The Regional Tourist Association of the Îles de la Madeleine is a non-profit organization (NPO) that handles personal information as part of its activities. It is also known under the trade name Tourisme Îles de la Madeleine.
To simplify the text of this policy, the term ATR is used to refer to all entities.
This policy aims to ensure the protection of personal information and to govern how ATR collects, uses, communicates, retains, and destroys or otherwise manages it.
Additionally, it aims to inform any interested person about how ATR processes their personal information. It also covers the processing of personal information collected by ATR through technological means.
This policy applies to ATR, which includes its directors, employees, members, consultants, and interns, as well as any person who otherwise provides services on behalf of ATR. It also applies to ATR's website (https://www.tourismeilesdelamadeleine.com/), and all websites controlled and maintained by ATR.
It covers all types of personal information managed by ATR, whether from visitors, potential or current members, employees, or any other individuals (such as visitors to its websites or others).
For the purposes of this policy, personal information refers to any information relating to an individual that can directly or indirectly identify them. Examples include names, first names, addresses, email addresses, phone numbers, etc.
Sensitive personal information is information with a high reasonable expectation of privacy, such as health information, bank details, date of birth, etc. (for employees).
Generally, professional or business contact details do not constitute personal information, for instance, a person's name, title, address, email address, or work phone number. Specifically, under Quebec's Act respecting the protection of personal information in the private sector, and starting September 22, 2023, sections 3 (collection, use, communication), 4 (retention and destruction), and 6 (data security) do not apply to a person's information related to their role within a business, such as their name, title, position, as well as the address, email address, and phone number of their workplace.
These sections also do not apply to personal information that is public by law upon the implementation of this policy.
Most services, including access to websites, require only a limited amount of data. In such cases, we will ask you to provide your name, a way to contact you (such as a phone number or email address), and, if applicable, a postal address with a zip code.
If you subscribe to our newsletters or request to receive documents on tourist offers and information about our services, we will need your email address, province, country, zip code, and details about your interests to provide you with relevant information.
The same data may be required if you participate in our contests or visit the tourist information office physically, or contact us by phone or email.
If you are a current or potential member, we collect basic data about the individuals we communicate with, such as their names, email addresses, full addresses, mobile numbers, roles, and companies.
If you apply for a position at ATR, we will collect the data you provide by email.
ATR will also inform concerned individuals, at the time of collecting personal information, of any additional information collected, the purposes for which it is collected, and the means of collection, in addition to other information required by law.
ATR applies the following general principles regarding the collection, use, and communication of personal information:
ATR must implement measures to limit access to personal information only to employees and individuals within its organization who need it in the performance of their duties. ATR will seek the individual's consent before granting access to any other person.
Use of Cookies:
ATR-controlled websites use cookies notably to:
ATR-controlled websites use the following types of cookies:
ATR also collects personal information through technological means such as web forms integrated into an ATR-controlled website (e.g., its contact form).
If ATR collects personal information by offering a technological service with privacy settings, ATR must ensure these settings offer the highest level of privacy by default (cookies are not included).
Unless a minimum retention period is required by applicable law or regulation, ATR will only retain personal information for as long as necessary to achieve the purposes for which it was collected.
Personal information about ATR staff is retained for at least seven years after the end of the fiscal year in which the person left ATR (end of employment).
Personal information about ATR members, clients, and visitors is retained indefinitely.
At the end of the retention period or when personal information is no longer needed, ATR will ensure to:
destroy it; or anonymize it (so it no longer irreversibly identifies the person and it is no longer possible to link the person to the personal information) for serious and legitimate purposes.
The destruction of information by ATR must be done securely to ensure the protection of this information.
This section may be supplemented by any policy or procedure adopted by ATR concerning the retention and destruction of personal information, if applicable. Please contact the ATR Personal Information Protection Officer (indicated in this policy) for more information.
Generally, ATR is responsible for the protection of the personal information it holds.
The ATR Personal Information Protection Officer is the Digital Promotion and Communications Advisor. They must generally ensure compliance with applicable legislation regarding personal information protection. The officer must approve policies and practices governing the management of personal information.
More specifically, this person is responsible for implementing this policy and ensuring it is known, understood, and applied. In case of absence or inability to act of this officer, the ATR Member Services Officer will perform the functions of the Personal Information Protection Officer.
ATR staff members with access to personal information or otherwise involved in managing it must ensure its protection and comply with this policy.
The roles and responsibilities of ATR employees throughout the lifecycle of personal information may be specified by any other ATR policy in this regard, if applicable.
The ATR commits to implementing reasonable security measures to ensure the protection of the personal information it manages. The security measures in place correspond, among other things, to the purpose, quantity, distribution, medium, and sensitivity of the information. This means that information classified as sensitive (see the definition provided in section 2) will be subject to more significant security measures and better protection.
Notably, and in accordance with what was previously mentioned concerning restricted access to personal information, the ATR must implement the necessary measures to impose constraints on the usage rights of its information systems so that only employees who need access are authorized to access it.
To exercise their rights of access, rectification, or withdrawal of consent, the concerned individual must submit a written request to the ATR's Personal Information Protection Officer at the email address provided in section 9.
Subject to certain legal restrictions, individuals can request access to their personal information held by the ATR and request corrections if the information is inaccurate, incomplete, or ambiguous. They can also demand the cessation of the dissemination of personal information concerning them or request the deindexing of any hyperlink attached to their name that allows access to this information by technological means, when the dissemination of this information violates the law or a judicial order. They may also request the reindexing of the hyperlink that allows access to this information if certain conditions provided by law are met.
The ATR's Personal Information Protection Officer must respond in writing to these requests within 30 days of receiving the request. Any refusal must be justified and accompanied by the legal provision justifying the refusal. In such cases, the response must indicate the legal remedies available and the time limit for exercising them. The officer must assist the applicant in understanding the refusal if needed.
Subject to applicable legal and contractual restrictions, individuals may withdraw their consent to the communication or use of the collected information.
They can also request from the ATR what personal information has been collected about them, the categories of persons within the ATR who have access to it, and the duration of its retention.
Anyone who wishes to file a complaint regarding the application of this policy or, more generally, the protection of their personal information by the ATR must do so in writing, addressing the ATR's Personal Information Protection Officer at the email address provided in the following section.
The individual must include their name, contact details, including a phone number, as well as the subject and reasons for their complaint, providing enough detail for it to be assessed by the ATR. If the complaint is not sufficiently specific, the Personal Information Protection Officer may request any additional information deemed necessary to evaluate the complaint.
The ATR commits to handling all received complaints confidentially.
Within 30 days of receiving the complaint or receiving all additional information deemed necessary and required by the ATR's Personal Information Protection Officer to process it, the officer must evaluate it and provide a written, reasoned response via email to the complainant. This evaluation aims to determine if the ATR's handling of personal information complies with this policy, any other policies and practices in place within the organization, and applicable laws or regulations.
If the complaint cannot be processed within this timeframe, the complainant must be informed of the reasons justifying the extension, the progress of the complaint's processing, and the reasonable timeframe needed to provide a definitive response.
The ATR must create a separate file for each complaint it receives. Each file contains the complaint, the analysis, and the supporting documentation of its evaluation, as well as the response sent to the complainant.
This policy is approved by the ATR's Personal Information Protection Officer, whose business contact details are as follows:
Person in charge of Personal Information Protection:
Michel Bonato
General Manager
128 chemin Principal
Cap-aux-Meules, QC
G4T 1C5
Email:
For any request, question, or comment regarding this policy, please contact us by email.
This policy is published on the ATR's website and on all websites controlled and maintained by the ATR, to which this policy applies, concerning the personal information collected there. This policy is also disseminated by any means appropriate to reach the concerned individuals.
We reserve the right to update this Policy at any time. The most recent version of the Policy can be consulted by visiting our website. Your use of our website may also be subject to additional terms described in the Terms of Use and elsewhere on the website.
Last updated: May 1, 2024