GENERAL INFORMATION | DEFINITIONS | PROCESSING OF PERSONAL INFORMATION | YOUR RIGHTS | COOKIES AND OTHER TRACKING TECHNOLOGIES | SECURITY MEASURES | CHANGES TO THIS PRIVACY POLICY | LINKS TO THIRD-PARTY WEBSITES | INVISIBLE RECAPTCHA | INDIVIDUALS UNDER THE AGE OF 14 | APPLICABLE LAWS

1. General Information

1.1 INTRODUCTION

Privacy is important to Groupe Premier Médical Inc. / Premier Medical Group Inc. operating as « GPM régimes collectifs / GPM Group Benefits » (hereinafter « Entity », « We », « Us », « Our »). For this reason, We have implemented safeguards and sound management practices for your Personal Information in accordance with applicable laws in Quebec and Canada.

This Privacy Policy (the « Policy »), describes Our practices with respect to the collection, use, disclosure, and retention of Personal Information of our clients, visitors, and users.

By using Our Websites gpm.ca, conseiller.gpm.ca, participants.gpm.ca and administration.gpm.ca (the « Website »), Our mobile application « GPM mobile » or any of Our services, you agree that We may collect, use, disclose and retain your Personal Information in accordance with the terms described herein Privacy Policy. If you do not agree to abide by and be bound by this Policy, you are not permitted to visit, access, or use Our Website, GPM mobile application, or Services, or to share your Personal Information with Us.

This Policy does not apply to the Personal Information of the Entity's employees, representatives, and consultants, or to any other person affiliated with the Entity, as well as to any information that does not constitute Personal Information as defined by the laws applicable in Quebec and Canada.

1.2 DATA PROTECTION OFFICER

Questions, comments, and complaints regarding the Entity's Privacy Policy and practices may be directed to Our Data Protection Officer at:

Data Protection Officer
Phone number: 450.667.7737 ext. 333
Email: rprp@gpm.ca
Address: 250-2 Laval place, Laval (Quebec) H7N 5N6

2. Definitions

The following words and expressions, when they appear with a first capital letter in the Policy, shall have the meaning ascribed below, unless otherwise implied or explicitly stated in the text:

« Service Provider » :
means any natural or legal person who processes Personal Information on behalf of the Entity. These are third-party companies or individuals employed by the Entity to facilitate the Services, provide the Services on behalf of the Entity, perform services related to the Services, or assist the Entity in analyzing the use of the Services.

« Personal Information » :
means any information that relates to a natural person and allows him or her to be identified, i.e. that directly or indirectly reveals something about the identity, characteristics (e.g., skills, preferences, psychological tendencies, predispositions, mental capacities, character and behaviour of the person concerned) or activities, regardless of the nature of the support tool and regardless of the form in which the information is accessible (written, graphic, audio, visual, computerized, or otherwise).

« Data Protection Officer » :
means the person who is responsible for the application of this Policy and whose contact information is identified in Section 1 of this Policy.

« Services » :
Services refers to the gpm.ca website, to the conseiller.gpm.ca, participants.gpm.ca and administration.gpm.ca websites, to the GPM mobile application and our social media pages.

3. Processing of Personal Information

3.1 COLLECTION OF PERSONAL INFORMATION

In the course of our business, We may process different types of Personal Information depending on the activities you perform on Our Website or GPM mobile application, such as the forms you complete or the questionnaires you answer. By way of example, Personal Information may include the information listed below:

• Identification information such as your first and last name, address, email address and telephone number, date of birth, gender, social insurance number, etc. ;
• Financial information such as your bank account number, void cheque, etc. ;
• Employment-related information such as your annual salary, employment status, etc. ;
• Location information collected automatically when you use the Website and Our Services, such as your IP address, time, and date of connection, precise or approximate location determined from your IP address, etc.

In each case, such Personal Information is processed in accordance with the legitimate and necessary purposes listed in Section 3.2 below.

3.2 USE OF PERSONAL INFORMATION

We may use your Personal Information for the legitimate purposes described below:

• Operate, maintain, supervise, develop, improve and deliver all features of Our Website;
• Present and/or provide Services;
• Develop new products and improve Our Services;
• To carry out our contractual obligations to you;
• Send messages, updates, security alerts;
• For marketing and business development purposes, if you have previously consented to the processing of your Personal Information for these purposes;
• Answer your questions and provide you with the assistance as needed;
• Collect reviews and feedback in connection with Our Services;
• Conduct surveys, research, analysis and statistics in connection with Our business and Services;
• Detect and prevent fraud, errors, spam, abuse, security incidents, and other harmful activities;
• For any other purpose permitted or required by law.

3.3 DISCLOSURE OF PERSONAL INFORMATION

We may share your Personal Information with our employees (including human resources and IT departments), contractors, consultants, agents, service providers and other trusted third parties (collectively, “ Service Providers ”), who need the information to help Us operate Our Website, conduct Our business activities or serve you, provided that such Service Providers have previously agreed in writing to ensure the confidentiality of your Personal Information in accordance with applicable laws and Our information governance program.

We do not sell, trade, or otherwise disclose your Personal Information to third parties.

3.3.1 Service Providers and Other Third Parties

Although We try to avoid sharing your Personal Information with third parties, We may use Service Providers to perform various services on Our behalf, such as IT management and security, marketing, and data analytics, hosting, and storage. We have defined below some cases in which such sharing may take place:

• • We use Google Analytics to analyse the Website's audience, compile statistics and communicate with clients and prospects. Check out their Privacy Policy;
  • We use the services of Pipedrive CRM. Check out their Pipedrive CRM privacy policy;
  • We use Metatracer to ensure Our compliance with the privacy laws that apply to Us. View their Privacy Policy.

Before disclosing your Personal Information to Service Providers outside the province of Quebec or depending on the nature of the Personal Information disclosed, We conduct privacy impact assessments. When We disclose your Personal Information to Service Providers, We insure that the Personal Information disclosed and provided is strictly necessary to carry out their mandate. As part of the contracts with our Service Providers, We are committed to adhering to the principles set out in this Policy. Our Service Providers are required to use Personal Information securely and confidentially, as directed by us, and only for the purposes for which it was provided. We provide sufficient assurances that adequate safeguards are in place to commensurate with the sensitivity of the Personal Information processed or disclosed. When Our Service Providers no longer need your Personal Information, We require them to destroy that data appropriately.

3.3.2 Complying with Legislation, Responding to Legal Requests, Preventing Harm and Protecting Our Rights

We may disclose your Personal Information when We believe such disclosure is authorized or necessary, including:

• • To respond to requests from public and government authorities, including public and government authorities outside your country of residence;
  • To protect Our business;
  • To comply with legal process;
  • To protect Our rights, privacy, safety, property, yours or those of others;
  • To enable Us to pursue available remedies or limit the damages that We may sustain; and
  • In accordance with applicable laws, including laws outside your country of residence.

3.3.3 Business Transaction

We may share, transfer or communicate, in strict accordance with this Policy and the provisions of the Act respecting the protection of personal information in the private sector, CQLR c P-39.1 (the “Private Sector Act”) and the Act to modernize legislative provisions as regards the protection of personal information, SQ 2021, c 25 (the “Bill 25”) (assented to September 22, 2021), your Personal Information in the event of a sale, transfer, or assignment, in whole or in part, of the Entity or Our assets (e.g., as a result of a merger, consolidation, change of control, reorganization, bankruptcy, liquidation or other business transaction, including in connection with the negotiation of such transactions). In this case, We will notify you before your Personal Information is transferred and is governed by a different privacy policy.

3.4 CONSENT TO PERSONAL INFORMATION

To the extent possible, the Entity obtains consent directly from the data subject to the collection, use, and disclosure of their Personal Information. However, if you provide Personal Information about other individuals to Us, you must ensure that you have given them due notice that you are providing their information to Us in addition to obtaining their consent to such disclosure.

We will collect your explicit, clear, free, and informed consent and identify specific purposes for which consent is required before using or disclosing your Personal Information for purposes other than those set out herein. We will also collect your explicit consent whenever sensitive Personal Information is involved in any of the Entity's processing activities. We will ask for your consent for each specific purposes in plain and clear terms, and distinctively from any other information.

BY USING OUR WEBSITES, BY SUBMITTING YOUR PERSONAL INFORMATION BY EMAIL OR THROUGH AN ONLINE FORM, YOU CONSENT TO THIS PRIVACY POLICY AND TO THE COLLECTION AND PROCESSING OF YOUR PERSONAL INFORMATION IN ACCORDANCE WITH THE PRIVACY POLICY.

If You do not consent, please stop using the Website. Except where otherwise required by law, You may withdraw your consent at any time upon reasonable notice. Please note that if You choose to withdraw your consent to the collection, use or disclosure of Your Personal Information, certain features of Our Website may no longer be available to You or we may no longer be able to offer You some of Our services.

3.5 RETENTION OF PERSONAL INFORMATION

Subject to applicable law, We retain your Personal Information only for as long as necessary to fulfill the purposes for which it was collected, unless you consent to your Personal Information being used or processed for another purpose. As an indication, the duration of certain information may extend up to 7 years following the end of the Services rendered by the Entity to you. In addition, Our retention periods may be changed from time to time due to legitimate interests (e.g., to ensure the security of Personal Information, to prevent abuse and breaches, or to prosecute criminals).

For more information on the duration for which your Personal Information is retained, please contact Our Data Protection Officer using the contact information provided in section 1b) of this Policy.

4. Your Rights

As a data subject, you may exercise the rights set out below by contacting Our Data Protection Officer in writing at the contact information provided in section 1b) of the Policy. Please note that We may ask you to verify your identity before responding to any of these requests.

• You have the right to be informed of the Personal Information We hold about you, its use, disclosure, retention and destruction, subject to the exceptions provided by applicable law;
• You have the right to access your Personal Information, to request a copy, including hard copy, of the documents containing your Personal Information, subject to the exceptions provided by applicable law, and to obtain, where applicable, additional details about how we use, disclose, retain, and destroy it;
• You have the right to have the Personal Information We hold about you corrected, amended, and updated if it is incomplete, ambiguous, out of date, or inaccurate;
• You have the right to withdraw or modify your consent to the Entity's collection, use, disclosure, or retention of your Personal Information at any time, subject to applicable legal and contractual restrictions;
• You have the right to ask Us to stop disseminating your Personal Information and to de-index any link to your name that provides access to that information if such disclosure would contravene the law or a court order;
• You have the right to request that your Personal Information be disclosed to you or transferred to another organization in a accessible and commonly used technological format;
• You have the right to be notified of a privacy incident involving your Personal Information that may cause you serious harm. To this end, we maintain a register of all confidentiality incidents and assess the harm they may cause to data subjects;
• You have the right to file a complaint with the Commission d'accès à l'information, subject to the conditions set out in applicable law.

In order to comply with your request, you may be asked to provide appropriate identification or otherwise identify yourself.

5. Cookies and Other Tracking Technologies

We use cookies and other similar technologies (collectively, “Cookies”) to aid in the operation, protection, and optimization of the Website and Services we provide. Cookies are small text files that are stored on your device or browser. They collect certain information during your visits to the Website, including your language preference, browser type and version, device type, and unique device identifier. If any of the Cookies We use are deleted after the end of your browser session, other “Cookies” remain stored on your device or browser to enable us to recognize your browser the next time you visit the Website. The Personal Information collected through these Cookies is not intended to identify you. They ensure the Website's functionality, enhance user browsing experience, provide insights into Website traffic and interactions, and aid in detecting certain types of fraud. Cookies do not harm your device and cannot be utilized to extract your Personal Information. We collect various data through Cookies, including your IP address, information about your device and operating system or browser, your browsing history, and your browsing history on Our Website, as well as your queries and your browsing preferences (such as the languages used), etc.

Upon visiting Our Website, you will encounter a banner informing you about the use of Cookies. For further details on how We use Cookies, please refer to our Our “Cookie Policy”.

6. Security Measures

The Entity has implemented physical, technological, and organizational security measures to adequately protect the confidentiality and security of your Personal Information against loss, theft, or any unauthorized access, disclosure, copying, communication, use, or modification. These measures include, but are not limited to:

On the administrative side, the adoption of a series of policies and procedures as part of the implementation of Our information governance program, such as:

• Governing access, communication, retention, de-identification (including the anonymization and/or, where applicable, destruction) of Personal Information;
• Determining the roles and responsibilities of Our employees throughout the life cycle of the Personal Information and documents;
• Establishing procedures for responding to confidentiality incidents;
• Overseeing the process for requests and complaints relating to protection and processing of Personal Information.

On the technical level, the use of several means such as:

• The use of a secure server. All sensitive information provided is transmitted via Secure Socket Layer (SSL) technology and then encrypted in Our database, accessible only by authorized persons with special access rights, who are required to maintain confidentiality;
• Employment of backup systems, network monitoring software, etc.;
• Adoption of encryption and segregation of duties systems, access controls, and internal audits.

We have not exhaustively listed the set of measures we are putting in place given the public nature of this Policy.

While the aforementioned measures are in place, We cannot guarantee the absolute security of your Personal Information. Should you have reason to believe that your Personal Information is no longer protected, please contact Our Data Protection Officer immediately using the contact information provided in Section 1.2 above.

7. Changes to this Privacy Policy

We reserve the right to modify this Policy at any time in accordance with applicable law. In the event of any changes, We will publish the updated Privacy Policy and amend the date in the header accordingly. We will also notify you within a reasonable delay prior to the effective date of the new version of Our Policy. If you do not consent to the revised terms of the Privacy Policy, kindly discontinue the use of Our Website and Services. By continuing to use Our Website or Services after the implementation of the new version of Our Policy, you are acknowledging and agreeing to abide by the updated terms of the Policy.

8. Links to Third-Party Websites

Occasionally, We may include references or links to products or services provided by third parties (“Third-Party Services”) on Our Website. Please note that these Third-Party Services are not operated or controlled by the Entity, and their privacy policies are entirely separate and independent from Ours. As such, We do not assume any responsibility for the content and activities of these third-party sites. Our Policy applies solely to the Website and the Services offered by Us. The Policy does not extend to Third-Party Services such as Our LinkedIn Page.

9. Invisible ReCAPTCHA

The invisible reCAPTCHA analyzes activity on a web page function (e.g., mouse movements and typing patterns) to discern whether a user is a robot.

The invisible reCAPTCHA service may collect information from your device, and the information collected is retained in accordance with its respective privacy policy.

10. Individuals Under the Age of 14

We do not knowingly collect or use Personal Information from individuals under the age of 14. If you are under the age of 14, please refrain from providing Us with your Personal Information without the consent of your parents or guardian. In the event that you, as a parent or guardian, become aware that your child has provided Personal Information to Us without consent, please contact Us using the contact information provided in Section 1(b) above to request that We delete that child's Personal Information from Our systems.

11. Applicable Laws

The laws of Canada and Quebec, excluding conflict of law rules, will govern this Agreement and your use of the Website. Your use of the Website may also be subject to other local, provincial, national, or international laws.

Last updated: April 4, 2024