Last updated: 2025-09-12

​

​

1) CONTEXT

​

Les Entrepreneurs Peintres B.S.R. inc. (hereinafter the “Company”) is a legal entity that processes personal information in the course of its activities. The Company was incorporated on January 14, 1981 under the incorporating regime of the Canada Business Corporations Act and underwent mergers on April 1, 2022 and April 1, 2023.

​

This policy aims to ensure the protection of personal information and to govern the way in which the Company collects, uses, discloses, retains, and destroys such information, or otherwise manages it. It also aims to inform any interested person about how the Company processes their personal information, including that collected through technological means.

​

​

​

2) APPLICATION AND DEFINITIONS

​

This policy applies to the Company, including its officers, employees, subcontractors, service providers, as well as any person providing services on its behalf. It also applies to clients, applicants, suppliers, and visitors to its website, as well as all websites controlled and maintained by the Company.

​

It covers all types of personal information managed by the Company, whether from current or potential clients, employees and applicants, suppliers and subcontractors, or website visitors.

​

• Personal Information: information relating to an individual that directly or indirectly identifies them (e.g., name, address, email, phone number, SIN, banking information).

​

• Sensitive Personal Information: information with a high reasonable expectation of privacy (e.g., health information, SIN, banking information, sexual orientation, criminal record).

​

• Professional Contact Information: a person’s business contact details (name, title or function, business address, business email address, and work phone number) constitute personal information, but the law provides that certain obligations (collection, use, disclosure, retention, and security) do not apply to such information when it relates solely to the performance of a function within a business.

​

​

​

3) COLLECTION, USE AND DISCLOSURE

​

In the course of its activities, the Company may collect various types of information for different purposes.

​

The Company mainly collects the following personal information:

​

• Clients and prospects: name, contact details, project and billing information.

​

• Employees and applicants: contact details, professional and administrative information necessary for HR management, payroll, and compliance with legal obligations.

​

• Suppliers and subcontractors: professional contact information and financial information related to payments and contracts.

​

• Website visitors: browsing data (cookies, IP address) and contact details voluntarily provided in contact forms.

​

This information is collected directly from the individuals concerned, through online forms or within contractual relationships.

​

The Company maintains a detailed inventory of its processing activities, available upon request from the Privacy Officer.

​

The Company will also inform individuals, at the time of collection, of any additional information collected, the purposes for which it is collected, and the means of collection, in addition to any other information required by law.

​

The Company applies the following general principles regarding the collection, use, and disclosure of personal information:

​

​

3.1 Consent

​

As a general rule, the Company collects personal information directly from the individual and with their consent, unless an exception is provided by law.

​

Consent must be explicit, free, informed, and given for specific purposes. It must be obtained for each of the purposes identified at the time of collection.

​

Where sensitive personal information is involved (e.g., SIN, financial, medical, or criminal record information), express consent must be obtained.

​

Consent may be implied in certain cases, such as when a person voluntarily provides their information after being informed of the intended uses and disclosures under this policy. However, this does not apply to sensitive personal information.

​

Normally, the Company must also obtain consent before collecting information from third parties, disclosing it to third parties, or making secondary use of it. However, the Company may act without consent in certain cases provided for by law (e.g., compliance with a legal obligation, fraud prevention, protection of an individual, safety, or a business transaction).

 

​

3.2 Collection

​

The Company collects information only when it has a valid reason and limits the collection to what is necessary to fulfill the intended purpose.

 

The Company does not knowingly collect personal information from minors without parental or guardian consent.

 

​

3.2.1 Collection from third parties

 

The Company may collect personal information from third parties. Unless an exception applies, the Company will obtain the individual’s consent before doing so. If collected from another organization, the individual may request the source of the information.

 

In certain cases, the Company may collect information without consent if it has a serious and legitimate interest, such as:

 

1. when collection is in the individual’s interest and it is not possible to obtain it directly in time; or

 

2. when necessary to ensure the accuracy of the information.

​

​

3.2.2 Technology-based collection

​

The Company uses technological means to collect information, including cookies, web analytics tools (e.g., Google Analytics), and online forms (contact form, newsletter, surveys).

​

Cookie use is governed by a separate “cookie policy” available on the Company’s website. Default privacy applies: only essential cookies are automatically active; non-essential cookies (analytics, marketing) require consent.

​

​

3.3 Retention and Use

​

The Company ensures that information is up-to-date and accurate when used for decision-making.

​

Personal information can only be used for the purposes stated at collection. Any new purpose requires new consent, express in the case of sensitive information.

​

However, secondary use without consent is permitted in cases such as:

​

1. when the use clearly benefits the individual;

 

2. when necessary to prevent or detect fraud;

 

3. when necessary to assess or improve protection and security measures.

 

​

3.3.1 Automated decisions

 

The Company does not currently make decisions based solely on automated processing.

 

​

3.3.2 Limited access

 

Access to personal information is restricted to authorized employees who need it to perform their duties. Consent must be obtained before granting access to others.

​

​

3.4 Disclosure

​

Except as provided in this policy or by law, consent is obtained before disclosure to third parties. Explicit consent is required for sensitive information.

​

Disclosure without consent may occur in cases such as:

​

1. to a public body (e.g., government) exercising its functions;

 

2. to service providers (e.g., legal advisors, cloud providers), subject to written contracts ensuring confidentiality, limited use, and compliance verification;

 

3. as part of a business transaction, under legal conditions.

​

​

3.4.1 Disclosure outside Québec

​

Personal information may be transferred outside Québec (e.g., cloud service providers or subcontractors abroad). Before any transfer, a Privacy Impact Assessment is conducted to ensure adequate protection, and transfers occur only if compliance with Québec’s standards is demonstrated.

​

​

​

4) RETENTION AND DESTRUCTION

​

Unless a minimum retention period is required by law, personal information is retained only as long as necessary.

​

Information used to make a decision about an individual must be retained for at least one (1) year following the decision, or up to seven (7) years after the fiscal year-end if tax implications apply (e.g., termination of employment).

​

Retention periods for categories of personal information are defined in the Company’s internal processing inventory, available on request.

​

At the end of retention, the Company will:

a) destroy the information; or

b) anonymize it irreversibly for legitimate purposes.

​

The Company maintains an internal register of retention and destruction practices, available on request.

​

​

​

5) COMPANY RESPONSIBILITY

​

The Company is responsible for the protection of the personal information it holds. The Privacy Officer (see section 10) ensures compliance, approves policies and practices, supervises implementation, and acts as the contact point. In their absence, the Company’s president assumes responsibility.

​

All employees with access to personal information must protect it and comply with this policy. The Company provides awareness and training activities to support this responsibility.

​

​

​

6) DATA SECURITY

​

The Company implements reasonable security measures proportionate to the purpose, quantity, distribution, medium, and sensitivity of the information. Sensitive information requires stronger protection.

Access restrictions are enforced to ensure only authorized employees can access personal information as needed.

​

6.1 Privacy Impact Assessments

​

The Company conducts Privacy Impact Assessments (PIAs) as required by Law 25, particularly:

​

• before disclosing personal information outside Québec;

​

• before acquiring, developing, or overhauling an IT system or electronic service involving personal information.

​

​

​

7) PRIVACY INCIDENTS

​

A privacy incident is any unauthorized access, use, disclosure, loss, or other breach of personal information.

If such an incident poses a risk of serious harm, the Company will:

​

• take prompt measures to mitigate risks and prevent recurrence;

​

• notify affected individuals (unless this could impede an investigation);

​

• notify the Commission d’accès à l’information du Québec when serious risk is involved;

​

• maintain an incident register as required by law.

​

The Privacy Officer supervises incident management and risk assessment.

​

​

​

8) RIGHTS OF ACCESS, RECTIFICATION AND CONSENT WITHDRAWAL

​

Individuals may exercise their rights by submitting a written request (including by email) to the Privacy Officer (see section 10).

​

Subject to legal restrictions, individuals have the following rights:

​

• Access: to know if the Company holds personal information about them and to receive it.

​

• Rectification: to correct inaccurate, incomplete, or ambiguous information.

​

• De-indexing: to request removal, de-indexing, or re-indexing of information published online under legal conditions.

​

• Portability: to obtain computerized personal information provided to the Company, in a structured, commonly used format.

​

• Withdrawal of consent: to withdraw consent for use/disclosure, subject to legal/contractual limits. Withdrawal applies prospectively.

​

• Information: to know categories of information collected, who has access, and applicable retention periods.

​

The Privacy Officer must reply in writing within 30 days. Any refusal must be justified, reference the legal provision, and indicate possible recourse and deadlines.

​

​

9) COMPLAINT HANDLING PROCESS

​

Anyone wishing to file a complaint regarding personal information protection may write to the Privacy Officer (see section 10).

​

The Company undertakes to handle complaints confidentially, in accordance with its internal procedure, and provide a response within 30 days.

​

If unsatisfied, the complainant may escalate to the Commission d’accès à l’information du Québec.

​

​

10) APPROVAL

​

This policy is approved by the Company’s Privacy Officer, who is responsible for its implementation, updates, and compliance. They also act as the contact point for access, rectification, withdrawal of consent, and complaints.

​

Privacy Officer:
Mr. David Lebrun
112, rue Prévost, Boisbriand, Québec, Canada
J7G 2S2
david@peintresbsr.com

​

For any request, question, or comment regarding this policy, you may contact the Privacy Officer by email or postal mail.