Confidentiality /
BGM

Personal Data Protection Officer

David Gagnon

Chief Executive Officer and President

Objective

BGM Informatique Inc. and its subsidiaries are committed to maintaining personal data protection standards that are aligned with industry best practices and, at a minimum, meet the requirements of applicable data protection legislation, including Law 25, as well as BGM’s contractual obligations.

As part of this commitment, BGM requires its members and all third parties providing goods and/or services to BGM, including third-party suppliers and subcontractors, to take appropriate measures to protect personal data in the performance of their duties.

To demonstrate transparency regarding the data we use, we have developed this Personal Data Protection Policy to inform you about how we collect and process your personal data, the reasons for doing so, BGM’s data protection practices, and your rights as a data subject.

Categories of data subjects

As part of its activities, BGM collects and processes personal data relating to:

  • Current and prospective clients in the public and private sectors;
  • Clients of current and prospective clients in the public and private sectors;
  • Service providers, advisors, suppliers, contractors, and subcontractors;
  • Any other third party.

Collection of personal information and/or data

Identification information

  • Full name
  • Mailing address
  • Telephone number
  • Email address
  • Identification number, such as a client number

Professional information

  • Professional title
  • Company name
  • Business address
  • Business telephone number
  • Personal mobile phone number
  • Professional and/or personal email address

Authentication and access information

  • Usernames and passwords

Financial information

  • Credit card information
  • Banking information

Service usage data

  • Transaction history
  • History of IT service usage
  • System access log data

Interaction data

  • Communication history, including emails, messages, SMS, call recordings, etc.
  • Client comments and feedback

Geographic data

  • Physical location, where relevant to the services provided, such as for IT asset management

Device and software data

  • Information about the devices used, such as computers, smartphones, etc.
  • Hardware and software configuration
  • IP addresses

Security data

  • Security information, such as incident logs, intrusion detections, etc.

Forms and collection methods

Your personal information is collected through the following methods:

  • Website contact form
  • Account opening, through a paper and/or electronic form
  • By telephone, when submitting a support or order request
  • By email or SMS, for example, when submitting a technical support request, quote request, and/or order

2. Purpose of collection

Provision of Services:

  • Managing client accounts
  • Providing IT services, such as hosting, maintenance, network management, etc.
  • Customizing services according to clients’ specific needs

Communication and Client Support:

  • Responding to client inquiries and questions
  • Providing technical support and assistance

Management of Financial Transactions:

  • Processing payments and financial transactions related to the services

Security and Fraud Prevention:

  • Monitoring user activity to detect and prevent fraudulent activities
  • Strengthening the security of IT systems

Customization and Improvement of Services:

  • Analyzing usage data to improve service quality
  • Personalizing the user experience based on preferences and behaviours

Marketing Communications:

  • Sending marketing communications, newsletters, service updates, etc.
  • Conducting marketing analyses to improve advertising campaigns

Compliance with Legal Obligations:

  • Meeting legal obligations related to data retention and compliance
  • Responding to requests from government agencies or court orders

Product and Service Development:

  • Analyzing market trends to develop new products and services
  • Collecting client feedback to improve existing offerings

Security and Access Management:

  • Managing access to systems and sensitive information
  • Ensuring the security of data and IT infrastructure

3. Use of Each Type of Personal Information

| Type of personal information | Personal information | Use |
|---|---|---|
| Identification information | Full name, Mailing address, Telephone number, Email address, Identification number | Client account management, service customization |
| Professional information | Professional title, Company name, Business address, Business phone number, Professional email address | Communication and client support, service customization |
| Authentication and access information | User credentials | Security and access management |
| Financial information | Credit card information, Banking information | Financial transaction management |
| Service usage data | Transaction history, IT service usage history, system access log data | Service improvement, User experience customization |
| Interaction data | Communication history, client feedback | Marketing communication, offer enhancement |
| Geographical data | Physical location for IT asset management | Provision of specific services |
| Device and software data | Information about devices, hardware and software configuration, IP addresses | Security and fraud prevention, service enhancement |
| Security data | Security information, incident logs, intrusion detections | Security and fraud prevention |

4. Data Sharing

We share client data with third parties only when necessary for the provision of our services or when we are legally required to do so. The disclosure of personal information to third parties is sometimes necessary. Accordingly, personal information may be disclosed to third parties without the consent of the person concerned in certain cases, including, but not limited to, the following: BGM may disclose personal information, without the consent of the person concerned, to a public body that, through one of its representatives, collects it in the exercise of its duties or in the implementation of a program under its management.

We require these third parties to maintain the confidentiality of the data. Personal information may be disclosed to service providers when it is necessary to communicate such information to them, without the consent of the person concerned.

For example, these service providers may include BGM subcontractors designated to carry out mandates under programs administered by BGM, as well as cloud service providers. In such cases, BGM enters into written contracts with these providers specifying the measures they must take to ensure the confidentiality of the personal information disclosed, that such information may only be used in the performance of the contract, and that they may not retain this information after the contract has expired.

In addition, these contracts must provide that the providers must notify BGM’s Privacy Officer, identified in this Policy, of any breach or attempted breach of confidentiality obligations concerning the personal information disclosed, and must allow this Privacy Officer to conduct any verification related to such confidentiality.

Data Security

We implement security measures to protect our clients’ data against unauthorized access, loss, disclosure, or destruction. This includes the use of security technologies, staff training, and strict data security policies.

Server Security: Our servers are hosted in secure environments and monitored on an ongoing basis. We implement advanced firewalls and intrusion detection systems to prevent unauthorized access.

Strict Access Control: Access to personal data is strictly limited to employees who need it to perform their work. All access is logged and monitored.

Ongoing Training: Our team receives regular training on data security best practices. This ensures ongoing awareness of potential risks and the ways to prevent them.

Incident Management: In the event of a data security breach, we have implemented clear incident management protocols to minimize any impact on your personal information. We will promptly inform you of any security breach in accordance with legal requirements.

Regular Backups: We perform regular backups of your data to ensure its continued availability and to minimize the risk of data loss.

5. Password Storage and Management

I understand that the passwords associated with my accounts and services will be securely stored in a vault protected by advanced security measures. Access to the secure vault is strictly limited to authorized employees of the Receiving Party. These employees are subject to access controls and continuous monitoring.

BGM clients’ infrastructures are stored with an external provider located in Québec that complies with very high confidentiality standards in terms of security and uses ISO 27001 and/or SOC 2 standards. For more information, you may consult the policy: https://www.ibm.com/support/customer/csol/terms/?id=Z126-7745&lc=fr

Cloud backups, such as M365, Azure, and disaster recovery plans, are stored with an external provider located in Québec, but stored in Canada, and comply with the standards of the GDPR (General Data Protection Regulation) and PIPEDA (Personal Information Protection and Electronic Documents Act). BGM and its subsidiaries do not retain any data, copies, or decryption keys. It is the client’s responsibility to keep this key in a secure environment. BGM shall not be held liable in the event of data loss.

Data Security Measures

| Section | Details |
|---|---|
| Data Sharing | We share data only when necessary for service provision or to meet legal obligations. This includes sharing with public bodies for their duties and with service providers under strict contracts to ensure data security. |
| Data Security | Measures to protect data against unauthorized access, loss, disclosure, or destruction. Includes security technologies, staff training, incident management, and regular backups. |
| Server Security | Secure environments monitored with advanced firewalls and intrusion detection systems. |
| Access Control | Access to personal data is limited to necessary employees, with all access logged and monitored. |
| Ongoing Training | Regular training on data security best practices for the team. |
| Incident Management | Clear protocols in case of a security breach with prompt notification in the event of a violation. |
| Regular Backups | Backups to ensure continuous data availability. |
| Password Storage and Management | Secure storage in a vault protected with limited access to authorized employees and continuous monitoring. |
| IT Infrastructure and Backups | Storage with external providers complying with ISO 27001/SOC 2 standards. Cloud backups adhere to GDPR and PIPEDA. Clients are responsible for managing the decryption key. |

6. Data retention

Data retention

We retain client data for as long as the business relationship continues in order to provide our services or comply with legal obligations. When the data is no longer required, we destroy it securely.

Retention purpose

Personal data is retained only to the extent necessary to achieve the purposes for which it was collected, unless the law permits or requires a longer retention period.

Retention criteria

We determine the retention period based on the nature of the personal data and the purposes of its processing.

If you have a user account, we retain your information for as long as your account remains active and for a reasonable period thereafter.

Retention for legal or regulatory purposes

In certain cases, we may be required to retain your personal data to comply with legal or regulatory obligations.

Retention for dispute management

We may retain certain information to manage potential disputes, enforce our agreements, and protect our legal rights.

Retention after account termination

If you choose to terminate your account, we retain your personal data for a reasonable period in order to meet legal, regulatory, audit, or dispute management requirements.

Following communication of the end date of the agreement with the client, BGM Informatique Inc. and its subsidiaries will delete all client data on the 14th day, with the exception of previously issued invoices.

Anonymization or deletion

Once the data is no longer required for the purposes for which it was collected and there is no legal obligation to retain it, we securely delete it or shred it if it is in paper format.

7. Right to withdraw consent

I understand that I have the right to withdraw this consent at any time by contacting Mr. David Gagnon, Privacy Officer, or Stéphanie Munger, Assistant Privacy Officer, at BGM by email at protectionrenseignements@bgm.ca or by phone at 418-668-0744.

However, please note that withdrawing consent may affect the delivery of the services you receive from our company and that, due to legal obligations, we must retain certain information, such as previous invoices and transaction histories.

8. Access and rectification

I acknowledge that I have the right to access my personal information held by BGM Informatique Inc. and its subsidiaries and to request its rectification if necessary.