PRIVACY POLICY
THE RENOUVEAU DUNHAM TEAM

Procedure for the Retention, Destruction, and Anonymization of Personal Information

1. Overview

It is essential to implement a procedure for the retention, destruction, and anonymization of personal information to ensure individuals' privacy, comply with data protection laws, prevent privacy incidents and security breaches, maintain client trust, and protect the organization’s reputation.

 

2. Purpose

The purpose of this procedure is to ensure the protection of individuals’ privacy and to comply with legal obligations regarding the management of personal information.

 

3. Scope

This procedure covers the entire lifecycle of personal information, from collection to destruction. It applies to all employees and stakeholders involved in the collection, processing, retention, destruction, and anonymization of personal information, in accordance with legal requirements and best privacy practices.

 

4. Definitions

  • Personal Information: Any data that directly or indirectly identifies a natural person.

  • Retention: Secure storage of personal data for the required duration.

  • Destruction: Permanent deletion, elimination, or erasure of personal information.

  • Anonymization: The process of modifying personal information so that individuals can no longer be identified, directly or indirectly, at any time and in an irreversible manner.

 

5. Procedure

5.1 Retention Period

5.1.1 Personal information is categorized as follows:

  • Employee information

  • Member information

  • Client information

5.1.2 Retention periods for each category are as follows:

  • Employees: 7 years after the end of employment

  • Members: Varies depending on the type of information

  • Clients: Varies depending on the type of information

Refer to the full inventory of personal information for specific retention periods.
Note: Certain categories may have specific retention requirements.

5.2 Secure Storage Methods

5.2.1 Personal information is stored in the following locations: OneDrive, Wix
5.2.2 The sensitivity level of each storage location has been assessed.
5.2.3 All storage locations, whether digital or physical, are properly secured.
5.2.4 Access is restricted to authorized personnel only.

5.3 Destruction of Personal Information

5.3.1 Paper records must be fully shredded.
5.3.2 Digital records must be permanently deleted from devices (computers, phones, tablets, external drives), servers, and cloud tools.
5.3.3 A destruction schedule must be created based on the established retention periods, with all planned destruction dates documented.
5.3.4 Destruction must be performed in a manner that ensures data cannot be recovered or reconstructed.

 

5.4 Anonymization of Personal Information

5.4.1 Anonymization should only be performed if the organization wishes to retain and use the data for serious and legitimate purposes.
5.4.2 The chosen method is to delete the information after the retention period.
5.4.3 The remaining data must not allow any form of direct or indirect re-identification. The risk of re-identification must be assessed regularly through testing and analysis.

Note: As of the date of this template, anonymization for serious and legitimate purposes is not yet legally permitted. A government regulation must be adopted to define the applicable criteria and procedures.

 

5.5 Employee Training and Awareness

5.5.1 Employees must receive regular training on the retention, destruction, and anonymization procedure, as well as the risks associated with privacy breaches.
5.5.2 Staff should also be made aware of best practices in data security and the importance of following established procedures.

 

📅 Last updated: July 2025

Procedure for Access Requests and Complaint Handling Regarding Personal Information

1. Overview

Since individuals may request access to their personal information held by an organization, or file complaints, it is important to have clear guidelines in place to respond to such requests.

 

2. Purpose

The purpose of this procedure is to ensure that all access requests are handled confidentially, promptly, and accurately, while respecting the rights of the individuals concerned.

 

3. Scope

This procedure applies to internal staff responsible for handling access and complaint requests, as well as individuals wishing to access their personal information.

 

4. Access Request Procedure

 

4.1 Submitting the Request

4.1.1 Individuals wishing to access their personal information must submit a written request to the organization’s Privacy Officer. The request may be sent by email or postal mail.
4.1.2 The request must clearly indicate that it is an access request and provide sufficient information to identify the individual and the data being requested.
4.1.3 This information may include the individual’s name, address, and any other relevant identifying details.

 

4.2 Acknowledging the Request

4.2.1 Upon receipt of the request, an acknowledgment will be sent to the individual confirming that the request has been received.
4.2.2 The request must be processed within thirty (30) days of receipt.

 

4.3 Identity Verification

4.3.1 The individual’s identity must be reasonably verified before the request is processed. This may involve requesting additional information or verifying identity in person.
4.3.2 If identity cannot be satisfactorily verified, the organization may refuse to disclose the requested personal information.

 

4.4 Incomplete or Excessive Requests

4.4.1 If the request is incomplete or excessive, the Privacy Officer will contact the individual to request clarification or additional information.
4.4.2 The organization reserves the right to refuse requests that are clearly abusive, excessive, or unjustified.

 

4.5 Processing the Request

4.5.1 Once identity is confirmed, the Privacy Officer collects the requested personal information.
4.5.2 Relevant records will be consulted, ensuring compliance with legal limitations.

 

4.6 Reviewing the Information

4.6.1 Before disclosing personal information, the Privacy Officer must review it to ensure it does not contain third-party confidential data or infringe on the rights of others.
4.6.2 If third-party information is present, a decision must be made whether it can be separated or excluded from the disclosure.

 

4.7 Communicating the Information

4.7.1 Once verified, the personal information will be communicated to the individual within a reasonable time frame, in compliance with applicable laws.
4.7.2 Information may be provided electronically, by secure mail, or in person, depending on the individual’s preference and applicable security measures.

 

4.8 Follow-Up and Documentation

4.8.1 All steps of the request process must be accurately and thoroughly documented.
4.8.2 Details such as request date, acknowledgment date, identity verification date and method, decision (approved or denied), and date of disclosure (if applicable) must be recorded in a tracking log.

 

4.9 Confidentiality Protection

4.9.1 All staff involved in processing access requests must respect confidentiality and data protection protocols.

 

5. Complaint Handling Procedure

5.1 Receiving Complaints

5.1.1 Complaints may be submitted in writing, by phone, email, or any other official communication channel. They must be recorded in a centralized log accessible only to authorized staff.
5.1.2 Employees must immediately notify the person responsible for handling complaints.

 

5.2 Preliminary Assessment

5.2.1 The designated person evaluates each complaint for relevance and severity.
5.2.2 Frivolous, defamatory, or unfounded complaints may be dismissed, but a justification must be provided to the complainant.

 

5.3 Investigation and Analysis

5.3.1 The complaint handler conducts an investigation by gathering evidence, interviewing parties involved, and reviewing relevant documentation.
5.3.2 The person in charge must be impartial and have the authority to resolve the complaint.
5.3.3 Confidentiality must be maintained throughout the process, and all parties treated fairly.

 

5.4 Complaint Resolution

5.4.1 The complaint handler proposes appropriate solutions to resolve the issue promptly.
5.4.2 Solutions may include corrective actions, financial compensation, or any other necessary measures to resolve the complaint satisfactorily.

 

5.5 Communication with the Complainant

5.5.1 The complaint handler keeps the complainant informed throughout the process.
5.5.2 All communications must be professional, empathetic, and respectful.

 

5.6 Complaint Closure

5.6.1 Once resolved, the complaint handler provides a written response summarizing the actions taken and the outcome.
5.6.2 All complaint-related records and documents must be stored in a confidential file.

📅 Last updated: July 2025

Procedure for De-indexing and Deletion of Personal Information

  1. Overview
    This procedure aims to address clients' concerns about privacy and the protection of their personal information.
     

  2. Purpose
    The purpose of this procedure is to provide a structured mechanism for handling client requests to de-index or delete their personal information.
     

  3. Scope
    This procedure applies to our internal team responsible for managing de-indexing and deletion requests. It covers all information published on our online platforms, including our website, mobile applications, databases, and any other digital medium used by our clients.
     

  4. Definitions
    Deletion of personal information refers to the act of permanently erasing data, making it inaccessible and unrecoverable.
    De-indexing of personal information refers to the removal of information from search engine results, making it less visible while still accessible via direct links.
    Deletion permanently eliminates the data, whereas de-indexing limits its visibility online.
     

  5. Procedure
     

5.1 Receipt of requests
Requests for de-indexing or deletion must be submitted to the designated responsible team.
Clients may submit requests through specific channels such as an online form, a dedicated email address, or a phone number.
 

5.2 Identity verification
Before processing any request, the individual's identity must be reasonably verified.
This may involve requesting additional information or verifying the individual’s identity in person.
If identity cannot be satisfactorily verified, the organization may deny the request.
 

5.3 Evaluation of requests
The responsible team must carefully review each request and the personal information involved to determine whether it qualifies for de-indexing or deletion.
All requests must be handled confidentially and within the appropriate timeframe.
 

5.4 Grounds for refusal
There may be valid reasons to deny a request for deletion or de-indexing, such as:
– The information is needed to continue delivering goods or services to the client
– Employment law requirements
– Legal obligations or ongoing litigation
 

5.5 De-indexing or deletion of personal information
The responsible team must take appropriate action to de-index or delete personal information based on the eligibility of the request.
 

5.6 Communication and follow-up
The team must keep requesters informed throughout the process by providing acknowledgment of receipt and regular updates.
Any delays or issues encountered during processing must be communicated clearly to the requester, along with explanations.
 

5.7 Tracking and documentation
All de-indexing and deletion requests, along with the actions taken to address them, must be logged in a dedicated tracking system.

Records must include details of the request, actions taken, dates, and outcomes.

Last updated: July 2025
 

Security Incident and Personal Information Breach Management Procedure
 

  1. Overview
    An incident response plan is essential to effectively manage cyber incidents. In times of crisis, it’s not always easy to know how to act or what to prioritize. A clear response plan helps reduce stress and ensures no critical steps are overlooked.
     

  2. Purpose
    The purpose of this procedure is to ensure the organization is prepared to respond quickly and effectively to cyber incidents and resume normal operations as soon as possible.
     

  3. Scope
    This procedure applies to all networks, systems, and stakeholders (clients, partners, employees, contractors, suppliers) with access to these systems.
     

  4. Identifying a Cyber Incident
    Cybersecurity incidents may not be immediately recognized. However, certain signs may indicate a security breach or unauthorized activity. It’s important to remain alert for signs of an active or potential incident, including:

– Unusual or excessive login/system activity, especially from inactive user accounts
– Unusual remote access patterns from staff or third-party providers
– The appearance of unknown or unauthorized Wi-Fi networks
– Suspicious malware activity or unknown executable files
– Lost or stolen devices containing personal data, payment information, or other sensitive records
 

  5. Contact Information

Organization: N.A
Contact Person: Denis Laflamme
Address: 4099 Chemin Selby
Email: info@renouveaudunham.ca
Phone: 514-912-3634
Website: https://www.renouveaudunham.ca/
 

  6. Personal Information Breach – Specific Response

If a security incident involving personal information is confirmed, the following steps must be taken:
– Complete the privacy incident log to document the breach
– Assess whether unauthorized access, use, or disclosure of personal information occurred, and if there is a risk of serious harm to affected individuals
– If so, report the breach to the Commission d’accès à l’information in Québec
– Notify all individuals whose personal data was affected by the incident
 

  7. Ransomware Attack – Specific Response

If a ransomware attack is confirmed, the following steps must be taken:
– Immediately disconnect the affected devices from the network
– Do NOT delete anything from the devices (computers, servers, etc.)
– Investigate how the ransomware infiltrated the system to understand how to eliminate it
– Report the incident to local authorities and cooperate with their investigation
– Once the ransomware is removed, run a full system scan with updated antivirus and anti-malware tools to confirm the device is clean
– If removal is not possible, reformat the device using original system installation media or images
– Before restoring from backup, ensure backups are not infected
– If critical data must be recovered and is not available from clean backups, look for decryption tools on nomoreransom.org
– The policy is not to pay ransoms, unless circumstances require reconsideration. It's strongly recommended to involve a cybersecurity breach coach
– Apply patches or security updates to prevent future attacks
 

  8. Account Hacking – Specific Response

If an account hack is confirmed, the following steps must be taken:
– Notify clients and suppliers that fraudulent emails may be sent from your address, and ask them not to click or respond
– Check if you still have access to the account
– If access is lost, contact platform support to recover it
– Change the compromised password
– If the same password is used elsewhere, change it on all affected accounts
– Enable two-factor authentication
– Remove unauthorized sessions and devices from the login history
 

  9. Lost or Stolen Device – Specific Response

If a loss or theft of equipment occurs, take the following steps:
– Report the loss to local law enforcement immediately, even outside normal business hours
– If the device contains unencrypted sensitive data, assess the type and volume of data involved, including any payment information
– Lock or remotely wipe lost/stolen mobile devices (e.g., smartphones, laptops, tablets) whenever possible

Last updated: July 2025

Legislation

We are committed to complying with applicable legislation in: Québec

Amendments – Law 25


This privacy policy may be updated occasionally to remain compliant with the law and reflect any changes to our data collection processes. We encourage users to review this policy periodically to stay informed of updates. When necessary, we may notify users by email of significant changes.

Updated: July 2025
