Personal Information and Confidentiality Policy
1. Context
Lepage Millwork's core business is not in the field of personal data. Therefore, Lepage Millwork will not analyze or process your data beyond what is necessary in order for us to provide you with high quality services and products. This means that we do NOT use your data to monitor or profile you beyond what is necessary for our business activities.
The purpose of this policy is to ensure the protection of personal information and to govern the manner in which Lepage Millwork collects, manages, uses, communicates, retains and destroys such personal information. This policy is intended to inform all of Lepage Millwork’s stakeholders of the way the company handles their personal information. It also covers the processing of personal information collected by Lepage Millwork through technological tools and processes.
2. Application and Definitions
This policy applies to Lepage Millwork, including but not limited to its officers, employees, consultants, volunteers, and any person who otherwise provides services on behalf of Lepage Millwork. It also applies to Lepage Millwork's website, as well as to all websites controlled and maintained by Lepage Millwork, as the case may be.
It applies to all types of personal information managed by Lepage Millwork, such as information of its clients, potential or actual, its consultants, its employees, its members or any other person (such as visitors to its websites or otherwise).
For the purpose of this policy, personal information relates to any information about an individual that, directly or indirectly, allows the identification of that individual. For example, it could include a person's name, address, e-mail address, telephone number, gender, banking information, health information, ethnic origin, language, etc.
Sensitive personal information relates to information towards which there is a high reasonable expectation of privacy, e.g. health information, banking information, biometric information, sexual orientation, ethnic origin, political opinions, religious or philosophical beliefs, etc.
On a general basis, an individual's professional or business contact information is not considered personal information. More specifically, as part of Quebec's Act respecting the protection of personal information in the private sector, and as of September 22, 2023, sections 3 (collection, use, communication), 4 (retention and destruction) and 6 (data security) do not apply to any information on an individual relating to the exercise of its business functions, such as name, title, function, as well as the address, e-mail address and telephone number of the individual's workplace.
These same paragraphs do not apply to personal information that is of public nature by law, as of the effective date of this policy.
3. Collection, Use and Communication
Most services, including the access to our websites, as well as the products we offer, require us to collect only a limited amount of data. In such cases, we will ask you to provide us with your name, a means of contacting you (such as a telephone number or e-mail address) and, where applicable, a postal address or other form of geolocation; all of this for the purpose of delivering our products or our services.
If you subscribe to one of our newsletters or request to receive marketing materials and information about our products and services, we will need your name, e-mail address and details of your interests so that we can provide you with the relevant information. The same data will be required if you request more information about our products and services at events, such as trade shows, or if you contact us by phone.
If you are a current or potential business partner, we collect basic data about the people with whom we communicate, such as their names, titles and contact details.
If you apply for a job with Lepage Millwork, we will collect the data you provide us with through our websites or any other form of communication, such as your resume and any forms you may fill out.
Lepage Millwork will also inform all individuals, at the time of collection of personal information, of any other information being collected, the purposes for which it is being collected and the means of collection, in addition to any other information to be provided as required by law.
Lepage Millwork applies the following guiding principles to the collection, use and disclosure of personal information:
Consent:
- In general, Lepage Millwork collects personal information directly from the individual with his or her consent, unless an exception is provided by law. Consent may be implied in certain situations, for example, when the individual decides to provide his or her personal information after having been informed by this policy of the use and disclosure herein described. Thus, this policy and the information it contains will be available to the person concerned at the time personal information is collected.
- Normally, Lepage Millwork must also obtain the consent of the person concerned before collecting his or her personal information from third parties, before communicating it to third parties or for any secondary use thereof. However, Lepage Millwork may act without consent in certain cases provided for by law and under the conditions set forth therein. The main situations in which Lepage Millwork may act without consent are indicated in the relevant sections of this Policy.
Collection:
- Lepage Millwork will only collect information if there is a valid reason to do so. In addition, the collection of information will be limited to that which is necessary to fulfill the purpose for which it is collected.
- Please note that Lepage Millwork's services and programs are not intended for minors, and more generally, Lepage Millwork does not intentionally obtain personal information from minors (in such cases, information cannot be collected from them without the consent of a parent or a legal guardian).
- Collection from third parties. Lepage Millwork may collect personal information from third parties. Unless an exception is provided by law, Lepage Millwork will seek the consent of the individual concerned before collecting personal information about him or her from a third party. In the event that such information is not collected directly from the individual, but from another organization, the individual may request the source of the information collected from Lepage Millwork.
In certain instances, Lepage Millwork may also collect personal information from third parties, without the consent of the person concerned, if there is a serious and legitimate interest in doing so and a) if the collection is in the interest of the person and it is not possible to collect it from him or her in a timely manner, or b) if such collection is necessary to ensure that the information is accurate.
This collection through third parties may be necessary in order to use some of Lepage Millwork’s products or services, or to do business with Lepage Millwork. When required, Lepage Millwork will obtain consent from the individual at the appropriate time.
Storage and Use:
- Lepage Millwork ensures that all personal information it holds relating to an individual is current and accurate at the time it is used.
- Lepage Millwork may only use an individual's personal information for the purposes identified herein or for any other purposes provided at the time of collection. Should Lepage Millwork wish to use such information for another reason or purpose, a new consent must be obtained from the person concerned, which must be timely obtained in the case of sensitive personal information. However, in certain cases provided for by law, Lepage Millwork may use information for secondary purposes without the consent of the individual, e.g.:
  - when such use is clearly for the benefit of the individual;
  - when necessary to prevent or detect fraud;
  - when necessary to evaluate or improve protection and security measures.
- Limited access. Lepage Millwork shall implement measures to limit access to personal information only to employees and individuals within its organization who have a right to know the information and for whom the information is necessary in the performance of their duties. Lepage Millwork will seek the consent of the individual before granting access to any other person.
Communication:
- Generally, and unless an exception is indicated in this policy or otherwise provided by law, Lepage Millwork will obtain the consent of the individual concerned before disclosing his or her personal information to a third party. In addition, where consent is required and where sensitive personal information is involved, Lepage Millwork will obtain the individual's consent prior to disclosing the information.
- However, disclosure of personal information to third parties is sometimes necessary. Therefore, personal information may be disclosed to third parties without the prior consent of the individual concerned in certain cases, including, but not limited to, the following:
  - Lepage Millwork may communicate personal information, without the consent of the person concerned, to a public entity (such as the government) which, through one of its representatives, collects it in the exercise of its role or for the implementation of a program under its management.
  - Personal information may be transmitted to service providers to whom it is necessary to communicate the information, without obtaining the individual's prior consent. For example, (1) Lepage Millwork's subcontractors executing contracts authorized by Lepage Millwork, and (2) cloud service providers. In such cases, Lepage Millwork must have written contracts with these suppliers indicating the measures to be taken to maintain confidentiality of the personal information communicated, that the use of this information is made only in the context of the execution of the contract and that they shall not retain this information beyond its expiry. Moreover, such contracts must provide that suppliers are required to notify Lepage Millwork's Privacy Officer (identified in this policy) of any breach or attempted breach of confidentiality obligations with respect to the personal information communicated and must permit such officer to conduct any audit relating to such confidentiality.
  - If necessary for the purposes of concluding a business transaction, Lepage Millwork may also disclose personal information, without the consent of the person concerned, to the other party involved in the business transaction and subject to the conditions provided by law.
Disclosure outside Quebec
Personal information held by Lepage Millwork may be disclosed outside Quebec, for example, when Lepage Millwork uses cloud service providers whose server(s) are located outside Quebec or when Lepage Millwork deals with subcontractors located outside the province.
Additional information on the technologies used:
Use of cookies
Cookies are data files sent to a website visitor's computer by his Web browser when he or she visits the site and can serve several purposes.
Websites controlled by Lepage Millwork use cookies, in particular:
- To memorize visitors' settings and preferences, for example, language selection and tracking of the current session.
- For statistical purposes, to track visitors' behavior and content, and to help improve the website.
Websites controlled by Lepage Millwork use the following types of cookies:
- Session cookies: These are temporary cookies that are kept in memory for the duration of the website visit only.
- Persistent cookies: These are kept on the computer until they expire and will be retrieved the next time the site is visited.
Usage of Google Analytics
Some of Lepage Millwork's websites use Google Analytics for continuous improvement purposes. In particular, Google Analytics makes it possible to analyze how a visitor interacts with a Lepage Millwork website. Google Analytics uses cookies to generate statistical reports on the visitors’ behaviour on these websites and the content consulted.
Information from Google Analytics will never be shared by Lepage Millwork with third parties.
Other technologies used
Lepage Millwork also collects personal information through technological means such as web forms integrated into a website controlled by Lepage Millwork (for example, its contact form) as well as other platforms or form tools (e.g., Microsoft Forms).
If Lepage Millwork collects personal information by offering a technological product or service that has privacy settings, Lepage Millwork must ensure that these settings offer the highest level of privacy by default (cookies are not covered).
4. Conservation and Destruction of Personal Information
Unless a minimum retention period is required by applicable law or regulation, Lepage Millwork shall retain personal information only for as long as necessary to fulfill the purposes for which it was collected.
Personal information used by Lepage Millwork to make a decision about an individual must be retained for a period of at least one year following the said decision or, if there are tax implications, up to seven years after the end of the fiscal year in which the decision was made.
At the end of the retention period or when the personal information is no longer required, Lepage Millwork will:
- destroy it; or
- anonymize it (i.e., it irreversibly no longer identifies the individual and it is no longer possible to establish a link between the individual and the personal information) in order to use it for serious and legitimate purposes.
The destruction of information by Lepage Millwork must be done in a secure manner to ensure the protection of this information.
This section may be supplemented by any policies or procedures adopted by Lepage Millwork regarding the retention and destruction of personal information, if any. Please contact Lepage Millwork's Privacy Officer (identified in this policy) for further information.
5. Responsibilities of Lepage Millwork
In general, Lepage Millwork is responsible for the protection of any personal information it holds.
Lepage Millwork's Privacy Officer is the Information Technology Director (IT Director). In general, the IT Director is responsible for maintaining compliance with applicable legislation regarding the protection of personal information. The IT Director must approve the policies and practices governing the governance of personal information. More specifically, this person is responsible for implementing this policy and ensuring that it is known, understood and applied. In the event of the absence or inability of the Privacy Officer, Lepage Millwork's Human Resources Director will assume the duties of the Privacy Officer.
Lepage Millwork employees who have access to personal information or who are involved in the management of the company must ensure protection of personal information and comply with this policy.
The roles and responsibilities of Lepage Millwork's employees throughout the life cycle of personal information may be specified by any other Lepage Millwork policy in this regard, if applicable.
6. Data Security
Lepage Millwork is committed to implementing reasonable security measures to ensure the protection of personal information under its control. The security measures in place correspond, among other things, to the purpose, quantity, distribution and sensitivity of the information. This means that information that may be considered sensitive (see definition in section 2) will require more stringent security measures and greater protection. In particular, and in accordance with what was mentioned above regarding limited access to personal information, Lepage Millwork must put in place the necessary measures to constrain the rights of use of its information systems so that only employees who need to have access to personal information are authorized to access it.
7. Rights of Access, Rectification and Withdrawal of Consent
To exercise his or her right of access, rectification or withdrawal of consent, the person must submit a written request to Lepage Millwork's Privacy Officer, at the e-mail address indicated in the following section.
Subject to certain legal restrictions, individuals may request access to their personal information held by Lepage Millwork and request its correction if it is deemed inaccurate, incomplete or equivocal. They may also demand that the sharing of their personal information cease, or that any hyperlink attached to their name allowing access to this information by a technological means be deactivated, when the dissemination of this information contravenes the law or a court order. They may do the same, or require that the hyperlink providing access to this information be reactivated, when certain conditions provided for by law are met.
Lepage Millwork's Privacy Officer must respond in writing to such requests within 30 days from the date of the request. Any refusal must be justified and accompanied by the legal provision justifying the refusal. In such cases, the reply must indicate the remedies available under the law and the time limit for exercising them. The person in charge must help the applicant understand the refusal if necessary.
Subject to applicable legal and contractual restrictions, the persons concerned may withdraw their consent to the communication or use of the information collected.
They may also ask Lepage Millwork what personal information has been collected from them, what categories of people at Lepage Millwork have access to it and how long it will be kept.
8. Complaints Handling Process
Reception:
Any person who wishes to make a complaint regarding the application of this policy or regarding the protection of his or her personal information by Lepage Millwork, must do so in writing to Lepage Millwork's Privacy Officer at the e-mail address indicated in the following section.
The person must provide his or her name, contact information, including a telephone number, as well as the subject of the complaint and the reasons for the complaint, in sufficient detail for the complaint to be evaluated by Lepage Millwork. If the complaint is deemed incomplete or inaccurate, the Privacy Officer may request any additional information he or she deems necessary to assess the complaint.
Treatment:
Lepage Millwork will treat all complaints received confidentially.
Within 30 days following the receipt of the complaint or following the receipt of all additional information deemed necessary and required by Lepage Millwork's Privacy Officer in order to process the complaint, the latter shall evaluate the complaint and formulate a written response by e-mail to the complainant. The purpose of this assessment will be to determine whether Lepage Millwork's handling of personal information complies with this policy, any other policies and practices in place within the organization and applicable legislation or regulations.
In the event that the complaint can’t be processed within this timeframe, the complainant shall be informed of the reasons for the extension, the status of the processing of the complaint and the reasonable time required to provide a final response.
Lepage Millwork shall keep a separate file for each complaint it receives. Each file contains the complaint, the analysis and documentation supporting its assessment, as well as the response sent to the person who submitted the complaint.
9. Approval
This policy is approved by Lepage Millwork's Privacy Officer, whose business contact information is as follows:
Privacy Officer:
c/o Personal Information and Confidentiality Officer
141 Chemin des Raymond,
Rivière-du-Loup (Québec) G5R 4L9
Email: confidentialite@lepagemillwork.com
For all requests, questions or comments regarding this policy, please contact the Privacy Officer by e-mail.
10. Publication and Modifications
This policy is published on Lepage Millwork's website, as well as on all websites controlled and maintained by Lepage Millwork, to which this policy applies, with respect to the personal information collected therein. This policy is also disseminated by any means suitable to reach the persons concerned.
We reserve the right to update this Policy at any time. The most recent version of the Policy may be consulted by visiting our website. Your use of our website may also be subject to additional terms described in the Terms of Use and elsewhere on the website.
*Notes: Please note that the use of the masculine gender is intended to lighten this policy and make it easier to read.
Last update: September 27, 2023