Introduction
With the development of new communication tools, it is necessary to pay particular attention to the protection of privacy. That’s why we’re committed to respecting the confidentiality of the personal information we collect.
First name
Postal address
Postal code
E-mail address
Telephone
The personal information we collect is gathered through forms and through the interactivity established between you and our website. As indicated in the following section, we also use cookies and/or log files to gather information about you.
Forms and interactivity:
Your personal information is collected through forms, namely:
- Website registration form
We use the information collected for the following purposes:
Information / Promotional offers
Contact
Your information is also collected through the interactivity that may be established between you and our Web site in the following ways:
Comments
Correspondence
Procedure for storing, destroying and anonymizing personal information
- Overview
Implementing a procedure for retaining, destroying and anonymizing personal information is important to ensure the protection of individual privacy, comply with privacy laws, prevent privacy incidents involving personal information and security breaches, maintain customer confidence and protect the organization’s reputation.
- Objective
The purpose of this procedure is to ensure the protection of the privacy of individuals and to comply with legal obligations regarding the protection of personal information.
- Scope
The scope of this procedure should cover the entire life cycle of personal information, from collection to destruction. It concerns all employees and stakeholders involved in the collection, processing, retention, destruction and anonymization of personal information in accordance with legal requirements and good privacy practices.
- Definitions
Personal information: any information that directly or indirectly identifies a natural person.
Retention: secure storage of personal information for the required period of time.
Destruction: deletion, elimination or permanent erasure of personal information.
Anonymization: the process of modifying personal information so that it no longer allows the individual to be identified, directly or indirectly, at any time and in an irreversible manner.
- Procedure
4.1 Retention period
4.1.1 Personal information is categorized as follows:
– information concerning the company’s employees,
– information concerning members of the organization,
– customer information.
4.1.2 The retention period for each of these categories has been established as follows:
Company employees: 7 years after termination of employment.
Members: variable, depending on the type of personal information.
Customers: variable, depending on the type of personal information.
Please note that specific retention periods may apply.
4.2 Secure storage methods
4.2.1 Personal information is stored in the following locations: OneDrive, Hostinger.
4.2.2 The degree of sensitivity of each of these storage locations has been established.
4.2.3 These storage locations, whether paper or digital, are adequately secured.
4.2.4 Access to these storage facilities has been restricted to authorized persons only.
4.2.5 To ensure the security of your personal information, we use the following measures:
SSL protocol
SET Protocol
Access management – authorized person
Access management – person concerned
Network monitoring software
Computer backup
Login / password
Firewall
We are committed to maintaining a high degree of confidentiality by incorporating the latest technological innovations to ensure the privacy of your transactions. However, since no mechanism offers maximum security, there is always an element of risk when using the Internet to transmit personal information.
4.3 Destruction of personal information
4.3.1 Personal information on paper must be completely shredded.
4.3.2 Digital personal information must be completely deleted from devices (computers, telephones, tablets, external hard drives), servers and cloud tools.
4.3.3 A destruction schedule based on the retention period established for each category of personal information shall be drawn up. Planned destruction dates must be documented.
4.3.4 It must be ensured that destruction is carried out in such a way that personal information cannot be recovered or reconstituted.
4.4 Anonymization of personal information
4.4.1 Personal information should be anonymized only if the organization wishes to retain and use it for serious and legitimate purposes.
4.4.2 The chosen method of anonymizing personal information is as follows: it will be deleted after the retention period.
4.4.3 It will be necessary to ensure that the remaining information irreversibly no longer allows the direct or indirect identification of the individuals concerned, and to regularly assess the risk of re-identification of anonymized data by carrying out tests and analyses to guarantee the effectiveness of the anonymization.
Please note that, at the time of writing, the anonymization of personal information for serious and legitimate purposes is not possible. A government regulation must be adopted to determine the criteria and modalities.
4.5 Staff training and awareness
4.5.1 Employees shall be provided with regular training on the procedure for retaining, destroying and anonymizing personal information, as well as on the risks associated with breaches of privacy.
4.5.2 This also includes raising staff awareness of good data security practices and the importance of complying with established procedures.
Procedure for requesting access to personal information and handling complaints
- Overview
Since an individual may request access to the personal information that an organization holds on him or her, or may also make complaints, it is important to have predefined guidelines for responding to this type of request.
- Purpose
The purpose of this procedure is to ensure that all access requests are handled confidentially, promptly and accurately, while respecting the rights of the individuals concerned.
- Scope
The scope of this procedure concerns internal actors responsible for processing access requests and handling complaints, as well as individuals wishing to access their own personal information.
- Access request procedure
4.1 Submitting a request
4.1.1 Individuals wishing to access their personal information must submit a written request to the organization’s Privacy Officer. The request may be sent by e-mail or regular mail.
4.1.2 The request must clearly indicate that it is a request for access to personal information and provide sufficient information to identify the individual and the information sought.
4.1.3 This information may include name, address and any other information relevant to reliably identifying the individual making the request.
4.2 Receipt of request
4.2.1 Once a request has been received, an acknowledgement of receipt will be sent to the individual to confirm that the request has been processed.
4.2.2 The request must be processed within thirty (30) days of receipt.
4.3 Identity verification
4.3.1 Before processing the request, the individual’s identity must be reasonably verified. This may be done by requesting additional information or by verifying the individual’s identity in person.
4.3.2 If identity cannot be satisfactorily verified, the organization may refuse to disclose the requested personal information.
4.4 Responding to incomplete or excessive requests
4.4.1 If a request for access to personal information is incomplete or excessive, the Privacy Officer will contact the individual to request additional information or clarification.
4.4.2 The organization reserves the right to refuse a request if it is manifestly abusive, excessive or unjustified.
4.5 Processing the request
4.5.1 Once identity has been verified, the Privacy Officer responsible for processing requests for access to personal information proceeds to collect the requested information.
4.5.2 The Privacy Officer consults the relevant files to collect the personal information requested, taking care to respect any legal restrictions.
4.6 Examination of information
4.6.1 Before disclosing personal information to the individual, the person in charge carefully examines the information to ensure that it does not contain confidential third-party information or information likely to infringe other rights.
4.6.2 If third-party information is present, the person in charge assesses whether it can be dissociated or whether it should be excluded from disclosure.
4.7 Release of information
4.7.1 Once verifications have been completed, personal information is communicated to the individual within a reasonable period of time, in accordance with applicable legal requirements.
4.7.2 Personal information may be communicated to the individual electronically, by secure mail or in person, depending on the individual’s preference and appropriate security measures.
4.8 Follow-up and documentation
4.8.1 All steps in the process of handling a request for access to personal information must be recorded accurately and completely.
4.8.2 The details of the request, the actions taken, the decisions made and the corresponding dates must be recorded in an access request tracking log.
Date request received;
Date of acknowledgement of receipt;
Date of identity verification;
Method of identity verification;
Decision – access request accepted or refused;
Date of release of information (if applicable).
4.9 Protection of confidentiality
4.9.1 All personnel involved in processing requests for access to personal information must respect confidentiality and data protection.
4.10 Handling complaints and appeals
4.10.1 If an individual is dissatisfied with the response to his or her request for access to personal information, he or she must be informed of the complaint procedures and remedies available before the Commission d’accès à l’information.
4.10.2 Complaints must be handled in accordance with internal complaint management policies and procedures (next section).
- Complaints handling procedure
5.1 Receipt of complaints
5.1.1 Complaints may be made in writing, by telephone, by e-mail or via any other official communication channel. They must be recorded in a centralized register, accessible only to designated personnel.
5.1.2 The employee must immediately inform the person responsible for receiving complaints.
5.2 Preliminary assessment
5.2.1 The designated person in charge reviews each complaint to assess its relevance and seriousness.
5.2.2 Complaints that are frivolous, defamatory or without obvious foundation may be rejected. However, a justification must be provided to the complainant.
5.3 Investigation and analysis
5.3.1 The person in charge of the complaint conducts an investigation by gathering evidence, interviewing the parties concerned and collecting all relevant documents.
5.3.2 The person in charge must be impartial and have the necessary authority to resolve the complaint.
5.3.3 The person in charge must maintain the confidentiality of information relating to the complaint and ensure that all parties involved are treated fairly.
5.4 Complaint resolution
5.4.1 The person responsible for the complaint shall propose appropriate solutions to resolve the complaint as soon as possible.
5.4.2 Solutions may include corrective measures, financial compensation or any other action necessary to satisfactorily resolve the complaint.
5.5 Communication with the complainant
5.5.1 The person in charge of the complaint will communicate regularly with the complainant to keep him/her informed of the progress of the investigation and resolution of the complaint.
5.5.2 All communications should be professional, empathetic and respectful.
5.6 Closing the complaint
5.6.1 Once the complaint has been resolved, the person in charge of the complaint shall provide a written response to the complainant, summarizing the measures taken and the proposed solutions.
5.6.2 All information and documents relating to the complaint must be kept in a confidential file.
Procedure for requesting de-indexation and deletion of personal information
- Overview
This procedure is designed to address the privacy and confidentiality concerns of our customers.
- Objective
The purpose of this procedure is to provide a structured mechanism for managing de-indexation and deletion requests for personal information from our customers.
- Scope
This procedure applies to our internal team responsible for managing requests for de-indexation and deletion of personal information. It covers all information published on our online platforms, including our website, mobile applications, databases or any other digital media used by our customers.
- Definitions
Deletion of personal information: action of completely erasing data, making it unavailable and irretrievable.
De-indexing personal information: removing information from search engines, making it less visible, but still directly accessible.
Deletion permanently eliminates data, while de-indexing limits its online visibility.
- Procedure
5.1 Receipt of requests
5.1.1 Requests for de-indexation and deletion of personal information must be received by the designated team responsible.
5.1.2 Customers may submit their requests via specific channels such as the online form, dedicated e-mail address or telephone number.
5.2 Verification of identity
5.2.1 Before processing the request, the identity of the individual must be reasonably verified.
5.2.2 This may be done by requesting additional information or by verifying the individual’s identity in person.
5.2.3 If the identity cannot be satisfactorily verified, the organization may refuse the request.
5.3 Evaluation of requests
5.3.1 The responsible team shall carefully review requests and the personal information concerned to determine its eligibility for de-indexation or deletion.
5.3.2 Requests shall be treated confidentially and within the specified time limits.
5.4 Reasons for refusal
5.4.1 There are also perfectly valid reasons why we may refuse to delete or de-index personal information:
To continue to provide goods and services to the customer;
For reasons required by employment law;
For legal reasons in the event of litigation.
5.5 De-indexing or deleting personal information
5.5.1 The responsible team shall take the necessary steps to de-index or delete personal information in accordance with eligible requests.
5.6 Communication of follow-up
5.6.1 The responsible team shall communicate with applicants throughout the process, providing acknowledgement confirmations and regular updates on the status of their application.
5.6.2 Any delays or problems encountered in processing applications must be communicated to applicants with clear explanations.
5.7 Follow-up and documentation
5.7.1 All requests for de-indexation and deletion of personal information, and the actions taken in response, shall be recorded in a dedicated tracking system.
5.7.2 Records should include details of requests, actions taken, dates and results of actions taken.
Procedure for managing security incidents and breaches of personal information
- Overview
A response plan is essential for managing cyber incidents effectively. In these moments of crisis, it’s not always clear how to act and prioritize actions. A contingency plan reduces the stress of forgetting important things.
- Objective
The aim of this procedure is to ensure that the organization is ready to respond to a cyber incident so that it can quickly resume its activities.
- Scope
The scope of this procedure includes all networks and systems, as well as the stakeholders (customers, partners, employees, subcontractors, suppliers) who access these systems.
- Recognizing a cyber incident
A cyber security incident may not be immediately recognized or detected. However, there may be indicators that a security breach has occurred, that a system has been compromised, that unauthorized activity has taken place, and so on. Always be on the lookout for signs that a security incident has occurred or is in progress.
Some of these indicators are described below:
Excessive or unusual login and system activity, especially from any inactive user ID (user account).
Excessive or unusual remote access within your organization. This may involve staff or third-party suppliers.
The appearance of any new visible or accessible wireless (Wi-Fi) network.
Unusual activity related to the presence of malware, suspicious files or new or unapproved files and executable programs.
Lost, stolen or misplaced computers or devices containing payment card data, personal information or other sensitive data.
- Contact details
Company: Forges Urbaines Inc.
Postal code: J4Y 0B6
E-mail: info@forgesurbaines.com
Website: www.forgesurbaines.com / www.lesmetalliers.com
- Privacy breach – Specific intervention
If it has been confirmed that a security incident related to a breach of personal information has occurred, the following steps must be taken:
Complete the privacy incident log to document the incident.
Review the breach to determine whether personal information has been lost due to unauthorized access, use, disclosure or breach, and whether there is a risk of serious harm to the individuals involved.
In such a case, report it to the Commission de l’accès à l’information au Québec.
Also notify the individuals whose personal information is affected by the incident.
- Ransomware – Specific intervention
If it has been confirmed that a ransomware security incident has occurred, the following steps should be taken:
Immediately disconnect devices affected by ransomware from the network.
DO NOT DELETE anything from your devices (computers, servers, etc.).
Examine the ransomware and determine how it infected the device. This will help you understand how to eliminate it.
Contact local authorities to report the incident and cooperate in the investigation.
Once the ransomware has been removed, a full system scan should be performed using antivirus, anti-malware and any other latest security software available to confirm that it has been removed from the device.
If the ransomware cannot be removed from the device (often the case with stealth malware), the device must be reset using the original installation media or images.
Before resetting from backup media/images, check that they are not infected by malware.
If data is critical and needs to be restored, but cannot be recovered from unaffected backups, look for decryption tools available at nomoreransom.org.
The policy is not to pay the ransom, subject to the stakes involved. It is also strongly recommended to use the services of a breach coach.
Protect systems from further infection by implementing patches to prevent further attacks.
- Account hacking – Specific intervention
If it has been confirmed that account hacking has occurred, the following steps must be taken:
Notify our customers and suppliers that they may receive fraudulent e-mails from us, and instruct them not to reply or click on any links in these e-mails.
Check whether you still have access to your online account.
If not, contact platform support to try to regain access.
Change the password used to log on to the platform.
If the password is used elsewhere, change all these passwords as well.
Enable two-factor authentication for the platform.
Delete non-legitimate connections and devices from the connection history.
- Lost or stolen equipment – Specific intervention
If it has been confirmed that a loss of equipment has occurred, the following steps should be taken:
Theft or loss of an asset, such as a computer, laptop or mobile device, must be reported immediately to the local police authorities. This includes loss/theft outside normal business hours and at weekends.
If the lost or stolen device contained sensitive data and is not encrypted, carry out an analysis of the sensitivity, type and volume of the stolen data, including any payment card numbers potentially involved.
Wherever possible, lock/deactivate lost or stolen mobile devices (e.g. smartphones, tablets, laptops, etc.) and perform remote data wiping.
Legislation
We undertake to comply with the legislative provisions set out in:
Quebec legislation
Modifications
This Privacy Policy may be amended from time to time to maintain compliance with the law and to reflect any changes to our data collection process. We recommend that our users check our policy from time to time to ensure that they are aware of any updates. If necessary, we may notify users by e-mail of changes to this policy.
Last updated: August 2024