Context

The Quebec Mineral Exploration Association (QMEA) is a non-profit legal entity under Quebec law that processes personal information as part of its activities. This policy aims to ensure the protection of personal information and to frame how QMEA collects, uses, discloses, retains, and destroys or otherwise manages it. Additionally, it aims to inform any interested individual about how QMEA handles their personal information. It also addresses the processing of personal information collected by QMEA through technological means.

Scope

This policy applies to QMEA, including its directors, employees, consultants, volunteers, and any person otherwise providing services on behalf of QMEA. It also applies to QMEA’s website, as well as websites (coreplatform.ca, libres.aemq.org, exploabitibi.aemq.org, xplor.aemq.org et membre.aemq.org) controlled and maintained by QMEA. It encompasses all types of personal information managed by QMEA, whether concerning its clients, potential or current, consultants, employees, members, or any other individuals (such as visitors to its websites or others).

Definitions

Personal Information: Refers to an individual and enables their direct or indirect identification. For example, it could include a person’s name, address, email address, phone number, gender, or banking information, as well as information about their health, ethnic origin, language, etc.

Sensitive Personal Information: Refers to any personal information that, due to its nature, especially medical, biometric, or otherwise intimate, or because of its use or disclosure, raises a high degree of reasonable privacy expectation.

Business Contact Information: Refers to personal information concerning a person’s role within a company, such as their name, title, and function, as well as their business postal address, email address, and phone number.

Privacy Incident: Refers to any unauthorized consultation, use, or disclosure of personal information under the law, or any loss or other breach of the protection of such information.

Privacy Officer: Ensures compliance with applicable legislation regarding the protection of personal information. The officer must approve policies and practices governing personal information governance. Specifically, this person is responsible for implementing this policy and ensuring it is known, understood, and enforced.

In general, a person’s business or professional contact information does not constitute personal information, for example, a person’s name, title, address, email address, or work phone number.

Specifically, under the Quebec Private Sector Personal Information Protection Act, as of September 22, 2023, sections 3 (collection, use, disclosure), 4 (retention and destruction), and 6 (data security) do not apply to a person’s information related to their role in a company, such as their name, title, function, as well as their work address, email address, and phone number. These same paragraphs also do not apply to personal information that is public under the law, effective from the date of this policy.

Collection, Use, and Disclosure

During its activities, QMEA may collect various types of information for different purposes. The types of information that QMEA might collect, their use (or intended purpose), and how information is collected are outlined in Appendix A of this policy.

QMEA will also inform affected individuals, at the time of collecting personal information, of any other information collected, the purposes for which they are collected, and the means of collection, in addition to other required information as mandated by law.

QMEA applies the following general principles regarding the collection, use, and disclosure of personal information:

Consent:

• In general, QMEA collects personal information directly from the individual concerned and with their consent, unless an exception is provided by law. Consent may be obtained implicitly in certain situations, for example, when the individual decides to provide their personal information after being informed by this policy about its use and disclosure for the purposes outlined herein (see Appendix A for more details). Thus, this policy and the information it contains can be accessed by the individual concerned at the time of collecting personal information.
• QMEA must also obtain the consent of the individual concerned before collecting their personal information from third parties, before disclosing it to third parties, or for any secondary use thereof. However, QMEA may act without consent in certain cases provided by law and under the conditions set out therein. The main situations where QMEA may act without consent are indicated in the relevant sections of this policy.

Information collection:

• In all cases, QMEA only collects information if it has a valid reason to do so. Moreover, the collection will be limited to the necessary information needed to fulfill the intended purpose.
• Please note that QMEA’s services and programs are not aimed at minors, and more generally, QMEA does not intentionally obtain personal information about minors (in such cases, information cannot be collected from them without the consent of a parent or guardian).
• Collection from Third Parties. QMEA may collect personal information from third parties. Unless an exception provided by law applies, QMEA will seek the consent of the individual concerned before collecting personal information about them from a third party. In cases where such information is not collected directly from the individual, but from another organization, the individual concerned may request the source of the information collected by QMEA.

In certain situations, QMEA may also collect personal information from third parties without the consent of the individual concerned if it has a serious and legitimate interest to do so and a) if the collection is in the interest of the individual and it is not possible to collect it from them in a timely manner, or b) if this collection is necessary to ensure that the information is accurate.

Additionally, QMEA may collect personal information indirectly, including by:

• Yapla: Yapla has its own terms and privacy policy, which can be consulted for more information.
• Paypal: Paypal has its own terms and privacy policy, which can be consulted for more information.
• Rouillier Communication Agency: Rouillier Communication Agency has its own terms and privacy policy, which can be consulted for more information.
• Eudonet: Eudonet has its own terms and privacy policy, which can be consulted for more information.
• Arkys: Arkys has its own terms and privacy policy, which can be consulted for more information.

This collection through third parties may be necessary to use certain services or programs, or to otherwise engage with QMEA. When required, QMEA will obtain the individual’s consent at the appropriate time.

Retention and Use:

• QMEA ensures that the information it holds is up-to-date and accurate at the time of its use to decide regarding the individual concerned.
• QMEA may only use an individual’s personal information for the reasons outlined herein or for any other reasons provided at the time of collection. Whenever QMEA intends to use this information for another reason or purpose, new consent must be obtained from the individual concerned, which must be obtained explicitly if it involves sensitive personal information. However, in certain cases provided by law, QMEA may use the information for secondary purposes without the individual’s consent, e.g.:
  • When such use is clearly to the benefit of the individual.
  • When it is necessary to prevent or detect fraud.
  • When it is necessary to assess or improve protection and security measures.
• Limited Access: QMEA must implement measures to restrict access to personal information only to employees and individuals within its organization who are authorized to access it and for whom the information is necessary in the performance of their duties. QMEA will seek the individual’s consent before granting access to any other person.

Communication:

• Generally, and unless an exception is indicated in this policy or otherwise provided by law, QMEA will obtain the consent of the individual concerned before disclosing their personal information to a third party. Moreover, when consent is required and it concerns sensitive personal information, QMEA must obtain explicit consent from the individual before disclosing the information.
• However, disclosure of personal information to third parties is sometimes necessary. Thus, personal information may be disclosed to third parties without the consent of the individual concerned in certain cases, including, but not limited to, the following cases:
  • QMEA may disclose personal information, without the consent of the individual concerned, to a public body (such as the government) that collects it through its representatives in the exercise of its powers or the implementation of a program it manages.
  • Personal information may be transmitted to its service providers who need the information without the consent of the individual. For example, these service providers may be event organizers, QMEA subcontractors designated for mandates in programs administered by QMEA, and cloud service providers. In these cases, QMEA must have written contracts with these providers outlining the measures they must take to ensure the confidentiality of the personal information disclosed, that the information is used only within the scope of the contract, and that they cannot retain this information after its expiry. Furthermore, these contracts must stipulate that the providers must notify QMEA’s privacy officer (as indicated in this policy) of any breach or attempted breach of confidentiality obligations regarding the disclosed personal information and must allow this officer to conduct any verification regarding this confidentiality.
  • If necessary for the conclusion of a commercial transaction, QMEA may also disclose personal information, without the consent of the individual concerned, to the other party to the transaction and subject to the conditions provided by law.
• Communication Outside Quebec: Personal information held by QMEA may be communicated outside Quebec, for example, when QMEA uses cloud service providers whose servers are located outside Quebec or when QMEA deals with subcontractors located outside the province. However, the information is retained within Canada.

Additional Information on Technologies Used:

• Use of Cookies

Cookies are data files transmitted to a visitor’s computer by their web browser when they visit a website and can serve various purposes.

Websites controlled by QMEA use cookies for various purposes, including:

• To remember visitors’ settings and preferences, such as language choice, and to enable tracking of the current session.
• For statistical purposes to understand visitor behavior, the content viewed, and to improve the website.

Websites controlled by QMEA use the following types of cookies:

• Session Cookies: These are temporary cookies that are stored only for the duration of the website visit.
• Persistent Cookies: They are stored on the computer until they expire and will be retrieved during the next visit to the site.

Some cookies may be disabled by default, and visitors may choose to enable or disable these functions when accessing QMEA websites.

It is also possible to enable or disable the use of cookies by changing preferences in the settings of the browser used.

• Use of Google Analytics

Some QMEA websites use Google Analytics to enable continuous improvement. Google Analytics allows analysis of how a visitor interacts with an QMEA website. Google Analytics uses cookies to generate statistical reports on visitor behavior on these websites and the content viewed.

Information from Google Analytics will never be shared by QMEA with third parties.

It is possible to install a browser add-on to disable Google Analytics.

• Other Technological Means Used

QMEA also collects personal information through technological means such as web forms integrated into an QMEA-controlled website (e.g., its contact form, membership form to become a member, form to subscribe to the newsletter and seminars), online questionnaires on its platforms and applications, as well as other form platforms or tools (e.g., Microsoft Forms).

Conservation and Destruction of Personal Information

Unless a minimum retention period is required by applicable law or regulation, QMEA will only retain personal information for the time necessary to achieve the purposes for which it was collected.

Personal information used by QMEA to decide regarding an individual must be retained for a period of at least one year following the decision in question or even seven years after the end of the fiscal year in which the decision was made if it has tax implications, for example, the circumstances of an end of employment.

At the end of the retention period or when personal information is no longer necessary, QMEA will ensure:

1. To destroy them; or
2. To anonymize them (i.e., they no longer allow, irreversibly, to identify the person and it is no longer possible to establish a link between the person and the personal information) for use for serious and legitimate purposes.

The destruction of information by QMEA must be done securely to ensure the protection of this information.

This section may be supplemented by any policy or procedure adopted by QMEA concerning the retention and destruction of personal information, if applicable. Please contact QMEA’s privacy officer (as indicated in this policy) for more information.

QMEA Responsibilities

In general, QMEA is responsible for protecting the personal information it holds. QMEA’s privacy officer is the organization’s general manager. In the absence or inability to act of this officer, the organization’s administration supervisor will perform the functions of the privacy officer.

QMEA staff members with access to personal information or otherwise involved in its management must ensure its protection and comply with this policy.
The roles and responsibilities of QMEA employees throughout the lifecycle of personal information may be specified by any other QMEA policy in this regard, if applicable.

Data Security

QMEA is committed to implementing reasonable security measures to ensure the protection of the personal information it manages. The security measures in place correspond, among other things, to the purpose, quantity, distribution, medium, and sensitivity of the information.

Thus, this means that information that could be considered sensitive (see the definition provided in section 2) must be subject to more stringent security measures and must be better protected.

In particular, and in accordance with what was previously mentioned regarding limited access to personal information, QMEA must implement necessary measures to impose constraints on the rights of use of its information systems so that only employees who need access are authorized to access them.

Access, Rectification, and Withdrawal of Consent Rights

To assert their access, rectification, or withdrawal of consent rights, the individual concerned must submit a written request to the QMEA’s privacy officer, at the email address indicated in the following section.

Subject to certain legal restrictions, individuals concerned may request access to their personal information held by QMEA and request its correction if it is inaccurate, incomplete, or ambiguous. They may also demand the cessation of the dissemination of personal information concerning them or that any hyperlink attached to their name allowing access to this information by technological means be dereferenced when the dissemination of this information violates the law or a court order. They may do the same, or demand that the hyperlink allowing access to this information be reindexed, when certain conditions provided by law are met.

QMEA’s privacy officer must respond in writing to these requests within 30 days of the date of receipt of the request. Any refusal must be justified and accompanied by the legal provision justifying the refusal. In these cases, the response must indicate the remedies under the law and the deadline for exercising them. The officer must assist the requester in understanding the refusal if necessary.

Subject to applicable legal and contractual restrictions, individuals concerned may withdraw their consent to the communication or use of the information collected by QMEA.

They may also ask QMEA what personal information has been collected from them, the categories of persons at QMEA who have access to it, and its retention period.

Complaint Handling Process

Reception

Any person who wishes to make a complaint regarding the application of this policy or, more generally, regarding the protection of their personal information by QMEA must do so in writing by addressing the QMEA’s privacy officer at the email address indicated in the following section.

The individual must provide their name, contact information, including a telephone number, as well as the subject and reasons for their complaint, giving sufficient details for the complaint to be evaluated by QMEA. If the complaint is not sufficiently precise, the privacy officer may request any additional information he deems necessary to evaluate the complaint.

Processing

QMEA undertakes to handle any complaint received confidentially.
Within 30 days of receiving the complaint or upon receipt of any additional information deemed necessary and required by QMEA’s privacy officer to process it.

The officer will evaluate it and provide a reasoned written response via email to the complainant. This evaluation will aim to determine whether the processing of personal information by QMEA complies with this policy, any other policy and practice within the organization, and applicable laws or regulations.

If the complaint cannot be processed within this timeframe, the complainant must be informed of the reasons for the extension, the progress of the complaint processing, and the reasonable timeframe needed to provide a definitive response.

QMEA must maintain a separate file for each complaint received. Each file contains the complaint, the analysis and supporting documentation for its evaluation, as well as the response sent to the complainant.

It is also possible to file a complaint with the Commission d’accès à l’information du Québec or any other oversight body responsible for enforcing the law related to the subject of the complaint.

However, QMEA encourages anyone interested to first contact its privacy officer and wait for the completion of the processing by QMEA.

Approval

This policy is approved by QMEA’s privacy officer, whose business contact information is as follows:

Privacy Officer:

Alain Poirier
132 Avenue du Lac,
Bureau 203
Rouyn-Noranda, Quebec J9X 4N5
alainpoirier@QMEA.org

For any requests, questions, or comments regarding this policy, please contact the officer by email.

Publication and Amendments

This policy is published on QMEA’s website, to which this policy applies regarding the personal information collected therein. This policy is also disseminated through any means capable of reaching the individuals concerned. QMEA must also do the same for any amendments to this policy, which must also be notified to inform the individuals concerned.

*Notes: Please note that the use of the masculine gender is intended to streamline this policy and make it easier to read.

Version History and Changes:

Version	Effective date	Changes since last version
1.0	September 27, 2023	Initial version
2.0	December 8, 2023	Modification et adjustment
3.0	March 22, 2024	Modification et adjustment

Annexe A

Below is a non-exhaustive list of the types of information that QMEA may collect, their use, or the intended purpose, as well as how the information is collected. This includes, but is not limited to, the following elements.

Please note that most of the personal information managed by QMEA pertains to employees, candidates, members, and consultants. For other categories of individuals listed in the table below, the provided information is, in most cases, professional or business-related (see section 2 on professional contacts). It should be noted that in most cases, QMEA also collects the professional title/position of individuals, the name of the organization, and/or the organization’s address (see section 2 on professional contacts).

The information, when necessary: Used for: Can be collected:

Relationship with QMEA, services	Type of personal information	End of collection / uses	Method of collecting information (means)
	The information, when necessary	Used for:	Can be collected:
Employees and job applicants	Name Phone number Email Banking information Social Insurance Number Date of birth Address	Managing communications with the candidate or employee Ensuring the operation of the payroll system	In person By email By phone
Consultants	Name Phone number Email Banking information Address	Managing communications with the consultant Invoicing	By email (directly or through an attached document: Word, PDF, etc.)
Members (individuals and organizations)	Name Phone number Email Banking information Language	Membership registration Future communications Invoicing Registration for activities organized by QMEA and for cybersecurity expertise portals Surveys Building QMEA member databases Languages in which they can provide services and preferred language of communication.	Through web forms integrated into an QMEA-controlled website and other technological form platforms. From third parties (PayPal, Eudonet, Arkys, and Yapla for banking information)

Q&A

Privacy Protection Law

Has QMEA assessed the security issues of its service providers?

• Each provider must have its own policy and procedures in place.

Does Arkis, the protection it offers, include an alert system in case of a breach involving personal information?

• Yes, at various levels (external breach yes, but internal no, that falls to QMEA personnel).

Is the storage of information in cloud services done on servers in Quebec, Canada, or is there a possibility of it being stored abroad?

• Quebec with backups in Canada.

Is an email sent in error to the wrong person considered an incident under the law?

• This will be evaluated based on the risk of disclosing confidential information and the subject matter. If necessary, report it to the CAI and inform the individuals concerned, or record it only in an internal register.

Shouldn’t QMEA obtain specific consent during the membership process?

• QMEA does not have access to confidential information as outlined in point 2 of the policy during membership or registration for QMEA activities. However, it is possible for QMEA staff to request a member to enter their credit card number to finalize a financial transaction. Once the transaction is completed, the QMEA employee no longer has access to this information. Since the request and information come from the member, we consider it implicit consent and do not retain the information any longer than necessary.

How does it work for job applicants?

• A paper form will be used (few cases).

Which staff member should have access to (and be responsible for) confidential information?

• The general manager, the person responsible for administrative management, and accounting for employees and consultants.

How long will the information of job applicants not selected by the employer be retained by the employer?

• One year.

How long will the information of former employees be retained by the employer after their departure?

• Five years.