Privacy Policy
Following the adoption of the Act to Modernize Legislative Provisions as Regards the Protection of Personal Information (Law 25), assented to on September 22, 2021, a number of changes have been made to Act Respecting The Protection Of Personal Information In The Private Sector, c. P-39.1 (hereinafter ” Protection of Personal Information Act “) to reinforce the protection of personal information in Quebec. Solutions Ambra devant collecter, utiliser et conserver des renseignements personnels dans le cadre de ses activités et étant assujettie à cette loi a élaboré la Personal Information Protection Gouvernance Policy (herinafter ” the Act “).
GOALS
This Policy describes the standards for the collection, use, communication and retention of personal information in order to ensure the security of such information. It also explains the roles and responsibilities of anyone within the company with access to personal information, throughout its lifecycle within the company. Finally, it describes the process for handling complaints about the protection of this information.
SCOPE OF APPLICATION
This Policy applies to Ambra Solutions, which includes employees and any person who provides services on behalf of the company.
It applies to all personal information collected, used and retained by Ambra Solutions, regardless of its form (physical, digital, written, graphic, audio, visual or other), as well as to the Ambra Solutions website, where applicable.
*Personal information is defined as any information concerning a physical person that can lead, directly or indirectly, to identify this person.
*The APPENDICES are an integral part of the Policy.
PERSONAL INFORMATION
In the course of its activities, Ambra Solutions may collect and process various types of personal information, such as :
- information relating to identity (surname, first name, age, date of birth, etc.);
- contact information (street address, e-mail address and telephone number);
- employee information (employee files, educational diplomas, social security numbers, bank details, etc.);
- any other personal information required in connection with its activities.
COLLECTION
Ambra Solutions collects personal information from employees and potential candidates for recruitment purposes.
Ambra Solutions typically collects personal information directly from the person concerned with his or her consent, unless an exception is required by law.
Consent may be obtained implicitly in certain situations, for example, when an individual decides to provide his or her personal information voluntarily as part of a potential hiring process.
In all cases, Ambra Solutions collects personal information only if it has a valid reason to do so. Furthermore, the collection of information will be limited to that which is necessary to fulfill the intended purpose.
Unless an exception is prescribed by law, Ambra Solutions will seek the consent of the person concerned before requesting personal information about him or her from a third party.
Considering that Ambra Solutions collects personal information by technological means, it has adopted a Privacy Policy available in APPENDIX 1.
USE
Ambra Solutions is committed to using personal information in its possession only for the purposes for which it was collected and as authorized by law. It may, however, collect, use or disclose them without the consent of the person concerned when allowed or required by law. Such circumstances arise especially when, for legal, medical or security reasons, it is impossible or unlikely to obtain consent, when such use is clearly for the benefit of the person concerned, when it is necessary to prevent or detect fraud or for any other compelling reason.
Ambra Solutions limits employee access to personal information and personal knowledge necessary for the proper exercise of their functions.
COMMUNICATION
Normally, Ambra Solutions cannot disclose personal information about an individual without that person’s consent.
However, Ambra Solutions may disclose personal information to a third party without the consent of the concerned individual when the disclosure is due to a regulatory or legal requirement or when the Privacy Act or any other law so allows.
RETENTION
Retention
In the context of its operations, Ambra Solutions must keep many documents containing personal information.
In addition to obligations imposed by the Canada Revenue Agency, Revenu Québec and the Act respecting labour standards, some documents must be kept for a prescribed period of time. The obligation to retain documents is described in APPENDIX 4 of this document.
Retention period
The obligation to retain certain documents is described below:
|
Document |
Retention period |
|
Curriculum vitae |
4 years |
|
Paper employee file |
7 years |
|
Payroll software employee file |
2 years |
Physical and digital documentation
Depending on the nature of the personal information, it may be stored at Ambra Solutions’ offices, in various Ambra Solutions’ or its service providers’ computer systems, or in Ambra Solutions’ or its service providers’ storage facilities.
Security measures
The security and protection of personal information is important to Ambra Solutions. The company has implemented security measures to ensure that all personal information remains strictly confidential and is protected against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
Depending on the nature of the documents and information, different levels of security are applied to document management, and actions are taken accordingly. These security precautions may include organizational measures such as restricting employee access to what is strictly necessary; backing up and archiving data using an external system, etc.; and technological measures such as the use of passwords and encryption (e.g. frequent password changes and the use of firewalls).
Text-based digitization
In the event that Ambra Solutions wishes to destroy the original documents following their digitization, it complies with the following conditions:
- The information contained in the digitized documents has not been altered and has been maintained in its entirety;
- The digitization process, and the medium used to store the digitized documents, must ensure the stability and longevity of the documents.
Ambra Solutions chooses a medium or technology for storing its documents that complies with these conditions.
When Ambra Solutions digitizes a document, it follows the procedure described in APPENDIX 2.
DESTRUCTION
Original documents containing personal or confidential information are securely destroyed.
Ambra Solutions uses permanent document destruction techniques adapted to the level of confidentiality associated with the document to be destroyed.
We refer to APPENDIX 3 for definitive document destruction procedures.
PRIVACY IMPACT ASSESSMENT
Ambra Solutions is required to conduct a Privacy Impact Assessment (PIA) for all acquisition, development and redesign of information systems or electronic service delivery projects involving personal information.
The privacy impact assessment carried out must be in proportion to the sensitivity of the information concerned, the purpose for which it is to be used, its quantity, distribution and medium.
Ambra Solutions can use the guide developed by the Commission d’accès à l’information “Support guide – Performing a privacy impact assessment” to carry out a privacy impact assessment, if necessary.
REQUEST FOR ACCESS OR RESTRICTION
Any person may request access or correction of personal information held by Ambra Solutions.
The concerned person must submit a written request to this effect to the Ambra Solutions Privacy Officer.
Subject to certain legal restrictions, individuals may request access and correction of their personal information held by Ambra Solutions if it is inaccurate, incomplete or misleading.
The Ambra Solutions Privacy Officer must respond in writing to such requests within 30 days of receiving them.
CONFIDENTIALITY BREACH
Confidentiality incidents and breaches
A confidentiality breach is any unauthorized access, use or disclosure of personal information, as well as its loss or any other form of breach of confidentiality.
If Ambra Solutions has reason to believe that a confidentiality breach involving personal information held by Ambra Solutions has occurred, Ambra Solutions will use all reasonable efforts to minimize the risk of harm and to prevent similar incidents in the future.
In the event of a confidentiality breach, Ambra Solutions will assess the extent of the prejudice. This assessment takes into account, among other things: the sensitivity of the personal information concerned; the possible malicious uses of the information; the anticipated consequences of the use of the information; and the likelihood of the information being used for harmful purposes.
When the incident presents a risk of serious harm to the individuals whose information is involved, Ambra Solutions notifies in writing :
- The Commission d’accès à l’information via the prescribed notice form ;
- The concerned individual(s). The notice must provide adequate information on the scope and consequences of the breach. This notice must include :
- A description of the personal information involved in the breach. If this information is not known, the company must explain why this information cannot be provided.
- A brief description of the circumstances surrounding the incident;
- The date or period at which the incident took place, or an estimate of this period if not known;
- A brief description of the actions taken or planned to reduce the risk of harm resulting from the incident;
- The suggested measures to mitigate or reduce the risk of harm to the concerned individual;
- Contact details of an individual or department who may be contacted to obtain further information about the incident.
Confidentiality breach records
Ambra Solutions keeps a record of confidentiality breaches in accordance with APPENDIX 4.
The log records all breaches of confidentiality involving personal information:
- those that do not present a risk of serious harm and;
- those presenting a risk of serious prejudice.
The information contained in the confidentiality breach records is kept up to date and preserved for a minimum period of five (5) years after the date or period during which Ambra Solutions became aware of the incident.
PRIVACY COMPLAINT HANDLING PROCESS
Any individual concerned by the application of this Policy may file a complaint concerning the application of this Policy or, more generally, concerning the protection of his or her personal information by Ambra Solutions.
The procedure for handling privacy complaints is described in APPENDIX 5.
CONTACT DETAILS OF THE PERSON RESPONSIBLE FOR THE PROTECTION OF PERSONAL INFORMATION
Ms. Vanessa Catalano, HR & Communications Director, is responsible for the protection of Ambra Solutions’ personal information. She can be reached by phone at 877-374-3997 Ext.1083 or by e-mail at vanessa.catalano@ambra.co. In her absence, COO Mélissa Houle will be taking over, and can be contacted at 877-374-3997 Ext.1070 or melissa@ambra.co.
The Ambra Solutions Privacy Officer may be contacted for any questions regarding the application of this Privacy Policy.
EFFECTIVE DATE OF THE POLICY
The Policy takes effect on January 1, 2024.
The Policy has been approved by the Privacy Officer and General Management.
APPENDIX 1 - PRIVACY POLICY FOR THE COLLECTION OF PERSONAL INFORMATION BY TECHNOLOGICAL MEANS
Ambra Solutions is committed to protecting the privacy and confidentiality of the personal information you provide or that we collect when you visit our website or interact with us through technological means. In this regard, this privacy policy (hereinafter the “Policy”) is intended to inform you of the personal information collected, the purposes for which it is collected, the communications that may be carried out and, more generally, the protective measures put in place. It also addresses the use of cookies, where applicable.
The Privacy Policy is adopted in accordance with article 8.2 of the Act Respecting The Protection Of Personal Information In The Private Sector, c. P-39.1 (hereinafter the « Protection of Personal Information Act»).
Consent
If you visit our website or recieve any of our services, or if you submit your personal information to Ambra Solutions, we will consider you to have consented to the purposes set out below, for which Ambra Solutions collects and uses your personal information.
Use of cookies (hereinafter referred to as “cookies”)
Ambra Solutions uses cookie technology to improve the user experience through navigating our website and to provide users with the content they are most interested in.
A cookie is a string of information sent by a website and stored on the hard drive or temporarily in a computer’s memory.
The use of cookies is standard practice in the industry, and many recognized browsers are initially configured to accept them. You can reconfigure yours to refuse or accept cookies, or to alert you when a cookie is set on your computer. Please note that if you refuse the use of cookies, you may not be able to use all the features of the Ambra Solutions website.
What type of information do we collect?
You are solely responsible for deciding whether or not to provide us with your personal information. Generally, you can visit our website or communicate with us without having to provide your personal information. However, in some cases, it will be necessary for us to collect your personal information.
When visiting our website, we may collect and use the following categories of personal information:
- Identification: your first and last name.
- Contact details: your phone number and e-mail address.
- Interactions: when you communicate with us by e-mail, chat, by submitting a comment, by filling out a form, or if you send us your resume when applying for a job at our company, we save each interaction and, if applicable, each attached file.
- Using our website: When you browse our website, we automatically collect certain personal information from your browser’s cookies, including your IP address, language preferences, the date and time of your visit and the pages you viewed.
Use of personal information collected through our website
The personal information we collect is used only for the purposes indicated at the time of collection, i.e. when you browse or disclose information on our website. We use your personal information mainly to :
- Communicate with you and keep you informed: in response to a question, comment or request for information, etc;
- To personalize, enhance or facilitate your experience on our website: for example, to store your information so that you do not need to re-enter it each time you visit our website;
- Process job applications and resumes, where applicable;
- Analyze data for marketing purposes;
- Any other use authorized or required by the applicable laws.
Sharing and communicating information
Ambra Solutions may share your personal information with other organizations only if you have given us your consent to do so. We may disclose your personal information without your consent if we are legally required or authorized to do so, but in such cases we will only provide the information that is required.
Storage and security
All personal information you provide to Ambra Solutions is stored on secure servers with access that is restricted to Ambra Solutions. We take all reasonable technological precautions, such as firewalls, anti-virus software, access management, intrusion detection and regular backups, to ensure a secure environment and protect your personal information. However, given the very nature of the public network that is the Internet, you acknowledge and accept that the security of all transmissions made through the Internet cannot be guaranteed. Consequently, Ambra Solutions cannot guarantee nor assume any responsibility for any breach of confidentiality, hacking, virus, loss or alteration of data transmitted via the Internet.
Conservation
Ambra Solutions uses and stores your personal information only as long as necessary to fulfill the purposes for which it was collected, or as otherwise authorized or required by law.
External links
This Policy does not apply to third-party websites that may be accessed by clicking on links on our website, and Ambra Solutions is not liable in any way for such third-party websites. Ambra Solutions does not make any claims regarding any other website which you may access through our website. If you follow a link to a third-party website, that site will have its own privacy policies that you should review before providing any personal information.
Please note that a link to such a site does not imply that Ambra Solutions endorses the site or accepts any responsibility for its content or the use to which it may be put. It remains your responsibility to take the necessary precautions to ensure that the site you choose to visit is free of viruses and other destructive elements.
Responsability
Ambra Solutions is not responsible for the accuracy of the information you provide through our website.
Ambra Solutions cannot be held responsible for any direct or indirect damage caused by the use or non-use of information made available on our website.
Ambra Solutions does not guarantee that the site or its content will be free of interruptions or errors, that any faults will be rectified, or that the site or the server that hosts it are free of viruses or other harmful elements.
Additional information
For any inquiries or updates regarding your personal information, please contact the Privacy Officer by calling 877-374-3997 Ext.1083 or by e-mail at vanessa.catalano@ambra.co. In her absence, COO Mélissa Houle will be taking over, and can be contacted at 877-374-3997 Ext.1070 or melissa@ambra.co.
Modification
Ambra Solutions reserves the right to modify its Privacy Policy at its discretion. Ambra Solutions will make any potential changes to this Privacy Policy available on its website.
APPENDIX 2 - DIGITIZATION PROCEDURE
The person responsible for the digitization :
- Physically prepares documents for scanning (removes paper clips and staples);
- Scans documents and remains present throughout the process to protect the integrity of digitized data;
- Performs an exhaustive verification of digitized documents to ensure quantity, quality and integrity of the reproduced documents. They ensure that :
- the digitized documents are consistent with the original documents;
- the data is legible and in good condition (no loss of detail or information);
- duplexing has been carried out, if necessary; if the duplexing option has left any blank pages, it eliminates them;
- the documents or pages have been scanned in the right orientation and format.
- Ensures that the correct number of documents or pages have been scanned (if pages are missing, they will repeat the entire scanning process);
- Renames PDF files in accordance with the naming convention established by Ambra Solutions;
- Saves the PDF file(s) to the appropriate location in Ambra Solutions digital environment;
APPENDIX 3 - DEFINITIVE DOCUMENT DESTRUCTION METHODS
Permanent document destruction methods[1]
|
Paper (original and all copies) |
– Shredder |
|
Digital formats to be reused or recycled e.g. flash memory cards (SD, XD, etc.) USB sticks, computer hard drives |
– Formatting, rewriting, digital shredding (software performing a secure deletion which writes random information in the location of the deleted file to replace it). |
|
Non-reusable digital media e.g. certain CDs, DVDs, flash memory cards, USB sticks and hard drives that will no longer be used |
– Physical destruction (shredding, crushing, surface grinding, disintegration, incineration, etc.). Most shredders are capable of destroying CDs and DVDs. – Hard drive demagnetizing. |
|
Machines containing hard disks e.g. copier, fax machines, scanners, printers, etc. |
– Overwriting of information on hard drives, or hard drives removed and destroyed when machines are replaced. |
[1] Commission d’accès à l’information, Online destruction procedure : https://www.cai.gouv.qc.ca/entreprises/procedure-de-destruction/
APPENDIX 4 - CONFIDENTIALITY BREACH RECORDS
|
Confidentiality breach records |
||||||||
|
Date or time of breach |
Individuals concerned (compromised information) |
Description of breach circumstances |
Acknowledgement of the breach
|
Number of people concerned by the incident |
Description of the factors leading to the conclusion that there is or is no risk of serious harm[1] caused to the people involved. |
Date of notice sent to the Commission d’accès à l’information
|
Date on which the notices were sent to the concerned individuals
|
Description of the measures taken to reduce the risk of harm that might be caused caused |
[1] The evaluation of the potential risk of serious harm takes into account, among other things: the sensitivity of the personal information involved; the possible malicious uses of the information and the anticipated consequences resulting from the use of the information; and the likelihood that the information could be used for harmful purposes.
APPENDIX 5 - PROCEDURE FOR HANDLING COMPLAINTS RELATED TO THE PROTECTION OF PERSONAL INFORMATION
Receiving a complaint
Any individual who wishes to make a complaint concerning the application of this policy or, more generally, the protection of their personal information by Ambra Solutions, must do so in writing to the Ambra Solutions Privacy Officer.
The person must provide their name, contact information, including a telephone number, as well as the subject and reasons for their complaint, in sufficient detail for Ambra Solutions to be able to evaluate it. If the complaint is not specific enough, the Privacy Officer may request additional information in order to assess the complaint.
Complaint processing
Ambra Solutions is dedicated to treating all complaints in the strictest confidentiality.
Complaints are handled within a reasonable time frame. The Privacy Officer will assess the complaint and provide a reasoned written response to the complainant.
The assessment will aim to determine whether Ambra Solutions’ handling of personal information complies with this policy and the organization’s practices and applicable laws or regulations.
Complaint file
Ambra Solutions shall create a separate file for each complaint submitted in compliance with this Complaint Handling Procedure. Each file contains the complaint, the assessment and supporting documentation, as well as the written response sent to the complainant.
