Law 25 – Internal policy on the protection of personal information in the private sector

Latest update July 2023


DÉCARIE TRANSEARCH Executive search and leadership consulting, hereinafter referred to as ‘the firm,’ attaches great importance to the confidentiality and protection of personal information of its employees, clients, and candidates, ensuring that all personal or confidential information is handled securely and responsibly, in compliance with Law 25 and the Law about personal information protection in the private sector.

Personal Information Protection Office

In accordance with the Law, which requires every business to designate a person who can effectively assume the role of Personal Information Protection Officer, Robert Bonneau, Senior Partner, has been designated as the individual responsible for the protection of personal information. To address any questions regarding this matter, please contact our coordinator at the following address, who will follow up with management:

Collection, use, disclosure, protection, retention, and destruction of data

In the course of its research activities, the firm collects, uses, discloses to third parties, retains, or destroys personal information provided by clients, candidates, or through other legal means and third parties. The firm only collects personal information necessary for the execution of its business activities and is committed to not using this information for purposes other than those for which it was collected.

The firm shares personal information only with individuals and entities necessary for the achievement of the purposes for which it was collected, or when required by law.

Before sharing personal information, employees must take appropriate measures to protect its confidentiality and security. Additionally, the firm retains personal information for the time necessary to achieve the purposes for which it was collected, as well as for the follow-up of its processes. To this end, appropriate security measures are implemented to protect this information against unauthorized access, loss, disclosure, or destruction.

These security measures, designed to ensure the protection of personal information collected, used, disclosed, retained, or destroyed, are detailed in a procedure for which each employee signs an acknowledgment of receipt and which each employee commits to follow and respect in the course of their duties. These measures are reasonable, taking into account, in particular, the sensitivity, purpose, quantity, distribution, and medium of the personal information.

Obligations of the firm and its employees

  • Obtain consent from individuals before collecting their personal information from a third party.
  • Obtain consent from individuals before disclosing their personal information to a third party.
  • In the event of a breach of confidentiality (e.g., recipient error, loss or theft of a paper version, hacking, or cyberattack), the employee involved must promptly contact the Senior Partner and the Coordinator to provide them with all relevant information to effectively address the incident.
  • If the firm has reason to believe, or if one of its employees informs the firm, that a privacy incident involving personal information they hold has occurred, it:
    • Takes reasonable steps to reduce the risks of harm and to prevent further incidents of a similar nature from occurring.
    • Notifies the Commission d’accès à l’information du Québec (CAI) if the privacy incident poses a risk of serious harm, and notifies the individuals whose information is affected.
    • Maintains a record of privacy incidents, including the following information: circumstances of the incident, relevant dates, number of affected individuals, assessment of the severity of the risk of harm, and measures taken in response to the incident.

Rights of the individuals concerned

Any individual has the right to access their personal information, to have it corrected or deleted, or to object to its use. To exercise these rights, the individual must submit a written request to the Personal Information Protection Officer, namely the Senior Partner, via the coordinator. The firm commits to responding to these requests within the timelines specified by law.

Training and awareness, assessment and review

The firm ensures that all its employees are informed of this internal policy and are made aware of, and trained in, best practices regarding the protection of personal information.

Regular internal assessments are conducted to verify compliance with this internal policy. If necessary, modifications will be made to ensure that the firm’s practices regarding the protection of personal information remain up to date and effective. The internal policy is consequently subject to periodic revisions, as needed.