GOVERNANCE POLICY RELATING TO PERSONAL INFORMATION AND CONFIDENTIALITY

Emblem Cranberry Inc. (“Emblem Cranberry” or “ we ”), is committed to ensuring the accuracy, security and confidentiality of personal information in accordance with applicable laws. This Policy constitutes an official statement of the principles and guidelines regarding the protection of the personal information of our customers, our service providers and other individuals (“you”).

Any reference to the “law” means the Act respecting the protection of personal information in the private sector ( chapter P-39.1) as well as its regulations.

Consent

BY PROVIDING PERSONAL INFORMATION TO EMBLEM CRANBERRY OR ITS SERVICE PROVIDERS AND AGENTS, YOU AUTHORIZE US TO COLLECT, USE AND DISCLOSURE SUCH PERSONAL INFORMATION IN ACCORDANCE WITH THIS POLICY AND AS PERMITTED OR REQUIRED BY LAW. Subject to legal and contractual requirements, you may refuse or withdraw your consent with respect to certain of the purposes identified at any time by contacting the Privacy Officer of Emblem Cranberry, whose contact details are provided below (the “ Manager ”, this designation may also designate from time to time any other person or committee whose power has been delegated by the Manager). If you provide Emblem Cranberry or its service providers and agents with personal information concerning another individual, you represent that you have the necessary authority to do so and/or that you have obtained all necessary consents from that individual. particular to enable us to collect, use and disclose this personal information for the purposes set out in this Policy.

Role of the Manager

The Manager and his governance committee have, in particular, but not limited to, the responsibilities described in Appendix A.

Collection of Personal Information

The definition of “personal information” under Canadian privacy legislation generally includes information about an identifiable individual or information that allows an individual to be identified. For the purposes of this Policy, “personal information” means information about an identifiable individual as defined from time to time in applicable privacy legislation. Generally speaking, personal information does not include that generally considered to be of a professional nature: name, title or functions, professional address as well as professional telephone and fax numbers or professional email address. The personal information that Emblem Cranberry may collect about you includes your name, your home address, your home telephone number, your home email address, any other personal information that you voluntarily transmit to us (for example, by sending us your resume or contact information via the website), billing and account information, etc.

We also collect from former employers and other third parties, as well as other publicly available sources, personal information about prospective or current employees, contractors and partners that is reasonably necessary to establish, maintain or terminate an employment relationship, contractual relationship or partnership.

Personal information may be obtained from time to time, in particular, but not limited to, via the Emblem Cranberry website, by email, by social networks, in person, etc. Depending on the required use, personal information may be used by Emblem Cranberry, including by its duly authorized employees in the exercise of their functions, all in accordance with this Policy as well as the internal governance policy. .

Why do we collect Personal Information?

In general, Emblem Cranberry collects, uses and communicates personal information concerning its customers and service providers for administrative and/or operational purposes. From time to time, Emblem Cranberry collects, uses and communicates personal information concerning candidates for vacant positions within the company, all in order to evaluate the application and decide whether there is reason to establish an employment relationship, contractual relationship or partnership (and subsequently maintain or terminate it). In particular, we collect, use and disclose your personal information for the following purposes:

establish and maintain relationships with customers and suppliers. This may include the communication of personal information for these purposes by Emblem Cranberry personnel;

  • communicate personal information to third parties and receive personal information from them in order to fulfill the operational and administrative obligations of Emblem Cranberry, particularly in matters of employment. These third parties may include business partners, suppliers, customers, outsourcing agencies, etc.
  • evaluate whether Emblem Cranberry should establish commercial relationships with customers, suppliers and other third parties;
  • establish and maintain business relationships with customers, suppliers and other third parties, including issuing invoices, administering accounts, collecting and processing payments and fulfilling contractual obligations;
  • establish, maintain or terminate an employment relationship, contractual relationship or partnership;
  • understand and respond to the needs and preferences of customers, suppliers and other third parties, including communicating with such parties and organizing surveys, research and evaluations, if desired by Emblem Cranberry;
  • develop, improve, market, sell or otherwise provide Emblem Cranberry products;
  • develop and manage the activities and operations of Emblem Cranberry;
  • undertake commercial operations, including purchase, sale, rental, merger, consolidation or any other type of acquisition, alienation or financing in which Emblem Cranberry takes part;
  • collect, use and communicate your personal information as permitted by legal or regulatory requirements or provisions and to comply with these requirements or provisions; and
  • collect, use and communicate your personal information for any other purpose to which you consent.

Personal Information may be communicated

From time to time, Emblem Cranberry may communicate your personal information to the following people:

  • service providers, including an organization or individual whose services have been retained by Emblem Cranberry to carry out certain functions on its behalf, such as subcontracting services, human resources agencies, services data processing, document management and administrative services;
  • a financial institution, on a confidential basis and solely in connection with the payment of salaries to employees, the assignment of a right to receive payment, the provision of security or other financing arrangements;
  • a person who, in the reasonable opinion of Emblem Cranberry, provides the information as your agent or seeks this information in that capacity;
  • members of Emblem Cranberry personnel, federal and provincial government authorities, insurers (including ours), benefit providers, consultants or agents to the extent that such personal information is reasonably necessary to protect the interests of Emblem Cranberry, to establish or maintain an employment relationship, a contractual relationship or a partnership, or to terminate it; and
  • one or more third parties, when you consent to this communication or if the communication is required or authorized by law.

Storage of the Personal Information

Your personal information is kept in secure locations and on servers, this access of which are controlled by Emblem Cranberry, located either in our offices or in the offices of our service providers.

How you can access your Personal Information?

Requests for access to personal information should be sent to our Manager.

Upon written request from you, Emblem Cranberry, subject to certain exceptions, shall keep you informed of the existence of personal information in your regard, of its use and of the fact that it has been communicated to third parties and shall allow you to have access to it.

Protection of your personal information

Emblem Cranberry uses administrative and technological security measures corresponding to the degree of sensitivity of your personal information in order to protect its confidentiality. We use secure data networks protected by industry standard firewalls and password protection systems. We ensure that customer personal information communicated to third parties for processing is protected.

Conservation and Destruction of Personal Information

Emblem Cranberry will retain documents, including documents containing commercially sensitive and personal information, for as long as necessary for the purposes for which they were collected or created, or for their use in accordance with this Policy.

Personal information that Emblem Cranberry no longer needs to retain for the purposes for which it was collected or created may nevertheless be retained in the following circumstances:

  1. a law requires or authorizes such retention of the personal information;
  2. the personal information is contained in a document or file that is the subject of an unfinished legal action or an access request or an unresolved complaint.

For any personal information that was used for the purposes for which it was collected and which must not be retained under the above, the personal information will be destroyed in a manner appropriate to its format:

  1. A paper document containing personal information, and all copies, will be shredded as part of the destruction process;
  2. Electronic data containing personal information will be deleted from the hardware hosting the data;
  3. Before hardware hosting electronic data is discarded or destroyed, electronic data containing personal information will be deleted.

Right to access, rectification, control of the communication and portability of personal information

At the request of a person concerned by the holding of personal information by Emblem Cranberry, Emblem Cranberry will confirm the existence of the holding of said personal information and will communicate it to them. Any person may request that personal information be deleted if its collection was not authorized by law.

A person may ask Emblem Cranberry to obtain a copy of the computerized personal information collected by the company or to transfer this personal information to any person or organization as authorized by law to collect such information. Emblem Cranberry, however, reserves the right to refuse to respond to a portability request if it raises serious practical difficulties.

A request for access, rectification, portability or to control the communication of personal information can only be considered by Emblem Cranberry if it is made in writing to the Manager by a person proving their identity as a person concerned within the meaning of the law. The request for rectification can only concern information deemed to be inaccurate, incomplete or equivocal.

Unless authorized by the Commission d’accès à l’information (“CAI ”) granting it a longer period (in particular during a request for data portability), Emblem Cranberry will respond to this request diligently and at most within 30 days of the date of receipt. If it fails to respond within the time limit, Emblem Cranberry is deemed to have refused to comply with the request. In the event of a refusal, Emblem Cranberry will communicate in writing with the applicant giving the reasons for the refusal based on the relevant legislative provisions, as well as informing the applicant of its right of appeal and the related deadline.

Access to personal information contained in a file is free. However, Emblem Cranberry reserves the right to charge reasonable fees from the applicant for the transcription, reproduction or transmission of information.

Handling complaints

Any complaint relating to the personal information protection practices of Emblem Cranberry or its compliance with the requirements of the Law must be sent to the Manager in writing.

Following receipt of the complaint, an acknowledgment of receipt will be sent to the complainant containing the following information:

  1. a description of the complaint received, specifying the complaint made against Emblem Cranberry;
  2. the alleged damage suffered or the corrective measure requested;
  3. the name and contact details of the person responsible for handling the complaint;

In the case of an incomplete complaint, a notice will be sent containing a request for additional information to which the complainant must respond within a set deadline, failing which the complaint is deemed abandoned.

All complaints are treated confidentially.

The Manager will process any complaint within 30 days following receipt of all the information necessary for its study, by sending a written response to the complainant. In the exceptional event that a complaint cannot be processed within the deadline, the complainant is informed of the reasons for the delay and the steps taken to date in processing their complaint. He is also informed of the deadline within which the decision will be transmitted to him.

Privacy incidents

A confidentiality incident constitutes any access, use or communication not authorized by law of personal information, or any loss or other attack on the protection of this information. If you become aware of a confidentiality incident of which Emblem Cranberry is not aware, please communicate in writing with the Manager as soon as possible.

In the presence of a privacy incident with a plausible risk of serious harm

The Manager will inform the following entities and persons:

  1. A notice will be sent to the CAI promptly, according to the formalities and procedures then required by the CAI;
  2. Notice will be provided, by any means possible, to the person(s) affected by the confidentiality incident, to the extent that they are at risk of serious harm. No notice will be sent if such notification is likely to hinder an investigation carried out by an entity responsible for preventing, detecting or repressing a violation of any law.
  3. A notice will be sent to any other relevant person if the situation requires it (e.g.: foreign authority, police forces, or others).

In the absence of a plausible risk of serious harm

The Manager determines whether it is appropriate to inform the person concerned of the privacy incident. It may choose to do so for reasons of transparency or business management. These reasons are then documented in the confidentiality incident log.

Emblem Cranberry maintains a confidentiality incident register allowing it to document confidentiality incidents that may arise from time to time.

For further information relating to the management of privacy incidents, do not hesitate to request a copy of the Privacy Incident Management Policy from the Manager.

Privacy Protection and Our Website

Cookies – When a visitor accesses the Emblem Cranberry website, we may use a browser device called a “cookie” to collect information such as IP address, language used, website referral (if applicable), the type of Internet browser and operating system the visitor is using, the domain name of the website the visitor came from, the date and duration of the visit, the number of visits, the average time the visitor spent on our website, the pages they viewed and the number of cookies accumulated. A cookie is a small text file containing a unique identification number that identifies the visitor's browser (but does not necessarily identify the visitor) to our computers each time someone visits our website. We do not know the identity of visitors who access our website unless they specifically tell us (e.g. by sending us correspondence from the website). In addition to the specific purposes described in our Policy, we may use this information from the website and share it with other organizations with whom we have commercial relationships in order to measure the use of our website, improve functionality and content and make it easier for visitors to use. Visitors can reset their browser to be notified when they receive a cookie or refuse cookies. However, if they refuse cookies, they may be unable to use some of the features of our website.

Online Communications – In order to receive a service or information, visitors to our website may voluntarily provide us with personal information in order to ask questions, request information, apply for a job, send us their resume, consult or to download publications.

Links – Our website may contain links to other websites. These links are provided for your convenience only. We advise visitors that third-party websites may have different privacy policies and practices than those of Emblem Cranberry and Emblem Cranberry disclaims all liability with respect to third-party websites.

Changes to the Policy

Emblem Cranberry reserves the right to modify or supplement this Policy at any time. If we make changes to this Policy, we will post those changes on our website and the amended policy and changes will be available upon request to the Manager. However, Emblem Cranberry will obtain the necessary consents required under applicable privacy laws if we intend to collect, use or communicate personal information about you for purposes other than those for which you have given your consent, unless otherwise authorized by law.

Other information

Emblem Cranberry has appointed Mr. Miguel Lavertu, Chief Financial Officer, CPA, to the position of Manager. The latter will be responsible for ensuring compliance with this Policy and applicable laws in this area. For further information, please contact the following address:

Mr. Miguel Lavertu , financial director, CPA

Emblem Cranberry Inc.

487, rue Bergeron

Sainte-Eulalie (Quebec) G0Z 1 E 0

+1 819 225-4141

mlavertu@emblemecanneberge.com

 

APPENDIX A

RESPONSIBILITIES OF THE MANAGER

 

Compliance obligations/efforts

  • Ensure compliance with respect to personal information protection, security and confidentiality;
  • Ensure that existing and new services comply with privacy and data security obligations;
  • Ensure the organization has and maintains appropriate privacy and confidentiality consent forms, authorization forms, information notices and documents that reflect current practices and requirements both internally and legally;
  • Ensure that the Policy is integrated in the operations of the company;
  • Maintain knowledge of privacy legislation and monitor developments in information technology relating to the protection of personal information to ensure that the organization adapts accordingly;

 

Collaboration within the organization

  • Work with operational teams and senior management to ensure they are made aware of “best practices” on issues related to the protection of personal information and data security;
  • Collaborate in the development of online personal information protection and cybersecurity policies and procedures;
  • Work in collaboration with relevant units of the organization to oversee consumers' information access rights;
  • Liaise regarding the protection of personal information;

 

Incident response

  • Mitigate the effects of unauthorized use or disclosure of personal information by employees or business partners;
  • Administer measures relating to any complaints about the organization's personal information protection policies and procedures in coordination and collaboration with other similar functions and, if necessary, legal advisors;

 

Employee training

  • Continuously organize training and awareness activities on the protection of personal information;

 

Data governance

  • Ensure that the use of technology has the effect of maintaining, and not eroding, the safeguards that apply to the use, collection and disclosure of personal information;
  • Carry out adequacy assessments to ensure that any communication of personal information outside Quebec offers adequate protection of the personal information concerned;
  • When required, conduct periodic privacy impact assessments and ongoing compliance monitoring activities;
  • Consider individual requests for communication or disclosure of personal or protected information and managing these requests;

 

Contracts with third parties

  • Develop and manage procedures for approving and verifying supplier compliance with policies and legal requirements regarding the protection of personal information and data security;
  • Ensure that written agreements entered into with data processing service providers appropriately address the risks identified in privacy impact assessments;
  • Collaborate with legal counsel regarding contracts with business partners;

 

Development and improvement of the personal information protection program

  • Develop and coordinate a risk management and compliance framework for the protection of personal information;
  • Establish a process for receiving, documenting, investigating and taking necessary action regarding any complaints regarding the organization's policies and procedures regarding the protection of personal information;
  • Lead the planning, design and evaluation of projects relating to personal information protection and data security;
  • Establish an internal audit program for the protection of personal information;
  • Periodically review the privacy program in light of changes to laws, regulations or company policies.

 

Grand Bleu Visit Grand Blue, our sister company.