1. Who we are
2. When and how we collect your personal data
We respect your privacy and aim to minimize the collection of data from you. We also aim to be transparent, which is why we detail below the limited circumstances in which we may collect and process your personal data.
2.1 Direct Interactions
We may collect your personal data in the context of the following direct interactions with you:
- When you apply for admission to one of our programs;
- When you apply to the Foundation for financial assistance;
- When you voluntarily fill out one of the forms available on our Website, notably to register for training or to provide us with feedback on one of our products or services;
- When you create an “employer” account on the Website to post job or internship offers;
- When you make a reservation on the Website or on one of the reservation platforms offered by our technology partners;
- When you communicate with us about the services and products we offer, such as when you request a quote or information about the Organization, or when you register for a workshop, information session, individual information meeting, or open house;
- When you enter into a contractual relationship with us to obtain a product or service, in particular to fulfill our obligations to you or to follow up on the product or service delivered to you;
- When you contact us to ask a question, submit a comment or make a complaint;
- When you complete your subscription to our mailing lists, e-mail communications, and messaging services to receive news, updates, and promotional offers;
- When you request to be added to the Graduate Business Directory;
- When you update your contact information with the Alumni Office;
- When you apply for a job;
- When you make a donation or participate in a Foundation fundraising activity;
- When you apply for a professional certificate of merit;
- When you make a request to our library services, including a request for information, a purchase, a loan, or a digitization;
- When you interact with us through social media.
2.2 Automated online technologies or interactions
We may collect certain types of information electronically when you interact with our Website, via emails, social media accounts, online advertising, or through the use of our or a third party’s technologies, which include cookies, web beacons or single pixel gifs or analytics engines. This information helps us understand what actions you take when you interact with these technologies and allow them to work properly.
The technologies we use include:
- Cookies, which are small text files that are saved on your computer when you visit a website so that information can be saved between visits, such as your login credentials or language preferences. For example, cookies allow you to log in quickly when you visit our Website.
- Web beacons, and single pixel gifs, which are small image files that have information about you, such as your IP address, that can be downloaded when you visit a website or open an e-mail. This allows us to understand your online behaviour, monitor our email delivery, and provide you with interest-based advertising. These tools also allow our third-party tracking tools to gather information, such as your IP address, and provide this back to us in an anonymized, aggregate form (i.e., in a manner that prevents us from identifying you personally). Aggregate information refers to personal data compiled and expressed in a summary form where no personal identifiers are included.
- Analytics engines, which pull Usage data from multiple sources and help manage and collect this data to use for personalization, interest-based advertising, customizing content and other methods to gain insights into the needs and preferences of visitors to our Website.
- Tools that help protect against inappropriate uses, such as Google Invisible reCAPTCHA, which collects hardware and software information, such as device and application data and the results of integrity checks, as well as unique online identifications such as IP address, and sends that data to Google for analysis.
2.3 Third Party Sources
More specifically, the Organization obtains some of your personal data from third parties in the following circumstances:
- You apply for admission through a technology platform operated by a third party (e.g., SRAM or COBA platforms);
- You apply for a job through a technology platform operated by a third party (e.g., SOFE platform); or
- You make a reservation through a technology platform operated by a third party (e.g., LIBRO, OPERA CLOUD, LOUNGE UP or LUXURY RES platforms).
3. What personal data we collect
We may collect, use, store and transfer different kinds of personal data about you. The type of personal data that we may collect is described in the table below, along with an indication as to whether this information is mandatory or facultative in order for the Organization to fulfill its activities.
|Type of Personal Data||Mandatory or Optional|
|Contact data includes name, surname, pronoun, email address, title, telephone number, postal address and contact preferences||Mandatory: to respond to any of your requests, to process your admission, internship, or job application and to provide products or services that you have requested|
Optional: for all other purposes
|Demographic data includes date of birth or gender||Mandatory: the date of birth will be used to process your scholarship application or to update your graduate profile|
Optional: all other uses
|Geographical data, including country, province, administrative region, city or postal code||Mandatory: to respond to your requests, to process your application for admission, internship or volunteer work, or to provide you with the products or services you have requested.|
Optional: for any other purpose
|Data relating to employment or professional activities, which includes all personal data that may be presented in a cover letter, curriculum vitae, or other similar documents submitted in support of a job application, internship application or volunteer offer||Mandatory: to process your job application and manage any subsequent employment relationship|
Optional: for all other purposes
|Social media data includes information associated with your social media accounts and related profiles, such as name, username, email address, profile picture, date of birth and gender||Optional|
|Technical data includes IP (Internet Protocol) address, your login data, clickstream and other related information, such as the websites you visited immediately before and immediately after visiting our Website, your time zone and location settings, information about your Internet service provider and other technologies on the devices you use to access our Website||Optional|
|Usage data includes the number of visits to our Website and the date and average time spent on our Website||Optional|
|Marketing and communication data includes your preferences in receiving marketing from us and third parties with whom we have a connection and your communication preferences||Mandatory: in order to provide you with marketing communications that you have consented to receive or which is allowed by applicable laws|
Optional: for all other purposes
We do not collect any sensitive personal data that includes details about racial or ethnic origin, political opinions, religious or philosophical beliefs or union membership, nor any genetic or biometric data for the purpose of uniquely identifying a natural person, nor any data concerning the health, sexual life, or sexual orientation of a natural person.
If you fail to provide personal data
When we need to collect personal data by law, or pursuant to the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform such contract. In this case, we may have to cancel the delivery of a product or the performance of a service that you have requested from us should your refusal make it impossible to perform our obligations. If so, we will notify you in due time.
4. How we use the personal data we collect about you
We limit the collection of personal data to what is reasonably required to fulfill the purposes for which it is collected. Most commonly, we will use your personal data in the circumstances described below.
- With your consent: for instance, we will obtain your consent before sending marketing communications to you;
- For reasons consistent with the reasons why the personal data was collected: for instance, processing your data where it is necessary to answer your questions or requests, for the performance of a contract to which you are a party, or to take steps on your behalf or at your request before entering into such a contract;
- For purposes that are clearly to your benefit: for instance, to perform a contractual or other obligation that we have towards you;
- Otherwise as permitted by law and when we have to comply with a legal obligation: comply with a legal obligation means processing your personal data where it is expressly permitted by applicable privacy laws or necessary for compliance with a legal obligation that we are subject to.
From time to time, we may use your personal data to conduct surveys in order to improve our products and services. In such cases, we will not collect sensitive personal data and the survey results will be anonymous. We do not use your personal data for automated decision-making. In the event that we conduct a survey for purposes other than those identified above or make an automated decision, a privacy statement will be communicated to you before these activities take place.
5. How we disclose your personal data
We may share your personal data with third parties in the circumstances described below.
- Third-party providers: We may share all of the categories of personal data identified in Section 3 above with third parties who provide services to the Organization such as online reservation services, accounting services, payment processing services, electronic communications (marketing) services, advertising services or analysis services (for example, monitoring the effectiveness of our marketing campaigns and analyzing the use of our Website), online training services. These third parties are only permitted to use your personal data for the purpose of delivering such services to the Organization and are not permitted to use your personal data for their own internal purposes.
- External partners: We may disclose your personal data to an external partner when you request information, registration or participation in an internship or other activity offered in collaboration between the Organization and that external partner. In all cases, the name of the partner to whom your personal data will be disclosed will be mentioned in the information provided to you regarding the activity in question.
- The Foundation: we may disclose your personal data to the Foundation, a non-profit legal entity whose mandate is to obtain funding to support the Organization in carrying out its mandate and mission. Certain personal data collected through the Website is communicated to the Foundation, namely:
- when you apply for a scholarship from the Foundation;
- when you create a “donor’ account on the Website;
- when you make a donation to the Foundation;
- when you register for a fundraising activity organized by the Foundation; or
- when you apply to volunteer with the Foundation.
- to evaluate a scholarship application;
- to evaluate the application of an individual who wishes to volunteer with the Foundation;
- to administer the donation made to the Foundation;
- to administer fundraising activities in which you have requested to participate;
- to send you electronic communications with your consent or otherwise in accordance with applicable laws.
- Judicial purposes: We may disclose your personal data when requested or required for judicial purposes. More precisely, the Organization and its third-party providers may disclose your personal data in response to a search warrant or other legally valid inquiry or order, or where necessary to respond to an investigative body in the event of a breach of agreement or a violation of the law, or as otherwise required or permitted by law. We may also disclose personal data where necessary for the establishment, exercise or defense of legal claims, to prevent actual or suspected loss, to avoid personal injury or property damage.
- Sale, transfer of business or other transactions: We may share your personal data with another entity if we sell part or all of our business or if we sell or transfer assets as part of a business transaction or as part of a merger, a change in our incorporation or organizational structure, or any other legal transaction relating to the legal form of the Organization. In the event the transaction is completed, your personal data will remain protected by applicable privacy laws. In the event the transaction is not completed, we will require the other party not to use or disclose your personal data in any manner whatsoever and to completely delete such data, in compliance with applicable laws.
- Other permitted reasons: Applicable laws may permit or require the use, sharing, or disclosure of personal data without consent in specific circumstances (e.g., when investigating and preventing suspected or actual illegal activities, including fraud, or to assist government and law enforcement agencies). These circumstances include situations when permitted or required by law or when necessary to protect our group of companies, our employees, our customers, or others. If this happens, we will not share more personal data than is reasonably required to fulfill that particular purpose.
6. Transfers of personal data to other countries
As the Organization is headquartered in Canada, your personal data will be accessible from that location. The personal data that we collect from you may be transferred to, or stored at, a destination outside Canada. We will take reasonable steps, in accordance with applicable privacy laws, to ensure that any personal data transferred outside Canada is treated securely and will receive an adequate level of protection. However, it is possible that local laws in the country of destination may not provide the same level of protection as privacy laws in Canada.
7. How we handle and protect your personal data internally
7.1 How we protect your personal data
We have put in place and use administrative, technical and physical safeguards to protect the personal data we hold about you against unauthorized access, use, modification and disclosure including, without limitation:
- We limit our employees’ technological and physical access to your personal data by implementing an access management process;
- We carry out security audits, penetration tests and vulnerability tests on internal and external networks to identify and correct any weaknesses;
- We offer regular training to our employees on personal information security issues;
- We have set up an Access to Information and Privacy Committee, which constantly monitors issues relating to the protection of personal information;
- We have adopted an Information Security Policy and a Directive on Protection against Cyber Threats and Reporting of Cyber Security Incidents, which are communicated to all of our employees.
Security measures are also taken when we dispose of or destroy your personal data with a view of completing these processes in a confidential and secure manner. Further, we use reasonable safeguards to ensure that our service providers protect your personal data wherever it is used or stored.
7.2 Who has access to your personal data and how it is handled
7.3 Our policies related to security incidents
We also take special measures to assess the potential risks applicable to the disclosure of your personal data. In the event of a security breach or a confidentiality incident, namely if your personal data is lost, accessed, used, disclosed without your authorization, or becomes accessible to an unauthorized person, we will inform you of such breach if it poses a risk of serious harm. For example, a risk of serious harm includes reputational damage, credit report damage, identity theft, bodily harm, humiliation, loss of professional opportunities or financial loss. If the breach poses a risk of serious harm, we will notify you directly as soon as possible. If we cannot notify you directly, we will notify you of the breach by public communication. We will provide you with the information required to understand the significance of the security breach and take the necessary steps to reduce the risk of harm that may arise from it. We will also report the security breach to the government and any other organization that we believe may reduce the risk of harm that may result from this breach. We keep records of all security breaches or confidentiality incidents. Following a security breach or a confidentiality incident, the Organization investigates the causes of the breach or incident and reviews the safeguards in place to prevent a reoccurrence.
7.4 Retention of personal data
7.5 Internal training and privacy awareness program
7.6 Responsibilities of our Privacy Officer
Attention: Déwi Collin, Assistant Corporate Secretary
Mailing address: 3535, Saint-Denis St, Montréal Québec H2X 3P1
Email: [email protected]
Our Privacy Officer is also responsible to handle any privacy complaint that you may have in relation to how our Organization processes your personal data. Our Privacy Officer will handle each complaint in the following manner:
- contact the complainant in writing to acknowledge receipt of the complaint;
- investigate the complaint and assess its merits when sufficient information is available to the Privacy Officer; and
- respond to the complaint in writing including details of the Organization’s privacy practices related to the complaint.
8. Your legal rights
In relation to your personal data, you have the rights detailed below:
- Request access to your personal data: this enables you to receive a copy of the personal data that we hold about you.
- Request the correction or update of the personal data we hold about you: this enables you to have any incomplete, inaccurate or outdated data we hold about you corrected or updated. However, we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data: this enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Request to transfer your personal data to you or to a third party: we will provide you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated or computerized personal data.
You will not have to pay any fees to access your personal data (or to exercise any of the other rights set out above).
If you want to exercise any of the above-mentioned rights, we may need to ask you for specific information to help us confirm your identity and ensure your right to access your personal data (or to exercise your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you for further information in relation to your request to speed up our response.
We will respond to all legitimate requests within twenty (20) days.
9. Changing your privacy settings
Electronic communications: At any time, you can have your name removed from our mailing lists for promotional or marketing electronic communications by unsubscribing from our emails.
Targeted advertising: You may opt out of personalized advertising from third-party advertisers and advertising networks that are members of the Digital Advertising Alliance of Canada (DAAC) by visiting the DAAC Opt-Out Page.
11. How to contact us