Privacy Policy
The Modernization of Legislative Provisions for the Protection of Personal Information Act, also known as Bill 25, aims to protect the population of Quebec by holding businesses accountable for the personal information they possess.
Some of the new legislative provisions of Bill 25 came into effect on September 22, 2022. Other provisions will take effect in September 2023 and 2024, including the obligation to implement a policy governing the management of personal information.
The Commission d’accès à l’information du Québec is the body responsible for monitoring the application of Bill 25. In case of non-compliance with the law, the Commission can impose significant penalties, up to $25 million or 4% of the company’s global revenue.
Objective of the Privacy Policy
This policy aims to ensure the protection of personal information and to outline how Dialekta collects, uses, discloses, retains, protects, destroys, or manages it. Additionally, it aims to inform any interested individual about how Dialekta processes their personal information, as well as the accessibility and portability of such information.
The objective here is to communicate best practices related to the use of customer primary data to comply with the requirements of Bill 25 and minimize the risks of incidents involving personal data, all while upholding our performance values.
The following policy is structured according to six (6) requirements:
- Data Governance
- Consent
- Collection and Security
- Use of Suppliers
- Portability and Incidents
- Indirect Clients
1. Data Governance
Since September 2023, Dialekta has collected personal information transparently and with the explicit consent of the individuals concerned.
The information collected is used only for the purposes for which it was collected, unless the individual provides explicit consent.
Data is retained for the duration necessary for the purposes for which it was collected. Once this period has passed, data is archived or securely destroyed. Additionally, for added security, the Operations team ensures regular monitoring and cleaning of our internal server every six months to remain compliant with the requirements of Bill 25.
During the destruction of information, Dialekta takes all necessary precautions to ensure that the information is completely irretrievable.
Dialekta establishes procedures to monitor and keep the collected information up to date, ensuring its accuracy, and every individual has the right to access their personal information, correct it, or withdraw their consent at any time.
This policy is approved by Dialekta’s Chief Privacy Officer, whose business contact information is as follows:
Chief Privacy Officer:
Cyril Chaib
4051 Molson Street, Suite 100
Montreal, Quebec, H1Y 3L1
cyril@dialekta.com
For any inquiries, questions, or comments regarding this policy, please contact the Chief Privacy Officer by email.
2. Consent
In general, Dialekta collects personal information directly from the individuals concerned and with their consent, unless an exception is provided by law. No personal information will be disclosed, rented, or sold to third parties without the explicit and prior consent of the individual.
As stated in Bill 25 regarding user privacy protection, consent can be obtained implicitly in certain situations. Thus, even if there is implicit consent, the individual retains the rights described in this policy.
3. Collection and Security
Dialekta collects personal information transparently and with the explicit consent of the individuals concerned.
Only necessary information is collected, and it is used only for the purposes for which it was collected unless explicit consent is obtained from the individual.
Dialekta is also committed to implementing reasonable security measures to ensure the protection of the personal information it manages. The security measures in place correspond, among other things, to the purpose, quantity, distribution, support, and sensitivity of the information.
This means that information that can be classified as sensitive* is subject to more significant security measures and better protection. Specifically, Dialekta has implemented necessary measures to restrict access rights to its information systems so that only employees who need access are authorized to do so.
*Sensitive personal information is information for which there is a high reasonable expectation of privacy, e.g., health information, banking information, biometric information, sexual orientation, ethnic origin, political opinions, religious or philosophical beliefs, etc.
4. Use of Suppliers
Generally, and unless an exception is indicated in this policy or otherwise provided by law, Dialekta must obtain the consent of the individual concerned before disclosing their personal information to a supplier.
However, in the context of Dialekta’s services, the disclosure of personal information to third parties is sometimes necessary. Thus, personal information may be disclosed to third parties without the consent of the individual in certain cases, including, but not limited to, a public entity (such as the government) that collects it through one of its representatives in the exercise of its powers or the implementation of a program under its management.
5. Portability and Incidents
To exercise their rights of access, rectification, or withdrawal of consent, the individual concerned must submit a written request to the Chief Privacy Officer of Dialekta at the email address indicated in section 1.
Subject to certain legal restrictions, individuals concerned may request access to their personal information held by Dialekta and request its correction if it is inaccurate, incomplete, or ambiguous. They can also demand the cessation of the dissemination of personal information concerning them or the de-indexing of any hyperlink attached to their name that provides access to this information through technological means when the dissemination of this information violates the law or a court order. They can do the same or demand that the hyperlink providing access to this information be re-indexed when certain conditions provided by law are met.
The Chief Privacy Officer of Dialekta must respond in writing to these requests within thirty (30) days of receiving the request. Any refusal must be justified and accompanied by the legal provision justifying the refusal. In these cases, the response must indicate the remedies available under the law and the time frame for exercising them. The Chief Privacy Officer must assist the requester in understanding the refusal if necessary.
Subject to applicable legal and contractual restrictions, individuals concerned may withdraw their consent to the disclosure or use of the information collected.
They may also request from Dialekta what personal information has been collected from them, the categories of persons within Dialekta who have access to it, and the duration of its retention.
Finally, in the event of an incident, Dialekta commits to contacting the Commission d’accès à l’information within a maximum of seventy-two (72) hours after the discovery of the incident, and the affected clients within one (1) week.
6. Indirect Clients
To the extent possible, Dialekta commits to ensuring that client data has been obtained securely.
Clients of our services undertake to have obtained authorization to collect and use the data, including for activities managed by Dialekta. Dialekta cannot be held responsible for any breach.
Dialekta will systematically refuse any transfer of personal data from a client by email or any other means (such as WeTransfer, shared Google Drive, etc.) unless the data has first been anonymized through a native platform connection or with the hashing tool proposed by our team.