Quebec add'l document
Roles and Responsibilities of Festool Personnel Throughout the Lifecycle of Personal Information
Festool Canada Inc. (“Festool” or the “Company”) takes steps to process personal information in a manner that respects the confidentiality of such information, protects the integrity of the information so that decisions will be made based on accurate information, and accomplishes the purposes for collecting the data. Festool’s overall goal is to comply with all applicable legal and regulatory requirements, as well as develop and follow practices for managing data in a manner that builds and maintains the trust and confidence of its personnel and clients, while still permitting efficient and effective operation of our organization and delivery of our services.
Company personnel will have the following roles and responsibilities with respect to handling personal information throughout its lifecycle within our organization:
- Chief Executive Officer
- Overall responsibility for ensuring that the Company complies with applicable privacy and data protection legislation, including the Act respecting the protection of personal information in the private sector (Quebec)
- Delegating necessary functions to ensure the Company’s compliance with applicable privacy and data protection legislation, including the Act respecting the protection of personal information in the private sector (Quebec)
- Privacy Officer
- Promoting privacy and data protection within our organization.
- Developing policies, standards, and procedures to appropriately manage and safeguard personal information in accordance with applicable laws and contractual requirements.
- Developing appropriate consent processes for collection, use and disclosure of personal information.
- Confirming that appropriate security controls are developed, implemented and maintained to protect personal information in a manner that is consistent with the sensitivity of the information.
- Developing and/or facilitating delivery of privacy and data security training to personnel.
- Managing and responding to demands or requests for access and rectification of personal information, and other data subject requests.
- Directing and managing compliance with court orders and other legal processes requiring disclosure of personal information.
- Receiving, investigating and responding to privacy complaints.
- Developing an appropriate data retention schedule.
- Communicating with privacy regulators, including in the event of a complaint or investigation.
- Chief Information Security Officer
- Defining, implementing, maintaining and enforcing policies, procedures and safeguards related to information technology and systems of record.
- Designing, implementing and maintaining computing hardware, software, processes and controls, as needed to support the effective, compliant management of records throughout their lifecycle.
- Developing data back-up policies and procedures. Regularly testing back-ups.
- Conducting vulnerability assessments, as well as security threat and risk assessments. Developing and managing risk mitigation plans.
- Notifying the Privacy Officer of any data breach, technology failure, or other incident that results in (or may result in) loss of or unauthorized access to or disclosure of personal information (or other confidentiality incident). Participating and fully cooperating in any investigation into such incidents (including cooperating with outside investigators, where applicable).
- Other Personnel
All Company Personnel who have access to personal information are responsible for
- Notifying individuals of the purposes for which their personal information will be collected, used and disclosed, and obtaining consents in accordance with Company policies and procedures, where applicable.
- Limiting collection of personal information to what is needed to accomplish the purposes identified to individuals, in accordance with Company policies, standards and procedures.
- Refraining from accessing, using, or disclosing personal information unless required for performance of their job duties and permitted by applicable policies, standards and procedures.
- Taking reasonable steps to confirm that information is accurate and up-to-date before using personal information, where appropriate.
- Regularly identifying and disposing of transitory information, which is no longer needed to support business activities, in a secure manner and in accordance with the Company’s retention and destruction policies and procedures.
- Seeking guidance from the Privacy Officer if they are unsure of their obligations under the Company’s policies, standards and procedures or applicable law.
- Promptly notifying the Privacy Officer of any confidentiality incident or other loss or theft of, or unauthorized access to, use or disclosure of, personal information.
- Promptly notifying the Privacy Officer of any access request, privacy enquiry, complaint, or other data subject requests.
Company will take steps to communicate to personnel their roles and responsibilities in connection with processing personal information, as described above.
Record Retention and Destruction Policy
Festool USA LLC (“Festool” or the “Company”) has developed a records retention and destruction policy that aligns with the guidelines provided by the Office of the Privacy Commissioner of Canada and the Commission d’Accès à l’Information (Québec).
- Retention of Records
Company will retain records containing personal information (“Records”) only as long as necessary to accomplish the purposes for which such information was collected and to meet statutory, fiscal, contractual, administrative, and operational requirements.
Company undertakes to ensure that Records are accurate, complete, and are retained for the periods of time required pursuant to applicable laws and regulations.
The Records will be handled in accordance with a Document Management Procedure that includes the following components:
- identification of the types of Records containing personal information (e.g., human resources files, customer files, etc.);
- defining the levels of confidentiality of Records (e.g. protected, confidential and secret) according to factors such as sensitivity, purpose, quantity, distribution and medium;
- distinguishing the types of media to associate an appropriate method of retention and destruction for different types of Records (e.g. paper, computerized or electronic media);
- determining and implementing a retention schedule for different types of Records that meets legal requirements, including maximum and minimum retention periods that take into account legislative requirements and restrictions and appeal mechanisms (where applicable);
- destroying personal information that does not fulfill a specific purpose or is no longer required to fulfill an identified purpose. If information is to be retained solely for statistical purposes, effective de-identification or anonymization techniques will be used;
- ensuring that all personal information is completely deleted before recycling or disposing of electronic devices (e.g., computers, photocopiers, cell phones);
- using effective processes to destroy, erase or de-identify personal information;
- developing guidelines and implementing procedures for secure retention of personal information; and
- conducting periodic reviews to assess the need to retain personal information.
- Destruction of Records
- Types of Records
Company will determinate the appropriate destruction methods for the Record, depending on whether it is a Paper Record or an Electronic Record, as defined below:
Paper Records include physical representations of data, such as paper printouts, notes, memos, messages, correspondence, transaction records and reports in hard copy.
Electronic Records include information stored on electronic devices, such as computer hard drives, copier and printer hard drives, removable solid drives including memory, disks and USB flash drives, mobile phones and magnetic tapes. Electronic Records include emails, draft versions of documents saved on a server or document management system, scanned/imaged documents, faxes (where there is no paper copy), voicemails, metadata and any other information or data saved to or stored in electronic form.
- Destruction Techniques That May Be Used
Company will use the following destruction techniques recommended by the Office of the Privacy Commissioner in Canada, so that the personal information contained in such Records cannot be recovered:
- completely destroying the media, whether hard or electronic copy, so that the information stored on it can never be recovered. This can be accomplished using a variety of methods including disintegration, incineration, pulverizing, cross-shredding and melting;
- deleting information using methods that resist simple recovery methods, such as data recovery utilities and keystroke recovery attempts. One method for clearing media is overwriting, which can be done using software and hardware products that overwrite the media with non-sensitive data; and/or
- degaussing, in which magnetic media are exposed to a strong magnetic field to make data unrecoverable. This can be used to protect against more robust data recovery attempts, such as a laboratory attack using specialized tools (for example, signal processing equipment). Degaussing cannot be used to purge nonmagnetic media, such as CDs or DVDs.
Without limiting the above, Paper Records (i) may not be deposited in open office recycling bins, but rather, must be placed in special shredding bins with high security locks accessible only by authorized persons, and (ii) must be shred using a cross-cut shredder with one cut shredded to a width of 1cm or less, and the other cut at 15 mm or less, to ensure that the information in such Record is obliterated. The use of home or standard office shredders is not permitted and the resulting material must be recycled or pulped.
Onsite destruction of Records must occur in an area that is accessible only by Company’s authorized personnel.
- Destruction by a Third Party Service Provider
Festool may engage the services of a third party service provider to destroy Records, including where it does not possess the equipment necessary to allow for secure and definitive destruction.
When Company uses the services of a third party service provider, Company will ensure that the contract for the provision of Record destruction services specifies:
- the process used for destruction;
- an acknowledgement by the service provider that the information being processed is confidential;
- that the service provider will inform Company if it uses a subcontractor for the destruction of Records;
- that a confidentiality agreement will be signed by the service provider’s employees who have access to the Records;
- that secure storage of the Records is required prior to destruction (e.g., stored in secure premises with limited access);
- that Company has the right to access the service provider’s premises during the term of the contract to confirm compliance with the contract;
- that the service provider is required to report regularly to Company on the destruction of the Records.
In the event that the third party service provider fails to comply with its obligations, Company will take appropriate measures, including to obtain the return of the Records and terminate the contract.
Process for Handling Inquiries & Complaints
Festool USA LLC (“Festool” or “Company”) strives to be transparent about its data handling practices. Individuals have the right to make inquiries or complaints about the collection, use, disclosure or other processing of their personal information by the Company, or otherwise regarding the Company’s compliance with applicable privacy and data protection laws.
Company personnel who receive or are made aware of an inquiry or complaint must:
- Record the date on which the inquiry or complaint is received, together with its nature; and
- Immediately refer or forward the inquiry or complaint to the Vice President of Operations at email@example.com (the “Privacy Officer”).
The Privacy Officer shall be responsible for undertaking a reasonable investigation into and responding, in writing, to all such inquiries and complaints. In particular, the Privacy Officer shall:
- Acknowledge receipt of the inquiry or complaint promptly;
- Validate/confirm the identity of the individual/claimant;
- Seek clarification regarding the inquiry or complaint, as needed;
- Fairly and impartially evaluate the validity of a complaint, having regard to all relevant factors;
- Notify the individual of the response to their inquiry or outcome of their complaint clearly and promptly, together with any steps taken as a result of the inquiry or complaint, within the time period required by applicable law;
- If a complaint is found to be justified, take appropriate measures to address and rectify the substance of the complaint and to ensure compliance with the applicable laws, including, if necessary, correcting any inaccurate Personal Information and/or amending Company policies and procedures concerning the processing of personal information; and
- Ensure that relevant Company employees are aware of any changes to the Company’s policies and procedures as a result of an inquiry or complaint, including arranging for necessary training to implement and give effect to such changes.
Records of decisions made with respect to an inquiry or complaint, and any personal information that is the subject of an access request or a request for rectification, will be maintained for as long as necessary to allow the relevant individual(s) to exhaust any recourse they may have under applicable laws. In particular, personal information that has been used to render a decision that directly affects an individual in British Columbia or Quebec must be retained for at least one year in order to give the individual a reasonable opportunity to request access to it. The Privacy Officer will approve an override of the Company’s regular retention and deletion schedule/practices where necessary to permit such retention.