PRIVACY PROTECTION POLICY

1. PREAMBLE

As part of its activities and mission, Tonic DNA processes personal information, particularly that of its employees and self-employed workers with whom it does business. As such, Tonic DNA recognizes the importance of respecting privacy and protecting personal information. Tonic DNA has adopted this policy to fulfill its obligations in this regard. It sets out the framework principles applicable to the protection of personal information held by Tonic DNA throughout its life cycle, as well as the rights of the persons concerned. Protecting personal information is the responsibility of everyone who handles this information.

2. SUBJECT

This policy:
- Sets out Tonic DNA’s governance principles regarding personal information throughout its life cycle;
- Sets a framework for exercising the rights of the persons concerned;
- Provides for the processing of privacy complaints;
- Defines Tonic DNA’s privacy protection roles and responsibilities; and
- Describes Tonic DNA’s staff training and awareness-raising activities.

3. REGULATORY FRAMEWORK

This policy is governed by the Act respecting the protection of personal information in the private sector and the applicable privacy protection regulations.

4. DEFINITIONS

For the purposes of this policy:
“CAI” means the Commission d’accès à l’information du Québec.
“Life cycle” means all the steps involved in handling personal information, i.e., its collection, use, communication, retention and destruction.
“Privacy Impact Assessment” or “PIA” means the preventive approach that aims to better protect personal information and respect the privacy of natural persons. It involves considering all the factors that could have a positive or negative impact on the privacy of the people concerned.
“Confidentiality incident” means any unauthorized access, use or communication of personal information, or any loss or other breach of the protection of such information.
“Act” means the Act respecting the protection of personal information in the private sector.
“Person concerned” means a natural person to whom personal information relates.
“Profiling” means the collection and use of personal information to assess certain characteristics of a physical person, in particular for the purpose of analyzing the physical person’s work performance, economic situation, health, personal preferences, interests or behaviour.
“Personal information” means any information relating to a natural person, which enables that person to be identified directly, either by recourse to that information alone, or indirectly, i.e., in combination with other information.
“Sensitive personal information” means any personal information that, because of its nature, including medical, biometric or otherwise intimate, or because of the manner in which it is used or disclosed, leads to a high reasonable expectation of privacy.
“Person in charge of the protection of personal information” or “PPPI” means the person within Tonic DNA who is responsible for ensuring compliance with and implementation of the Act. The designated person at Tonic DNA is the HR Supervisor.

5. SCOPE

This policy applies to personal information held by Tonic DNA and to any person who handles personal information for Tonic DNA, such as service providers or subcontractors.

6. HANDLING PERSONAL INFORMATION

Personal information is protected throughout its life cycle in accordance with the following principles, taking into account the exceptions under the Act.

6.1 COLLECTION

6.1.1 Tonic DNA only collects personal information that is necessary for carrying out its business. Before collecting personal information, Tonic DNA identifies the purposes for which it is to be used.
6.1.2 Personal information is collected from the person concerned, except where the Act permits collection from a third party.
6.1.3 At the time of collection, and thereafter upon request, Tonic DNA informs the persons concerned, at least, of:
– the purposes for which the information is collected;
– the means by which the information is collected;
– the rights of access and rectification under the Act;
– their right to withdraw consent to the communication or use of the information collected;
– where applicable, the name of the third party for whom the information is collected;
– where applicable, the names of third parties or categories of third parties to whom it is necessary to communicate the information for the stated purposes;
– when applicable, of the possibility that the information may be disclosed outside of Quebec; and
– where applicable, the use of technology that includes functions for identifying or profiling the person concerned.
6.1.4 The information listed in section 6.1.3 is given in simple and clear terms, through a confidentiality policy or a “just-in-time” notice.

6.1.5 The person concerned who provides their personal information after receiving the information in section 6.1.3 is presumed to consent to its use and communication for the stated purposes.
6.1.6 At the request of a person concerned, Tonic DNA shall also inform them of the following:
– personal information collected from them;
– the persons who have access to this information within Tonic DNA;
– how long the information will be retained; and
– contact details for Tonic DNA’s PPPI at vieprivee@tonicdna.com.

6.1.7 When consent is legally required, i.e., when it cannot be presumed in accordance with sections 6.1.3 and 6.1.5 and no exception to consent applies, it must be manifest, free, informed and given for specific purposes. Also, the use of clear, simple language is required for each of these purposes. This consent is valid only for the time necessary to achieve the purposes for which it was requested.

6.2 USE

6.2.2 Tonic DNA uses personal information only for the purposes for which it was collected. However, Tonic DNA may modify these purposes with the consent of the person concerned.
6.2.3 In any of the following cases, Tonic DNA may also use it for secondary purposes without the consent of the person concerned:
– when the use is for purposes compatible with those for which the information was collected (compatible purposes exclude commercial or philanthropic prospecting);
– when the use is clearly for the benefit of the person concerned;
– when its use is necessary to prevent and detect fraud or to evaluate and improve protection and security measures;
– when its use is necessary to provide or deliver a product or service requested by the person concerned;
– when its use is necessary for study, research or statistical purposes and the information is depersonalized; and
– when its use is necessary for tax purposes.
6.2.4 Where the proposed use for secondary purposes involves sensitive personal information, Tonic DNA must obtain the express consent of the persons concerned.

6.3 COMMUNICATION

6.3.1 Subject to the exceptions under the Act, Tonic DNA cannot communicate personal information without the consent of the person concerned. Consent must be given expressly when sensitive personal information is involved.
6.3.2 Tonic DNA may disclose personal information without consent to an agent or service provider in connection with a service mandate or contract. For this purpose, Tonic DNA must enter into a written agreement the with the agent or service provider, which stipulates, at a minimum, the measures to be taken by the agent or service provider:
– to protect the confidentiality of personal information;
– to ensure that this information is only used to carry out the mandate or contract; and
– so that the information is not retained by the agent or service provider after the expiration of the mandate or contract.
In addition, the agreement must specify the following:
– the agent or service provider shall promptly notify the PPPI of any breach or attempted breach by any person of any of the obligations relating to the confidentiality of the disclosed information;
– Tonic DNA’s PPPI reserves the right to carry out any verification relating to this confidentiality.
6.3.3 When personal information is disclosed outside of Quebec, Tonic DNA conducts a PIA in accordance with section 7 hereof.

6.4. RECORD OF COMMUNICATIONS

6.4.1 Tonic DNA maintains certain communications of personal information, which are:
– to a person or organization that has the power to compel Tonic DNA to disclose personal information and that requires such information to perform their duties;
– to a person who must receive the information because of a situation endangering the life, health or safety of the person concerned, or to whom Tonic DNA may communicate the information in order to prevent an act of violence, including suicide, in the event of a serious risk of death or serious injury to an identifiable person or group of persons;
– to an archive or to any person, in the latter case, if the document is more than 100 years old or if the person concerned has been deceased for more than 30 years;
– to a person or organization for the purposes of a service or business mandate or contract;
– to the other party to a commercial transaction if communicating the information is necessary to complete the transaction;
– to a person who may use the information for study, research or statistical purposes or to a person authorized by the CAI to use the information;
– to a person who is legally authorized to collect debts for others and who requires the information for this purpose in order to perform their duties; and
– to a person if the information is required to collect a debt owed to Tonic DNA.

6.5 RETENTION

6.5.1 Tonic DNA takes all reasonable steps to ensure that the personal information that it holds is up to date, accurate and complete for the purposes for which it is collected or used.
6.5.2 Tonic DNA retains personal information for as long as necessary to carry out its business, subject to reasonable retention periods established by the company.

6.6 DESTRUCTION AND ANONYMIZATION

6.6.1 Once the purposes for which the personal information was collected have been fulfilled, the information is destroyed or anonymized in accordance with Tonic DNA’s retention schedule and document management rules.

7. PRIVACY IMPACT ASSESSMENT

7.1 Under the supervision of the PPPI and the Security Committee, Tonic DNA conducts a PIA, particularly with regard to the following processing of personal information:
– before undertaking any project involving the acquisition, development or redesign of an information system or the electronic delivery of services involving personal information;
– before disclosing personal information without consent to a person or organization wishing to use the information for study, research or statistical purposes; and
– when Tonic DNA intends to communicate personal information outside of Quebec.
7.2 In conducting a PIA, Tonic DNA considers the sensitivity of the information to be processed, the purposes for which it is to be used, the amount, distribution and medium of the information, and the proportionality of the proposed measures for protecting personal information.
7.3 In addition, when personal information is communicated outside of Quebec, Tonic DNA ensures that it is adequately protected, in particular with respect to generally accepted principles for the protection of personal information.
7.4 Completing a PIA serves to demonstrate that Tonic DNA has complied with all personal information protection obligations and that all measures have been taken to effectively protect personal information.

8. RIGHTS OF PERSONS CONCERNED

8.1 Subject to applicable law, any person concerned about whom Tonic DNA holds personal information has the following rights, among others:
– the right to access and obtain a copy of personal information held by Tonic DNA, whether in electronic or non-electronic format;
o unless this raises serious practical difficulties, computerized personal information collected from a person concerned, and not created or inferred from personal information relating to them, is communicated to them in a structured and commonly used technological format, at their request. This information is also communicated, upon request, to any person or organization that is legally authorized to collect such information;
– the right to rectify any incomplete or inaccurate personal information held by Tonic DNA;
– the right to request the deletion of outdated or unjustified information, or to make written comments to Tonic DNA;
– the right to ask Tonic DNA to stop disseminating information or to deindex any hyperlink attached to its name by technological means when the dissemination of this information is in violation of the Act or a court order;
– the right to ask Tonic DNA to stop distributing information or to deindex or reindex any hyperlink attached to its name when the following conditions are met:
o the dissemination of this information causes serious damage to their right to respect for their reputation or their private life;
o this damage clearly outweighs the public interest in knowing the information or the interest of any person in expressing themselves freely; and
o the requested cease of dissemination, reindexing or deindexing does not exceed what is necessary to prevent the damage from persisting, taking into account, in particular, whether the person concerned is a public figure or not, whether the information concerns a minor, whether the information is up to date and accurate, the sensitivity of the information, the context in which the information is disseminated, the time elapsed between the dissemination of the information and the request made to Tonic DNA, whether the information concerns criminal or penal proceedings, the granting of a pardon or the application of a restriction on access to court registers.
– The spouse or close relative of a deceased person may ask Tonic DNA for any personal information it holds about that person, if knowledge of the information is likely to help them in the grieving process and the deceased person has not recorded in writing their refusal to grant this right of access.

8.2 Although the right of access may be exercised at any time, access to documents containing this information is subject to certain exceptions identified in the Act.

8.2.1 Tonic DNA may refuse to disclose personal information to a person where disclosure of the information could reasonably be expected to:
– interfere with an investigation conducted by its internal security department for the purpose of preventing, detecting or suppressing crime or breaches of the Act or, on its behalf, by an external department that has the same purpose or a security guard or investigation agency licensee in accordance with the Private Security Act; and
– have an effect on legal proceedings in which any of these persons has an interest.

8.2.2 Tonic DNA shall refuse to communicate any personal information:
– to a person concerned when its disclosure would likely reveal personal information about a third party or the existence of such information and such disclosure would be likely to seriously harm that third party, unless the latter consents to its disclosure or it is an emergency case endangering the life, health or safety of the person concerned; and
– to the liquidator of the estate, the beneficiary of life insurance or a death benefit, the heir or successor of the person to whom the information relates, unless such communication would jeopardize the interests and rights of the person requesting it as liquidator, beneficiary, heir or successor, subject to the right of the spouse or parent of a deceased person mentioned above.

8.3 The request for access to personal information must be sufficiently precise to enable the PPPI to identify said personal information. The right of access applies only to existing personal information.

8.4 The PPPI will respond to requests for access or rectification in writing, promptly and no later than 30 days from the date of receipt of the request.

8.5 Access to personal information contained in a file is free of charge. However, Tonic DNA may charge a reasonable fee for the transcription, reproduction or transmission of such information, after informing the applicant of the approximate amount payable, prior to proceeding with the transcription, reproduction or transmission of such information.

8.6 When the PPPI grants a request for correction or deletion, it notifies any person who has received the information in the previous six months and, where applicable, the person who holds the information, of the correction or deletion. Additionally, a copy of any personal information modified or added, or, in some cases, a confirmation of deletion of the personal information, is issued to the applicant free of charge.

8.7 Failing to respond within 30 days of receiving the request, Tonic DNA will be deemed to have refused to grant the request. That said, the PPPI must provide reasons for any refusal to approve a request, indicating the provision of the Act on which the refusal is based, the remedies available to the applicant under the Act and the time limit within which they may be exercised. They must also assist the applicant in understanding the refusal.

9. COMPLAINT PROCESS

Any complaints regarding Tonic DNA’s personal information protection practices or compliance with legal requirements regarding personal information will be forwarded to the PPPI, who will respond within 90 days.
The PPPI will present the complaint to Tonic DNA’s Safety Committee, which will carry out a detailed analysis. The aim is to determine the seriousness and consequences of the confidentiality incident, as well as the likelihood of personal information being used for harmful purposes. After reasonable recommendations have been issued, the PPPI will be responsible for following up on these recommendations to ensure that they have been implemented in the organization. The analysis will be recorded in a confidentiality incident report, which will be kept for a minimum period of five years.

10. SECURITY OF PERSONAL INFORMATION

10.1 While we cannot guarantee zero risk, Tonic DNA implements reasonable security measures to ensure the confidentiality, integrity and availability of personal information that is collected, used, disclosed, retained or destroyed. These measures take into account the sensitivity of the personal information, the purpose for which it is collected, as well as its quantity, location and medium.
10.2 Tonic DNA manages the access rights of its staff members so that only those who are subject to a confidentiality undertaking (if applicable) and who require access while performing their duties have access to personal information.

11. CONFIDENTIALITY INCIDENTS

11.1 Any confidentiality incident will be dealt with in accordance with Tonic DNA’s procedure. Tonic DNA then takes reasonable steps to reduce the risk of damage and to prevent further incidents of a similar nature. It updates its Privacy Protection Program as required.
11.2 All confidentiality incidents are reported to the PPPI and recorded in the confidentiality incident register, in accordance with section 12.1 of this policy.
11.3 If the confidentiality incident presents a risk of serious harm to the persons concerned, Tonic DNA will promptly notify them and the CAI in accordance with its incident response procedure.

12. CONFIDENTIALITY INCIDENT REGISTER
12.1 Tonic DNA maintains a confidentiality incident register in compliance with the Act and its regulations. Such a register includes:
– a description of the personal information affected by the incident or, if this information is not available, the reason why such a description cannot be provided;
– a brief description of the circumstances of the incident;
– the date or time when the incident took place or, if this is not known, an approximation of this occurrence;
– the date or time during which the organization became aware of the incident;
– the number of people affected by the incident or, if not known, an approximation of this number;
– a description of the factors that lead Tonic DNA to conclude whether a risk of serious harm to the persons concerned, such as the sensitivity of the personal information concerned, the possible malicious uses of this information, the apprehended consequences of its use and the likelihood that it will be used for prejudicial purposes;
– if the incident presents a risk of serious harm being caused, the dates on which notices were sent to the CAI and to the persons concerned, pursuant to the second paragraph of section 3.5 of the Act respecting the protection of personal information in the private sector, as well as a statement indicating whether public notices were given by Tonic DNA, as well as the reason, if applicable;
– a brief description of the measures taken by Tonic DNA, following the occurrence of the incident, to reduce the risk of damage being caused; and
– any other item provided for in the Regulation respecting confidentiality incidents.

13. ROLES AND RESPONSIBILITIES

13.1 The protection of personal information held by Tonic DNA relies on the commitment of all parties handling such information, particularly of those with the following roles:

13.2 The PPPI:
– is a role held by the HR Supervisor unless otherwise specified in writing by management;
– is designated in writing by the person with the highest authority within Tonic DNA;
– ensures that Tonic DNA complies with and implements the Act;
– ensures the establishment and implementation of policies and practices that oversee the company’s governance of personal information and that assure its protection, including by approving such policies and practices;
– is consulted, for the purposes of a PIA, at the outset of any project involving the acquisition, development or redesign of an information system or the electronic delivery of services involving the collection, use, disclosure, retention or destruction of personal information;
– at any stage of a project covered by the previous point, the PPPI may suggest measures to ensure the protection of personal information involved in the project, such as:
o the appointment of a person to be responsible for implementing the personal information protection measures;
o measures to protect the personal information in any document relating to the project;
o a description of the project participants’ responsibilities with regard to the protection of personal information; or
o training activities for project participants on the protection of personal information.
– oversees the maintenance of the registers provided for in sections 6.4 and 13 of this policy;
– is involved in assessing the risk of serious harm associated with a confidentiality incident, particularly with regard to the sensitivity of the information concerned, the anticipated consequences of its use, and the likelihood of it being used for malicious purposes;
– collaborates with the relevant government authorities and stakeholders in the event of a confidentiality incident;
– where applicable, records the communication of a confidentiality incident to a person or organization likely to reduce the risk of harm;
– where applicable, verifies confidentiality obligations in connection with the communication of personal information under service mandates or contracts entrusted to third parties in accordance with section 6.3.2 of this policy;
– receives written requests from data subjects to exercise their rights and ensures compliance with sections 9.5 to 9.8 of this policy; and
– reports annually to the Executive Committee, comprised of the Partners and the Managing Director, on Tonic DNA’s compliance with legal requirements, and ensures that these are respected and implemented.
– The PPPI can be reached at vieprivee@tonicdna.com.

13.3 Any person who handles personal information held by Tonic DNA:
– integrates the principles set out in this policy into their activities;
– has access only to the information required to perform their duties;
– integrates and retains information only in files intended for the performance of their duties;
– retains these files in such a way that only authorized persons have access to them;
– protects access to personal information in their possession or to which they have access by means of a password;
– refrains from disclosing personal information that comes to their knowledge in the performance of their duties unless duly authorized to do so;
– refrains from retaining, at the end of their employment or contract, personal information obtained or collected while performing their duties and maintains their duty of confidentiality;
– destroys all personal information in accordance with Tonic DNA’s retention schedule;
– participates in awareness and training activities on the protection of personal information; and
– reports any breach, confidentiality incident or any other situation or irregularity that could compromise in any way the security, integrity or confidentiality of personal information in accordance with the procedure established by Tonic DNA.

13.4 Any member of the Management Committee, consisting of the Partners and the Managing Director:
– provides the support and resources needed to assist the PPPI in fulfilling their duties.

14. APPROVAL

This policy and all personal information protection-related policies arising from it are subject to the approval of the members of the Management Committee, represented by the Managing Director, and of the PPPI of Tonic DNA.

15. AWARENESS-RAISING ACTIVITIES

Tonic DNA offers its staff training and awareness activities on personal information protection. As part of these activities, TONIC DNA:
- offers a page of privacy protection resources and information accessible to all employees on the intranet;
- will raise awareness among all employees through ongoing communications; and
- will organize an information session when this policy comes into effect, including any major updates. These sessions will be recorded and accessible at all times.

16. SANCTIONS
Any person who violates this policy is liable to disciplinary action in accordance with the applicable regulatory framework.

17. UPDATE

In order to keep pace with changes in applicable personal information protection laws and to improve Tonic DNA’s Privacy Protection Program, this policy may be updated from time to time. Please refer to the policy on our intranet or contact PPPI for the latest version.

18. IMPLEMENTATION

This policy comes into effect upon its adoption by Tonic DNA’s Executive Committee and PPPI.