Privacy Policy of the Regional Tourist Association of the Îles-de-la-Madeleine

1. Context

The Regional Tourist Association of the Îles de la Madeleine is a non-profit organization (NPO) that handles personal information as part of its activities. It is also known under the trade name Tourisme Îles de la Madeleine. 

To simplify the text of this policy, the term ATR is used to refer to all entities. 

This policy aims to ensure the protection of personal information and to govern how ATR collects, uses, communicates, retains, and destroys or otherwise manages it.

Additionally, it aims to inform any interested person about how ATR processes their personal information. It also covers the processing of personal information collected by ATR through technological means.

2. Application and Definitions

This policy applies to ATR, which includes its directors, employees, members, consultants, and interns, as well as any person who otherwise provides services on behalf of ATR. It also applies to ATR's website (https://www.tourismeilesdelamadeleine.com/), and all websites controlled and maintained by ATR.

It covers all types of personal information managed by ATR, whether from visitors, potential or current members, employees, or any other individuals (such as visitors to its websites or others).

For the purposes of this policy, personal information refers to any information relating to an individual that can directly or indirectly identify them. Examples include names, first names, addresses, email addresses, phone numbers, etc.

Sensitive personal information is information with a high reasonable expectation of privacy, such as health information, bank details, date of birth, etc. (for employees).

Generally, professional or business contact details do not constitute personal information, for instance, a person's name, title, address, email address, or work phone number. Specifically, under Quebec's Act respecting the protection of personal information in the private sector, and starting September 22, 2023, sections 3 (collection, use, communication), 4 (retention and destruction), and 6 (data security) do not apply to a person's information related to their role within a business, such as their name, title, position, as well as the address, email address, and phone number of their workplace.

These sections also do not apply to personal information that is public by law upon the implementation of this policy.

3. Collection, Use, and Communication

Most services, including access to websites, require only a limited amount of data. In such cases, we will ask you to provide your name, a way to contact you (such as a phone number or email address), and, if applicable, a postal address with a zip code.

If you subscribe to our newsletters or request to receive documents on tourist offers and information about our services, we will need your email address, province, country, zip code, and details about your interests to provide you with relevant information.

The same data may be required if you participate in our contests or visit the tourist information office physically, or contact us by phone or email.

If you are a current or potential member, we collect basic data about the individuals we communicate with, such as their names, email addresses, full addresses, mobile numbers, roles, and companies.

If you apply for a position at ATR, we will collect the data you provide by email.

ATR will also inform concerned individuals, at the time of collecting personal information, of any additional information collected, the purposes for which it is collected, and the means of collection, in addition to other information required by law.

ATR applies the following general principles regarding the collection, use, and communication of personal information:

Consent:

• Generally, ATR collects personal information directly from the concerned individual and with their consent. Consent may be implied in certain situations, for example, when the individual decides to provide their personal information after being informed by this policy about its use and communication for the indicated purposes. Thus, this policy and the information it contains can be consulted by the concerned individual at the time of personal information collection.
• ATR obtains some personal information from the Corporation de l'industrie touristique du Québec (CITQ), for which consent has already been obtained by the Ministry of Tourism.

Collection:

• In all cases, ATR only collects information if it has a valid reason to do so. Moreover, the collection is limited to the necessary information needed to achieve the intended purpose.
• Please note that ATR's services are not aimed at minors, and generally, ATR does not intentionally collect personal information about minors (in such cases, information cannot be collected from them without parental or guardian consent).
• In certain situations, ATR may also collect personal information from third parties without the individual's consent if it has a serious and legitimate interest in doing so and a) if the collection is in the individual's interest and it is not possible to collect it from them in a timely manner, or b) if this collection is necessary to ensure the accuracy of the information.
• This collection through third parties may be necessary for certain services or to otherwise do business with ATR. When required, ATR will obtain the individual's consent at the appropriate time.

Retention and Use:

• ATR ensures that the information it holds is up to date and accurate at the time of use to make decisions about the concerned individual.
• ATR can only use personal information for the reasons stated in this policy or any other reason provided at the time of collection. If ATR wants to use this information for another reason, new consent must be obtained from the concerned individual, which must be expressly obtained if it involves sensitive personal information. However, in some cases provided by law, ATR can use the information for secondary purposes without the individual's consent, for example:
• when this use is clearly beneficial to the individual;
• when necessary to prevent or detect fraud;
• when necessary to evaluate or improve security measures.

Limited Access:

ATR must implement measures to limit access to personal information only to employees and individuals within its organization who need it in the performance of their duties. ATR will seek the individual's consent before granting access to any other person.

Communication to Third Parties:

• Communication of personal information to third parties is sometimes necessary in ATR's mission. Thus, personal information may be communicated to third parties without the individual's consent in certain cases, including but not limited to the following:
• ATR may share information it holds about visitors with external firms for analysis and statistics purposes. These data do not contain sensitive personal information.
• ATR may also share certain member information with external entities such as the Alliance de l'industrie touristique du Québec.
• ATR may communicate personal information, without the individual's consent, to a public body (such as the government) that collects it in the exercise of its duties or the implementation of a program under its management.
• Any violation or attempted violation of confidentiality obligations regarding communicated personal information must allow the responsible party to perform any verification related to this confidentiality.
• Communication Outside Quebec: It is possible that personal information held by ATR is communicated outside Quebec, for example, Campaign Monitor, which is used to send newsletters to members.

Additional Information on Used Technologies:

Use of Cookies:

• Cookies are data files transmitted to a visitor's computer by their web browser when they visit a site and can serve multiple purposes.

ATR-controlled websites use cookies notably to:

• Remember visitor settings and preferences, such as language choice and to enable current session tracking.
• For statistical purposes to understand visitor behavior, viewed content, and to improve the website.

ATR-controlled websites use the following types of cookies:

• Session cookies: These are temporary cookies stored during the site visit only.
• Persistent cookies: They are stored on the computer until they expire and will be retrieved during the next site visit.

Other Technological Means Used:

ATR also collects personal information through technological means such as web forms integrated into an ATR-controlled website (e.g., its contact form).

If ATR collects personal information by offering a technological service with privacy settings, ATR must ensure these settings offer the highest level of privacy by default (cookies are not included).

4. Retention and Destruction of Personal Information

Unless a minimum retention period is required by applicable law or regulation, ATR will only retain personal information for as long as necessary to achieve the purposes for which it was collected.

Personal information about ATR staff is retained for at least seven years after the end of the fiscal year in which the person left ATR (end of employment).

Personal information about ATR members, clients, and visitors is retained indefinitely.

At the end of the retention period or when personal information is no longer needed, ATR will ensure to:

destroy it; or anonymize it (so it no longer irreversibly identifies the person and it is no longer possible to link the person to the personal information) for serious and legitimate purposes.

The destruction of information by ATR must be done securely to ensure the protection of this information.

This section may be supplemented by any policy or procedure adopted by ATR concerning the retention and destruction of personal information, if applicable. Please contact the ATR Personal Information Protection Officer (indicated in this policy) for more information.

5. ATR Responsibilities

Generally, ATR is responsible for the protection of the personal information it holds.

The ATR Personal Information Protection Officer is the Digital Promotion and Communications Advisor. They must generally ensure compliance with applicable legislation regarding personal information protection. The officer must approve policies and practices governing the management of personal information.

More specifically, this person is responsible for implementing this policy and ensuring it is known, understood, and applied. In case of absence or inability to act of this officer, the ATR Member Services Officer will perform the functions of the Personal Information Protection Officer.

ATR staff members with access to personal information or otherwise involved in managing it must ensure its protection and comply with this policy.

The roles and responsibilities of ATR employees throughout the lifecycle of personal information may be specified by any other ATR policy in this regard, if applicable.

6. Data Security

The ATR commits to implementing reasonable security measures to ensure the protection of the personal information it manages. The security measures in place correspond, among other things, to the purpose, quantity, distribution, medium, and sensitivity of the information. This means that information classified as sensitive (see the definition provided in section 2) will be subject to more significant security measures and better protection.

Notably, and in accordance with what was previously mentioned concerning restricted access to personal information, the ATR must implement the necessary measures to impose constraints on the usage rights of its information systems so that only employees who need access are authorized to access it.

7. Individual Rights

To exercise their rights of access, rectification, or withdrawal of consent, the concerned individual must submit a written request to the ATR's Personal Information Protection Officer at the email address provided in section 9.

Subject to certain legal restrictions, individuals can request access to their personal information held by the ATR and request corrections if the information is inaccurate, incomplete, or ambiguous. They can also demand the cessation of the dissemination of personal information concerning them or request the deindexing of any hyperlink attached to their name that allows access to this information by technological means, when the dissemination of this information violates the law or a judicial order. They may also request the reindexing of the hyperlink that allows access to this information if certain conditions provided by law are met.

The ATR's Personal Information Protection Officer must respond in writing to these requests within 30 days of receiving the request. Any refusal must be justified and accompanied by the legal provision justifying the refusal. In such cases, the response must indicate the legal remedies available and the time limit for exercising them. The officer must assist the applicant in understanding the refusal if needed.

Subject to applicable legal and contractual restrictions, individuals may withdraw their consent to the communication or use of the collected information.

They can also request from the ATR what personal information has been collected about them, the categories of persons within the ATR who have access to it, and the duration of its retention.

8. Complaint Handling Process

Receiving a Complaint Related to Personal Information

Anyone who wishes to file a complaint regarding the application of this policy or, more generally, the protection of their personal information by the ATR must do so in writing, addressing the ATR's Personal Information Protection Officer at the email address provided in the following section.

The individual must include their name, contact details, including a phone number, as well as the subject and reasons for their complaint, providing enough detail for it to be assessed by the ATR. If the complaint is not sufficiently specific, the Personal Information Protection Officer may request any additional information deemed necessary to evaluate the complaint.

Handling a Complaint Related to Personal Information

The ATR commits to handling all received complaints confidentially.

Within 30 days of receiving the complaint or receiving all additional information deemed necessary and required by the ATR's Personal Information Protection Officer to process it, the officer must evaluate it and provide a written, reasoned response via email to the complainant. This evaluation aims to determine if the ATR's handling of personal information complies with this policy, any other policies and practices in place within the organization, and applicable laws or regulations.

If the complaint cannot be processed within this timeframe, the complainant must be informed of the reasons justifying the extension, the progress of the complaint's processing, and the reasonable timeframe needed to provide a definitive response.

The ATR must create a separate file for each complaint it receives. Each file contains the complaint, the analysis, and the supporting documentation of its evaluation, as well as the response sent to the complainant.

9. Approval

This policy is approved by the ATR's Personal Information Protection Officer, whose business contact details are as follows:

Person in charge of Personal Information Protection:

Michel Bonato
General Manager
128 chemin Principal
Cap-aux-Meules, QC
G4T 1C5
Email: 114,112,64,116,111,117,114,105,115,109,101,105,108,101,115,100,101,108,97,109,97,100,101,108,101,105,110,101,46,99,111,109|114,112,64,116,111,117,114,105,115,109,101,105,108,101,115,100,101,108,97,109,97,100,101,108,101,105,110,101,46,99,111,109,60,47,97,62|Courriel via www.tourismeilesdelamadeleine.com|||

For any request, question, or comment regarding this policy, please contact us by email.

10. Publication and Modifications

This policy is published on the ATR's website and on all websites controlled and maintained by the ATR, to which this policy applies, concerning the personal information collected there. This policy is also disseminated by any means appropriate to reach the concerned individuals.

We reserve the right to update this Policy at any time. The most recent version of the Policy can be consulted by visiting our website. Your use of our website may also be subject to additional terms described in the Terms of Use and elsewhere on the website.

Last updated: May 1, 2024