil's legal advisors, as well as any other stakeholders deemed necessary or desirable, may also be involved or consulted.

Ici M Mécanique 360 ​​Auteuil will ensure that any project allows for computerized personal information collected from the individual concerned to be communicated to that individual in a structured and commonly used technological format.

To comply with the above, Ici M Mécanique 360 ​​Auteuil will develop a Privacy Impact Assessment Model for technology projects involving personal information, in accordance with the law.

 

13. Use of Identification, Location, or Profiling Technology

From time to time, Ici M Mécanique 360 ​​Auteuil may use technology that includes features that allow for the identification, location, or profiling of an individual. Ici M Mécanique 360 ​​Auteuil will comply with the legal requirements in this regard.

 

14. Decision-Making Based on the Automated Processing of Personal Information

From time to time, Ici M Mécanique 360 ​​Auteuil may use personal information to render a decision based exclusively on automated processing. In all cases and in accordance with the law, Ici M Mécanique 360 ​​Auteuil will ensure that the individual concerned is informed of this fact, at the latest when Ici M Mécanique 360 ​​Auteuil's decision is communicated to them, in addition to complying with other legal requirements in this area.

 

15. Security Measures

Ici M Mécanique 360 ​​Auteuil monitors the use of the network, communications, and information, including personal communications. Electronic monitoring includes activities such as logging employee access to the network, communications, and information; accessing and recording communications sent or received by email or any other electronic messaging method; and monitoring Internet usage, which may identify the servers and sites that Ici M Mécanique 360 ​​Auteuil employees have accessed. Ici M Mécanique 360 ​​Auteuil monitors network usage, communications and information, including personal communications, for maintenance and security purposes; to ensure use of the network, communications and information in accordance with Ici M Mécanique 360 ​​Auteuil policies and the law; and, when deemed necessary or useful, to protect the rights, property or safety of Ici M Mécanique 360 ​​Auteuil, its representatives, employees and customers, or the public, but does not limit its ability to use information collected through electronic surveillance. For these same purposes, it does the following:

• it periodically makes backup copies of communications, information, and personal communications that are kept in accordance with the Retention Policy for Documents Containing Personal Information, in Appendix 1 hereto;

• it may require access to equipment owned by both Ici M Mécanique 360 ​​Auteuil and its employees and used to access the network, including passwords protecting this equipment;

• it may copy, use, and disclose to third parties, including law enforcement agencies in Canada or elsewhere, communications, information, and personal communications.

Upon leaving Ici M Mécanique 360 ​​Auteuil:

• all communications, information, and personal communications may be copied for future use or disclosure;

• only to the extent possible will an effort be made to destroy personal communications;

• At Ici M Mécanique 360 ​​Auteuil's discretion, it may allow an employee to copy or retain personal communications;

• All electronic devices belonging to Ici M Mécanique 360 ​​Auteuil are returned to it, and Ici M Mécanique 360 ​​Auteuil employees are prohibited from copying or retaining information or communications on any Ici M Mécanique 360 ​​Auteuil device or personal device.

Electronic passes issued to Ici M Mécanique 360 ​​Auteuil employees may record the time and location of their use, and security cameras installed on Ici M Mécanique 360 ​​Auteuil premises videotape key areas of Ici M Mécanique 360 ​​Auteuil establishments. Information from electronic passes and security camera recordings may be accessed and used for security purposes or to comply with Ici M Mécanique 360 ​​Auteuil policies. Depending on the location of your workstation, certain information associated with your electronic pass and security cameras may be collected by the building manager or owners, and in such cases, this information is subject to the owner's/manager's privacy policy.

Ici M Mécanique 360 ​​Auteuil implements various security measures to ensure the protection of the personal information it processes, which are reasonable given, in particular, its sensitivity, purpose of use, quantity, distribution, and medium, including the following:

 

i. INTERNAL MEASURES

Ici M Mécanique 360 ​​Auteuil implements various internal security measures, including the following:

Separation of Roles, Responsibilities, and Duties

The separation of incompatible functions and access is one of the pillars of effective control, designed to prevent or reduce the risk of privacy breaches (for example, by ensuring that a single individual cannot control all phases of a process). To this end, Ici M Mécanique 360 ​​Auteuil ensures that access to personal information is limited to employees and/or subcontractors with a need-to-know basis. Software and Equipment Installation

All software or equipment installations are performed exclusively under the supervision or pre-approval of the IT team to ensure that risks have been validated and understood, that user agreements and rights are consistent with the intended use, that applications are standardized, and that platforms comply with configuration standards.

Privacy Impact Assessment and Risk Assessment

Privacy impact assessments, aimed at better protecting personal information and respecting the privacy of the individuals concerned, are conducted in accordance with the law and as further detailed in this Policy.

Training and Awareness

Ici M Mécanique 360 ​​Auteuil takes all reasonably required measures to ensure that all its employees and subcontractors are aware of the privacy rules as provided for in applicable laws and standards, as well as in this Policy. Ongoing awareness and training are essential to ensure the protection of personal information. Likewise, the procedure in the event of confidentiality incidents is known to the person responsible for the protection of personal information, the managers and the relevant technical staff of Ici M Mécanique 360 ​​Auteuil. Finally, Ici M Mécanique 360 ​​Auteuil ensures that it dispenses with personal information protection training for employees, to the extent that their duties justify the provision of such training.

Information Systems Protection

The level of protection granted to information systems is determined based on the results of the risk assessment and the required security. Furthermore, all access to systems must allow for the identification of the user, and security measures must be applied throughout the lifecycle of personal information. Finally, the protection of personal information relies on the ongoing involvement of each employee, who must, in particular: (i) use all resources with discernment for the intended purposes and in compliance with applicable laws and standards, as well as with the instructions of Ici M Mécanique 360 ​​Auteuil; (ii) choose complex passwords; (iii) maintain the security and confidentiality of all passwords and identifiers; and (iv) not store personal information on technologies other than those specifically authorized by Ici M Mécanique 360 ​​Auteuil. Transmission of Information

Personal information must be transmitted, exchanged, or otherwise transferred outside the Ici M Mécanique 360 ​​Auteuil network securely. Any transfer of personal information to unauthorized external sources is expressly prohibited.

Business Continuity

Ici M Mécanique 360 ​​Auteuil has technological and procedural measures in place to ensure the restoration of essential operations within a reasonable time in the event of a disaster (e.g., major cyberattack, flood, fire, etc.).

ii. MEASURES RELATING TO SUBCONTRACTORS

Subject to applicable laws, Ici M Mécanique 360 ​​Auteuil ensures compliance with the following when personal information must be processed by subcontractors so that they can carry out the mandate/contract entrusted to them:

• enter into a written contract, and indicate the legal provisions that apply to the personal information, the measures that must be taken to ensure that it is used only in the exercise of the mandate/contract and that it is not retained after its expiration, and any other provisions required by law;

• where applicable, ensure that any subcontractor takes the necessary measures to ensure that any third party that may assist it in carrying out the contract/mandate entrusted to it is required to comply with confidentiality obligations at least as stringent as those incumbent on the subcontractor (including those stipulated in the contract/mandate and this policy).

In this regard, Ici M Mécanique 360 ​​Auteuil has developed model contractual clauses. These models will be adjusted on a case-by-case basis, depending on the contracting party and the content of the contract to be developed with them.

iii. CONFIDENTIALITY INCIDENTS

Various situations, including the following, constitute confidentiality incidents:

• An employee or subcontractor accesses personal information that is not necessary for the performance of their duties, exceeding the access rights granted to them;

• A hacker infiltrates a system;

• An employee or subcontractor uses personal information from a database to which they have access as part of their duties to impersonate an individual;

• A communication made by mistake to the wrong recipient;

• An employee or subcontractor loses or has documents containing personal information stolen;

• A third party accesses a database containing personal information in order to alter it.

Ici M Mécanique 360 ​​Auteuil will comply with all legal requirements in the event of a confidentiality incident.

Ici M Mécanique 360 ​​Auteuil maintains a record of confidentiality incidents and will provide a copy to the Commission d'accès à l'information upon request.

 

16. Requests for Access, Rectification, and Others

Any request for access or rectification must be made in writing and addressed to the Privacy Officer. When the request is insufficiently specific, or when a person requests it, the person in charge will assist that person in identifying the personal information sought. The person in charge's duty to assist includes the following:

1. When the request is insufficiently specific, or when a person requests it, the person in charge will assist that person in identifying the personal information sought. 2. Subject to applicable laws and following a request made to this effect by an employee or any other person, the controller will:

(i) Confirm the existence of personal information it holds concerning the requester and, where applicable, provide it to the requester (or will allow a copy to be obtained); and

(ii) Correct any personal information concerning them that is inaccurate, incomplete, or ambiguous.

3. In the event of a refusal to comply with a request for access, the reasons for this refusal will be communicated to the requester in accordance with the law. The person in charge will then provide assistance to the requester who requests it to help them understand the refusal.

In practice, the person in charge will ensure:

1. Offer reasonable assistance throughout the process of processing your request;

2. Provide information about the Act, particularly regarding the processing of a request and the right to file a complaint with the Commission d'accès à l'information;

3. Communicate with the requester if clarification is required regarding your request, such communication taking place as soon as reasonably possible;

4. Make reasonable efforts to locate and retrieve the requested documents;

5. ensure that the exemptions invoked (in connection with a refusal to disclose all or part of documents) are specific and limited (to such documents);

6. provide responses that, to the best of their knowledge, are accurate and complete;

7. promptly provide the information requested as part of the access process; and

8. if applicable, provide the documents in the requested format or, as the case may be, provide an appropriate location to examine the documents requested.

Although the duty to provide assistance is not subject to any parameters in the Act, the person responsible is required to provide it diligently and reasonably. This does not, however, require the person responsible to provide the same explanations to an individual multiple times. Once the person responsible has provided all the information necessary to help the individual understand the decision, they may choose to stop providing explanations.

 

17. Dissemination and Update of the Policy

This policy will be made available to all employees upon hiring and will be brought to their attention again periodically. This policy will also be made available, in whole or in part, to each subcontractor upon the conclusion of any contract if required to ensure adequate protection of personal information, and in particular, to inform the subcontractor of the applicable requirements. This policy must not be shared with other persons (subject to applicable regulatory authorities) unless Ici M Mécanique 360 ​​Auteuil has authorized it in advance and in writing.

In accordance with applicable legal requirements, Ici M Mécanique 360 ​​Auteuil will periodically review this policy. These revisions may take place when new requirements under applicable laws come into effect, following the publication of guidelines by the Commission d’accès à l’information, or otherwise when deemed necessary or desirable. The policy may then be revised or supplemented by other policies.

The updated policy (or any other relevant policy) will be made available. Anyone can determine if this policy has changed by checking the effective date.

 

18. Contacting Ici M Mécanique 360 ​​Auteuil

a. GENERAL

Requests, questions, or comments should be directed to the Privacy Officer at the contact information provided in Section 5.

b. COMPLAINTS

Anyone wishing to file a complaint regarding the collection, retention, use, disclosure, or destruction of personal information by Ici M Mécanique 360 ​​Auteuil may contact the Commission d'accès à l'information (Access to Information Commission); in such a case, the complaint must be submitted in writing according to the applicable process (detailed in particular on its website available here).

Anyone may also file a complaint with Ici M Mécanique 360 ​​Auteuil using the contact information provided in Section 5. This will involve the following steps:

1. Submitting the complaint. Basic personal information such as name, telephone number, and email or postal address must be provided, as well as general information about the complaint, including: (i) on whose behalf the complaint is made; (ii) the type of complaint; and (iii) any other details deemed relevant to the request (e.g., request number, date of request, relevant facts, etc.).

2. Review. The complaint will be reviewed as soon as possible. Any other information required will be requested, if applicable. Following the investigation, the person who filed the complaint will be contacted.

APPENDIX 1

Policy for the Retention of Documents Containing Personal Information

1. OBJECTIVES AND SCOPE

Ici M Mécanique 360 ​​Auteuil places great importance on the protection of personal information.

Personal information.

In this regard and in accordance with the Act, Ici M Mécanique 360 ​​Auteuil has developed this policy to confirm in writing: (i) the requirements applicable to the retention of documents containing personal information; (ii) the types of documents containing personal information held by Ici M Mécanique 360 ​​Auteuil; (iii) the confidentiality levels of the Documents; (iv) the types of media used for these Documents to associate them with an appropriate retention method and destruction method; and (v) the document retention schedule that complies with applicable legal requirements. This policy applies to all documents held by Ici M Mécanique 360 ​​Auteuil, regardless of their medium (paper, electronic, or other), including:

• those legally held by Ici M Mécanique 360 ​​Auteuil (i.e., those generated on its behalf and in the course of its activities), regardless of whether Ici M Mécanique 360 ​​Auteuil physically holds them or whether this is held by a third party (hosting its Documents); and

• where applicable, those belonging to third parties and physically held by Ici M Mécanique 360 ​​Auteuil for the performance of contracts or otherwise.

 

2. DEFINITIONS AND INTERPRETATION

In this policy, the following terms have the meanings given to them below:

• Document refers to all documents, records, and other files kept in paper, electronic, or any other medium or format, and which contain Personal Information. • Personal information means any information that relates to a natural person and that allows them to be identified, directly or indirectly.

• Privacy Officer refers to the Privacy Officer of Ici M Mécanique 360 ​​Auteuil.

• Ici M Mécanique 360 ​​Auteuil refers to Ici M Mécanique 360 ​​Auteuil.

Unless the context otherwise requires, grammatical variations of any defined term have a similar meaning, and the singular includes the plural, and the masculine includes the feminine, and vice versa.

 

3. RESPONSIBILITIES

In accordance with the law, the Privacy Officer ensures compliance with and updating of this policy.

Each manager or team leader will ensure, where applicable, that this policy is implemented within their respective work team, and will submit any questions or requests related to the retention of documents (including their destruction) to the Privacy Officer.

 

4. RETENTION PRINCIPLES

Ici M Mécanique 360 ​​Auteuil collects and processes various documents and personal information as part of its business. This personal information is collected and processed, and these documents are created/received and processed for serious, legitimate, and predetermined purposes (subject to applicable legal exceptions, if applicable).

During this period, documents and personal information will be kept securely, and access will be limited to employees and, where applicable, subcontractors or advisors of Ici M Mécanique 360 ​​Auteuil who require access to them as part of their employment or mandate.

In order to comply with the above, Ici M Mécanique 360 ​​Auteuil has developed a Document Retention Schedule, available below. This schedule indicates the retention period deemed appropriate by Ici M Mécanique 360 ​​Auteuil for these different types of documents (and the personal information contained therein). Thus, such Documents will be retained for the period indicated in the retention schedule, unless otherwise instructed in writing in the event that certain Documents (or the Personal Information they contain) must be retained for an additional period of time, as permitted or required under applicable law.

 

5. DESTRUCTION PRINCIPLES

When the purposes for which these documents (or the Personal Information contained therein) are fulfilled, such documents/personal information will be destroyed, unless the law imposes a specific retention period for such personal information or Document.

Periodically, the Privacy Officer, in consultation with the applicable managers and team leaders, will ensure that documents that have reached the retention period prescribed in the retention schedule are, depending on the document format, securely erased or otherwise destroyed.

 

6. CONTACTS

For any questions regarding this policy, please contact the Privacy Officer:

Privacy Officer

Name of Officer: Julien Ducharme

Address: 5300 boulevard des Laurentides, Laval, QC, H7K 2J8

Email: mmufflerauteuil@gmail.com

Phone: 450-628-5300

 

7. DISSEMINATION AND UPDATING OF THE POLICY

This policy will be available to all employees on the Ici M Mécanique 360 ​​Auteuil intranet. In addition, this policy will be brought to the attention of any employee involved in document management upon hiring or at any other time deemed appropriate.

Ici M Mécanique 360 ​​Auteuil reserves the right to update or otherwise modify this policy from time to time. Any substantial changes will be brought to the attention of the relevant employees by any means deemed acceptable by the Privacy Officer. Subsequently, the updated policy will be made available and easily accessible on the Ici M Mécanique 360 ​​Auteuil intranet. A new version of this policy will also be published whenever a minor modification is made. You can determine if this policy has changed by looking at the effective date indicated on its first page. Ici M Mécanique 360 ​​Auteuil recommends that this policy be reviewed periodically to ensure that all affected individuals remain aware of Ici M Mécanique 360 ​​Auteuil's current practices regarding document retention and destruction and comply with them at all times.

 

APPENDIX 2

Requests for Access, Rectification, or Other Information

1. General Principles: Any individual may request:

o confirmation of the existence of personal information concerning them and disclosure, allowing them to obtain a copy of it.

o rectification of any personal information concerning them that is inaccurate, incomplete, or ambiguous, or if its collection, disclosure, or retention is not authorized by law;

o cessation of the dissemination, where applicable, of any information concerning them or the de-indexing of any hyperlink attached to their name that allows access to this information by technological means, when the dissemination of this information contravenes the law or a court order; and

o re-indexing of any hyperlink attached to their name when the prescribed requirements are met.

Ici M Mécanique 360 ​​Auteuil takes the necessary measures to ensure that all individuals can exercise their rights. Ici M Mécanique 360 ​​Auteuil informs the public of the location where this personal information is accessible and the means of accessing it.

2. Request. The request for access or rectification must be made in writing, and the individual making the request must provide proof of identity. The request is addressed to the Privacy Officer. When the request is not sufficiently specific or when the applicant so requests, the Access Officer provides assistance in identifying the information sought. 3. Acknowledgment of Receipt: The manager may notify the person who made a written request of the date of receipt of the request.

4. Research and Analysis. The manager conducts or arranges for a search within Ici M Mécanique 360 ​​Auteuil of the documents covered by the access or rectification request. The manager also analyzes the request from a legal perspective and determines whether the request will be fully accepted, partially accepted, or refused, and for what reasons, in consultation with any member of management, if necessary.

5. Results of the Analysis. If a document covered by the access request contains:

o any information covered by an access exception, then such information will not be disclosed; or

o any personal information of a third party, then such information must be redacted before the document is disclosed, unless the third party concerned has consented to such disclosure.

6. Response. The manager prepares the response to the access request. If the disclosure of documents or information is refused or partially accepted, the person responsible shall provide reasons for the refusal and indicate: (i) the provision of the Act on which the refusal is based; and (ii) the remedies available to the requester under the Act and the time limit within which they may be exercised. The person responsible shall also provide assistance to the requester who requests it to help them understand the refusal. When the person responsible for access grants a request for rectification, they must, in addition to other applicable legal obligations, provide the person who made it with a copy of any amended or added personal information, or, as the case may be, a certificate, free of charge.

Failure to respond to a request for access within the applicable 30-day period shall be deemed to have refused access to the document. In the case of a written request, this failure gives rise to the review procedure provided for in the Private Access Act as if it were a refusal of access.

7. Retention. The access officer ensures that any information which has been the subject of an access request is it retained the time required to allow the applicant to exhaust the remedies provided for in the Law.