Privacy policy
PREAMBLE
1. Groupe ISM (“Groupe ISM”) operates in the field of IT consulting and support. Among other services, it provides solutions in cybersecurity, IT hardware, as well as data management and osting. As part of its operations, Groupe ISM collects and processes personal information.
2. Accordingly, Groupe ISM recognizes the importance of respecting privacy and protecting the personal information it holds and has access to.
3. To comply with applicable legal requirements, Groupe ISM has adopted this Confidentiality and Personal Information Policy (the “Policy”), available on its website at www.groupeism.ca (the
“Website”) or upon request from the Privacy Officer (as defined in Section 8 of the Policy). The Policy outlines the principles governing, among other things, the collection, protection, processing, retention, and destruction of personal information.
4. Here are the full contact details of Groupe ISM:
199 rang du Golf, Lavaltrie, QC, J5T 3C6
Phone number : (514) 253-8111
Email address : info@groupeism.ca
www.groupeism.ca
OBJECTIVE AND REGULATORY FRAMEWORK
5. This Policy defines and governs the collection, retention, use, sharing, and destruction of Personal Information relating to any Client, Applicant, Employee, Website Visitor, officer, or director of roupe ISM.
6. It governs the management of Personal Information throughout its lifecycle (as defined in Section 12) and the exercise of data subjects’ rights. It also designates the Privacy Officer responsible for the protection of Personal Information.
7. It aims to establish measures to protect the confidentiality of Personal Information in accordance with the Act and its regulations.
8. The Privacy Officer of Groupe ISM (the “Privacy Officer”) is as follows:
Mr. Simon-David Williams, President, General Director
199 rang du Golf, Lavaltrie, QC, J5T 3C6
Phone number : (514) 253-8111
Email address : vieprivee@groupeism.ca
9. The Privacy Officer is responsible for Personal Information and for ensuring its protection and processing throughout its Lifecycle.
10. Groupe ISM Employees and Suppliers who have access to Personal Information in the course of their duties are informed of the contents of this Policy and are required to comply with it. As a condition of employment, Groupe ISM Employees undertake to protect Personal Information, maintain its confidentiality, and ensure its security. This obligation remains in effect even after the termination of their employment or, in the case of Suppliers, the end of their mandate.
11. Please note that Groupe ISM is not responsible for the practices of its Suppliers with respect to the protection of Personal Information. However, Groupe ISM only works with service providers deemed acceptable and who will use such information solely to assist us in responding to your requests and delivering our services. We will only share the Personal Information that is necessary and will ensure that these authorized Suppliers agree to keep such information confidential and secure.
DEFINITIONS
12. The following definitions apply to this Policy.
Client(s) : any person or legal entity that has entered into an agreement to benefit from the services of Groupe ISM.
Lifecycle: the series of stages involved in the processing of Personal Information, namely its collection, use, sharing, retention, and destruction.
Login and Usage Data: information that may include your IP address, the pages you visit on the Website, as well as the date and time of your use.
Employee(s): a person who works for Groupe ISM in exchange for compensation or practical experience, including internships.
Supplier(s): any person or legal entity that provides Groupe ISM with accounting, information technology, legal, or other services as required from time to time, and who may have access to Personal Information in the course of delivering such services.
Data Subject(s): a person to whom the Personal Information relates.
Privacy Officer: the individual designated as responsible for the protection of Personal Information within Groupe ISM, in accordance with the Act respecting the protection of personal information in the private sector.
Policy: this Confidentiality and Personal Information Policy.
Applicant: any person who submits an employment application to Groupe ISM.
Personal Information: any information, regardless of its format (paper, digital, web, etc.), that relates to a natural person and allows for their direct or indirect identification. Business or professional contact information, as well as personal information that is publicly available, is not considered Personal Information.
COLLECTION, USE AND RETENTION
13. Groupe ISM must collect certain Personal Information in order to achieve specific purposes, whether in relation to Website Visitors, its Employees, or its officers and directors. The nature of the Personal Information and the purposes of such collection are defined in the following sections.
TYPES OF PERSONNAL INFORMATION COLLECTED
14. Groupe ISM collects various types of Personal Information in the course of its activities and service delivery, including:
a. Identity or biographical information (such as name, first name, date of birth, mailing address,
email address, etc.);
b. Information relating to recruitment and employee management;
c. Information relating to communication preferences;
d. Access and Usage Data;
e. Information provided by Suppliers on their own behalf or produced in the course of service
delivery;
f. Identification information;
g. Any other information voluntarily provided by an Applicant, Employee, Website Visitor, officer,
or director.
15. Groupe ISM collects only the Personal Information necessary for the conduct of its activities and for
the specific purposes described below.
PURPOSES FOR WHICH PERSONNAL INFORMATION IS COLLECTED, USED AND RETAINED
16. With respect to Website Visitors, Personal Information is collected, retained, and used for the following purposes:
a. To follow up on applications submitted through the Website Internet.
17. With respect to Clients, Personal Information is collected, retained, and used for the following purposes:
a. To create and maintain up-to-date client files, in order, among other things, to communicate
information to them;
b. To comply with legal and governmental requirements;
c. For administrative and management purposes;
d. For any other purposes consistent with the purposes set out above.
18. With respect to Applicants, Employees, and the officers and directors of Groupe ISM, Personal Information is collected, retained, and used for the following purposes:
a. Management of records relating to Applicants, Employees, officers, and directors;
b. Collecting and maintaining up-to-date information on Employees, officers, and directors to
enable the administrative management of human resources, including compensation, work
schedules, and leave, where applicable;
c. Ensuring the health and safety of Employees by complying with all legal and administrative
requirements necessary to provide a safe and legally compliant work environment
d. Processing payments;
e. Any other purposes consistent with the purposes set out above.
19. Groupe ISM reserves the right to modify these purposes upon providing notice to the Data Subject.
Collection
20. Personal Information is collected through interactions with Data Subjects or their authorized representatives. Such interactions may take place verbally or in writing, either physically or
electronically, depending on the most effective method under the circumstance.
21. Groupe ISM collects Personal Information relating to Website Visitors through Access and Usage Data.
Conservation
22. The Personal Information of Clients, Applicants, Employees, officers, directors, and Website Visitors that is collected is retained for the purposes set out in Sections 16, 17, and 18.
23. Only authorized Employees have access to Personal Information and to the platforms where it is collected, processed, or stored. The computer systems and the procedures governing the processing and access of Personal Information are equipped with appropriate control mechanisms, which are continuously monitored to ensure compliance with Groupe ISM’s policies on the security and protection of Personal Information.
TRANSFER OF PERSONNAL INFORMATION ABROAD
24. Personal Information held by Groupe ISM is hosted in Canada. However, certain Personal Information concerning you may, in the future, be transferred to another jurisdiction and become subject to the laws of that jurisdiction.
25. We nevertheless ensure the protection of all Personal Information under our custody, including Personal Information entrusted to a Supplier. This includes implementing robust and effective security measures, as well as prohibiting the disclosure, transfer, or use of your Personal Information by others, in accordance with the applicable legislation of the Province of Québec regarding the protection of personal information.
CONSENT
26. The collection of Personal Information is carried out directly from the Data Subject on the basis of explicit, free, and informed consent given for specific purposes.
27. Consent for a minor under the age of 14 must be provided by the holder of parental authority or by a legal guardian. Consent for a minor aged 14 or older may be given by the minor, the holder of parental authority, or the legal guardian. If we become aware that we have inadvertently collected Personal Information from individuals under the age of 14 without having obtained consent from the holder of parental authority or the legal guardian, we will ensure that such information is deleted from our records as quickly as possible. If you are the holder of parental authority or the legal guardian of a minor under the age of 14 and you are aware that your child has provided Personal Information, we invite you to contact our Privacy Officer using the contact information provided in Section 8 of this Policy so that we may take the necessary actions.
28. Consent from the Data Subject is obtained prior to the collection of data and after disclosure of the purposes for which it is collected. Such consent is valid only for the time necessary to fulfill the purposes for which it was requested.
29. Groupe ISM does not sell, trade, or exchange collected Personal Information.
30. To the extent that Groupe ISM uses technology that includes identification, monitoring, geolocation, or profiling functions, the Data Subject will be informed in advance of the use of such technology and of the options available to activate the identification, geolocation, or profiling functions
COMMUNICATION
31. Groupe ISM limits the communication and disclosure of your Personal Information for purposes other than those mentioned above; however, please note the following clarifications and exceptions.
Application of the Law
32. We may share your Personal Information in response to law enforcement requests, court orders, or other legal processes, or if we believe such disclosure is necessary to investigate, prevent, or respond to illegal activities, fraud, physical threats, or as otherwise required by any applicable law or regulation, and to the extent necessary to protect the property, interests, and rights of Groupe ISM.
Archiving Service
33. We may share your Personal Information with an organization whose purpose is the preservation of records for their general informational value.
Our Employees and Service Providers
34. Our Employees may have access to your Personal Information in order to assist us in providing services to you. They access and use such Personal Information strictly in accordance with our
instructions, only on a need-to-know basis, and under strict confidentiality and security obligations. Please note that we ensure our Employees handle this information with the utmost discretion and diligence, and in compliance with this Policy as well as applicable legal and regulatory requirements.
35. When you provide Personal Information to Groupe ISM, you grant us the right to share your Personal Information with authorized Service Providers that we deem acceptable and who will use this information to help us respond to your requests and deliver services. Please note that we will share only the Personal Information necessary for the use of such third-party services, solely for the purpose of providing those services to you, and we will ensure that these authorized Service Providers agree to keep this information confidential and secure. Service Providers retain only the information necessary to perform the functions for which they have been engaged, and we do not authorize these third parties to use or disclose your Personal Information for their own marketing or for any other purposes.
Commercial Transactions
36. Groupe ISM may be involved (1) in the sale or lease of all or substantially all of its business and/or assets, (2) in a change to its legal structure through a merger or otherwise, (3) in a ransaction to obtain a loan or any other form of financing, and (4) in any other similar transaction (individually and collectively, the “Transaction”). In connection with such a Transaction, we may transfer or disclose your Personal Information to the contracting organization, whether current or potential, but we will require that such organization agree to protect the confidentiality of your Personal Information in a manner equivalent to this Policy.
Explicit Consent of the Data Subject
37. Groupe ISM may also disclose your Personal Information if you request it or provide express consent.
38. A Data Subject may, at any time, refuse to consent to Groupe ISM collecting, using, or disclosing Personal Information, or may withdraw their consent by providing Groupe ISM with reasonable prior notice, provided, however, that such refusal or withdrawal does not limit Groupe ISM’s ability to provide its services, to comply with applicable laws regarding Personal Information in its possession, or to exercise any of its rights under this Policy or those granted by applicable legislation.
39. In certain cases, if a Data Subject refuses to provide consent, there is a risk that Groupe ISM may be unable to deliver its services, hire the individual, or retain them as an Employee, as applicable.
DESTRUCTION
40. Subject to applicable laws regarding retention, once the purposes for which they were collected have been fulfilled, Groupe ISM undertakes to securely destroy all Personal Information. When
Personal Information is destroyed, Groupe ISM ensures that no unauthorized access is possible.
41. For more details on the destruction procedure implemented by Groupe ISM, please contact the Privacy Officer using the contact information provided in Section 8 of this Policy.
ACCESS AND RIGHTS OF DATA SUBJECTS
42. You have the right to access your Personal Information and to obtain copies of it. You also have the right to update, rectify, and correct any Personal Information that you believe is inaccurate or
incomplete. You may also require the cessation of the dissemination of Personal Information concerning you, or the de-indexing of any hyperlink attached to your name that provides access to
such Personal Information by technological means, where its dissemination contravenes the Act or a court order. You may do the same or require that the hyperlink providing access to the Personal
Information be re-indexed, where certain conditions provided for by the Act are met.
43. To do so, the Data Subject may submit a written request to the Privacy Officer, whose contact information is provided in Section 8, specifying which right they wish to exercise, the reasons for
doing so, and their own contact details. This request may be sent by email. The Privacy Officer must respond in writing within 30 days from the date of receipt of any complete request in this regard.
44. If you wish to obtain copies of your Personal Information, we may charge you a minimal fee, which will be disclosed to you in advance, solely to cover the costs of transcription, reproduction, and/or transmission.
45. Subject to legal and contractual restrictions, where applicable, you may withdraw your consent at any time to the use or disclosure of Personal Information collected about you.
46. Groupe ISM updates Personal Information only upon request. It is therefore in the best interest of the Data Subject to promptly inform Groupe ISM of any change in name, address, or other relevant
Personal Information.
47. Groupe ISM reserves the right not to disclose certain Personal Information, even when requested, in specific circumstances, including the following:
a. Where disclosure would result in the communication of Personal Information, including opinions, about another individual, living or deceased;
b. Where disclosure of Personal Information would reveal trade secrets or confidential or proprietary information of Groupe ISM, or if such disclosure could undermine the integrity of the
hiring process, Employee evaluation, or any other internal process of Groupe ISM;
c. Where disclosure of Personal Information would prejudice contractual or other negotiations
involving Groupe ISM;
d. Where Personal Information is subject to litigation or is protected by solicitor-client privilege
or another legal professional privilege;
e. Where Personal Information is difficult to access and the work or cost required to extract it
would be disproportionate to its nature or value;
f. Where Personal Information does not exist or cannot be found, having been, for example,
destroyed;
g. Where disclosure of Personal Information may hinder or obstruct the work of law enforcement
agencies or other investigative or regulatory activities of a body authorized by law to conduct
such activities;
h. Where disclosure of Personal Information may be refused or is prohibited under applicable
law.
48. If Groupe ISM refuses to grant access to a Data Subject’s Personal Information, the Data Subject will receive a written explanation, information on the recourses available, and the applicable time limits within which to act, if any. This decision may be challenged by sending an email to the Privacy Officer.
COMPLAINTS
49. Any questions, comments, concerns, or complaints regarding the handling of Personal Information, this Policy, or practices related to the protection of Personal Information must be directed to the Privacy Officer, whose contact information is provided in Section 8 of this Policy.
50. Complaints must be submitted by email using the document entitled “Complaint Description”, which is available upon request from the Privacy Officer. The Privacy Officer will respond to each request within a reasonable period of thirty (30) days.
CONFIDENTIALITY INCIDENTS AND REPORTING PROCEDURE
51. Suppliers, Employees, officers, or directors must promptly report to the Privacy Officer any incident or suspected confidentiality incident of which they become aware.
52. Where possible, the individual making the report must take appropriate measures to contain the incident and limit any harm or damage, as quickly as possible.
53. Any individual intending to file a report must do so by completing the document entitled “Confidentiality Incident Reporting Form for Incidents Presenting a Plausible Risk of Serious Harm”, available upon request from the Privacy Officer, and submitting it by email to the Privacy Officer.
54. Furthermore, if the incident constitutes a crime, Groupe ISM will notify the appropriate police authority.
55. The Privacy Officer shall:
• Implement the corrective measures necessary to put an end to the incident;
• Adopt such preventive measures as deemed appropriate to prevent a recurrence;
• Record all measures taken in the Confidentiality Incident Register.
UPDATES
56. In order to keep updated with the developments in the regulatory framework applicable to the protection of Personal Information and to ensure compliance with current regulations, Groupe ISM reserves the right to amend and update this Policy at any time.
57. The last update to this Policy was made in: May 2025.