Privacy Policy
Privacy Policy – Compliance with Law 25
Purpose
Law 25 aims to modernize legislative provisions concerning the protection of personal information. It is designed to protect the population of Quebec by holding businesses accountable for the personal information they collect. The objective of Law 25 is to establish clear rules regarding the collection, use, retention, and disclosure of personal information by organizations in the course of their operations.
Scope
The Act applies to all public bodies and private enterprises that collect, hold, or process personal information.
Definition of Personal Information
Personal information refers to any data about an individual that allows, directly or indirectly, that person to be identified, regardless of the format. This information is confidential and cannot be disclosed without the consent of the individual, unless an exception applies.
Examples of personal information include:
Name, address, civil status, social insurance number, or date of birth;
Information related to race, national or ethnic origin, or family status;
Educational background, medical records, criminal history, professional background;
Biometric information such as fingerprints or blood type;
Job title, workplace addresses and phone numbers;
Voicemail messages, videos, recordings, or photos.
Use of Data
Data usage refers to the period during which authorized individuals within the company use the information. The organization must adhere to the following obligations:
Limit access to personal information to employees who require it to perform their duties;
Use personal information only for essential purposes.
Data Retention
Retention refers to the period during which the organization holds personal information, in any format, whether or not it is actively used.
Rights of Individuals
In accordance with Law 25, individuals whose personal information is held by Solaris Québec Portes et Fenêtres Inc. have the following rights:
Right to Information: To know what personal data is collected, for what purposes, and how it is used;
Right of Access: To obtain a copy of the personal data held about them;
Right to Rectification: To correct inaccurate, incomplete, or equivocal information;
Right to Withdraw Consent: To withdraw consent to the use or disclosure of their information, subject to legal or contractual obligations;
Right to Erasure: To request deletion of their personal data when it is no longer needed;
Right to Data Portability (as phased in): To receive their data in a structured and commonly used technological format;
Right to File a Complaint: To file a complaint with the organization’s data protection officer or with the Commission d’accès à l’information du Québec.
To exercise these rights, individuals may contact us at: confidentialite@solarisquebec.com
Responsibility of Solaris Québec Portes et Fenêtres Inc.
The organization is responsible for complying with all requirements of Law 25. Failure to comply may result in significant financial penalties.
Role of the Data Protection Officer
The organization must appoint a Data Protection Officer (DPO) who understands the nature of the personal information collected, manages access logs, and ensures internal data governance. This person serves as the internal point of contact for all privacy-related matters.
Employee Responsibilities
All employees are responsible for the sensitive information they access. They must comply with the company’s security systems and report any data security incidents they witness or cause, according to established procedures.
Physical, Organizational, and Technological Safeguards
The level of protection required varies based on the sensitivity of the data and how it is stored. The following rules must be followed:
Personal information must never be left unattended;
Access to data is limited to those with a legitimate business need;
When sharing with third parties, only necessary information is provided;
Passwords must never be disclosed and must be protected by multi-factor authentication;
Devices must lock automatically after 5 minutes of inactivity.
Employees must be especially vigilant when handling sensitive personal information, including:
Employee records;
Medical files;
Financial records.
Security Incident Reporting
Any employee or individual associated with Solaris Québec Portes et Fenêtres Inc. must report any security incident in accordance with the company’s procedure (see Annex 1). Reports should be sent by email to confidentialite@solarisquebec.com to assist the privacy committee in assessing the incident and determining the appropriate response.
Handling of Security Incidents
All security incidents will be treated with the utmost importance. The internal committee will address the situation promptly and, if necessary, report it to the Commission d’accès à l’information du Québec.
Data Destruction or Anonymization
Unless required by law to retain data for a minimum period, Solaris Québec Portes et Fenêtres Inc. retains personal information only as long as necessary. Once the retention period has ended, the company will:
Destroy the data; or
Anonymize it (making it irreversibly unidentifiable) for legitimate business use.
Destruction must be performed in a secure manner.
This policy may be supplemented by internal procedures concerning data retention and destruction. For more information, contact our Data Protection Officer at confidentialite@solarisquebec.com.
Federal and Provincial Legislation
The Personal Information Protection and Electronic Documents Act (PIPEDA) establishes federal standards for how private-sector organizations collect, use, and disclose personal data. It applies to businesses, nonprofits, and federal agencies.
Quebec was the first jurisdiction in North America to adopt a comprehensive privacy law for the private sector. Other provinces, such as Alberta and British Columbia, have adopted similar legislation (e.g., the Personal Information Protection Act).
As additional provinces enact similar laws, businesses operating in those provinces must comply with applicable local legislation. PIPEDA continues to govern interprovincial, international, and cross-border data transactions.