Privacy Policy

1. Context

MASKA is a federally regulated not-for-profit legal entity that processes personal information as part of its operations.

This policy aims to ensure the protection of personal information and to govern how MASKA collects, uses, discloses, retains, destroys, or otherwise manages such information. It also aims to inform any interested party about how MASKA handles their personal information. Additionally, the policy covers the processing of personal information collected by MASKA through technological means.

2. Scope and Definitions

This policy applies to MASKA, including but not limited to its executives, employees, consultants, volunteers, and any other individuals who provide services on behalf of MASKA. It also applies to MASKA’s website and to all websites controlled and maintained by MASKA.

It covers all types of personal information managed by MASKA, including information related to its clients (current or potential), consultants, employees, members, or any other individuals (such as visitors to its websites or other platforms).

For the purposes of this policy, personal information refers to any information about an individual that allows them to be identified, directly or indirectly. For example, this may include a person’s name, address, email address, telephone number, gender, banking details, health information, ethnic origin, language, etc.

Sensitive personal information refers to data for which there is a high degree of reasonable expectation of privacy — for example, health information, banking details, biometric data, sexual orientation, ethnic origin, political opinions, religious or philosophical beliefs, and so on.

These provisions do not apply to personal information that is considered public by law, effective from the date this policy comes into force.

3. Collection, Use, and Disclosure

As part of its operations, MASKA may collect various types of personal information for different purposes. The types of information MASKA may collect, the purposes for which it is used, and the methods by which the information is collected are outlined in Appendix A of this policy.
MASKA will also inform individuals, at the time of collecting personal information, of any additional information being collected, the purposes for which it is being collected, and the methods of collection, in addition to any other information required by law.

MASKA adheres to the following general principles regarding the collection, use, and disclosure of personal information:

Consent:

In general, MASKA collects personal information directly from the individual concerned and with their consent, unless an exception is provided by law. Consent may be obtained implicitly in certain situations — for example, when a person chooses to provide their personal information after being informed through this policy of its intended use and disclosure (see Appendix A for more details). As such, this policy and the information it contains will be available for consultation by the individual at the time their personal information is collected.

Normally, MASKA must also obtain the individual’s consent before collecting their personal information from third parties, disclosing it to third parties, or using it for secondary purposes. However, MASKA may act without consent in certain situations provided by law and under the conditions established by those legal provisions. The main situations in which MASKA may act without consent are described in the relevant sections of this policy.

Collection:

In all cases, MASKA only collects personal information when it has a valid reason to do so. Furthermore, the collection is limited to the information necessary to fulfill the intended purpose.

Please note that MASKA’s services and programs are not intended for minors. More generally, MASKA does not knowingly collect personal information about minors (in such cases, the information cannot be collected without the consent of a parent or legal guardian).

Collection from third parties. MASKA may collect personal information from third parties. Unless an exception is provided by law, MASKA will seek the individual’s consent before collecting personal information about them from a third party. If the information is not collected directly from the individual but rather from another organization, the individual may request the source of the collected information from MASKA.

In certain situations, MASKA may also collect personal information from third parties without the individual’s consent if it has a serious and legitimate interest in doing so, and a) the collection is in the best interest of the individual and it is not possible to collect the information from them in a timely manner, or b) the collection is necessary to ensure the accuracy of the information.

This collection through third parties may be necessary to access certain services or programs, or to otherwise conduct business with MASKA. When required, MASKA will obtain the individual’s consent at the appropriate time.

Retention and Use

MASKA ensures that the personal information it holds is up to date and accurate at the time it is used to make a decision concerning the individual in question.
MASKA may only use a person’s personal information for the purposes outlined in this policy or for any other purposes disclosed at the time of collection. If MASKA intends to use this information for a different purpose, new consent must be obtained from the individual. This consent must be explicit if the information is considered sensitive personal information. However, in certain cases provided by law, MASKA may use the information for secondary purposes without the individual’s consent, for example:

  • when the use clearly benefits the individual;
  • when it is necessary to prevent or detect fraud;
  • when it is necessary to evaluate or improve protection and security measures.

Limited Access. MASKA must implement measures to restrict access to personal information only to employees and individuals within the organization who are authorized to view it and for whom the information is necessary in the course of their duties. MASKA will seek the individual’s consent before granting access to any other person.

Disclosure:

Generally, and unless an exception is specified in this policy or otherwise provided by law, MASKA will obtain the individual’s consent before disclosing their personal information to a third party. Moreover, when consent is required and the information is sensitive personal information, MASKA must obtain the individual’s explicit consent before disclosing the information.

However, disclosure of personal information to third parties is sometimes necessary. Therefore, personal information may be shared with third parties without the individual’s consent in certain cases, including but not limited to the following:

  • MASKA may disclose personal information, without the individual’s consent, to a public body (such as a government entity) that collects it through one of its representatives in the performance of its duties or the implementation of a program it manages.
  • Personal information may also be disclosed to service providers when necessary, without the individual’s consent. For example, these service providers may include event organizers, subcontractors designated by MASKA to carry out tasks related to programs it administers, and cloud service providers. In such cases, MASKA must have written agreements with these providers specifying the measures they must take to ensure the confidentiality of the personal information disclosed. These agreements must state that the information is only to be used for the execution of the contract, must not be retained after the contract ends, and must include provisions requiring providers to notify MASKA’s Privacy Officer (as identified in this policy) of any breach or attempted breach of confidentiality obligations. The agreements must also allow the Privacy Officer to conduct any necessary audits regarding confidentiality.
  • If necessary for the conclusion of a commercial transaction, MASKA may also disclose personal information, without the individual’s consent, to the other party to the transaction, in accordance with the conditions provided by law.

Cross-border Disclosure: It is possible that personal information held by MASKA may be disclosed outside of Québec — for instance, when MASKA uses cloud service providers whose servers are located outside Québec or when MASKA works with subcontractors based in other provinces or countries.

Additional Information on Technologies Used:

  • Use of Cookies
    Cookies are data files sent to a visitor’s computer by their web browser when they visit a website, and they can serve various purposes.

Websites controlled by MASKA use cookies for the following purposes:

  • To remember visitor settings and preferences, such as language selection and to enable session tracking;
  • For statistical purposes, to understand visitor behavior, view content engagement, and support website improvements.

MASKA-controlled websites use the following types of cookies:

  • Session cookies: Temporary cookies stored in memory for the duration of the website visit only.
  • Persistent cookies: Stored on the device until they expire, and retrieved upon future visits.

Some cookies may be disabled by default, and visitors can choose whether or not to enable these features when browsing MASKA’s websites.

It is also possible to enable or disable the use of cookies by adjusting the settings in the visitor’s web browser.

  • Use of Google Analytics

Some of MASKA’s websites use Google Analytics to support continuous improvement. Google Analytics helps analyze how visitors interact with a MASKA website. It uses cookies to generate statistical reports on visitor behavior and content engagement.

Information generated by Google Analytics will never be shared with third parties by MASKA.

A browser add-on is available to disable Google Analytics, should users wish to opt out.

  • Other Technological Tools (e.g., Facebook, Hotjar)

MASKA also collects personal information through technological means such as web forms embedded in its websites (e.g., contact forms, membership forms, newsletter and seminar registration forms), online questionnaires accessible via its platforms and applications, and other form platforms or tools (e.g., Microsoft Forms).

If MASKA collects personal information through a technological product or service that includes privacy settings, MASKA must ensure that those settings offer the highest level of privacy by default (cookies excluded).

4. Retention and Destruction of Personal Information

Unless a minimum retention period is required by applicable laws or regulations, MASKA will retain personal information only for as long as necessary to fulfill the purposes for which it was collected.

Personal information used by MASKA to make a decision about an individual must be retained for at least one year following the decision, or up to seven years after the end of the fiscal year in which the decision was made if it has tax implications — for example, in the case of employment termination circumstances.

At the end of the retention period, or when the personal information is no longer needed, MASKA will:

  1. either destroy the information; or
  2. anonymize it (meaning it can no longer, irreversibly, identify the individual or be linked to them) so it may be used for serious and legitimate purposes.

The destruction of personal information by MASKA must be carried out in a secure manner to ensure the protection of such information.

This section may be supplemented by any other policy or procedure adopted by MASKA concerning the retention and destruction of personal information, if applicable. Please contact MASKA’s Privacy Officer (identified in this policy) for further details.

5. Responsibilities of MASKA

In general, MASKA is responsible for protecting the personal information it holds.

MASKA’s Privacy Officer is the organization’s Director of Operations. This person is generally responsible for ensuring compliance with applicable privacy legislation. The Privacy Officer must approve the policies and practices governing the management of personal information. More specifically, this individual is responsible for implementing this policy and ensuring that it is known, understood, and applied. In the event that the Privacy Officer is absent or unable to act, the President of MASKA will assume the Privacy Officer’s responsibilities.

MASKA personnel who have access to personal information or who are otherwise involved in its management are responsible for protecting that information and for complying with this policy.

The roles and responsibilities of MASKA employees throughout the personal information lifecycle may be further defined by other MASKA policies, where applicable.

6. Data Security

MASKA is committed to implementing reasonable security measures to ensure the protection of the personal information it manages. The security measures in place are adapted to factors such as the purpose, volume, distribution, format, and sensitivity of the information. This means that any information considered sensitive (as defined in Section 2) must be subject to stronger security safeguards and better protection.

In particular, and as previously mentioned regarding limited access to personal information, MASKA must implement the necessary controls to restrict the usage rights of its information systems, ensuring that only employees who require access to the information as part of their duties are authorized to access it.

7. Rights of Access, Correction, and Withdrawal of Consent

To exercise their rights of access, correction, or withdrawal of consent, individuals must submit a written request to MASKA’s Privacy Officer at the email address provided in the next section.

Subject to certain legal restrictions, individuals may request access to their personal information held by MASKA and request its correction if it is inaccurate, incomplete, or ambiguous. They may also request that the dissemination of personal information concerning them cease, or that any hyperlink attached to their name allowing access to such information via technological means be deindexed, when the dissemination of that information violates the law or a court order. They may make the same request, or request that the hyperlink be reindexed, when certain legal conditions are met.

MASKA’s Privacy Officer must respond in writing to these requests within 30 days from the date the request is received. Any refusal must be justified and include the legal provision supporting the denial. In such cases, the response must indicate the recourse available under the law and the applicable time limits for pursuing it. The Privacy Officer must assist the requester in understanding the refusal, if necessary.

Subject to applicable legal and contractual restrictions, individuals may withdraw their consent to the disclosure or use of the personal information collected.

They may also ask MASKA which personal information has been collected about them, the categories of individuals within MASKA who have access to it, and the retention period.

8. Complaint Handling Process

Reception

Any person wishing to file a complaint regarding the application of this policy or, more broadly, the protection of their personal information by MASKA must do so in writing by contacting MASKA’s Privacy Officer at the email address provided in the next section.

The individual must include their name, contact information (including a phone number), as well as the subject and reasons for their complaint, providing sufficient detail to allow MASKA to assess it. If the complaint is not specific enough, the Privacy Officer may request any additional information deemed necessary to properly evaluate it.

Processing

MASKA is committed to handling all complaints confidentially.

Within 30 days of receiving the complaint—or within 30 days of receiving all additional information deemed necessary by MASKA’s Privacy Officer to assess the complaint—the Privacy Officer must evaluate it and provide a written, reasoned response to the complainant by email. This evaluation will determine whether MASKA’s handling of personal information complies with this policy, any other policies and practices in place within the organization, and applicable laws or regulations.

If the complaint cannot be processed within this timeframe, the complainant must be informed of the reasons for the delay, the status of the complaint’s review, and the reasonable timeframe needed to provide a final response.

MASKA must create a separate file for each complaint received. Each file must include the complaint, the analysis, supporting documentation, and the response sent to the complainant.

It is also possible to file a complaint with the Commission d’accès à l’information du Québec or with any other privacy oversight body responsible for enforcing the applicable law.

However, MASKA encourages anyone concerned to first contact its Privacy Officer and wait for the outcome of MASKA’s internal complaint process.

9. Approval

This policy has been approved by MASKA’s Privacy Officer, whose business contact information is as follows:

Privacy Officer:

Véronik Bordeleau
(819) 479-9306
530 rue Raygo La Présentation J0H 1B0
[email protected]

For any request, question, or comment regarding this policy, please contact the Privacy Officer by email.

10. Publication and Amendments

This policy is published on MASKA’s website, as well as on all websites controlled and maintained by MASKA to which this policy applies, with respect to the personal information collected on those sites. It is also distributed by any means appropriate to reach the individuals concerned.

MASKA must do the same for any amendments to this policy, which must also be subject to notification in order to inform affected individuals.

*Notes: The use of the masculine gender in this policy is intended solely to simplify the text and make it easier to read.

Version History and Changes Table:

VersionEffective dateChanges from Previous Version
1.0July 18, 2024N/A – First version

Appendix A

Below is a non-exhaustive list of the types of personal information MASKA may collect, the purposes for which it is used, and the methods by which the information is collected. This includes, but is not limited to, the following items.

Please note that most of the personal information managed by MASKA pertains to employees, job applicants, and consultants. For the other categories of individuals listed in the table below, the information provided is, in most cases, professional or business in nature (see Section 2 regarding professional contact information). It should also be noted that, in most cases, MASKA collects individuals’ professional title or role, the name of their organization, and/or the organization’s address (see Section 2 regarding professional contact information).

Relationship with MASKA, services, program, etc.Type of personal informationPurpose of collection / UsesMethod of data collection
 Either of these pieces of information, when necessary:

Used for:

May be collected
Through the website
Client
  • Name
  • City
  • Phone
  • Number
  • Address
  • Postal Code
  • Email
 Using form on the website.
Our locations
We're hiring!
Scroll to Top
  • Available positions

We’re recruiting champions!

Fill out our short form and our HR team will contact you quickly.

Contact me