Women Growth

Privacy Policy

Procedure for the Retention, Destruction, and Anonymization of Personal Information

 

1. Overview

A procedure for the retention, destruction, and anonymization of personal information is needed to protect individuals’ privacy, comply with personal information protection laws, prevent privacy incidents and security breaches, maintain client trust, and protect the organization’s reputation.

2. Purpose

The purpose of this procedure is to ensure the protection of individuals’ privacy and to comply with legal obligations regarding the protection of personal information.

3. Scope

This procedure covers the entire life cycle of personal information, from collection to destruction. It applies to all employees and stakeholders involved in collecting, processing, retaining, destroying, and anonymizing personal information in accordance with legal requirements and privacy best practices.

4. Definitions

Personal information: any information that identifies, directly or indirectly, a natural person.
Retention: secure storage of personal information for the required period.
Destruction: permanent deletion, disposal, or erasure of personal information.
Anonymization: a process that modifies personal information so that the individuals concerned can no longer be identified, directly or indirectly, at any time and irreversibly.

5. Procedure

5.1 Retention period

5.1.1 Personal information has been categorized as follows:

  • information concerning the company’s employees,

  • information concerning the organization’s members,

  • information concerning clients.

5.1.2 The retention period for each category is established as follows:

  • Employees: 7 years after the end of employment.

  • Members: varies depending on the type of personal information.

  • Clients: varies depending on the type of personal information.

For more details, refer to the complete inventory of personal information held.

Note: specific retention periods may apply to particular types of information; these are recorded in the inventory.

5.2 Secure storage methods

5.2.1 Personal information is stored in the following locations: OneDrive, Wix.
5.2.2 The level of sensitivity of the information held in each storage location has been established.
5.2.3 These storage locations, whether paper or digital, are adequately secured.
5.2.4 Access to these storage locations is restricted to authorized individuals only.

5.3 Destruction of personal information

5.3.1 Paper records must be completely shredded.
5.3.2 Digital personal information must be permanently deleted from devices (computers, phones, tablets, external hard drives), servers, and cloud tools.
5.3.3 A destruction schedule must be created based on the retention period established for each category of personal information. Planned destruction dates must be documented.
5.3.4 Destruction must be carried out in a way that prevents the personal information from being recovered or reconstructed.

5.4 Anonymization of personal information

5.4.1 Anonymization may only be carried out if the organization wishes to retain and use the information for serious and legitimate purposes.
5.4.2 No anonymization method is currently applied: personal information is deleted once its retention period has expired (see the note below).
5.4.3 Where anonymization is used, it must be ensured that the remaining information can no longer identify the individuals concerned, directly or indirectly, that the process is irreversible, and that the risk of re-identification is regularly assessed through tests and analyses to confirm its effectiveness.

Note: As of the date of this procedure, anonymization of personal information for serious and legitimate purposes is not possible. A government regulation must be adopted to determine the criteria and modalities.

5.5 Staff training and awareness

5.5.1 Employees receive regular training on the retention, destruction, and anonymization procedure and on the risks of privacy breaches.
5.5.2 This includes raising staff awareness of data security best practices and of the importance of complying with established procedures.

Last updated: February 1, 2025


Procedure for Requests for Access to Personal Information and Complaint Handling

 

1. Overview

Since an individual may request access to the personal information an organization holds about them, or may file a complaint, predefined guidelines for responding to such requests are needed.

2. Purpose

The purpose of this procedure is to ensure that all access requests and complaints are handled confidentially, promptly, and accurately, while respecting the rights of the individuals concerned.

3. Scope

This procedure applies to internal stakeholders responsible for processing access requests and complaints, as well as individuals seeking to access their own personal information.

4. Access request procedure

4.1 Submitting the request

4.1.1 The individual must submit a written request to the organization’s Privacy Officer. The request may be sent by email or postal mail.
4.1.2 The request must clearly indicate that it is a request for access to personal information and provide sufficient information to identify the individual and the information requested.
4.1.3 This information may include name, address, and any other relevant information needed to reliably identify the individual.

4.2 Receipt of the request

4.2.1 Once received, an acknowledgment of receipt is sent to confirm the request has been taken into account.
4.2.2 The request must be processed within thirty (30) days of receipt.

4.3 Identity verification

4.3.1 Before processing the request, the individual’s identity must be reasonably verified (e.g., requesting additional information or verifying identity in person).
4.3.2 If identity cannot be satisfactorily verified, the organization may refuse to disclose the requested personal information.

4.4 Incomplete or excessive requests

4.4.1 If a request is incomplete or excessive, the Privacy Officer contacts the individual for additional information or clarification.
4.4.2 The organization reserves the right to refuse a request if it is clearly abusive, excessive, or unjustified.

4.5 Processing the request

4.5.1 Once identity is verified, the Privacy Officer collects the requested information.
4.5.2 Relevant records are reviewed to gather the requested personal information while respecting any legal restrictions.

4.6 Review of information

4.6.1 Before communicating the information, the Privacy Officer carefully reviews it to ensure it does not contain confidential third-party information or information that could infringe on other rights.
4.6.2 If third-party information is present, the Privacy Officer assesses whether it can be separated or must be excluded.

4.7 Communication of information

4.7.1 Once verifications are completed, the information is provided within the thirty (30) day period set out in 4.2.2, in accordance with applicable legal requirements.
4.7.2 Information may be provided electronically, by secure postal mail, or in person, according to the individual’s preference and using appropriate security measures.

4.8 Follow-up and documentation

4.8.1 All steps must be recorded accurately and completely.
4.8.2 Details must be recorded in a tracking register, including:

  • date the request was received;

  • date acknowledgment was sent;

  • date identity was verified;

  • method of identity verification;

  • decision (approved or refused);

  • date information was communicated (if applicable).

4.9 Confidentiality protection

4.9.1 All staff involved must maintain confidentiality and protect the personal information they handle.

4.10 Complaints and recourse

4.10.1 If an individual is dissatisfied, they must be informed of complaint procedures and available recourse before the Commission d’accès à l’information.
4.10.2 Complaints must be handled according to the internal complaint-handling procedure (see section 5).

5. Complaint handling procedure

5.1 Receiving complaints

5.1.1 Complaints may be submitted in writing, by phone, by email, or through any other official communication channel. They must be recorded in a centralized register accessible only to designated staff.
5.1.2 The employee who receives a complaint must immediately inform the person responsible for complaint intake.

5.2 Preliminary assessment

5.2.1 The designated person reviews each complaint to assess relevance and severity.
5.2.2 Frivolous, defamatory, or clearly unfounded complaints may be dismissed; however, justification must be provided to the complainant.

5.3 Investigation and analysis

5.3.1 The person in charge conducts an investigation by collecting evidence, interviewing involved parties, and gathering relevant documents.
5.3.2 The person must be impartial and have the authority necessary to resolve the complaint.
5.3.3 Confidentiality must be maintained and all parties must be treated fairly.

5.4 Complaint resolution

5.4.1 Appropriate solutions must be proposed as quickly as possible.
5.4.2 Solutions may include corrective measures, financial compensation, or any action required to resolve the complaint satisfactorily.

5.5 Communication with the complainant

5.5.1 The person in charge communicates regularly with the complainant to provide updates.
5.5.2 All communications must remain professional, empathetic, and respectful.

5.6 Closing the complaint

5.6.1 Once resolved, a written response is provided summarizing actions taken and solutions proposed.
5.6.2 All documents related to the complaint must be retained in a confidential file.

Last updated: February 1, 2025


Procedure for De-indexing and Deleting Personal Information

1. Overview

This procedure aims to address client concerns regarding privacy and the protection of personal information.

2. Purpose

The purpose of this procedure is to provide a structured mechanism for handling client requests for de-indexing and deletion of personal information.

3. Scope

This procedure applies to the internal team responsible for handling de-indexing and deletion requests. It covers all information published on our online platforms, including our website, mobile applications, databases, or any other digital medium used by our clients.

4. Definitions

Deletion of personal information: the complete erasure of data, making it unavailable and irrecoverable.
De-indexing of personal information: removal of information from search engines, making it less visible while still accessible directly.

Deletion permanently removes the data, whereas de-indexing only limits its online visibility.

5. Procedure

5.1 Receiving requests

5.1.1 Requests must be received by the designated responsible team.
5.1.2 Clients may submit requests through specific channels such as an online form, dedicated email address, or phone number.

5.2 Identity verification

5.2.1 Identity must be reasonably verified before processing.
5.2.2 This may include requesting additional information or verifying identity in person.
5.2.3 If identity cannot be satisfactorily verified, the organization may refuse the request.

5.3 Request assessment

5.3.1 The responsible team reviews requests and the personal information concerned to determine eligibility for de-indexing or deletion.
5.3.2 Requests must be processed confidentially and within the required timelines.

5.4 Reasons for refusal

5.4.1 Valid reasons may justify refusing to delete or de-index personal information, including:

  • where the information is needed to continue providing goods or services to the client;

  • where retention is required to comply with employment law;

  • where the information is needed for legal reasons in the event of a dispute.

5.5 De-indexing or deletion

5.5.1 The team must take the necessary measures to de-index or delete eligible personal information according to the request.

5.6 Follow-up communication

5.6.1 The team communicates with requesters throughout the process, providing acknowledgments and regular updates.
5.6.2 Any delay or issue must be communicated with clear explanations.

5.7 Tracking and documentation

5.7.1 All requests and actions taken must be recorded in a dedicated tracking system.
5.7.2 Records must include request details, actions taken, dates, and results.

Last updated: February 1, 2025


Procedure for Managing Security Incidents and Personal Information Breaches

1. Overview

An incident response plan is essential for managing cyber incidents effectively. During a crisis it is not always clear how to act or what to prioritize; a written plan reduces the risk that important steps are forgotten under stress.

2. Purpose

The purpose of this procedure is to ensure that the organization is prepared to respond to cyber incidents and resume operations quickly.

3. Scope

This procedure applies to all networks and systems, as well as stakeholders (clients, partners, employees, subcontractors, suppliers) who access these systems.

4. Recognizing a cyber incident

A cybersecurity incident may not be immediately recognized or detected. However, certain indicators may signal a security breach, system compromise, or unauthorized activity. It is essential to remain alert to any sign that a security incident has occurred or is ongoing.

Examples of indicators include:

  • excessive or unusual login and system activity, including from inactive user accounts;

  • excessive or unusual remote access within the organization (staff or third-party vendors);

  • the appearance of any new wireless (Wi-Fi) network visible or accessible from the premises;

  • unusual activity involving malware, suspicious files, or new/unapproved executable files and programs;

  • lost, stolen, or misplaced devices containing payment card data, personal information, or other sensitive data.
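The first two indicators above (unusual login activity, including from inactive accounts, and remote access from unfamiliar sources) can be checked mechanically against authentication logs. The following is an added example, not part of the original procedure or of any tool the organization uses: it parses constructed log lines in an assumed format and flags logins from accounts with no baseline history, logins after a long period of inactivity, bursts of attempts within a short window, and successful logins from a source the account has never used. The thresholds, the log format, and the account names are assumptions chosen for illustration.

```python
"""Check login records for the indicators listed above.

Added example, not part of the original procedure: the log format, the
thresholds and the accounts are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed format: ISO timestamp, user, source, result.
SAMPLE_LOG = """\
2024-10-07T09:02:11Z login user=alice src=10.0.0.12 result=success
2024-10-08T09:05:40Z login user=alice src=10.0.0.12 result=success
2024-10-09T09:01:17Z login user=alice src=10.0.0.12 result=success
2025-01-28T08:58:03Z login user=bob src=10.0.0.20 result=success
2025-02-01T03:14:02Z login user=carol src=203.0.113.7 result=success
2025-02-01T03:15:10Z login user=alice src=198.51.100.9 result=failure
2025-02-01T03:15:12Z login user=alice src=198.51.100.9 result=failure
2025-02-01T03:15:14Z login user=alice src=198.51.100.9 result=failure
2025-02-01T03:15:16Z login user=alice src=198.51.100.9 result=failure
2025-02-01T03:15:18Z login user=alice src=198.51.100.9 result=failure
2025-02-01T03:15:20Z login user=alice src=198.51.100.9 result=success
2025-02-01T09:00:00Z login user=bob src=10.0.0.20 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Thresholds are assumptions; tune them to the organization's normal activity.
DORMANT_DAYS = 90                  # gap after which an account counts as inactive
BURST_WINDOW = timedelta(minutes=5)
BURST_LIMIT = 5                    # attempts by one account inside BURST_WINDOW


def parse_log(text):
    """Return (timestamp, user, src, result) tuples, oldest first; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["src"], m["result"]))
    return sorted(events)


def find_indicators(text, since):
    """Events before `since` only build the baseline; events from `since` on are checked.

    Returns (timestamp, user, kind, detail) tuples, where kind is one of:
      no_history  - activity from an account absent from the baseline
      dormant     - activity from an account inactive for more than DORMANT_DAYS
      burst       - BURST_LIMIT attempts by one account inside BURST_WINDOW
      new_source  - successful login from a source the account never used before
    """
    last_seen = {}                    # user -> timestamp of the previous event
    known_src = defaultdict(set)      # user -> sources of earlier successful logins
    recent = defaultdict(list)        # user -> attempt timestamps inside BURST_WINDOW
    findings = []
    for ts, user, src, result in parse_log(text):
        live = ts >= since
        prev = last_seen.get(user)
        if live and prev is None:
            findings.append((ts, user, "no_history", "account absent from baseline"))
        elif live and ts - prev > timedelta(days=DORMANT_DAYS):
            findings.append((ts, user, "dormant", f"{(ts - prev).days} days inactive"))
        window = [t for t in recent[user] if ts - t <= BURST_WINDOW] + [ts]
        recent[user] = window
        if live and len(window) == BURST_LIMIT:     # report once, when the limit is reached
            findings.append((ts, user, "burst", f"{BURST_LIMIT} attempts in {BURST_WINDOW}"))
        if result == "success":
            if live and known_src[user] and src not in known_src[user]:
                findings.append((ts, user, "new_source", src))
            known_src[user].add(src)
        last_seen[user] = ts
    return findings


def analyze_sample():
    """Run the checks on the constructed log, treating February 2025 as the live period."""
    return find_indicators(SAMPLE_LOG, datetime(2025, 2, 1))


if __name__ == "__main__":
    for ts, user, kind, detail in analyze_sample():
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user:<6} {kind:<11} {detail}")
```

On the constructed sample, carol is reported as an account with no baseline history, and alice is reported three times: a login after more than 90 days of inactivity, five attempts inside five minutes, and a successful login from 198.51.100.9, a source she had never used. bob, whose last login was four days earlier from his usual address, produces nothing. Each finding is a reason to open the incident register and follow the account-compromise steps in section 8, not proof of compromise on its own.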

5. Contact information for resource persons

Company: OCM SYSTEME Inc.
Person in charge: Brigitte Dijon
Address: 173 Highfield, Mont-Saint-Hilaire J3H 3W3
Email: brigitte.dijon@ocm-systeme.com
Phone: 514 561 4087
Website: wixquebec.com

6. Personal information breach – specific response

If a security incident involving a breach of personal information protection is confirmed, the following steps must be taken:

  • complete the privacy incident register to document the incident;

  • assess whether personal information was accessed, used, disclosed, lost, or otherwise compromised without authorization, and whether the incident presents a risk of serious harm to the individuals concerned;

  • if so, report it to the Commission d’accès à l’information du Québec;

  • and also notify the individuals whose personal information is affected.

7. Ransomware – specific response

If a ransomware incident is confirmed, take the following steps:

  • immediately disconnect affected devices from the network;

  • do not delete anything from devices (computers, servers, etc.);

  • analyze the ransomware and determine how it infected the device;

  • contact local authorities to report the incident and cooperate with the investigation;

  • once removed, perform a full system scan using up-to-date antivirus/anti-malware tools to confirm removal;

  • if it cannot be removed, reimage/reset the device using original installation media/images;

  • before restoring from backups, confirm backups are not infected;

  • if critical data must be restored but backups are not usable, search for decryption tools on nomoreransom.org;

  • the organization’s policy is not to pay the ransom, except where the circumstances require it; engaging a breach coach (an expert who leads the cyber incident response) is strongly recommended;

  • apply patches/fixes to prevent re-infection and future attacks.

8. Account compromise – specific response

If an account compromise is confirmed:

  • notify clients and suppliers that they may receive fraudulent emails appearing to come from us and should neither respond to them nor click any links;

  • check whether access to the online account remains possible;

  • if not, contact platform support to recover access;

  • change the password used for the platform;

  • if reused elsewhere, change those passwords as well;

  • enable two-factor authentication;

  • remove unauthorized sessions and devices listed in the account’s login history.

9. Loss or theft of a device – specific response

If equipment loss/theft is confirmed:

  • report it immediately to local police authorities, including outside business hours and weekends;

  • if the lost or stolen device contained sensitive data and was not encrypted, assess the sensitivity of the exposure, including the type and volume of data involved and whether payment card numbers were among it;

  • where possible, lock/disable lost or stolen mobile devices and remotely wipe data.

Last updated: February 1, 2025


Legislation

We are committed to complying with the legislative provisions set out in:
Quebec


Law 25 Updates

This privacy policy may be updated from time to time in order to maintain compliance with the law and reflect any changes to our data collection process. We encourage users to review our policy periodically to stay informed of any updates. If necessary, we may notify users by email of changes made to this policy.

Updated: February 2025