Privacy Policy and Confidentiality Policy

1. Context

The Coalition for the Diversity of Cultural Expressions (CDCE) is a non-profit organization registered in the Quebec business registry that handles personal information in the course of its activities.

This policy aims to ensure the protection of personal information and to outline the manner in which the CDCE collects, uses, discloses, retains, and destroys it, or otherwise manages it. Moreover, it seeks to inform any interested party about how the CDCE processes their personal information. It also addresses the processing of personal information gathered by the CDCE through technological means.

2. Scope and definitions

This policy applies to the CDCE, which notably includes its officers, employees, consultants, members, as well as anyone else who otherwise provides services on behalf of the CDCE. It also applies to the CDCE’s website.

It addresses all types of personal information managed by the CDCE, whether it’s the information of its current or potential clients, consultants, employees, members, or any other persons (such as visitors to its websites or otherwise).

For the purposes of this document, personal information is information relating to a natural person that allows, directly or indirectly, to identify them. For example, this could be the name, address, email address, phone number, gender, or banking information of an individual, information about their health, ethnic origin, language, etc.

Sensitive personal information is information for which there is a high degree of reasonable expectation of privacy, for example, health information, banking information, biometric data, sexual orientation, ethnic origin, political opinions, religious or philosophical beliefs, etc.

Generally, a person’s professional or business contact details are not considered personal information, for example, the name, title, address, email address, or work phone number of an individual. More specifically and for clarity, as per the “Act respecting the protection of personal information in the private sector” of Quebec, and as of September 22, 2023, sections 3 (collection, use, disclosure), 4 (storage and destruction), and 6 (data security) do not apply to the information about a person relating to their role in a company, such as their name, title, role, as well as the address, email, and phone number of their workplace.

The same paragraphs also do not apply to personal information that is public by law, effective from the date of implementation of this policy.

3. Collection, Use, and Disclosure

In the course of its activities, the CDCE may collect various types of information, for various purposes. The types of information that the CDCE might collect, their use (or the intended purpose), and the means by which the information is collected are specified in Annex A of this policy.

The CDCE will also inform the relevant individuals at the time of collecting personal information about any other information collected, the purposes for which they are collected, and the means of collection, in addition to other information to be provided as required by law.

The CDCE applies the following general principles regarding the collection, use, and disclosure of personal information:

Consent :

• Generally, the CDCE collects personal information directly from the concerned individual and with their consent, unless an exception is provided by law. Consent can be obtained implicitly in certain situations, for instance, when the person chooses to provide their personal information after being informed by this policy about the use and disclosure for the purposes indicated therein (see Annex A for more details). Thus, this policy and the information it contains can be consulted by the concerned individual at the time of the collection of personal information.
• Normally, the CDCE must also obtain the consent of the concerned person before collecting their personal information from third parties, before disclosing it to third parties, or for any secondary use of it. However, the CDCE may act without consent in certain cases provided by law and under the conditions set by the law. The main situations where the CDCE can act without consent are indicated in the relevant sections of this policy.

Collection :

• In all cases, the CDCE only collects information if there is a valid reason to do so. Moreover, the collection will be limited only to the necessary information needed to achieve the intended purpose.
• Please note that the CDCE’s services and programs do not target minors, and more generally, the CDCE does not intentionally obtain personal information concerning minors (in such cases, information cannot be collected from them without the consent of a parent or guardian).
• Collection from third parties. The CDCE may collect personal information from third parties. Unless an exception provided by law applies, the CDCE will seek the consent of the concerned individual before collecting personal information about them from a third party. If such information is not collected directly from the person but from another organization, the concerned individual can ask the CDCE about the source of the collected information.

In certain situations, the CDCE may also collect personal information from third parties, without the consent of the concerned individual, if there is a serious and legitimate interest in doing so and a) if the collection is in the individual’s best interest and it’s not possible to do it in a timely manner from them, or b) if this collection is necessary to ensure the accuracy of the information.

Additionally, the CDCE may collect personal information indirectly by using platforms such as:

• Mailjet. Mailjethas its own terms of service and privacy policy, which can be consulted for further details.

• Eventbrite. Eventbrite has its own terms of service and privacy policy, which can be consulted for more information.

This collection through third parties might be necessary to utilize certain services or programs, or to otherwise engage with the CDCE. When required, the CDCE will obtain the individual’s consent at the appropriate time.

Retention and use :

• The CDCE ensures that the information it holds is up-to-date and accurate at the time it is used to make a decision concerning the individual in question.
• The CDCE can only use an individual’s personal information for reasons indicated herein or for any other reasons provided at the time of collection. As soon as the CDCE wishes to use this information for another reason or purpose, new consent must be obtained from the concerned individual, which must be expressly obtained if it concerns sensitive personal information. However, in certain cases provided by law, the CDCE can use the information for secondary purposes without the individual’s consent, e.g.:
  • when this use is clearly for the benefit of the individual;
  • when it is necessary to prevent or detect fraud;
  • • when it is required to evaluate or enhance security and protection measures.

• Limited Access. The CDCE must implement measures to limit access to personal information only to employees and individuals within its organization who are qualified to be aware of it and for whom this information is necessary in the performance of their duties. The CDCE will seek the individual’s consent before granting access to any other person.

Communication :

• Generally, and unless an exception is indicated in this policy or otherwise provided by law, the CDCE will obtain the consent of the concerned individual before disclosing their personal information to a third party. Additionally, when consent is necessary and it concerns sensitive personal information, the CDCE will need to obtain the explicit consent of the person before disclosing the information.
• However, disclosing personal information to third parties is sometimes necessary. Thus, personal information can be shared with third parties without the consent of the concerned person in certain cases, notably, but not exclusively, in the following situations:
  • The CDCE may disclose personal information, without the consent of the concerned person, to a public body (such as the government) which, through one of its representatives, collects it in the exercise of its powers or the implementation of a program under its management.
  • Personal information may be transmitted to its service providers to whom it is necessary to share the information, and this without the consent of the person. For instance, these service providers can be event organizers, CDCE subcontractors appointed for the execution of mandates in the programs administered by the CDCE, and cloud service providers. In these cases, the CDCE must have written contracts with these providers that detail the measures they must take to ensure the confidentiality of the disclosed personal information, that the use of this information is only within the framework of executing the contract, and that they cannot retain this information after its expiration. Moreover, these contracts must specify that the providers must notify the CDCE’s personal data protection officer (mentioned in this policy) of any breach or attempted breach of confidentiality obligations concerning the disclosed personal information and must allow this officer to conduct any audit concerning this confidentiality.
  • If necessary for the conclusion of a business transaction, the CDCE might also disclose personal information, without the consent of the concerned person, to the other party of the transaction, subject to conditions provided by law.

• Communication outside Quebec : It is possible that the personal information held by the CDCE may be disclosed outside of Quebec, for example, when the CDCE uses cloud service providers whose server or servers are located outside Quebec or when the CDCE deals with subcontractors located outside of the province.

Additional informationon the technologies used :

• Use of connection cookies

Connection cookies are data files sent to a visitor’s computer by their web browser when they visit a site and can have several uses.

Websites controlled by the CDCE use connection cookies for the following reasons:

• To remember visitors’ settings and preferences, for example, language selection and to allow tracking of the current session.
• For statistical purposes to understand the behavior of visitors, the content viewed, and to allow for website improvement.

Websites controlled by the CDCE use the following types of cookies:

• Session cookies : These are temporary cookies that are kept in memory only for the duration of the website visit.
• Persitent cookies : These are kept on the computer until they expire, and they will be retrieved on the next site visit.

Some connection cookies may be disabled by default, and visitors can choose whether or not to activate these features when visiting the CDCE’s websites.

It’s also possible to enable and disable the use of connection cookies by changing the preferences in the settings of the used browser.

• Use of Google Analytics

The CDCE website (https://cdec-cdce.org/en/) uses Google Analytics to enable its continuous improvement. Google Analytics specifically helps analyze how a visitor interacts with the CDCE website. Google Analytics uses connection cookies to generate statistical reports on the behavior of these website visitors and the content they view.

The information from Google Analytics will never be shared by CDCE with third parties.

It is possible to install a Google Analytics opt-out browser add-on.

• Other Technological Means Used

CDCE also collects personal information through technological means such as web forms integrated into a website controlled by CDCE (for example, its contact form, and its newsletter registration form), online surveys on its platforms and apps, and other form platforms or tools (e.g., Microsoft Forms).

If CDCE collects personal data while offering a technological product or service that has privacy settings, CDCE must ensure that these settings offer the highest level of privacy by default (connection cookies are not targeted).

4. Retention and Destruction of Personal Information

Unless a minimum retention period is required by applicable law or regulation, the CDCE will retain personal information only for the duration necessary to achieve the purposes for which it was collected.

Personal information used by the CDCE to make a decision about an individual must be kept for a period of at least one year following the decision in question or even seven years after the end of the fiscal year in which the decision was made if it has tax implications, for example, the circumstances of an employment termination.

At the end of the retention period or when the personal information is no longer necessary, the CDCE will ensure:

1. to destroy them; or
2. to anonymize them (i.e., they no longer allow, irreversibly, the identification of the individual and it is no longer possible to establish a link between the individual and the personal information) for serious and legitimate purposes.

The destruction of information by the CDCE must be done securely to ensure the protection of this information.

This section may be supplemented by any policy or procedure adopted by the CDCE concerning the retention and destruction of personal information, as appropriate. Please contact the CDCE’s personal data protection officer (indicated in this policy) for more information.

5. Responsabilities of the CDCE

Generally, the CDCE is responsible for the protection of the personal information it holds.

The CDCE’s personal data protection officer is the executive director of the organization. Generally, he or she must ensure compliance with applicable legislation concerning the protection of personal information. The officer must approve policies and practices governing the governance of personal information. Specifically, this individual is responsible for implementing this policy and ensuring that it is known, understood, and applied. In the absence or inability of this officer to act, the co-chairs of the CDCE will assume the duties of the personal data protection officer.

Staff members of the CDCE who have access to personal information or are otherwise involved in its management must ensure its protection and comply with this policy.

The roles and responsibilities of CDCE employees throughout the lifecycle of personal information can be clarified by any other CDCE policy in this regard, if applicable.

6. Data Security

The CDCE commits to implementing reasonable security measures to ensure the protection of the personal information it manages. The security measures in place correspond, among other things, to the purpose, quantity, distribution, medium, and sensitivity of the information. Thus, this means that information that can be qualified as sensitive (see the definition provided in section 2) will require more substantial security measures and must be better protected. Notably, and in accordance with what was mentioned earlier concerning limited access to personal information, the CDCE must implement necessary measures to impose constraints on the rights of use of its information systems so that only employees who need to have access are authorized to do so.

7. Rights of Access, Rectification, and Withdrawal of Consent

To assert their rights of access, rectification, or withdrawal of consent, the concerned individual must submit a written request for this purpose to the CDCE’s personal information protection officer, using the email address indicated in the following section.

Subject to certain legal restrictions, concerned individuals can request access to their personal data held by the CDCE and request corrections in cases where they are incorrect, incomplete, or ambiguous. They can also demand the cessation of the distribution of personal information concerning them or that any hyperlink attached to their name, which gives access to this information by technological means, be de-indexed when the distribution of this information violates the law or a judicial order. They can also do the same, or even demand that the hyperlink giving access to this information be re-indexed, when certain conditions provided by law are met.

The CDCE’s personal information protection officer must respond in writing to these requests within 30 days from the date of receiving the request. Any refusal must be justified and accompanied by the legal provision justifying the refusal. In these cases, the response must indicate the remedies under the law and the time limit to exercise them. The officer must help the applicant understand the refusal if necessary.

Subject to applicable legal and contractual restrictions, concerned individuals can withdraw their consent for the communication or use of the collected information.

They can also ask the CDCE about the personal information collected from them, the categories of people at the CDCE who have access to it, and its retention period.

8. Complaints Handling Process 

Receipt

Anyone wishing to file a complaint related to the implementation of this policy or, more generally, the protection of their personal data by the CDCE, must do so in writing by contacting the CDCE’s personal information protection officer, using the email address indicated in the following section.

The individual must provide their name, contact details, including a phone number, as well as the subject and reasons for their complaint, providing sufficient detail for it to be evaluated by the CDCE. If the complaint made is not specific enough, the personal information protection officer may request any additional information they deem necessary to assess the complaint.

Processing

The CDCE commits to handling every complaint received confidentially.

Within 30 days of receiving the complaint, or upon receipt of any additional information deemed necessary and required by the CDCE’s Personal Data Protection Officer for its evaluation, the officer must assess and send a reasoned written response via email to the complainant. This assessment will determine if the CDCE’s handling of personal information aligns with the current policy, any other practices and policies in place within the organization, and any applicable laws or regulations.

If the complaint cannot be processed within this timeframe, the complainant must be informed of the reasons for the delay extension, the progress of their complaint’s processing, and the reasonable timeframe required to provide a final response.

The CDCE must create a separate file for each complaint it receives. Each file should contain the complaint, its evaluation, supporting documentation, and the response sent to the individual who raised the concern.

It is also possible to lodge a complaint with the “Commission d’accès à l’information du Québec” or any other supervisory authority responsible for the enforcement of the law related to the nature of the complaint regarding personal data protection.

However, the CDCE encourages any interested party to first contact its Personal Data Protection Officer and wait until the CDCE’s complaint processing procedure concludes.

9. Approval

This policy is approved by the Personal Data Protection Officer of the CDCE, whose business contact details are as follows:

Personal Data Protection Officer:

Marie-Julie Desrochers
33, Milton St., 500
Montreal, QC  H2X 1V1
mjdesrochers@cdec-cdce.org

For any requests, questions, or comments regarding this policy, please contact the Personal Data Protection Officer via email.

10. Publication and Amendments

This policy is published on the CDCE’s website to which this policy applies, specifically in relation to the personal data collected there. This policy is also disseminated through any appropriate means to reach the affected individuals.

The CDCE must also do the same for any changes to this policy, which must also be subject to a notice to inform the relevant individuals.

Annex A 

Here is a non-exhaustive list of the types of information that the CDCE might collect, its use, or the intended purpose, as well as the means by which the information is collected. This includes, but is not limited to, the following items.

Please note that most of the personal data managed by the CDCE pertains to employees, job candidates, and consultants. As for the other categories of individuals indicated in the table below, the provided information is, in most cases, of a professional or business nature (see section 2 regarding professional contact details). It should be noted that in most cases, the CDCE also collects the professional title/position of individuals, the name of the organization, and/or the organization’s address (see section 2 regarding professional contact details).