As a responsible company, ESI pays the utmost attention to the protection of its employees’, clients’ and partners’ personal information by implementing procedures and technical solutions that comply with cybersecurity standards and applicable regulations, in particular the Act to modernize legislative provisions as regards the protection of personal information in Quebec (Law 25) and the laws and regulations.
This policy is published and updated annually on all websites of ESI Technologies and its integrated subsidiaries. The purpose of this publication is to inform the public about the management of and rights relating to personal information handled by ESI Technologies.
2. Personal information management
2.1. Personal information collected
The categories (not exhaustive) of personal information collected by ESI Technologies are listed below:
- Identifying information: last name, first name, mailing address, cellphone number, personal email address, nationality, age, age range, date of birth, marital status, avatar, photo, awards or prizes, zip code, country or city of birth, etc.
- Commercial information: transaction history, requests for information and quotes, etc.
- Application and hiring information: resume, educational background, grade level, school, experience, recommendation letters, references, security clearances, work history, hobbies, interest categories, community involvement, club/charity memberships (other than political or religious), educational programs, school records, test/exam scores, high school diplomas, grades/grade point average, interview information, etc.
- Computer and digital activity information: IP address, MAC address, logs, device type, etc.
- Account information: roles and permissions, settings and preferences, login, password, etc.
In accordance with ESI Technologies’ information systems security policy, personal information is confidential data and must be treated as such (identification, protection).
Note: Personal information concerning the exercise of a function within an enterprise by a specific person (name, title, function, email and business telephone number, etc.) does not fall within the scope of this policy, nor of the Act to modernize legislative provisions as regards the protection of personal information in Quebec.
2.2. Purposes of collecting and processing personal information
ESI Technologies collects and processes personal information for the following purposes:
- Prospecting and commercial transactions
  - Website customization.
  - Use of the services offered by ESI Technologies.
  - Transaction management (orders, shipping, billing, payments).
  - Sending commercial communications related to our company or selected partner companies.
  - Notifications or newsletters.
- Verification of educational background/degrees, conducting interviews, recruiting events, reference checks, identification of qualified candidates.
- Management of profiles, applications and exchanges with ESI Technologies.
- Sending messages about positions that may be of interest to candidates.
- Research and development
  - We use personal information for research and development purposes (product improvement, websites and applications, services and user experience, research and analysis for product improvement, etc.).
- Audits, reports and investigations
  - Statistics, internal surveys, reports on ethics and compliance incidents, conflict of interest management, litigation management, legal obligations of the company and mandate management.
- Legal compliance
  - Compliance with legal obligations, in particular to respond to an authority, a judicial decision or a legitimate request for communication of documents.
- To protect the company’s employees, clients and partners, and others
  - When it is necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, potential threats to individuals, violation of policies, conditions or other regulations.
- Analysis of information
  - Optimization of IT resources, improvement of ESI’s performance and processes, guaranteeing and safeguarding ESI’s interests, and compliance with labour agreements and/or our legal obligations.
Personal information is used only for the purposes stated above, unless we reasonably believe that we need to use it for another purpose that is also consistent with the original purpose. In this case, the owner of the personal information will be informed prior to any processing.
Note: Personal information may be used for another purpose without the consent of the individual:
- When its use is for purposes consistent with those for which it was collected.
- When its use is clearly for the benefit of the individual concerned.
- When its use is necessary for study, research or statistical purposes and it is de-identified.
2.3. Information on the collection of personal information
ESI Technologies shall inform clients and users about the collection of personal information, including:
- The purposes for which the information is collected.
- The means by which the information is collected.
- The rights of access and rectification provided by law.
- The right to withdraw consent for the disclosure or use of the information collected.
The information is collected:
- Through the general and special terms and conditions provided upon entering into a contractual transaction with ESI Technologies.
- At the time of the confirmation of the user’s consent when creating a client account.
- Using any other information device.
With regard to the collection of personal information through technical means of identification, profiling or location, these technical means are disabled by default. The user is informed of the possibility and means to activate and deactivate these functions.
2.4. Consent to the disclosure of personal information
Apart from the exceptions provided for by law, the user’s consent for the communication of their personal information must be express, free, informed and intended for the purposes defined above.
Consent is confirmed through a specific form, separate from any other information, in one of the following ways: handwritten signature, electronic signature, click box.
Consent is collected separately for each of the purposes.
Consent is valid only for the time required for the purposes for which it was requested.
Consent of minors
Consent for minors under the age of 14 is given by the parent or guardian.
The consent of minors aged 14 and over is given by the minor themselves, the holder of parental authority or the guardian.
Exemption from consent
Consent to the collection or disclosure of personal information is not required in the following circumstances:
- Disclosure of personal information required to complete a business transaction.
- Disclosure of personal information for study, research or statistical purposes.
- Other cases provided for by law: communication to the Prosecutor, prosecution of an offence under a Quebec law, application of a collective agreement, emergency situation involving endangerment, etc.
2.5. Decision based on automated processing of personal information
If ESI Technologies were to use such a process, users would be informed in advance and made aware of their rights, including the ability to correct information used to make decisions and the right to comment.
2.6. Disclosure of personal information outside Quebec
Personal information collected may be stored, processed and transferred in any country or region in which ESI Technologies operates.
In the case of a transfer outside of the province of Quebec, the Privacy Officer uses a privacy impact assessment to ensure that the personal information is afforded the appropriate level of protection and confidentiality.
2.7. Life cycle of personal information
Retention and updating of personal information.
Personal information is retained only as long as necessary for the purposes for which it was collected or as long as necessary to comply with ESI’s legal and contractual obligations.
ESI maintains the accuracy of the information in its possession, including by processing update requests from the owners of such personal information.
2.8. Protection of personal information
ESI Technologies is ISO 27001:2013 certified.
ESI Technologies complies with current regulations and the standards imposed with regard to the protection of personal information and the security of information systems.
We apply technical, organizational and incident response security measures to protect personal information managed by ESI. These include:
- Identification of PI and sensitive data.
- Personal Information Management Risk Analysis (aka Évaluation des Facteurs relatifs à la Vie Privée).
- Human resources provisions (audits, retention, training).
- Governance of information systems security.
- Managing identity and access.
- Technical means (protection, detection, encryption of PI at rest and in transit).
- Safeguards and recovery.
- Physical protection.
- Contingency planning.
2.9. PI owner rights and complaint management
Rights of the owner of the personal information.
Owners of personal information managed by ESI Technologies have the following rights:
- Right to withdraw consent for the use or disclosure of their personal information.
- Right of access and rectification of personal information.
- Right to be forgotten: in certain cases, such as when personal information is no longer necessary for the purposes for which it was collected or when the dissemination of the personal information contravenes the law, the personal information must be deleted and all hyperlinks de-indexed.
- Right to portability of information in a structured, commonly used and readable format.
Contacting requesters and processing complaints about the management of personal information.
In accordance with the law, any person who wishes to have access to their personal information, wishes to modify it, or is dissatisfied with the way their personal information has been handled may contact the ESI Technologies Privacy Data Officer by the following means:
- Mailing address: 1550 Metcalfe Street #1100, Montreal, Quebec H3A 1X6, Canada
- Email: [email protected].
The procedure for requesting access to personal information is free of charge to the person concerned. Requests for access to personal information are duly registered.
The transmission of any personal information is subject to verification of the requester’s identity in accordance with the relevant procedure within ESI Technologies.
A response to an access request must be provided to the requester within 30 days of receipt of the request. Failure to do so will result in the request being considered denied.