Privacy policy

Personal information governance policy
(Confidentiality)

1. Preamble

In the course of its management activities, Revetement Exterieur G.B. must collect, process and communicate
some personal information. In this context, Revetement Exterieur G.B. wishes to put in place, in compliance
with the law on the protection of personal information in the private sector, chapter P-39.1, the processes,
methods, instructions/rules and policies needed to ensure that the registration, processing, communication,
protection and destruction of personal information comply with the legislation in force in this area and,
ultimately, to ensure the absence of any confidentiality incident or, failing that, to have in place the
procedures necessary to minimize or eliminate serious legal damages.

2. Policy objectives

The policy has the following objectives:
– Comply with the law on the protection of personal information in the private sector, chapter P-39.1;
– Protect the personal information present;
– React effectively and show the diligence of Revêtement Exterieur G.B.;
– Understand what personal information is;
– Clearly define the responsibilities and obligations of each stakeholder in the organization;
– Have in place the policies and practices to protect the personal information collected by Revetement
Exterieur G.B.;
– Establish the actions to be taken in the event of a risk of confidentiality incident without serious legal
damages;
– Establish the actions to be taken in the event of a risk of confidentiality incident with serious legal
damages;
– Establish safe methods for the destruction of personal information;
– Establish rules for retaining personal information.

3. The organization’s commitment

Revetement Exterieur G.B. must ensure the protection of the personal information it holds, acquires,
processes, transmits and destroys.

4. The role and responsibilities of staff members and managers

Each staff member and manager is responsible for protecting the personal information they access and for
using it wisely in the context of their work, throughout the life cycle of the personal information.
At no time will a staff member or executive collect, consult, transmit or destroy personal information
without first obtaining permission from the person responsible for the protection of personal information or,
in that person's absence, from his replacement.
Failure to comply with this obligation could initiate a disciplinary process which could result in dismissal.

5. The roles and responsibilities of the person responsible for the protection of personal information throughout their life cycle

The person responsible for the protection of personal information must:
– Define his role and responsibility within the policy;
– Take inventory of the personal information acquired and evaluate its sensitivity;
– Implement measures to prevent or limit the consequences of a confidentiality incident involving
personal information;
– Evaluate the privacy impact assessment (PIA)/data protection impact assessment (DPIA).
A PIA/DPIA is a process used to determine the impact that a program or service could have on the private
life of a person;
– Raise awareness among and train company staff;
– Ensure the management of confidentiality incidents and keep a record of them;
– Know the nature of the personal information that Revetement Exterieur G.B. has;
– Hold, process and communicate personal information according to the rules laid down by law;
– Know who can have access to that personal information and for what reason;
– Ensure that the personal information to which people have access is required in the context of their duties;
– Create and implement policies and procedures for the governance of personal information;
– Apply or enforce personal information policies and practices.

6. Collection of personal information

The collection of personal information must follow these 3 rules:
– The rule of consent
– The rule of serious and legitimate interest and necessity
– The rule of direct collection

7. Security of personal information collected by information technology

Revetement Exterieur G.B. uses information technologies to support its operations. The personal
information collected is used to offer services in line with the expectations of those concerned and with the
declaration of services of Revetement Exterieur G.B. All personal information collected is kept in a
safe space that complies with the law.

7.1 Employees

All employees of Revetement Exterieur G.B. are obliged to follow the planned instructions provided in this
policy and to always act to preserve the security of the personal information collected by information
technology, held and processed by Revetement Exterieur G.B.

7.2 Access to personal information collected through information technology

Access to personal information obtained through the use of information technology will be limited to authorized individuals within the organization when such information is necessary for the performance of their duties.

7.3 Identification, localization and profiling 

Where Revetement Exterieur G.B. uses a technology that includes functions making it possible
to identify, locate or profile a person, the person concerned will be informed in advance of:
– The use of such technology;
– The means offered to activate the functions allowing identification, location or profiling.

8. Use of personal information

8.1 Use

Personal information may only be used for the purpose for which it was collected. If the personal
information is to be used for another purpose, authorization from the person concerned must be given before
their personal information is used.
As provided for by law, the collection of personal information gives authorization, on the part of the person
concerned, to use the information collected. Specifically, the limitations on the use of personal information
are as follows:
– Limit access to personal information to only those who have the capacity to receive it within the
organization, when this information is necessary for tasks related to their functions.
– Limit the use of personal information: unless otherwise provided by law, consent must be obtained from
the person concerned to use their information once the purpose of the file has been completed.

8.2 Safety during use

During the use of personal information, the person using it must ensure its protection. The person must,
without restriction:
– Not give access to an unauthorized person.
– If temporarily leaving their workspace, arrange personal information so that it is not visible to
passers-by:
• Personal information must be stored in a locked filing cabinet or drawer.
• The computer screen must be locked.
– Ensure that personal information cannot be seen from outside their workstation or office.
– Discuss personal information only in a private environment where the discussion
cannot be heard by people who are not authorized to have access to it.

9. Disclosure of personal information

9.1 Consent to communication

Before any communication, whether verbal or written (telephone, email, text message, letter, report,
website, etc.), the consent of the person concerned is necessary, except in the cases provided by law.
Specifically, the following obligations must be respected:
– Obtain consent from the individuals concerned to communicate their information to a third party (e.g.
insurer or service provider), unless an exception is provided by law;
– Respect the rule of consent (see article 7.1);
– Respect the obligations provided by law when communicating personal information without the consent
of the person concerned;
– Respect the specific obligations applicable to the communication of personal information outside
Quebec.
The authorization to collect and use personal information does not allow the information in question to be
communicated to a third party.
The person concerned must complete and sign the form for consent to communication.

10. Handling complaints relating to the protection of personal information

10.1 Handling complaints

The adequate, uniform and diligent handling of complaints is a priority at Revetement Exterieur G.B. Any
person dissatisfied with the process of collection, use, communication or destruction of personal
information can file a complaint with the person responsible for the protection of personal information.

10.2 Complaint handling process

If a complaint is filed, the person responsible for the protection of personal information must follow the
steps outlined in the procedure for handling a complaint. He has 30 days to do so. The following steps will
need to be followed:
– Receipt of the complaint
– Analysis of admissibility
– If the complaint is not admissible
• Letter to the complainant and termination of the process
– If the complaint is admissible
• Letter to the complainant and investigation
– Investigation
– Result of the investigation
– Written notice to the complainant on the result of the investigation
– Implementation of solutions
The person responsible will take all actions necessary to protect, as much as possible, the personal
information held, processed and communicated.

10.3 Security measures

The person responsible for the protection of personal information must put in place security measures to
ensure the protection of personal information collected, used, communicated, retained or destroyed
during the complaint handling process.
Those measures must be reasonable considering the sensitivity, purpose, quantity, distribution and medium of
the personal information.

11. Retention of personal information

The person responsible for the protection of personal information will see to the retention of personal
information. Retention refers to the period for which personal information is retained, in any form,
regardless of whether the information is actively used or not.

11.1 Conservation rules

Specifically, the rules are to:
– Ensure that personal information is up to date and accurate at the time it is used for a decision
relating to the person concerned;
– Implement and comply with the necessary measures to ensure the security of personal
information;
– Keep personal information until the purposes for which it was collected are achieved or as determined
by law;
– Keep personal information in a secure location intended for this purpose;
– Allow the use of personal information, once the purpose for which it was collected is accomplished,
only with the consent of the person concerned, subject to the time limit provided by law or by a retention
schedule established by government regulation.

11.2 End of retention period

At the end of the retention period, in other words, once the purpose for which the personal information was
collected has ended, Revetement Exterieur G.B. will ensure that the information is:
– Destroyed securely and as provided in this policy;
Or
– Anonymized irreversibly (meaning that it no longer makes it possible to identify the person concerned or to
establish a link between the person concerned and the personal information), with
the aim of using it for a serious and legitimate purpose.

11.3 Retention period

The retention period is the duration necessary to achieve the purposes for which the information was
requested, or the period provided in the document on the retention period of personal information, or the
period provided for in a law in force.

12. Rules for destroying personal information

The person responsible for the protection of personal information must ensure that the destruction of
personal information is done in a secure manner. In addition, if the organization wishes to keep personal
information, the person responsible for protecting personal information must ensure its anonymization and
use for serious and legitimate purposes.

12.1 The moment of destruction

The person responsible for the protection of personal information must take the necessary
measures to ensure that, once the purpose for which the personal information was collected is accomplished,
and subject to the time limit provided by law or by a retention schedule established by government
regulation (e.g. for tax obligations), the information is destroyed.

12.2 The method of destruction

A destruction method is a process that allows personal information to be permanently and irreversibly
destroyed. This may include shredding, formatting, rewriting, physical destruction, crushing,
demagnetization, overwriting information.

12.3 Anonymization methods

An anonymization method is an irreversible process by which personal information is processed in such a
way as to make the direct or indirect identification of the person concerned impossible.

12.4 Policy enforcement

The person responsible for the protection of personal information has the responsibility to interpret and
apply the policy.

12.5 Policy revision

This policy will be reviewed every 3 years.

12.6 Effective date

The policy will take effect on July 26, 2024.