Contact
Book an appointment

Sustainability policy

Accueil Sustainability policy

Version: 1.0

Effective Date: 2022-10-03     

 

 

  1. Policy Statement

 

At S&E Cloud, we process the personal data of individuals for our internal administrative purposes, such as to manage our employees, and to provide services to our clients. We understand that the processing of personal data can pose risks for individuals, including in case of a personal data breach. This Personal Data Protection Policy (the “policy”) sets forth principles which govern our processing of personal data, and are foundational to our privacy compliance program (“PCP”). The policy provides a framework for implementing, maintaining and improving the PCP to meet our clients’ expectations, comply with privacy laws, and maintain a trust-based relationship with our employees by respecting their privacy. 

 

Our Privacy Officer oversees the PCP to ensure that we apply technical and organisational measures to protect personal data at all phases of its lifecycle.

Figure 1 – Data Lifecycle

  1. Policy Statement

This policy sets forth the foundation of a PCP, along with principles guiding our processing of personal data. It seeks contributes to the compliance framework applicable by:

  • Establishing the governance structure for the PCP.
  • Assigning roles and responsibilities for the protection of personal data.
  • Establishing mechanisms for continual improvements of the PCP.
  • Complying with our contractual obligations regarding personal data.
  • Ensuring a risk-based approach to information privacy.
  • Implementing legal requirements affecting personal data.

This policy is the foundation of our PCP, which consists of documented measures designed to achieve the privacy principles described and maintaining accountability.

 

  1. Definitions

 

Personal data” means data which can either directly identify an individual (e.g., name, social security number) or indirect (e.g., online identifier, IP address). In some cases, data may not be personal on its own, but may become personal data once combined with other data. 

 

Personal data breach” means (a) a security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data; (b) a breach of our policies and standards regarding the processing of personal data.

 

Privacy laws” means any laws, regulations, treaties, mandatory guidelines, and other legal obligations that apply to our processing of personal data.

 

Processing” means any operation or set of operations which is performed on personal data or a set of personal data, whether or not by automated means, e.g. accessing, transmitting, disclosing, collecting, aggregating, communicating, or storing personal data.

 

  1. Scope

 

This policy applies to S&E Cloud Experts, Inc., and all its subsidiaries worldwide (“S&E”). More specifically, it applies to all our employees, contractual resources, directors, and officers (our “personnel”). This policy only applies to our processing of Personal data, as defined above.

  1. Roles & Responsibilities 

 

The Board of Directors adopted this policy and allocated roles and responsibilities below for its application and maintenance.

 

Role Responsibilities
Data Governance Committee (“DGC”)
  • Performs management reviews of this policy
  • Approves risk treatment plans and exception requests in case of moderate to high risks to personal data
  • Reviews results internal audits and risk assessments relating to personal data
  • Allocates appropriate resources for privacy
  • Reports directly to the board of directors
Privacy Officer
  • Ensures the implementation and respect of privacy laws
  • Implements, maintains and improves the PCP
  • Assists concerned individuals for the exercise of their privacy rights
  • Participates in the response to personal data breaches
  • Maintains the Registry of personal data breaches and the Registry of processing
  • Conducts privacy impact assessments (“PIA”) as required by privacy laws, ensures remediation plans are documented and informs the DGC of material risks to personal data
  • Participates and votes in the DGC as a mandatory member
Data Protection Officer (“DPO”)
  • Exercises an advisory role on personal data which are subject to the General Data Protection Regulation, including, where applicable, the laws of the United Kingdom (together, the “GDPR”)
  • Acts as a point of contact for data subjects in the European Union (“EU”) or in the United Kingdom (“UK”), as applicable
  • Acts as a point of contact for supervisory authorities in the EU and UK, as applicable
VP Finances and administration
  • Develops, implements and maintains measures to ensure the confidentiality, availability and integrity of personal data, including by leveraging cryptography and independent reviews
  • Maintains an incident response plan to adequately detect and respond to personal data breaches
  • Contributes to privacy-by-design by ensuring that security is considered within the architecture of our processing systems
  • Participates in the DGC
  • Ensures that a business continuity strategy is in place for the availability of personal data, including through a data recoverability program that is frequently tested
  • Contributes to the application of the PCP at the team level, including by developing standard operating procedures and ensuring compliance within the team

 

  1. Compliance

 

S&E processes personal data in various jurisdictions, including in Canada and in the EU, depending on where our clients, partners and their end users are located. We are required to comply with several laws, including the GDPR and the Act to modernize legislative provisions as regards the protection of personal information, SQ 2021, c. 25, recently enacted in Quebec, where we are headquartered. 

 

You may contact our Privacy Officer for any questions regarding our PCP, for any complaints that you may have, or to exercise your rights regarding your personal data.

 

Privacy Officer
Name : Thomas Séguin
E-mail: privacy@secloud.ca
Phone : 514-663-6613

Our PCP relies on a PDCA approach that ensures continual improvement and ongoing risk management in relation to personal data. 

 

Our compliance approach must be tailored based on the needs and expectations of interested parties (e.g. employees, clients, and investors), as well as on the contextual environment in which we grow. When planning the PCP, we consider contextual factors relating to our partners’ technology, clients’ expectations, regulatory, organisational and strategic changes, and new processing technologies.

 

We seek to apply proportional and cost effective technical and organisational measures to protect personal data informed by risks to individuals. The Privacy Officer reports to the DGC on material risks, and obtains approval on related risk treatment plans.

 

The PCP must be designed to respond to the risks affecting personal data and concerned individuals. In accordance with privacy laws, these risks must include those related to the rights and freedoms of concerned individuals, along with the harm that they could suffer because of our processing of personal data, including because of a personal data breach.  

 

The Privacy Officer ensures that appropriate awareness and training activities are performed regarding the processing of personal data by members of the personnel. Training activities should take into consideration the degree of autonomy granted to the personnel in the processing of personal data, and the nature of their expertise within the community, where applicable. It should not be a checkbox exercise, and it should be as flexible as necessary to ensure that the activities are effective for the targeted individuals. The documents relating to training and awareness communications are available in French and English, to ensure that all members of the personnel are properly informed.

 

The effectiveness of the PCP must be validated, verified, and measured to ensure that the measures implemented are adequate to mitigate risks to personal data as well as risks of non-compliance with privacy laws. Compliance with the PCP must be verified and enforced. Concerned individuals should be encouraged to report concerns or make complaints about how their personal data is processed by S&E. It also means that individuals should be empowered to exercise their rights regarding their personal data without prejudice or reprisal. We will take these reports seriously and conduct the appropriate inquiries.

 

The Privacy Officer investigates non-conformities to the PCP. A remediation plan to prevent the recurrence of similar non-conformities must be documented and shared with the DGC for approval. Members of the personnel can also proactively report any risk or non-conformity to the Privacy Officer. We will protect your confidentiality. 

Exceptions to the PCP must be approved by the Privacy Officer. If the exception request raises high risks for individuals, the request must also be approved by the DGC. 

 

  1. Privacy Principles

 

Our PCP is based on the privacy principles identified below. These principles provide a framework for the implementation of technical and organisational measures for the processing of personal data by the Privacy Officer, under the supervision of the DGC. The PCP leverages mechanisms such as PIAs and vendor due diligence exercises to ensure that the privacy objectives set forth in this policy are considered at all phases of our processing of personal data.

 

  1. Transparency & Trust

 

Transparency and trust are pillars of our PCP. The more trusted our brand is, the more willing individuals are to share data with us, and the more likely we can develop long lasting relationships with our clients. To build trust, we must be transparent by providing explanations on our practices and making transparency notices available to concerned individuals from whom we collect information. Our policy is to inform individuals on the types of personal data that we collect, the purposes of the collection, the third parties with whom we share personal data and attempt to consult stakeholders when reasonable, such as when performing PIAs.

 

Privacy laws contain obligations regarding the information that must be disclosed to individuals, and the timing at which it must be disclosed. Automated decision-making, profiling, and processing techniques such as interest-based advertising and artificial intelligence should trigger more transparency.  

 

  1. Fair & Lawful Processing

 

We ensure that our processing of personal data is necessary and proportional. We do not collect personal data “just in case” and our processing of personal data should not outweigh risks to the rights and freedoms of individuals. Our processing of personal data must be fair and must be based on a lawful basis. Obtaining a consent from concerned individuals is a frequent lawful basis for processing, but there are other lawful purposes and legislative exceptions in privacy laws.

 

If consent is used as a lawful basis, we ensure that the consents are informed, freely given, unambiguous and specific. Depending on the circumstances, consent may be explicit (e.g., with sensitive personal data) or implicit. We must provide clear and meaningful information to individuals when we request their consents and maintain evidence of these consents and of the information that we provided at the time of requesting the consent. Individuals have a right to withdraw their consents and should be informed accordingly. Deceptive and manipulative schemes to obtain consent are neither permitted, nor authorised by S&E.

  1. Data Minimization

 

The processing of personal data must be in accordance with the principle of data minimization, or in other words, our processing of personal data should be limited to the purpose of collection. We should also proactively reduce the scope of our processing, such as by applying retention periods, disposal methods and using techniques such as de-identification and anonymization. S&E leverages PIAs to ensure that this principle is applied when processing personal data.

  

  1. Privacy-by-Design

 

Privacy-by-design means to include privacy assurance in how we engineer infrastructure and systems for processing personal data, including in the provision of our services to clients. By default, we should ensure that the functionalities that we configure have been configured with parameters which are the most protective of confidentiality and privacy given technological limitations. For instance, personal data sharing should not be turned “on” for customers, but should be turned “off” by default. 

 

When we acquire new technologies, we attempt to consider privacy enhancing techniques, designs and technologies to facilitate the management of these parameters by users, and avoid unlawful designs such as dark patterns.

 

  1. Accuracy & Quality 

 

When using personal data to make decisions about individuals, including through automated means, it is important to ensure that this personal data is accurate and of sufficient quality for the intended processing. The more a decision is likely to adversely affect an individual or their rights and freedoms, the more efforts should be deployed to ensure the accuracy and quality of the relevant personal data. Measures for achieving accuracy and quality can vary from confirming the identity of a caller as part of technical support to performing integrity scans on environments containing personal data that can be used for analytic purposes. 

 

  1. Information Security 

 

Personal data must be protected by safeguards adequate to the risks affecting them, taking into consideration factors such as the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing. The confidentiality, integrity and availability of personal data must be considered as part of PIAs, and embedded within our practices. We mitigate risks relating to information security by providing access to personal data on a need to know basis, and removing these accesses as required. We apply the principle of least privilege, and maintain data hygiene.

  1. Data Privacy Rights

 

Privacy laws grant various rights to individuals over their personal data, and contain directives on responding to corresponding requests. The Privacy Officer ensures that adequate measures are in place to respond to these rights, and for documenting our response for accountability. Responding to these requests may require ensuring technological compatibility, developing methods for extracting personal data, and collaborating with third parties. S&E prioritises the use of third party tools and vendors that provide self-service, automated or otherwise appropriate configurations to facilitate the management of these requests. 

The principle of data minimization plays a significant role in reducing compliance efforts required to respond to data privacy rights. The PCP ensures that adequate inventories and cartography exercises are performed to facilitate our response to data privacy rights. 

 

  1. Data Mobility

 

There are restrictions affecting the transfers of personal data from one jurisdiction to another that are designed to ensure that individuals do not lose protection over their personal data due to a transfer that we made (e.g. in a country that does not allow the same level of protection). The PCP must ensure that personal data transfers are managed in accordance with privacy laws.

 

Transfers can occur easily in a digital world, and several laws contain prerequisites to international transfers, such as performing a PIA or entering specific contractual provisions. We may also have contractual limitations with our clients. When processing personal data, members of the personnel must be mindful to avoid unauthorised transfers, such as by uploading personal data through online services located in other countries. The Privacy Officer approves transfers, once the requirements of privacy laws are fulfilled, upon validation with counsel. Members of the personnel cannot transfer personal data without prior authorization, such as through unapproved third-party services, applications, or products.

 

  1. Vendor Management

 

Prior for allowing a vendor to process personal data on our behalf, the following requirements must be complied with:

  • The vendor must have sufficient measures in place to comply with the principles in this policy when processing personal data on our behalf, taking into consideration the risks to the personal data.
  • The vendor’s capability to respond to data privacy’ rights requests must be validated, and vendors should be assessed for their capabilities to comply and facilitate compliance with privacy laws.
  • Appropriate contracts must be in place to respond to the risks and context specific to the vendor, including any international transfers of personal data. Vendors should not be authorised to process personal data for secondary purposes.

  1. Personal Data Breaches

All potential or actual personal data breaches must be reported to the Privacy Officer, without undue delays, in the following manner:

 

Email sent to privacy@secloud.ca

 

The Privacy Officer maintains a registry of personal data breaches. Some personal data breaches may need to be reported to the authorities, third parties and concerned individuals. The Privacy Officer determines if such notification is required by consulting with counsels and referring S&E’s procedures for responding to such incidents. The registry documents whether a personal data breach was notified, the justification for the decision to notify or not the personal data breach, and to whom it was notified. 

 

We will not tolerate reprisals against members of the personnel who report or escalate an event of interest relating to a personal data breach. We will attempt to protect the identity of anyone who reports such circumstances to us in good faith, although we may have to reveal some information to the authorities in certain cases (e.g. criminal inquiry).  

 

  1. Compliance

 

Compliance with this policy is mandatory for all members of the personnel. The personnel who do not comply may be subject to disciplinary actions ranging from verbal notices to the termination of employment.

 

  1. Revision History

 

Version Date Author Notes
1.0 2022-10-03 Privacy Officer Creation of the policy 

 

SE Cloud Experts

Ready for your digital transformation? Let’s get started!

Contact us