POLICY REGARDING CONFIDENTIALITY AND THE PROTECTION OF PERSONAL INFORMATION OF CLIENTS AND CANDIDATES

Approved by the person in charge of the protection of personal information

1) General purpose

This policy aims to inform you of the practices of Sistemalux Inc. (hereinafter “Sistemalux”) in matters of governance and confidentiality of the personal information of its clients and candidates.

It also aims to ensure the security and protection of personal information collected, held, used, communicated and kept by Sistemalux against unauthorized consultation, use or disclosure thereof. It also aims to protect this information against any attack on its integrity.

In addition, the purpose of this policy is to establish the rules relating to access to such information, its communication, its use, its retention and its destruction as well as rights of rectification.


2) Basis

Sistemalux is a private company subject to the Act respecting the protection of personal information in the private sector (CQLR, c P-39.1), the Act to establish a legal framework for information technology (CQLR, c C-1.1), the Civil Code of Quebec (CQLR 1991, c 64) and the Privacy Act (RSC 1985, c P-21).

Sistemalux Inc. is the legal entity registered under the Canadian Business Corporations Act. Sistemalux may collect personal information.

Sistemalux recognizes the importance of privacy, security and the protection of personal information. It therefore undertakes to comply with the provisions, values and principles established by all applicable legislation, including any related updates.

Sistemalux ensures that it implements the necessary physical, IT and technological security measures to guarantee the confidentiality of the personal information communicated to it in the context of its business.


3) Scope

This policy applies to all employees, agents, suppliers and partners of Sistemalux who may have access to personal information in the performance of their duties.

This policy applies to clients and users of the Sistemalux website (hereinafter the “Client”) as well as candidates for job offers. However, it does not apply to the protection of employees’ personal information since another internal policy has been adopted and brought to their attention.


4) Objectives

This policy aims to define the type of personal information that Sistemalux collects and how Sistemalux protects this information.

It also specifies the standards for collection, keeping, use, communication, destruction of this information as well as the rights of access and rectification of personal information by the company or by a third party, regardless of the nature of their medium or the form in which it may be accessed: written, graphic, audio, visual, computerized or other.


5) Definition of personal information

Any information which concerns a natural person, which allows them to be identified directly or indirectly and which is not public in nature under law.

However, Divisions I and II of the Act respecting the protection of personal information in the private sector which concern the collection, holding, use, communication, storage and destruction do not apply to personal information which concerns the exercise by the data subject of a function within a company, such as their name, their position, as well as the address, email address and telephone number of their place of work.

5.1       General principles

Sistemalux takes appropriate security measures to ensure the protection of personal information collected, used, communicated, kept or destroyed and which are reasonable taking into account, in particular, its sensitivity, the purpose for which it is to be used, its quantity, its distribution and the medium on which it is stored, in particular by ensuring the following:

  • Integrity of the information, so that it is not destroyed or altered, in any way, without authorization and in compliance with applicable laws, and that the support of such information allows its desired stability and durability;

  • Confidentiality of personal information, by limiting its disclosure only to those authorized to have access to it;

  • Identification and authentication, so as to confirm, when required, the identity of a person or the identification of a document or device;

  • Compliance with legal, regulatory or business requirements to which Sistemalux is subject.


6) Collection of personal information

Sistemalux is a family company founded in 1984 which distributes and manufactures European lighting systems. Its website allows the purchase of lighting systems. As part of its activities, Sistemalux collects personal information about its clients. Sistemalux also collects personal information from candidates (hereinafter “candidates”) who apply for employment within Sistemalux through its website. Sistemalux may namely collect the following information:

  • Contact details, such as a first and last name, a postal address, an email address, an IP address, a telephone number;

  • Billing information, such as billing address, banking information, credit card details or payment system data;

  • Information relating to the use of Sistemalux services, including technical information on visits or any other information collected through cookies;

  • Any other personal information requested and provided.


7) Consent to collection

The collection of personal information by Sistemalux is carried out in complete transparency and with the prior, free and informed consent of the client or candidate, which is obtained through one or more consent forms detailed in simple and clear language.

In compliance with applicable laws, when Sistemalux collects personal information, it requires the consent of the client or candidate by disclosing in advance the purposes for which such information is collected and how it will be used.

Sistemalux will seek to obtain a new, separate consent before using the personal information held for purposes that are not compatible with those for which it was initially collected.



8) Method of collection

The collection of personal information may be carried out in person, by email, through forms, telephone interviews, questionnaires, social media, text messages or electronically through the website.

Sistemalux collects personal information from its clients or candidates with their prior consent and namely provides in simple and clear language the following information during collection and subsequently upon request:

  • The name of Sistemalux;

  • The purposes for which such information is collected;

  • The means by which such information is collected;

  • The rights of access and rectification provided for by law;

  • The right to withdraw consent to the disclosure or use of the information collected;

  • The name of the third party for whom the collection is carried out, as the case may be;

  • The name of the third parties to whom it will be necessary to communicate the personal information;

  • The possibility that personal information will be disclosed outside Quebec.

Upon request, Sistemalux will inform its clients and candidates of the personal information collected from them, the categories of persons who have access to such information within the company, the retention period of such information, as well as the contact details of the person in charge of the protection of personal information (hereinafter the “Privacy Officer”).



9) Use

Sistemalux collects, uses and keeps the personal information of its clients and candidates in order to:

  • Verify their identity;

  • Communicate with them;

  • Conduct job interviews with candidates;

  • Send personalized offers to clients via the newsletter;

  • Share personal information with third parties in order to keep it;

  • Provide customer service;

  • Provide updates and other information relating to its website;

  • Marketing and promotion;

  • Any other compatible purpose;

  • As permitted or required, for any applicable legal or regulatory obligation or provision;

  • Carry out profiling;

  • Assert its rights, if applicable.

Sistemalux uses the information collected and held only for the purposes for which consent was obtained. Thus, without specific consent, Sistemalux does not communicate, sell, rent, give, exchange, share or disclose any personal information held to third parties.

 Such information is only accessible to employees as well as suppliers or agents of Sistemalux who need it to carry out their duties and the latter are required to respect the confidential nature of such information.



10) Retention and security of personal information

Any personal information collected, regardless of its medium, is kept in a secure environment against unauthorized access, disclosure, copying, use or modification as well as against loss or theft. These security measures include, as the case may be, the use of firewalls and secure servers, encryption, deployment of appropriate access rights management systems and processes, careful selection of processors, sufficient training of Sistemalux personnel having access to personal information in the context of their duties, as well as other essential measures to ensure appropriate protection of personal information against any unauthorized use or dissemination. Sistemalux uses information technology to support its business processes to offer better service delivery and appropriate security for the information it holds.

Sistemalux implements adequate security and access management measures to ensure the confidentiality, integrity and availability of the personal and confidential information it holds based on the sensitivity of such information, the risks to which it is exposed and Sistemalux obligations.



11) Disclosure of personal information to third parties

Sistemalux requires the consent of the client or candidate before communicating personal information concerning them to a third party, unless applicable laws authorize communication without such consent.

Sistemalux may, as part of the services offered, communicate, in compliance with applicable legal requirements, personal information to its external suppliers who are located in Quebec and outside Quebec. These providers include companies such as Cardknox for online payment. In this case, Sistemalux’s external service providers are subject to confidentiality agreements and legal restrictions prohibiting the use of the information communicated for purposes other than those for which Sistemalux collected it. Sistemalux may also agree to service agreements with its external suppliers, in accordance with the law, to facilitate the communication of personal information between them and with other stakeholders.

Sistemalux and its suppliers may be required to provide personal information held as a result of a court order, administrative investigation or other circumstances provided for by law.

In the context of a sale, buyout, acquisition or any other restructuring of Sistemalux’s business, the latter may be required to disclose personal data, which may be assimilated to personal information, to potential or existing acquirers and their advisors for the purposes of said transaction. Sistemalux will ensure that it complies with the requirements of applicable laws before any communication.



12) Rights of access, rectification or withdrawal

Any person who requests it has the right to access the personal information concerning them and which is held by Sistemalux, except as otherwise provided for in applicable laws. The request may be made through the Privacy Officer.

A person may request that their personal information be corrected, rectified, destroyed or no longer used for the purposes for which it was collected.

Any data subject may also, at any time, withdraw their consent to the processing of their personal information by contacting the Privacy Officer. This withdrawal of consent will only be effective for the future, upon receipt by Sistemalux of such withdrawal. Upon receipt of the notice of withdrawal of consent, Sistemalux undertakes to cease all processing of the personal information concerned and to destroy it, subject to any legal or regulatory obligation relating to its conservation.

Sistemalux will also notify any person or entity to whom such personal information has been communicated in accordance with the consent obtained so that these people or entities also stop processing such personal information and destroy it, as the case may be.

However, it is possible that Sistemalux may not be able to honour its obligations in the event of a hasty request for withdrawal of consent or destruction. In such a case, Sistemalux cannot be held responsible for any damage suffered by the client or candidate.



13) Destruction

Personal information is kept for the necessary period to achieve the purposes intended for its collection and is subsequently destroyed. Personal information may be retained beyond the purposes intended for its collection when another preservation period provided for by another law applies. It will be destroyed in accordance with applicable laws.



14) Responsibility of the client or candidate

Any person who provides information to Sistemalux is responsible for its accuracy.

Any person who transmits information to Sistemalux must also ensure that the system or equipment with which such person transmits to or receives information from Sistemalux is sufficiently secure and must exercise vigilance. Sistemalux cannot be held responsible for unauthorized access to information resulting from negligence or vulnerabilities of the equipment or system of a client or candidate.

In the event that the confidentiality of their information is compromised or their identity usurped, the client or candidate is required to notify Sistemalux as quickly as possible by contacting the Privacy Officer identified below.



15.         Confidentiality incidents and actions to undertake

A confidentiality incident refers to the access not authorized by law to personal information, the use not authorized by law of personal information, the communication not authorized by law of personal information or the loss of personal information or any other breach of the protection of such information. In the event of a confidentiality incident, Sistemalux will quickly take the required measures to reduce the risk of injury to the client or candidate and to prevent new incidents of the same nature from occurring. In the event of a risk of serious injury to the data subject, Sistemalux will inform the latter as well as the Commission d’accès à l’information.



16.         Register of confidentiality incidents

Sistemalux keeps a register of all confidentiality incidents, as the case may be, even those which do not present a risk of serious injury to the data subject.

Sistemalux will allow consultation of this register to the Commission d’accès à l’information and will send a copy to it upon request.



17.         Cookies and privacy settings

List of cookies

The use of technical session cookies (non-persistent) is strictly limited to what is necessary for safe and efficient browsing on the sites. Cookies are not used for user profiling. The only processing carried out concerns the production of statistics, with anonymized data. The configuration adopted specifically excludes the processing of identification data, by collecting the IP address and masking it by setting the last 2 bytes to zero (xxx.xxx.0.0).

It is possible to manage the use of these cookies on the Sistemalux website by opening the cookie settings.

 

A consent banner is automatically displayed upon landing on the website to allow the client or candidate to activate cookies. The effectiveness of certain services offered by the website may be affected if the client or candidate refuses the activation of cookies.

Any person who provides personal information in accordance with this section consents to its use and communication for the purposes for which such information is collected.

18) Affiliated sites

Some of Sistemalux’s services may be offered in connection with other websites. The personal information that a person communicates to these sites may be sent to Sistemalux to ensure service. This information is processed in accordance with this policy. Affiliated sites may have different privacy practices, so Sistemalux recommends reviewing their applicable policies and practices.




19) Links

Sistemalux may display links in a format that allows it to determine whether those links have been followed. This information is used to improve the quality of personalized content and ads.




20) Complaint management

Any person who wishes to file a complaint concerning the collection, retention, use, communication, destruction or rights of access or rectification to their personal information by Sistemalux must send it to the Privacy Officer of Sistemalux. The Privacy Officer will analyze it and provide a response within thirty (30) days of receipt of the complaint.




21) Dissemination of this policy

Sistemalux publishes this policy on its website and disseminates it by any means likely to reach the data subject. Sistemalux does the same for the notice necessary for any modification to this policy.




22) Privacy Officer

The Human Resources Director of Sistemalux is the Privacy Officer. Mr. Steeve Dumont can be reached at the following address: privacy@iguzzini.com or by telephone: 514-523-1339, extension 240.

The Privacy Officer is a member of Sistemalux staff and has roles and responsibilities throughout the life cycle of personal information within the company.



Effective date

This policy will become effective on the day of its approval by the Privacy Officer of Sistemalux.

 

On December 22, 2023