Date of last change: October 23, 2024
As a responsible organization, Les Emballages Carrousel Inc. (hereinafter “Carrousel”) is extremely diligent about the protection of its employees’, clients’ and partners’ personal information (PI), implementing procedures and technical solutions that comply with cybersecurity standards and applicable regulations, in particular Law 25, which modernizes legislative provisions surrounding the protection of personal information in Quebec.
This policy is regularly updated and published on all Carrousel websites. The purpose of this publication is to inform our stakeholders about the management of and rights relating to personal information handled by Carrousel.
This general policy applies to all Carrousel business units based in the province of Quebec that handle personal information hosted or stored in Quebec.
“Personal Information” (PI) refers to any information that relates to a natural person and that allows, directly or indirectly, that person to be identified. This definition applies to information collected and retained by Carrousel or by a third-party partner, regardless of the medium on which it is stored and the form in which it is accessible.
Note: Personal information concerning the exercise of a function within an enterprise by a specific person (name, title, function, email address, business telephone number, etc.) does not fall within the scope of this policy, nor of Quebec’s Act to modernize legislative provisions as regards the protection of personal information.
1. Personal Information
1.1 Personal information collected
The categories (non-exhaustive) of personal information collected by Carrousel are listed below:
- Identifying information: last name, first name, mailing address, cellphone number, personal email address, nationality, age range, date of birth, marital status, avatar, photo, awards or prizes, postal code, country or city of birth, etc.
- Application and hiring information (employees, volunteers): Social Insurance Number (SIN), résumé, educational background, level of education, school, experience, recommendation letters, references, work history, hobbies, interest categories, community involvement, club/charity memberships (other than political or religious), educational programs, academic records, test/exam scores, high school diploma, grades/grade point average, interview information, etc.
- Commercial information: credit card numbers, account details, money transfer details, etc.
- Computer and digital activity information: IP address, MAC address, logs, device type, etc.
- Account information: roles and permissions, settings and preferences, login information, etc.
1.2 Purposes of collecting and processing personal information
Carrousel collects and processes personal information (with your consent) for the following purposes:
- Prospection and commercial transactions
- Website customization
- Use of the services offered by Carrousel
- Marketing and segmentation of donors
- Transaction management: orders, shipping, billing, payments
- Sending commercial communications related to our company or selected partner companies
- Notifications or newsletters
- Verification of educational background/degrees, conducting interviews, recruiting events, reference checks, gathering information on job applicants, identifying and attracting qualified candidates
- Management of profiles, applications and exchanges with Carrousel
- Sending messages about positions that may be of interest to candidates
- Analysis, research and development: optimization of IT resources, research and development, including to improve our products, websites, applications, services and user experience, as well as other research and analysis purposes to improve our products, services, activities, operations and processes
- Audits, reports and investigations: statistics, internal investigations, reports on ethics and compliance incidents, conflict of interest management, compliance with export controls, litigation management, company’s legal obligations and mandate management
- Legal compliance: compliance with legal obligations, in particular to respond to an authority, a judicial decision or a request for document disclosure
- Protect the company’s employees, clients and partners, and others: when it is necessary to investigate, prevent or take action on illegal activities, suspected fraud, potential threats to individuals, violation of policies, conditions or other regulations
Personal information is used only for the purposes stated above.
Personal information may also be used for another purpose as long as it is consistent with the original purpose and the information provided to the owner of said information.
1.3 Life cycle of personal information
Retention and updating of personal information
Personal information is retained only as long as necessary for the purposes for which it was collected or as long as necessary to comply with Carrousel’s legal and contractual obligations.
A procedure is in place for updating personal information to ensure its accuracy, destruction, or anonymization once the objective has been achieved.
1.3.1 Information on the collection of personal information
Carrousel must inform donors and users about the collection of personal information, including:
- The purposes for which the information is collected.
- The means by which the information is collected.
- The right to access and correct the information, as provided by law.
- The right to withdraw consent for the disclosure or use of the information collected.
The information is collected as follows:
- According to the general and special terms and conditions provided upon entering into a contractual transaction with Carrousel.
- At the time of confirmation of the user’s consent when creating a donor account.
- At the time of a donation (online link, etc.).
Note: Personal information may be used for another purpose without the consent of the individual:
- When its use is consistent with the purposes for which it was collected.
- When its use is clearly for the benefit of the individual concerned.
- When its use is necessary for study, research or statistical purposes and it is de-identified.
1.3.2 Consent to the disclosure of personal information
Except as provided by law, a donor’s consent for the disclosure of their personal information must be express, voluntary, informed and intended for the purposes defined above.
- Consent is confirmed through a click box.
- Consent is obtained separately for each intended purpose.
- Consent is valid only for the time required to achieve the purposes for which it was requested.
Consent of minors under the age of 14 is given by the holder of parental authority or the guardian. Consent of minors aged 14 and over is given by the minor, the holder of parental authority or the guardian.
Exemption from consent
Consent for the collection or disclosure of personal information is not required in the following circumstances:
- Disclosure of personal information for study, research or statistical purposes.
- Other cases provided for by law: communication to the Attorney General, prosecution of an offence under a Quebec law, application of a collective agreement, emergency situation involving endangerment, etc.
1.3.3 Disclosure of personal information outside Quebec
Personal Information collected may be stored in, processed in and transferred to any country or region in which Carrousel operates, to enable the company to use such information in accordance with this policy.
In the event of a transfer outside of the province of Quebec, the Personal Information Privacy Officer (PIPO or Privacy Officer) will conduct and formalize a Privacy Impact Assessment (PIA) to ensure that the personal information is afforded the appropriate level of protection and confidentiality.
1.3.4 Protection of personal information
In accordance with Carrousel’s information security policy, personal information is confidential data and must be secured or anonymized using the tools and procedures provided, depending on the information medium.
Carrousel complies with the regulations and standards applicable to the protection of personal information and the security of information systems.
Security assessments are conducted to ensure the robustness of Carrousel’s privacy and cybersecurity management system.
Carrousel applies technical, organizational and incident response security measures to protect personal information managed by the company. These include:
- Identification of PI and sensitive data
- Personal information management risk analysis
- Human resources provisions (onboarding, retention, training)
- Governance of information systems security
- Identity management and personal information policy
- Technical means (protection, detection, encryption)
- Safeguarding and recovery measures
- Physical protection (servers, PCs)
2. PI owner rights and complaint management
2.1 Rights of the owner of the PI
Through the Privacy Officer, each Carrousel department handling personal information must be able to respond to the following requests:
- Withdrawal of consent for the use or disclosure of personal information.
- Right to access and correct personal information.
- Right to be forgotten. In some cases, such as when personal information is no longer necessary for the purposes for which it was collected or when the dissemination of the personal information contravenes the law, the personal information must be deleted and all hyperlinks de-indexed.
- Right to portability of information in a structured, commonly used and readable format.
2.2 Contact information and processing complaints about the management of PI
In accordance with the law, any person who wishes to have access to their personal information, wishes to modify it, or is dissatisfied with the way their personal information has been handled may contact the Carrousel Data Privacy Officer by the following means:
- Email: [email protected]
- Mailing address: 1401 rue Ampère, Boucherville, QC J4B 6C5
- Phone: 514-875-2025
The procedure for requesting access to personal information is free of charge.
Requests for access to personal information are duly registered.
The transmission of any personal information is subject to verification of the requester’s identity according to the procedure in place within Carrousel.
A response to an access request must be provided to the requester within 30 days of receiving the request. Otherwise, the request is considered denied.