This policy (hereinafter the “Policy”) sets out the guidelines relating to the collection, use, communication, retention and destruction of documents containing Personal Information held by Dulcedo Inc. (hereinafter “Dulcedo”) in the performance of its duties in accordance with the Act Respecting the Protection of Personal Information in the Private Sector (CQLR c. P-39.1) as amended by the Act to Modernize Legislation Provisions Respecting the Protection of Personal Information (SQ 2021, c. 25) (hereinafter collectively the “Act”).

This Policy applies to Dulcedo, which includes, but is not limited to, its employees, members of the Board of Directors, interns and volunteers, if applicable, as well as any person who otherwise provides services on behalf of Dulcedo, but particularly to those who collect, use, communicate, retain or destroy documents containing Personal Information.

It applies to all Personal Information collected, used and retained by Dulcedo, regardless of its form. The Policy covers Personal Information contained in all types of physical or digital records, in the broad sense, whether written, graphic, audio, visual, computerized or otherwise.

“Personal Information” means any information or combination of information that relates to an individual and that allows that individual to be identified, directly or indirectly, such as identity information (name, address, date of birth, social security number, etc.), contact information (email address, telephone number, etc.). Personal information about an individual is confidential and should be treated as such.

“Privacy Incidents” means unauthorized access, use or disclosure by the Act to, loss of, or any other breach of Personal Information.

“Privacy Officer” means the person designated by Dulcedo to perform the duties of Privacy Officer under the Act.

Dulcedo collects, uses and communicates Personal Information only with the explicit, voluntary, well-informed, and purpose-specific consent of the individual. When an individual consents to provide their Personal Information, it is presumed that they are also permitting its use and disclosure for the initially designated purposes.

Individuals may revoke in writing their consent for Dulcedo to collect, use, and disclose their Personal Information at any point. However, if this data collection is essential for Dulcedo to fulfill its contractual obligations, it may hinder Dulcedo's ability to provide services.

Dulcedo only collects Personal Information that is necessary to carry out its activities. In general, Dulcedo collects Personal Information directly from the individual concerned and with his or her consent, unless an exception is provided for by law.

Dulcedo undertakes to use and disclose the Personal Information only for the purposes for which it was collected and for which it is authorized by law to use it. It can however, collect, use or disclose it without the consent of the individual where permitted or required by law.

Access to Personal Information will be limited to employees who have a need to know within Dulcedo, when the Personal Information is necessary for the performance of their duties.

Dulcedo may need to disclose Personal Information to third parties, which could include suppliers, contractors, subcontractors, agents, insurers, professionals, other regulatory entities, or entities located outside of Quebec. Dulcedo can, without the consent of an individual, disclose Personal Information to such third party when it is essential for the execution of a mandate or a contractual service.

In specific situations, Dulcedo has the authority to collect, use, or disclose Personal Information without the individual's consent. These situations primarily arise when, due to legal or security reasons, obtaining consent from the individual is unfeasible or improbable, and when the use of such information is evidently in the individual's best interest or when it is imperative to avert or uncover fraud, or for other compelling reasons.

Prior to disclosing Personal Information outside of Quebec, Dulcedo will consider factors like the information's sensitivity, the intended purpose of its utilization, and the protective measures available in the external jurisdiction. Dulcedo will disclose Personal Information outside of Quebec only if its assessment concludes that the information will be subject to sufficient safeguards and protection in the external jurisdiction.

Dulcedo may retain the Personal Information for a period provided for in the Act, in any form whatsoever, regardless of whether or not the Personal Information is actively used.

Subject to such retention period, where the purposes for which the Personal Information was collected or used have been fulfilled, Dulcedo must destroy it.

Dulcedo will carry out privacy impacts assessments for new and existing projects that involve the collection, use or disclosure of Personal Information.

The extent of the privacy impact assessment undertaken should correspond to the sensitivity of the information at hand, the intended utilization, the volume, dispersion, and the medium of the information.

Dulcedo may employ the “Guide d'accompagnement - Réaliser une évaluation des facteurs relatifs à la vie privée” developed by the Commission d'accès à l'information to conduct the privacy impact assessment.

In line with Dulcedo’s commitment to transparency and the protection of Personal Information, Dulcedo employs Cookie Management Platforms (CMP) to manage cookies on its website. All documents and policies pertaining to this regulation will be prominently displayed on its official website.

The platform provides users with clear information about how their data will be used before obtaining their explicit consent. Users have the option to agree to certain uses of their data while declining others, allowing a degree of personalization that respects their choices.

When Dulcedo has reasonable grounds to believe that a Privacy Incident has occurred, it takes reasonable measures to reduce the risk of harm being caused and to prevent future incidents of the same nature from occurring. Any Privacy Incident needs to be reported to the Privacy Officer.

In case of a Privacy Incident, Dulcedo initiates an assessment of the damage. This assessment considers factors such as the sensitivity of the information, the possible misuse of it, the expected repercussions of its use, and the probability of it being employed for malicious purposes.

When the Privacy Incident presents a risk of a serious harm to an individual, Dulcedo will notify in writing the Commission d'accès à l'information and the individual concerned.

Dulcedo shall maintain a record of Privacy Incidents in its “Registry of Privacy Incidents of Personal Information”.

Any person concerned by the protection of his or her Personal Information or by the application of this Policy may file a writing complaint directly with the Privacy Officer.

The Policy is effective as October 25th, 2023.

The Policy has been approved by the Privacy Officer.

The Policy may be amended from time to time to comply with the Act and any amended Policy will be made available.