1. PREAMBULE
2. PURPOSE
3. NORMATIVE FRAMEWORKS
4. DEFINITIONS
5. SCOPE OF APPLICATION
6. TREATMENT OF PERSONNAL INFORMATION
7. PRIVACY IMPACT ASSESSMENT
8. RESEARCH ACTIVITIES AND ACCESS TO PERSONNAL INFORMATION
9. RIGHTS OF PERSONS CONCERNED
10. HANDLING OF COMPLAINTS
11. SECURITY OF PERSONNAL INFORMATION
12. PRIVACY INDICENTS
13. PRIVACYC INCIDENT LOG
14. ROLES AND RESPONSABILITIES
15. APPROVAL
16. AWARENESS ACTIVITIES
17. PENALTIES
18. UPDATING
19. EFFECTIVE DATE
PREAMBLE
As part of its activities and mission, EVOQ Architecture processes personal information, including that of its clients and employees. As such, EVOQ Architecture recognizes the importance of respecting privacy and protecting the personal information it holds.
To fulfill its obligations in this regard, EVOQ Architecture has implemented this policy. It sets out the guiding principles for the protection of personal information throughout its lifecycle, as well as the rights of the individuals concerned.
The protection of personal information is the responsibility of everyone who handles such information.
OBJECT
This policy :
Sets out the governance principles of EVOQ Architecture concerning personal information throughout its lifecycle;
Regulates the exercise of the rights of individuals concerned;
Outlines the process for handling complaints related to the protection of personal information;
Defines the roles and responsibilities regarding the protection of personal information within EVOQ Architecture;
Describes the training and awareness activities offered by EVOQ Architecture to its personnel.
REGULATORY FRAMEWORK
This policy is governed in particular by the Act Respecting the Protection of Personal Information in the Private Sector and applicable privacy protection regulations.
DEFINITIONS
For the purposes of this policy, the following terms are defined as follows:
"CAI" refers to the Commission d’accès à l’information du Québec.
"Lifecycle" refers to all stages of personal information processing, including collection, use, communication, retention, and destruction.
"Privacy Impact Assessment" or "PIA" refers to a preventive approach aimed at better protecting personal information and respecting the privacy of individuals. It involves considering all factors that could have positive or negative consequences on respecting the privacy of those concerned.
"Privacy Incident" refers to any unauthorized consultation, use, or communication of personal information as defined by law, or any loss or breach of the protection of such information.
"Law" refers to the Act Respecting the Protection of Personal Information in the Private Sector.
"Concerned Individual" refers to a natural person to whom personal information relates.
"Profiling" refers to the collection and use of personal information to evaluate specific characteristics of a natural person, such as for analyzing work performance, economic situation, health, personal preferences, interests, or behavior.
"Personal Information" refers to any information about a natural person that can identify them directly—through the information alone—or indirectly—by combining it with other information.
"Sensitive Personal Information" refers to personal information that, due to its nature (e.g., medical, biometric, or otherwise intimate) or the way it is used or shared, creates a high degree of reasonable privacy expectation.
"Privacy Officer" or "PO" refers to the person within EVOQ Architecture responsible for ensuring compliance with and implementation of the law.
SCOPE OF APPLICATION
This policy applies to personal information held by EVOQ Architecture and to any individual or entity processing personal information on behalf of EVOQ Architecture, such as service providers or subcontractors.
PROCESSING OF PERSONAL INFORMATION
The protection of personal information is ensured throughout its lifecycle in compliance with the following principles, taking into account exceptions provided by law.
COLLECTION
EVOQ Architecture collects only the personal information necessary for its activities. Before collecting personal information, EVOQ Architecture determines the purposes for its processing.
Personal information is collected directly from the individual concerned unless the law allows collection from a third party.
subsequently upon request, EVOQ Architecture provides the individuals concerned with at least the following information:
The purposes for which the information is collected;
The means by which the information is collected;
The rights of access and rectification as provided by law;
Their right to withdraw consent to the use or communication of the collected information;
When applicable, the name of the third party for whom the information is collected;
When applicable, the name(s) or categories of third parties to whom the information must be communicated for the stated purposes;
When applicable, the possibility that the information may be communicated outside of Quebec;
When applicable, the use of technology that includes features enabling identification or profiling;
The means provided to enable or disable functions for identification, localization, or profiling.
This information is presented in simple and clear terms in section 6.1.3, either through a privacy policy or a "just-in-time" notice.
An individual who provides their personal information after receiving the information outlined in section 6.1.3 is presumed to consent to its use and communication for the stated purposes.
Upon request, EVOQ Architecture will also provide individuals with the following information:
The personal information collected about them;
The categories of individuals within EVOQ Architecture who have access to this information;
The retention period for this information;
Contact details for EVOQ Architecture’s Privacy Officer.
When the law requires explicit consent—where it cannot be presumed as outlined in sections 6.1.3 and 6.1.5, and no exception applies—this consent must be explicit, free, informed, and given for specific purposes. It must be obtained for each purpose in simple and clear terms and is valid only for the time required to fulfill the purposes for which it was requested.
USE
EVOQ Architecture uses personal information solely for the purposes for which it was collected. However, these purposes may be modified if the individual concerned consents.
EVOQ Architecture may also use personal information for secondary purposes without the individual’s consent in the following cases:
When the use is for purposes compatible with those for which the information was collected (compatible purposes exclude commercial or philanthropic solicitation);
When the use is clearly in the interest of the individual concerned;
When the use is necessary for the prevention and detection of fraud or the evaluation and improvement of security measures;
When the use is necessary for the provision or delivery of a product or service requested by the individual concerned;
When the use is necessary for study, research, or statistical purposes, and the information is anonymized.
If secondary purposes involve sensitive personal information, EVOQ Architecture must obtain the explicit consent of the individuals concerned.
COMMUNICATION
Subject to exceptions provided by law, EVOQ Architecture cannot disclose personal information without the consent of the individual concerned. Explicit consent must be obtained when sensitive personal information is involved.
EVOQ Architecture may disclose personal information without consent to an agent or service provider within the framework of a mandate or service contract. In such cases, EVOQ Architecture must establish a written agreement with the agent or service provider, which must include, at a minimum, the following measures:
Ensuring the confidentiality of the disclosed personal information;
Ensuring that the information is used solely for the purposes of fulfilling the mandate or executing the contract;
Ensuring that the information is not retained after the contract's expiration.
Additionally, the agreement must include the following provisions:
The agent or service provider must promptly inform the Privacy Officer of any breach or attempted breach of confidentiality obligations by any party regarding the disclosed information;
EVOQ Architecture's Privacy Officer reserves the right to perform verifications related to confidentiality.
When personal information is disclosed outside Quebec, EVOQ Architecture conducts a Privacy Impact Assessment (PIA) in accordance with Article 7 of this policy.
COMMUNICATIONS REGISTER
EVOQ Architecture maintains an up-to-date register of certain communications involving personal information. This register details the following types of disclosures:
To a person or organization with the authority to compel EVOQ Architecture to disclose personal information in the course of their duties;
To a person requiring the information due to an emergency situation that endangers the life, health, or safety of the individual concerned, or to prevent an act of violence, including suicide, in cases of serious risk of death or grave injury to an individual or an identifiable group;
To an archive service or any individual, in the latter case, if the document is over 100 years old or if the individual concerned has been deceased for more than 30 years;
To a person or organization for the purposes of fulfilling a mandate, service contract, or business agreement;
To the other party in a commercial transaction if the disclosure is necessary for concluding the transaction;
To a person for purposes of study, research, or statistics, or to someone authorized by the CAI to use the information;
To an individual authorized by law to recover debts on behalf of others, requiring the information for that purpose;
To an individual if the information is necessary for recovering a debt owed to EVOQ Architecture.
RETENTION
EVOQ Architecture takes all reasonable measures to ensure that the personal information it holds is up-to-date, accurate, and complete for the purposes for which it is collected or used.
Personal information is retained for as long as necessary to conduct the organization’s activities, subject to timeframes outlined in its Retention Policy and related schedule.
DESTRUCTION AND ANONYMIZATION
EVOQ Architecture ensures that personal information is securely destroyed or anonymized when it is no longer required for the purposes for which it was collected or as stipulated by the Retention Policy.
PRIVACY IMPACT ASSESSMENT (PIA)
Under the supervision of the Privacy Officer (PO), EVOQ Architecture conducts a PIA in the following contexts involving the processing of personal information:
Before initiating a project to acquire, develop, or overhaul an information system or electronic service delivery that involves personal information;
Before disclosing personal information without the consent of the individuals concerned to a person or organization intending to use the information for study, research, or statistical purposes;
When intending to disclose personal information outside Quebec.
In conducting a PIA, EVOQ Architecture considers the sensitivity of the information to be processed, the purposes of its use, the quantity, distribution, and medium of the information, and the proportionality of the measures proposed to protect the information.
When personal information is disclosed outside Quebec, EVOQ Architecture ensures that the information benefits from adequate protection, adhering to generally recognized principles for personal information protection.
The completion of a PIA demonstrates that EVOQ Architecture has fulfilled its obligations concerning personal information protection and has taken all measures necessary to effectively safeguard the information.
RESEARCH ACTIVITIES AND ACCESS TO PERSONAL INFORMATION
Researchers may request access to personal information for research purposes. Such requests must be submitted to the PO of EVOQ Architecture.
If the PIA concludes that personal information may be disclosed for this purpose, EVOQ Architecture must enter into an agreement with the researchers. This agreement must include the mandatory provisions outlined by law and any additional measures identified in the PIA.
RIGHTS OF INDIVIDUALS
Subject to applicable laws, individuals whose personal information is held by EVOQ Architecture have the following rights:
The right to access their personal information held by EVOQ Architecture and to obtain a copy in either electronic or non-electronic format;
Unless it poses serious practical difficulties, the right to request that personal information collected directly from them (not created or inferred) be provided in a structured, commonly used electronic format. At their request, this information can also be transmitted to another person or organization authorized by law to collect such information;
The right to rectification of any incomplete or inaccurate personal information held by EVOQ Architecture;
The right to request deletion of outdated or unjustified information, or to submit written comments to EVOQ Architecture;
The right to request the cessation of dissemination of information or the removal of hyperlinks associated with their name via technological means when the dissemination violates the law or a judicial order;
The right to request cessation of dissemination, deindexing, or reindexing of hyperlinks associated with their name when:
The dissemination causes serious harm to their reputation or privacy;
The harm outweighs the public interest in accessing the information or an individual’s interest in freedom of expression;
The cessation, reindexing, or deindexing requested is no more extensive than necessary to prevent ongoing harm. This takes into account factors such as whether the person is a public figure, whether the information concerns a minor, the information’s sensitivity, the context of dissemination, the time elapsed since the dissemination, and whether the information pertains to criminal or penal proceedings, including pardons or restrictions on access to court records.
The right to be informed when personal information is used to make a decision based on automated processing.
Additionally, the spouse or close relative of a deceased person may request access to the deceased’s personal information held by EVOQ Architecture if such information could assist them in their grieving process, provided the deceased did not explicitly deny this right in writing.
Although the right of access may be exercised at any time, access to documents containing personal information is subject to certain exceptions outlined in the law.
EVOQ Architecture may refuse to disclose personal information to an individual if the disclosure would likely:
Harm an investigation conducted by its internal security service aimed at preventing, detecting, or suppressing crime or legal infractions, or an investigation conducted on its behalf by an external service with the same purpose or by a licensed security or investigation agency under the Private Security Act;
Affect ongoing judicial proceedings in which one of the parties has an interest
EVOQ Architecture must refuse to disclose personal information:
To an individual if the disclosure would likely reveal personal information about a third party or the existence of such information and cause serious harm to that third party, unless the third party consents to the disclosure or it involves an emergency that endangers the life, health, or safety of the individual concerned;
To the liquidator of an estate, a beneficiary of life insurance or death benefits, an heir, or a successor of the individual concerned, unless the disclosure is necessary to protect the interests and rights of the requesting party in their role as liquidator, beneficiary, heir, or successor. This is subject to the aforementioned rights of a deceased person’s spouse or close relative.
Access requests for personal information must be sufficiently specific to enable the Privacy Officer (PO) to identify the requested information. The right of access applies only to existing personal information.
The PO must respond to requests for access or rectification in writing, with due diligence, and no later than 30 days after receiving the request.
Access to personal information contained in a file is free of charge. However, EVOQ Architecture may charge reasonable fees for the transcription, reproduction, or transmission of this information, provided the requester is informed in advance of the approximate cost before the process begins
If the PO agrees to a request for rectification or deletion, they must notify any person who has received the information within the preceding six months and, if applicable, any party responsible for retaining it. Additionally, they must provide the requester with a free copy of the modified or added information or, if applicable, a certificate confirming the deletion of the information.
If EVOQ Architecture does not respond to a request within 30 days, it is deemed to have refused the request. If a request is denied, the PO must:
Justify the refusal, citing the specific provision of the law that supports the decision;
Inform the requester of their legal recourse options, including the timeframe for exercising those options;
Provide assistance, upon request, to help the individual understand the reasons for the refusal.
COMPLAINT HANDLING
Any complaint regarding EVOQ Architecture's personal information protection practices or its compliance with legal requirements is addressed to the Privacy Officer (PO). The complaint-handling process proceeds as follows:
Receipt of Complaint: Upon receiving the complaint, the PO sends an acknowledgment of receipt to the complainant within 7 business days.
Complaint Assessment: The PO reviews the complaint to evaluate its admissibility and the nature of the concerns raised. This step includes analyzing the reported facts, consulting records, and, if necessary, conducting interviews with the complainant or other relevant parties.
Investigation and Resolution: Depending on the complexity of the complaint, the PO may conduct a thorough investigation to determine if there have been breaches of the personal information protection policies. Corrective measures, including new procedures or disciplinary actions, may be implemented to address identified breaches.
Formal Response: The PO provides a written response to the complainant within 45 days of receiving the complaint. This response includes:
A description of the investigation's findings;
Corrective measures planned or implemented (if applicable);
Available recourse for the complainant, such as filing a complaint with Quebec's Commission d’accès à l’information (CAI) if the response is deemed unsatisfactory.
Follow-Up: After resolving the complaint, the PO documents the actions taken and updates personal information protection practices, if necessary, to prevent similar incidents.
SECURITY OF PERSONAL INFORMATION
While zero risk cannot be guaranteed, EVOQ Architecture implements reasonable security measures to ensure the confidentiality, integrity, and availability of personal information collected, used, disclosed, retained, or destroyed. These measures take into account the sensitivity of the information, the purpose of its collection, its volume, location, and format.
EVOQ Architecture manages access rights for its personnel to ensure that only those bound by confidentiality agreements (if applicable) and who need access for their duties can access personal information.
CONFIDENTIALITY INCIDENTS
Any confidentiality incident is handled in accordance with EVOQ Architecture's established procedures. The organization takes reasonable measures to mitigate risks of harm and prevent similar incidents in the future, updating its personal information protection program as needed.
All confidentiality incidents are reported to the PO and recorded in the confidentiality incidents register, in accordance with Article 13.1 of this policy.
If the incident poses a serious risk of harm to the individuals concerned, EVOQ Architecture promptly notifies those affected and the CAI, in compliance with its incident response procedure.
CONFIDENTIALITY INCIDENTS REGISTER
EVOQ Architecture maintains a confidentiality incidents register in compliance with applicable laws and regulations. This register includes:
A description of the personal information involved in the incident or, if this information is unknown, the reason why such a description cannot be provided;
A brief description of the circumstances of the incident;
The date or period when the incident occurred or, if unknown, an approximate timeframe;
The date or period when the organization became aware of the incident;
The number of individuals affected by the incident or, if unknown, an estimate of this number;
A description of the factors that led EVOQ Architecture to conclude whether or not there is a risk of serious harm to affected individuals, such as the sensitivity of the personal information involved, possible malicious uses, anticipated consequences of misuse, and the likelihood of the information being used for harmful purposes;
If the incident poses a risk of serious harm, the dates of notification to the Commission d’accès à l’information (CAI) and affected individuals, in accordance with Section 3.5 of the Act Respecting the Protection of Personal Information in the Private Sector, as well as whether public notices were issued by EVOQ Architecture and the reasons for doing so, if applicable;
A brief description of the measures taken by EVOQ Architecture to mitigate the risks of harm following the incident;
Any other elements required by the Regulation Respecting Confidentiality Incidents.
ROLES AND RESPONSIBILITIES
The protection of personal information held by EVOQ Architecture depends on the commitment of all individuals involved in processing this information, with particular responsibilities assigned to the following roles:
PRIVACY OFFICER (PO) :
Appointed in writing by the highest authority within EVOQ Architecture;
Ensures compliance with and implementation of the law for EVOQ Architecture;
Establishes and implements policies and practices governing the organization’s personal information management, including approving them;
Consulted at the beginning of any project involving the acquisition, development, or overhaul of information systems or electronic service delivery that entails the collection, use, communication, retention, or destruction of personal information.
At any stage of such a project, the PO may recommend measures to ensure personal information protection, such as:
Appointing a person responsible for implementing protection measures;
Including personal information protection measures in project-related documents;
Describing the responsibilities of project participants regarding personal information protection;
Conducting training activities on personal information protection for project participants.
Supervises the registers outlined in Articles 6.4 and 13 of this policy.
Evaluates the risk of serious harm related to confidentiality incidents, considering the sensitivity of the information involved, anticipated consequences of its misuse, and the likelihood of its malicious use.
Collaborates with relevant government authorities and stakeholders in the event of a confidentiality incident;
Records the communication of a confidentiality incident to a person or organization capable of mitigating the risk of harm, if applicable.
Conducts audits of confidentiality obligations related to personal information disclosures in mandates or contracts with third parties, in compliance with Section 6.3.2 of this policy.
Receives written requests from individuals exercising their rights and ensures compliance with Sections 9.5 to 9.8 of this policy.
Reports annually to the board of directors on EVOQ Architecture’s compliance with legal requirements and the implementation of the policies and practices under their oversight.
Any individual processing personal information held by EVOQ Architecture must:
Act cautiously and integrate the principles outlined in this policy into their activities;
Access only the information necessary to perform their duties;
Include and retain information solely in records intended for the performance of their duties
keep such records secure so that only authorized individuals have access;
Protect access to the personal information in their possession or to which they have access using a password;
Refrain from disclosing personal information learned in the course of their duties unless duly authorized to do so;
Avoid retaining personal information obtained or collected in the course of their duties after their employment or contract ends, while continuing to uphold their confidentiality obligations;
Destroy all personal information in accordance with EVOQ Architecture’s retention schedule;
Participate in awareness and training activities on personal information protection;
Report any breach, confidentiality incident, or other situation or irregularity that could compromise, in any way, the security, integrity, or confidentiality of personal information in accordance with EVOQ Architecture’s established procedure.
APPROVAL
This policy and all related policies on personal information protection are subject to the approval of EVOQ Architecture.
AWARENESS ACTIVITIES
EVOQ Architecture provides training and awareness activities to its staff on personal information protection, including:
Mandatory annual training for all employees;
Periodic email reminders to reinforce best practices.
SANCTIONS
Any individual who violates this policy is subject to disciplinary action in accordance with the applicable regulatory framework.
MISE À JOUR
To stay aligned with evolving personal information protection laws and to improve EVOQ Architecture's personal information protection program, this policy may be updated as necessary.
ENTRÉE EN VIGUEUR
This policy takes effect upon its adoption on November 18, 2024.
