Privacy Policy
November 2024 Update
This policy belongs to: Jean-Sébastien Charron inc.
1. Context
Since businesses must have and adapt their policies and practices to comply with obligations related to confidentiality and the protection of the personal information they collect, it is essential to establish an internal policy and procedures for protecting personal information, in accordance with the Act Respecting the Protection of Personal Information in the Private Sector (CQLR, chapter P-39.1). This policy includes compliance with obligations regarding the handling of personal information when it is collected, used, disclosed, stored, protected, and destroyed. This policy applies to all agents and employees of Jean-Sébastien Charron inc. All businesses providing goods and services in Québec must comply with this law.
2. Definition
“Personal information” means any information relating to a natural person that allows that person to be identified, directly or indirectly. Below are examples of personal information:
- First and last name
- Age
- Home address
- Personal email address, personal email messages, and IP address
- Marital status
- Financial situation (income, investments, insurance, assets, liabilities, etc.)
- Social Insurance Number (SIN), driver’s license or passport, health insurance number, license plate number
- Financial transactions in which a person has participated
- Transactions or orders in a person’s account
- Investment account statements
- Bank information (e.g., bank account or credit union account numbers)
- Income tax returns
- Medical records, blood type, DNA, etc.
- Medical questionnaires (insurance)
- Insurance contracts and insurance proposals
- Family situation
- And others…
3. Implementation of the Policy
The implementation and application of this policy have been entrusted to Équipe Charron, the individual responsible for the protection of personal information. This person not only has the important task of ensuring compliance with the various applicable laws on personal information protection, but is also required to circulate information and train members of the organization on the procedures and practices of this policy.
The application of this policy falls within an ethical and legal framework that favors prudence in the collection, use, and disclosure of personal information, as well as maintaining its confidentiality and protection. Lastly, this individual is in charge of receiving requests for information, access, or rectification, as well as complaints related to the protection of personal information.
4. Responsible Organization
The Commission d’accès à l’information (CAI) of Québec is responsible for overseeing compliance with and the enforcement of the law on the protection of personal information in the private sector. It has inspection powers and the authority to impose significant sanctions and penalties in the event of non-compliance. You can find information on the CAI’s mandate, powers, and on businesses’ obligations on its website:
https://www.cai.gouv.qc.ca/
5. Information to Be Provided Before Collecting Personal Information
Before collecting personal information that is necessary (and that concerns a natural person), the following information must be provided to the individual from whom we wish to collect it. The person must therefore be informed of:
- The purposes for which the information is being collected;
- The means by which the information is collected (for example, a form, by phone, video recording);
- An explanation of their rights regarding access and correction under the law;
- The right to withdraw consent to the communication or use of the information collected.
Where applicable, the following information must also be provided:
- The name of the third party on whose behalf the information is being collected, if applicable;
- The name of the third party or the categories of third parties to whom it is necessary to disclose the information to achieve the purposes justifying the collection;
- The possibility that the information may be disclosed outside Québec (for example, if the information collected is stored with a cloud service provider in another province or country).
6. Consent
Jean-Sébastien Charron inc. undertakes to collect only the personal information about a client that is necessary to create their file and only insofar as the individual has given consent, except in cases provided by law that allow such information to be collected without the client’s consent. Where required, consent must be obtained before collecting the information.
To be valid, a person’s consent must be:
- Manifest: Clearly given in a way that demonstrates the person’s actual will;
- Free: Involving a real choice, given without undue pressure or constraint;
- Informed: Specific, provided with full knowledge of the facts and with all necessary information to understand the scope of consent;
- Specific: Given for a precise and clearly defined purpose;
- Temporary: Valid only for the duration necessary to achieve the purposes for which it was requested.
Additionally, valid consent must be:
- Granular: Requested for each specific purpose;
- Understandable: Requested in simple, clear terms;
- Distinct: Requested separately from any other information when the request is made in writing.
For more details on the criteria for valid consent, the CAI has issued guidelines (in French):
https://www.cai.gouv.qc.ca/documents/CAI_LD_Criteres_validite_consentement.pdf
Consent may be requested in different ways:
- In writing;
- Verbally;
- By phone, including via automated message;
- Electronically or digitally, or through a virtual video meeting.
Consent from a minor: Various situations may arise:
- If the minor is under 14, consent to use or disclose their personal information must be given by a parent or person with parental authority;
- If the minor is 14 or older, consent may be given by the minor themselves or by the parent or person with parental authority;
- If collecting this information is clearly for the benefit of the minor, it may be done without parental consent.
7. Personal Information Collected
In order to carry out the mandate entrusted to us by our clients, we collect the following categories of information:
- Information used to identify and authenticate the individual;
- Health information;
- Insurance records;
- Financial information;
- Employment information;
- Information on products and services used and on transactions;
- Information about family members;
- Digital information (websites, apps, social media, portals, etc.);
- Information about communications with us;
- Other information required by any law, regulation, directive, or standard applicable to our activities.
8. Use and Disclosure for Specific Purposes
The personal information collected will only be used and disclosed for the purposes for which it was collected and in the normal course of business, solely to carry out the mandate entrusted to us.
Individuals working for Jean-Sébastien Charron inc. may access it only if sharing this information is necessary for performing their duties or responsibilities.
If necessary to achieve the intended purposes and to carry out the mandate entrusted to us by clients in the normal course of business, we may disclose personal information to third parties (partners) so that they can fulfill their tasks, duties, and contractual obligations with us. Naturally, we must ensure in advance that these third parties have good information security and personal information protection practices.
9. Retention of Personal Information
Place of Retention: We primarily store the personal information under our responsibility within the territory of Québec or Canada. It can happen, and may continue to happen, that we do business with external partner suppliers (third parties) based elsewhere, meaning we may disclose your personal information to another country or province. Naturally, we ensure in advance that they have good information security and personal information protection practices before disclosing any such data.
Before sharing personal information with a third party located outside Canada, we will conduct a Privacy Impact Assessment whose findings must meet our satisfaction. We will document this exercise for future reference.
Storage Media: The personal information we collect is stored in various formats and on various media, primarily in digital and paper form. We apply very strict security measures to protect personal information against any incident, regardless of the format in which we hold it. We continually strive to adapt our security measures to technological advances. For example, we use physical, technological, and administrative security measures.
10. Security Measures and File Retention
We commit to implementing measures we believe are appropriate to ensure the protection of the personal information we retain, particularly against loss or theft, as well as against unauthorized viewing, disclosure, copying, use, or modification. The security measures used apply regardless of the form of media used to store it. Below are examples of the means we use:
Physical Security Measures
- Physical control of visitors to our administrative offices upon arrival;
- Restricted access to our administrative offices and to rooms housing our servers;
- Backup and archiving of personal information in an emergency backup system;
- Other security measures.
Technological Security Measures
- Multi-factor authentication to access most of our various systems;
- Data encryption where necessary for storage or for communication outside the organization;
- Digital certificates;
- Antivirus software and firewall;
- Logging of access to various systems;
- Other security measures.
Administrative Security Measures
- Security checks for certain types of positions;
- Access rights control for personal information to limit access to only what is necessary;
- Logging all copying and exporting operations involving personal information in our daily operations;
- Continuous monitoring of our facilities to detect suspicious activities;
- Regular staff training and awareness on policies, practices, and procedures concerning security and personal information protection;
- Verification of the identity of anyone requesting personal information, whether online, by phone, or in person;
- Other security measures.
11. Length of Retention
We keep the personal information collected for as long as necessary to:
- Achieve the goals for which we collected it; and
- Comply with the obligations imposed on us by various laws and regulations that apply to our activities.
Even when a client is no longer doing business with us, we must still retain the data for a certain period to respect our legal and regulatory obligations, as well as to protect our rights in the event of a dispute.
The minimum length of time client records, logs, and registers must be retained is the period prescribed by regulation, i.e., 5 years from the date the file is closed (life insurance sector).
12. Destruction of Personal Information
All destruction of files, books, logs, or documents containing personal information must be carried out in a manner that respects the confidential nature of this information.
Once the legally required retention period has passed, we destroy your personal information permanently and securely in accordance with our retention schedule.
13. Respect for Individuals’ Rights
We commit to respecting the rights of individuals who share their personal information with us, in accordance with the law on the protection of personal information in the private sector.
They enjoy the following rights:
a) Right to Amend Their Consent
An individual who has shared personal information with us may request to view and modify their consent preferences regarding the collection, use, and disclosure of their personal information at any time.
Since the consent originally given is temporary, the individual also has the right to withdraw that consent. Given our contractual and legal obligations requiring us to retain certain personal information in order to continue serving them, we may no longer be able to offer our products and services to that person in the future.
b) Right of Access to Their Personal Information
An individual who has provided personal information may at any time access the personal information we hold about them.
They must submit a written request to our person responsible for the protection of personal information, explaining the reasons for their request so that it is well understood and so we can identify the documents containing the personal information to which they wish to have access.
We will process this request within 30 days of receiving it, unless there are exceptional circumstances.
We will send them a written response along with the information they wish to access, in a commonly used structured technological format (for example, a PDF file).
Among other things, the individual may request:
- Whether we hold any personal information about them;
- How their personal information was collected, used, or disclosed;
- Whether another person or organization holds their personal information on our behalf;
- To consult the personal information we have about them.
Access to personal information will be free of charge, except for reasonable fees that may be required for transcription, reproduction, or transmission. If fees are charged, the client will be informed in advance.
Access to personal information may be refused in situations such as: the personal information contains details about other persons; disclosure of the personal information could impede an investigation by our internal department; disclosure of the personal information could affect judicial proceedings in which we have an interest; or it is impossible to reproduce the personal information due to the medium on which it is held. Any refusal will be justified and notified in writing to the individual concerned.
Important Note: We cannot share information that would reveal details about another person.
c) Right to Modify, Correct, or Rectify Their Personal Information
If the individual who provided us with personal information wishes to modify any information we hold about them—such as in the event of an address change or a change in their personal circumstances—they are responsible for notifying us.
If they wish to correct any inaccuracies or incomplete data we hold about them, they must contact us to request it and provide the necessary information supporting that request.
d) Right to Request Deletion of Their Personal Information
An individual who provided us with personal information may ask us to delete it. However, our response may vary depending on the situation.
In some circumstances, we may not be able to delete the personal information due to our legal and regulatory obligations. If so, we will explain the reasons why we cannot comply.
In certain cases, the deletion of their personal information means we will no longer be able to serve them or offer our products and services.
Procedures for Complaints
In the event of a refusal to disclose a client’s personal information or a failure to comply with one of the principles stated above, the client may submit comments, concerns, or a complaint to our person responsible for the protection of personal information.
That person undertakes to respond to all requests within 30 days of receiving such a complaint and to inform the complainant of any measures taken. If deemed necessary, this responsible individual will conduct an investigation and communicate the outcome regarding the processing of the complaint within this timeframe.
14. Confidentiality Incidents Involving Personal Information
A confidentiality incident corresponds to any access, use, or disclosure of personal information not authorized by law, as well as the loss of personal information or any other breach of its protection.
If we have reason to believe that a confidentiality incident has occurred involving personal information that we hold, we must take reasonable measures to reduce the risk of harm and to prevent future incidents of a similar nature.
Any confidentiality incident must be reported immediately to the person responsible for the protection of personal information. As soon as they are informed, this responsible individual must make every necessary and reasonable effort to investigate the situation, minimize the impact of the incident, and restore normal conditions as quickly as possible. They may enlist the services of experts in personal information protection and information security if deemed necessary.
Furthermore, under our contractual agreements with our general agent, we must immediately inform MICA by contacting its legal affairs department.
Likewise, under the contractual agreements with our partners whose individual insurance products we distribute, we must immediately notify each of the insurance companies whose clients are affected by the confidentiality incident in order to inform them of the situation.
Responsibilities of the Person Responsible for the Protection of Personal Information
Taking Measures to Reduce Risks and Prevent Future Incidents
If we have reason to believe that a confidentiality incident involving personal information under our control has occurred, we must take reasonable measures to reduce the risk of harm and prevent similar incidents from happening again.
The following questions help us quickly evaluate the situation:
- Who: Which individuals are affected by the incident? Are they employees, clients, or business partners? Who might have gained access to the personal information?
- How many: How many individuals are affected by the incident?
- What: What type of personal information is involved? Is it sensitive? What risks might this pose to the individuals concerned?
- When: When did the incident occur? When was it discovered?
- Where: Where did the incident occur? Within the organization? If so, in which department? Did it occur at a third party that holds personal information on the organization’s behalf (e.g., an agent, a provider)?
- Why: What are the causes? Which security measures were in place at the time of the incident? Why did they prove ineffective?
The reasonable measures to implement depend on these findings. Every situation is different. Even if all relevant information is not known initially, it is important to respond swiftly. If necessary, we will continue to adapt or adopt new measures as we clarify the circumstances and impacts of the incident over time.
Evaluating Whether the Incident Presents a Risk of Serious Harm
For any confidentiality incident, the person responsible for the protection of personal information must assess the severity of the risk of harm to the individuals concerned. To do so, they must consider, in particular:
- The sensitivity of the information involved;
- The potential consequences of its use;
- The likelihood that it will be used for harmful purposes.
If needed, we may also involve other actors, such as external experts.
If the assessment shows a risk of serious harm, the person responsible for the protection of personal information must notify the Commission and the individuals concerned about the incident. Otherwise, they must still take steps to reduce the risks and prevent similar incidents from recurring in the future.
Who Must Be Notified if the Incident Poses a Risk of Serious Harm?
a) The Commission d’accès à l’information
By completing and submitting the required form:
https://www.cai.gouv.qc.ca/documents/CAI_FO_avis_incident_confidentialite.pdf
Following the submission of this notice, if we become aware of new information, we will inform the Commission.
b) The Individuals Whose Information Is Involved
The notice to the individual must inform them of the scope and consequences of the incident posing the risk of serious harm.
This notice must include:
- A description of the personal information affected by the incident. If this information is unknown, we must give the reason justifying why it cannot be provided.
- A brief description of the circumstances of the incident.
- The date or timeframe when the incident occurred or, if unknown, an approximation of this period.
- A brief description of the measures taken or planned to reduce the risk of harm following the incident.
- Recommendations to the individual to help reduce or mitigate the risk of harm.
- The contact information of a person or department from whom the individual can obtain more information about the incident.
Note: We are not required to notify individuals whose personal information is involved if doing so could hinder an investigation conducted under the law to prevent, detect, or repress crime or legal violations.
c) Individuals Who Could Prevent or Reduce the Risk of Serious Harm
We may notify any person or organization capable of reducing the risk of serious harm. Only the necessary personal information may be disclosed, without the individual’s consent. Our person responsible for the protection of personal information must retain a record of this disclosure for future reference.
15. Keeping a Confidentiality Incidents Register
We maintain a register in which we record all confidentiality incidents involving personal information. We must include even those incidents that do not present a risk of serious harm. At the Commission’s request, we must provide a copy of our register.
Our confidentiality incident register must contain the following elements:
- A description of the personal information affected by the incident. If this information is unknown, we must record the reason justifying why it cannot be provided;
- A brief description of the circumstances of the incident;
- The date or period when the incident occurred or, if unknown, an approximation of this period;
- The date or period during which we became aware of the incident;
- The number of individuals affected by the incident or, if unknown, an approximation of that number;
- A description of the elements that lead us to conclude whether or not there is a risk of serious harm to the individuals concerned, such as:
  - The sensitivity of the personal information involved;
  - Possible malicious uses of the information;
  - The anticipated consequences of using the information and the likelihood it will be used for harmful purposes;
- The dates when notices were sent to the Commission and to the individuals affected, if the incident poses a risk of serious harm. We must also indicate if we issued public notices and the reason for them;
- A brief description of the measures we took as a result of the incident to reduce the risk of harm.
The register’s information must be kept up to date and retained for a minimum period of five (5) years after the date or period when we first became aware of the incident.
16. Duty to Inform the Public and Ensure Transparency
We make the following information accessible to the public:
- The title and contact information of the person responsible for personal information protection;
- Clear, simple information about our policies and practices regarding the protection of personal information;
- A confidentiality policy for personal information collected by technological means (e.g., cookies).
These details are made accessible to the public, in plain and clear language, as follows:
- On our website: jscharron.ca
- Or upon request
17. Approval of the Policy
This policy has been approved by the person responsible for the protection of personal information.
End of Policy
