Partner firm of Synex Insurance

Protection of Personal Information Policy

2023-09-27

 

1. PREAMBLE

Synex Business Performance Inc. and its partner firms Synex Insurance and Synex Group Solutions (hereinafter collectively "Synex") recognize the importance of privacy and are committed to protecting the personal information they collect and process in the course of their activities.

2. OBJECTIVES

The purpose of the Personal Information Protection Policy (hereinafter the "Policy") is to set out the principles applied by Synex with respect to the protection of the personal information (hereinafter "PRI") of Data Subjects.

The Policy describes the PRI standards and practices applied by Synex in order to:

  • Protect personal information collected by Synex throughout its life cycle, from collection, use, disclosure and retention to destruction or de-identification, in accordance with applicable legislation;
  • Ensure compliance with applicable legal requirements, including the Act respecting the protection of personal information in the private sector (Quebec), the Personal Information Protection Act (Alberta), the Personal Information Protection Act (British Columbia) and the Personal Information Protection and Electronic Documents Act (Canada), and with recognized PRI practices;
  • Ensure the trust of all stakeholders and demonstrate transparency regarding Synex's handling of personal information and PRI measures.

3. SCOPE OF APPLICATION

This Policy applies to any identified or identifiable individual about whom Synex collects Personal Information in the course of its business.

4. DEFINITION

Personal Information (PI) means any information relating to a natural person that enables that person to be identified directly or indirectly.

5. PRIVACY REQUIREMENTS

The Policy reflects Synex's ongoing commitment to comply with the PRI requirements of the following persons:

  1. Synex customers who are natural persons (excluding companies);
  2. Employees of Synex customers whose PI is disclosed to Synex in the course of Synex's commercial insurance business;
  3. Representatives of Synex service providers who are required to provide PI in order to establish a business relationship with Synex, except for business contact information;
  4. Current or former employees and other personnel of Synex and applicants for employment;
  5. Visitors to Synex websites;
  6. Any other natural person whose PI is collected or processed in the course of Synex's activities.

(Collectively, the "Data Subjects")

5.1. Guiding principles

Synex's PRI practices are defined and applied in accordance with the following PRI guiding principles, consistent with applicable law:

  5.1.1. Accountability: Synex is responsible for the handling of PI in its possession, including information that is entrusted to third parties. A Privacy Officer, whose contact details can be found in paragraph 7, has been appointed and ensures that the Policy is applied and that Synex complies with applicable laws and regulations relating to PRI.

  5.1.2. Purposes of Collection: Synex identifies the purposes for which it collects, uses, discloses and retains PI before collecting it. Synex ensures that it only collects PI that is necessary to fulfill the predetermined purposes. The purposes for which PI will be used will be specifically identified at the time of collection. As of the date of adoption of the Policy, the purposes for which PI is used include, but are not limited to:

    • Evaluate, qualify and underwrite risks;
    • Assess customer needs and offer products and services that meet those needs;
    • Manage customer files;
    • Establish and maintain communication with customers;
    • Confirm the identity and verify the accuracy of PI provided in applications, and update it;
    • Detect and prevent fraud or other illegal activity;
    • Manage risk, security and regulatory compliance;
    • Manage the relationship with job applicants and employees.
  5.1.3. Collection: Synex limits the collection of PI to that which is necessary for the identified purposes. Synex collects PI directly from the Data Subject, unless it has obtained the Data Subject's consent to collect PI from third parties or is otherwise permitted by law. Synex may also receive PI from its partners.

  5.1.4. Limiting use, disclosure and storage

    5.1.4.1 Limitation
    Synex restricts the use of PI to the purposes for which it was collected and to which the Data Subject has consented, subject to exceptions provided by law or to obtaining new consent.

    Synex limits access to the PI it holds to only those persons for whom access is required for the performance of their duties and provides PRI training to its staff. Synex employees are also bound by a confidentiality undertaking, which covers in particular the confidentiality of PI processed in the course of their duties.

    5.1.4.2 Communication
    Synex may communicate the PI of Data Subjects to various business partners, suppliers or other third parties in the course of its activities. It may also disclose PI to courts, regulators, government officials or prosecutors, or any other investigative or law enforcement party. Synex ensures that PI is only disclosed for the purposes identified and consented to by the Data Subject, unless the Data Subject gives consent to the new purposes or unless exceptions are provided by law.

    5.1.4.3 Retention
    Synex uses systems and technology service providers that ensure the retention of Data Subjects' PI in a manner that maintains its confidentiality. Synex retains data and documents containing PI for the length of time necessary to fulfill the purpose for which it was collected and for the retention periods required by law.

    PI is generally kept in the province of Quebec. It is possible, however, that the disclosure of PI to certain service providers may result in the transfer of PI outside of Quebec, in which case Synex will consult the applicable PRI laws and practices in the relevant jurisdiction and ensure that PI is adequately protected through a privacy impact assessment and that the contractual framework stipulates appropriate PRI commitments.

  5.1.5. Security measures: Synex applies security measures that are proportionate to the sensitivity of the PI it holds in order to prevent breaches of confidentiality and integrity, in accordance with its information security frameworks.

  5.1.6. Transparency: Synex documents its PI management practices simply and clearly, and makes them available on its websites. Synex provides the prescribed information to the Data Subject when the collection is made using technology that includes functionalities that allow the Data Subject to be identified, located or profiled.

    Rights of Data Subjects: Synex has procedures in place to deal with requests for the exercise of rights by Data Subjects, including requests for access, rectification and withdrawal of consent. Requests for the exercise of rights must be forwarded to the office of the Privacy Officer, whose contact details appear in paragraph 7, for processing in accordance with the law.

    Synex respects the rights granted to Data Subjects in respect of their PI and has procedures in place to deal with the following requests:

    a) Access: a Data Subject has the right to request a copy of, or to consult, his or her PI held by Synex. However, PI concerning a Data Subject cannot be communicated when its disclosure would reveal PI about another person or would constitute a violation of applicable laws.

    Access to PI is free of charge. In certain circumstances, in particular if the request is excessive or unfounded, Synex may charge the Data Subject an administration fee for the transcription, reproduction or transmission of his or her PI. Before granting a request, Synex will inform the Data Subject if a fee is to be charged.

    b) Accuracy: Synex aims to ensure that the PI it collects and retains is accurate and validates this with Data Subjects as part of its activities. Synex invites Data Subjects to contact the Privacy Officer, whose contact details appear in paragraph 7, in order to advise him or her if certain PI is not accurate or if changes need to be made.

    c) Withdrawal of consent: in certain circumstances, a Data Subject may object to the processing of his or her PI and request Synex to block, delete and restrict access to it for purposes that are not essential to the management and administration of its products and services. Withdrawal of consent for a purpose essential to the provision of Synex services will terminate the relationship between Synex and the Data Subject withdrawing such consent.

    d) Portability: any Data Subject may, on request, obtain a copy of the PI collected about him or her. If the Data Subject's PI is computerized, he or she may request that it be communicated to him or her in the form of a written and comprehensible transcript.

    e) Complaints: if a Data Subject believes that his or her PRI rights may have been infringed, he or she has the right to file a complaint with the Privacy Officer or the applicable supervisory authority, or to have recourse to the courts.

    Synex will respond to all requests within 30 days of receipt of such a request. Where Synex is unable to meet this deadline, or if additional time is required to satisfy a request, it will inform the Data Subject in writing.

7. THE PRIVACY OFFICER

Synex has appointed a Privacy Officer who is responsible for Synex's compliance with applicable privacy legislation.

If you have any questions regarding the collection, use, disclosure or retention of PI by Synex, you may contact the Privacy Officer as indicated below:

Privacy Officer
Civic address: 2828, boul. Laurier, Suite 1300, Quebec City, Quebec G1V 0B9
Phone: 1-866-321-2233
E-mail: confidentialite@synexcorp.ca

8. ADOPTION AND MODIFICATION OF THE POLICY

This Policy has been adopted by the Synex Executive Board and takes effect on the date of adoption. It replaces all previous versions. Historical versions of the Policy may be obtained from the Privacy Officer upon request. The collection, use, disclosure and other processing of a Data Subject's PI by Synex will be governed by the version of the Policy in effect at the time of processing.

The Privacy Officer is responsible for the Policy and its revision. The Policy may be amended at Synex's discretion to reflect changes in applicable requirements or Synex's practices and will be reviewed at least every three years.
