The personal information that Stein Monast collects is only used in the context of its professional activities, solely to provide the services requested and in accordance with the applicable law. We never sell the personal information we hold.

Personal information means any information relating to a natural person, which allows them to be directly or indirectly identified and which is not public within the meaning of the Act respecting the protection of personal information in the private sector.

The reasons why this information is necessary are explained to our clients with a view to obtain their informed consent.

Our policies for the management and protection of personal information

We are committed to protect the personal and confidential information collected as part of the mandates entrusted to us and to ensure the security of the information held by implementing appropriate security measures.

To do this, we have adopted policies and practices in relation to our governance of this personal and confidential information aimed at ensuring its protection. Detailed information about these policies is presented below.

The personal and confidential information thus protected includes its physical or technological medium, as well as the system or information technology by which this information is processed, transmitted or stored for the purpose of the intended use (the “Information”).

Our policies apply to our employees, lawyers, notaries, associates, consultants, suppliers and business partners (the “Users”).

Confidentiality and Privacy of Personal Data

Information collected

Depending on the specific needs of a mandate, the personal information that we collect from the client or from third parties may be, for example, their first and last name, date of birth, postal address, email address, telephone number, credit card number or banking information, passport number, driver’s license number, health or social insurance number as well as any other information relevant to the performance of the service contract and mandate.

Method of collection

The collection may be carried out in person, by secure file/data sharing platforms, by email, through forms, telephone discussions or otherwise.

Purposes for which personal information is collected

We collect the required personal information to identify the client, to communicate with the client, to offer services or to carry out the mandate in a personalized manner, to pay invoices, to offer the client to participate in training and to improve the services provided.

Disclosure of personal information to third parties

As part of the mandate or the service contract, it is possible that we communicate the personal information obtained to third parties in Quebec and outside Quebec and in particular, to government authorities, to our own suppliers or partners and to the other parties involved in the file. In any case, the disclosure is made for the sole and legitimate purpose for which the information was collected or for compatible purposes.

Retention and destruction of personal information

All personal information collected, whatever its medium, is kept in a secure environment against unauthorized access. Personal information is kept for the period necessary to fulfill the purposes for which it was collected and for us to comply with the applicable law. The information will then be destroyed in accordance with the applicable law.

Right of access, rectification or withdrawal

The client can have access to its information. An access request can be made to confidentialite@steinmonast.ca.

The client may request the correction or destruction of personal information.

The client may also withdraw their consent to the collection, use and storage of personal information by contacting the privacy officer at confidentialite@steinmonast.ca.

Cookies

Cookies are used during visits of our website, which make it possible to know, for example, the type of browser used, the preferred language, the reference site, the date and time of the visit. This data is collected to better understand the use made of the website by users and to improve its efficiency.

A consent banner is automatically displayed as soon as you consult on our website to allow the user to activate cookies.

Information security

All personal information collected, whatever its medium, is kept in a secure environment against unauthorized access, disclosure, copying, use or modification as well as against loss or theft.

These security measures include the use of firewalls and secure servers, encryption, deployment of appropriate access rights management systems and processes, careful selection of processors, training of our staff with access to personal information in the context of their duties, etc.

Security incident

Despite our best efforts, no method of electronic transmission or storage is completely secure. Therefore, we cannot guarantee the security of personal information transmitted to us or that such personal information will not be obtained, accessed, disclosed, modified or destroyed as a result of a breach of security and protection measures.

In the event of an incident affecting the protection of personal information, we undertake to take the necessary measures to reduce the risk of harm and to prevent new incidents of the same nature from occurring in accordance with the Information Security Incident Management Policy presented below.

Information Security Policy

This policy defines the responsibility of each User, depending on the circumstances and the degree of sensitivity of the Information to which they have access, to ensure its protection and reasonable and appropriate use, to reduce the risk of incidents and to minimize impacts, if any.

Our Users formally undertake not to disclose or use the Information for purposes other than in the exercise of their duties and in compliance with professional secrecy, or without having previously obtained the consent of the person about whom information is held or of its representative, unless otherwise permitted by law.

Our Users also undertake to access Information only within the framework of Stein Monast’s operations and only through the tools provided and approved by Stein Monast. They must not attempt to access or save Information on systems other than those we provide them with or by using cloud services that we have not approved.

Our Users must use strong passwords and take all necessary measures to prevent the unauthorized disclosure of these passwords. Laptops, mobile devices and other IT tools left unattended should be physically secured and inaccessible to unauthorized persons.

Users do not benefit from any expectation of privacy in relation to the use they make of the information systems made available to them in the context of their work. We therefore retain the right to audit and monitor any use of the information systems at any time and without notice.

We provide reasonable and appropriate physical and electronic safeguards to prevent unauthorized access to Information, both at our physical facilities and in our IT environment. Users must use the double identification method for remote access.

When Information must be shared with an agent, a supplier, a subcontractor or a consultant in the exercise of our duties or in the context of a professional mandate, we first obtain from them a written commitment to take the necessary measures to ensure the confidentiality and integrity of the Information within the meaning of our Information Security Policy and applicable laws and not to keep any information beyond the duration necessary for the mandate or contract prior to their access to such Information.

Handling of complaints

The managing partner of Stein Monast is responsible of the privacy protection and can be contacted at the following address: confidentialite@steinmonast.ca.

Information Security Incident Management Policy

An information security incident (an “Incident”) means an event that affects or is likely to affect the availability, integrity or confidentiality of information held by Stein Monast, including any Information.

Together with our Information Security Policy, the purpose of this policy is to ensure, in a reasonable manner depending on the circumstances, that each potential, apprehended or actual Incident is detected, identified, reported, contained, documented, analyzed and remedied promptly, in accordance with the applicable law, so as to minimize any negative impact.

Any real or suspected Incident must therefore be reported to the policy manager and to Stein Monast’s Office IT Department. This may be, for example, access to information or computer systems by an unauthorized person, physical access to a secure or sensitive area, unauthorized sharing of a login ID or password, loss of a device containing Information, hacking, malfunction of software or hardware, sending information to the wrong recipient, etc.

This reporting triggers an investigation, which makes it possible to collect all the relevant information, to assess the seriousness of the Incident, to quickly take all the reasonable and appropriate corrective measures required, as the case may be, to contain without delay any actual or potential breach of Information security.

Once the Incident is contained and the Information secured, an assessment of the scope and impact of the Incident is carried out after a full investigation and collection of collectable information. When the cause of the Incident is identified, a correction strategy must be planned and implemented.

This policy also addresses how affected individuals will be notified. If client Information has been compromised, a written notice will be sent to the client within a maximum period of 30 days, with a general description of the Incident, the list of compromised Information, a description of the measures we have taken to protect the Information and to avoid the occurrence of a similar Incident as well as the contact details of the person who can be contacted for more information. A notice to the Commission d’accès à l’information will also be sent when the Incident presents a serious risk that harm will be caused.

File Closure Policy

The Information obtained and held by Stein Monast is for the purposes of the professional mandates entrusted to it and for the management and day-to-day operations of the company.

As for the Information obtained and held for the purposes of the professional mandates entrusted, it must be kept in each of the files opened specifically for each mandate and used to provide the agreed-upon professional services.

The professional obligations imposed on our lawyers and notaries state that we must keep a copy of the file, including the Information, for a period of seven (7) years after the end of the mandate given to a lawyer and ten (10) years in the case of a notary. When this period has elapsed, the file and the Information it contains are securely destroyed.