Privacy policy

PERSONAL INFORMATION MANAGEMENT POLICY (PIMP)
Effective Date: 2026-01-13
Under the Responsibility of: Jean-Benoît Pineault, CEO

Please note that the Groupe Réfraco entity includes the following companies: Benoit Pineault, Réfraco, Réfraco BC,
and Robexco.

INTRODUCTION
This policy is intended to meet legal requirements and reflect our organization’s commitment to respecting its
personnel and inspiring confidence among its partners. To this end, our policy outlines appropriate measures to
protect personal information (PI) against unauthorized access, theft, and improper alteration, while ensuring its
integrity, confidentiality, and availability solely to authorized individuals.

OBJECTIVES
As part of its operations, our organization collects, holds, uses, and communicates PI. This information may be legal,
administrative, financial, customer-management related, or of another nature, and is essential to our activities.
The objectives of this policy are to:
• Ensure the protection of PI collected, held, and communicated by our organization through sound PI management
practices.
• Implement protective measures to reduce privacy breach risks, including unauthorized access to PI and information
theft.
• Preserve information integrity throughout its lifecycle.

SCOPE
This policy applies to any natural or legal person (regular or occasional partner) who has access to PI, regardless of
employment status, including owners, executives, permanent or temporary employees, directors, suppliers, and any
other parties interacting with our organization.

APPLICATION
Employees are informed of the existence of this policy, must review it periodically, and comply with all stated
requirements. Furthermore, service providers entrusted with PI as part of our operations must adhere to the principles
outlined in this PIMP.
Senior management, in collaboration with the person(s) responsible for personal information protection (PIPO),
ensures the implementation of this policy and promotes a culture of PI security throughout the organization.

INFORMATION COVERED
This policy applies to any information that directly or indirectly identifies a person, or that could reveal private (e.g.,
marital status) or sensitive/intimate information (e.g., medical data) about an individual.
1. Collection
This policy authorizes only the collection of PI necessary for conducting our activities. Such PI may only be obtained
from authorized persons, with the knowledge and approval of the individual concerned, unless otherwise required by
law. Whenever possible, the organization ensures that collected PI is accurate, up to date, reliable, and traceable.
2. Use
This policy requires that the purposes for collecting PI be identified before any collection occurs. PI may only be
collected, used, and retained for the purposes for which it was requested. Such PI may only be communicated to
individuals or organizations requiring it as part of our operations and, when required, only with the approval of the
concerned individual. However, certain PI may be disclosed without consent where required by law.
3. Protection
This policy provides that the organization shall take all necessary measures to ensure that its executives and
employees respect the confidentiality of PI and protect it against unauthorized disclosure, access, or use.
Confidentiality agreements shall also be established with all external stakeholders used by our organization
(suppliers, consultants, etc.).
To this end, the following measures have been implemented:
• Categorization of PI according to value and risk exposure, limiting disclosure solely to authorized individuals based
on operational necessity and legal requirements.
• A complaint handling procedure regarding PI protection.
• Controls and preventive measures to reduce confidentiality incidents, fraud, information leaks, cyberattacks,
accidental errors, deliberate acts, and privacy breaches.
• Awareness and training measures for executives, employees, and stakeholders regarding PI risks, security, and
protection responsibilities.
• An obligation to promptly report any PI-related issue or suspected confidentiality/security incident to the competent
authority.
• A procedure for notifying the Commission d’accès à l’information when a confidentiality incident may cause serious
harm.

4. Retention
This policy also addresses the secure retention of PI. Our organization uses standardized methods for filing and
naming documents. Secure retention also includes storing physical documents under lock and ensuring secure
electronic storage of PI where applicable.
PI shall only be retained for the period justified by its intended use, unless otherwise required by law. A PI retention
schedule has therefore been established.

5. Destruction
This policy states that PI that has become unnecessary for its intended purpose shall be securely destroyed in
accordance with organizational policies and applicable laws. Secure destruction means that the media containing PI
must be physically destroyed or otherwise rendered unrecoverable after disposal. This provision also applies in the
event of the death of the individual concerned.

6. De-indexing
Where applicable, this policy provides that PI shall be de-indexed to the greatest extent possible, including removal
from internet search engines and organizational websites where appropriate.

7. Rights of the Individual Concerned
This policy strictly respects the rights of individuals to require consent before their PI is used, to refuse to provide
certain PI subject to applicable laws, to correct or complete their PI, to access their PI at any time, and to obtain
answers to questions regarding their PI.

PRIVACY IMPACT ASSESSMENT (PIA)
A PIA is required if the organization plans any of the following projects (the PIA must be completed before or at the
beginning of the project):
• Any acquisition, development, or redesign of an information system or electronic service involving the collection,
use, communication, retention, or destruction of PI.
• Communicating PI outside Québec.
• Using biometric data.
• Conducting studies, research, or statistical production.

ROLES AND RESPONSIBILITIES
• Julie Potvin, Administrative Director, is responsible for implementing this policy and ensuring it is properly
communicated to all executives, employees, and stakeholders.
• Executives/employees/stakeholders: Each individual commits to complying with all elements of this policy, failing
which appropriate disciplinary measures, including dismissal, may apply. They also undertake to report any known act
likely to constitute an actual or suspected breach of security rules, or any anomaly that could compromise the security
and protection of PI.

REVIEW
This policy commits to keeping all related elements up to date and shall therefore be revised whenever circumstances
require, along with any resulting protection and security measures.