Personal Information Governance Policy

1. Purpose

This governance policy is established pursuant to section 3.2 of Quebec's Law 25 (Act to modernize legislative provisions respecting the protection of personal information).

It describes the rules that Syspark Inc. has put in place to ensure the protection of personal information it holds, in accordance with applicable legal requirements.

2. Scope

This policy applies to:

• All employees, officers, and mandataries of Syspark Inc.
• Sub-processors acting on behalf of Syspark
• All personal information held by Syspark, whether concerning clients, prospects, site visitors, job applicants, partners, or employees

3. Privacy Officer

In accordance with section 3.1 of Law 25, Syspark has designated a person in charge of the protection of personal information:

Chief Information Officer (CIO) of Syspark Inc.
Email: [email protected]

Roles and responsibilities of the Privacy Officer

• Ensure the application and compliance with Law 25 and other applicable laws
• Approve policies and practices for managing personal information
• Oversee Privacy Impact Assessments (PIAs)
• Manage access, rectification, and consent withdrawal requests
• Coordinate response to confidentiality incidents
• Train and raise awareness among personnel
• Serve as point of contact with the Commission d'accès à l'information (CAI)

4. Internal Roles and Responsibilities

4.1 Syspark Management

• Ensure that necessary resources are allocated to the protection of personal information
• Approve policies and procedures
• Receive annual governance reports

4.2 Technical team

• Implement technical security measures (encryption, firewalls, logging)
• Keep systems up to date (patches, updates)
• Monitor access and potential incidents
• Manage backups and business continuity

4.3 Sales and operations team

• Collect only necessary information
• Obtain appropriate consent
• Respect retention periods
• Report any incident to the Privacy Officer

4.4 Sub-processors

• Comply with contractual data protection clauses
• Implement equivalent security measures
• Notify Syspark of any incident

5. Personal Information Processing Workflow

5.1 Collection

• Syspark collects only the personal information necessary for the stated purpose
• Consent is obtained explicitly when required
• Individuals are informed of the collection, purposes, recipients, and their rights

5.2 Use

• Information is used only for the purposes for which it was collected
• No secondary use without additional consent
• No automated profiling or automated decisions with legal effects

5.3 Communication to third parties

• Sub-processors are governed by written contractual agreements
• No sale or transfer of personal information for commercial purposes
• Transfers outside Quebec are documented by a Privacy Impact Assessment (PIA)

5.4 Retention and destruction

• Retention periods defined by data type (see privacy policy)
• Secure destruction of information at the end of the retention period
• Destruction of paper documents by shredding, digital files by irreversible deletion

6. Security Measures

6.1 Technical measures

• TLS 1.2+ encryption for all web communications
• Encryption at rest for sensitive backups
• Access control via strong authentication for internal systems
• Logging of access to sensitive data
• Firewalls and anti-DDoS protection (Cloudflare + Syspark infrastructure)
• Regular updates of systems and software
• Network segmentation between environments

6.2 Organizational measures

• Access to personal information on a need-to-know basis
• Confidentiality agreements signed by employees
• Annual training on personal information protection
• Security awareness sessions
• Regular internal audits of practices

6.3 Physical measures

• Hosting in certified datacenters (Equinix PA2/PA3 in France, ISO/IEC 27001:2022)
• Physical access controls at Syspark's premises in Montréal
• Secure physical destruction of decommissioned media

7. Privacy Impact Assessment (PIA)

In accordance with sections 3.3 and 3.4 of Law 25, Syspark conducts a PIA:

• Before any project to acquire, develop, or redesign an information system involving personal information
• Before any transfer of personal information outside Quebec
• Before any communication of personal information for study, research, or statistical production purposes

PIAs are documented, preserved, and updated according to the evolution of processing activities.

8. Management of Requests from Data Subjects

8.1 Covered rights

Syspark processes the following requests in accordance with Law 25 and GDPR:

• Access to personal information
• Rectification of inaccurate data
• Withdrawal of consent
• Data portability (effective since September 2024)
• Erasure (GDPR)
• Objection to processing (GDPR)

8.2 Processing procedure

1. Reception: by email to [email protected]
2. Identity verification: request for proof if doubt exists
3. Analysis of the request by the Privacy Officer
4. Reasoned response within a maximum of 30 days
5. Reasoned refusal if applicable, with indication of remedies
6. Logging of the request and response

9. Management of Confidentiality Incidents

9.1 Definition

A confidentiality incident refers to:

• Unauthorized access to personal information
• Unauthorized use of personal information
• Unauthorized communication of personal information
• Loss of personal information or any other breach of its protection

9.2 Procedure

1. Detection and reporting to the Privacy Officer without delay
2. Immediate containment (measures to stop the incident)
3. Risk assessment of serious harm to affected individuals
4. If serious risk: notification to the CAI and information to affected individuals
5. Corrective measures to prevent recurrence
6. Documentation in the incident register
7. Post-incident analysis and update of procedures if necessary

9.3 Incident register

Syspark maintains an internal register of confidentiality incidents, including date, nature, personal information concerned, number of affected individuals, measures taken, and notifications made.

10. Training and Awareness

• Mandatory training for all new employees on personal information protection
• Annual refresher and update session
• Continuous awareness (internal communications, security alerts)
• Specific training for employees frequently handling personal information

11. Policy Revision

This policy is revised:

• At least once per year
• Upon any relevant legislative evolution
• After any major confidentiality incident
• Upon significant change in Syspark's activities

12. Publication

In accordance with section 3.2 of Law 25, this policy is:

• Published on Syspark's website in simple and clear terms
• Accessible in French and English from the footer
• Communicated to Syspark personnel
• Provided upon request to any person making such a request

13. Contact

For any questions regarding this policy:

Privacy Officer
Syspark Inc.
Email: [email protected] (or [email protected])

See also: Privacy Policy