Privacy

Context

The COGIRES Group is divided into three (3) different entities, namely Hôtel Château Laurier Québec, Hôtel Château Bellevue, and Le Georges V – Banquet and Catering Services, Inc. (including Le Croquembouche bakery). Each of our entities operates in different sectors, but shares a common commitment to excellence and privacy. The different entities also share the same Privacy Officer and the same computing equipment.

The protection of personal information and the management of privacy incidents are societal issues that the COGIRES Group considers seriously. This is why the COGIRES Group diligently complies with the requirements of Law 25 and therefore adheres to the definitions related to it. The term “Privacy Incident” is defined as any access, use or disclosure of Personal Information unauthorized by law, as well as the loss of Personal Information or other breach of protection of Personal Information.

In addition, the term “Personal Information” is defined as any information, taken alone or in combination with other available information, about an individual that identifies him or her, such as information about his or her financial situation, lifestyle or health. However, the name of an individual, as well as his or her professional contact information, such as title, address, telephone number and professional email address, are not Personal Information subject to Law 25.

Personal Information must be protected regardless of the nature of its medium and regardless of its form: written, graphic, audio, visual, computerized or otherwise.

Accountability

The COGIRES Group is responsible for all Personal Information in its possession or management, including Personal Information received directly—for example from COGIRES customers and staff.

The COGIRES Group adheres to good cybersecurity practices by conducting, together with its IT partner, a holistic and rigorous cybersecurity program based on the NIST Cybersecurity Framework. A cyber risk assessment of the company’s IT assets was conducted, and a cyber risk management strategy was developed to implement a series of mitigation measures to protect IT assets, including Personal Information.

The COGIRES Group has also assigned a Privacy Officer and delegated certain cybersecurity responsibilities to its IT partner through a range of managed cybersecurity services. The cybersecurity program executed in partnership with an IT firm ensures the protection of privacy and Personal Information on behalf of the COGIRES Group. A publication was also made on the website and the staff were informed of the existence of the Privacy Policy and the Governance Policies and Practices Regarding Personal Information, as well as the role everyone should play in ensuring the privacy of all guests and team members.

For questions about the practices of the COGIRES Group on the matter, contact the Privacy Officer via email at confidentialite@vieuxquebec.com or by phone at 418-522-3848 ext. 1633.

Purposes for Which Personal Information Is Collected

The COGIRES Group collects, uses and discloses Personal Information about team members to comply with laws, regulations and professional standards, to provide benefits, to administer performance management tools, to administer, manage, monitor and enforce the programs and policies of the COGIRES Group and its relations with its employees, and, generally, to establish, manage or terminate bonds of employment or association.

The COGIRES Group may also collect and use Personal Information about individuals who apply for employment with the company in order to assess the possibility of hiring.

The COGIRES Group may also collect and use Personal Information belonging to customers in order to be able to offer the best possible service during a present or future stay.

Personal Information may be collected without notice or consent, to the extent permitted by law.

Consent

The COGIRES Group ensures that it obtains the valid consent of the individuals concerned before collecting, using or disclosing their Personal Information, except as authorized or required by law.

Collection Limits

The COGIRES Group collects by legitimate and legal means only Personal Information that it may reasonably deem necessary to meet its legal obligations, offer its services and carry out its business activities.

Limitation of Use and Disclosure

The COGIRES Group uses and discloses your Personal Information only for the purposes for which it has obtained your consent, or as permitted or required by law. If the COGIRES Group needs to use or disclose Personal Information about an individual for a purpose not previously reported, the COGIRES Group will first seek the consent of the individual concerned, unless the law requires or permits the use or disclosure of Personal Information without the consent of the individual.

The COGIRES Group retains your Personal Information for as long as necessary to fulfill the identified purposes except as permitted or required by law. All human resources files and other records that contain Personal Information about the employees of the COGIRES Group are destroyed when such information can no longer reasonably be considered necessary for legal, regulatory or administrative purposes.

The COGIRES Group does not sell Personal Information to third parties and does not use or disclose Personal Information for purposes other than those for which it is collected, except with the express consent of the individual concerned, in an emergency (i.e., to protect the life, health or property of a person), or as required by law.

Accuracy

In order to ensure that the Personal Information collected is relevant to the purposes for which it is used, the COGIRES Group makes reasonable efforts to maintain the integrity of the Personal Information of individuals and to update it regularly.

Individuals to whom the collected Personal Information relates must communicate in writing to the Privacy Officer to make a request for rectification.

Safety Measures

The COGIRES Group is committed to protecting your Personal Information by implementing its cybersecurity program based on the NIST Cybersecurity Framework. The COGIRES Group adheres to good cybersecurity practices by conducting a holistic and rigorous cybersecurity program based on the NIST Cybersecurity Framework. A cyber risk assessment of its IT assets has been completed and will be reviewed on a regular basis, and a cyber risk management strategy has been developed to define and implement a series of risk mitigation measures to protect IT assets including Personal Information.

Transparency

The COGIRES Group may make available to interested persons, upon request, information on its Privacy Policy and on its Governance Policies and Practices Regarding Personal Information.

The COGIRES Group also undertakes to respond to any request for information related to its policies and practices for the management of Personal Information, submitted in writing to the Privacy Officer.

Access to Personal Information

The individuals concerned have the right to examine their Personal Information in the possession of the COGIRES Group and to obtain a copy of it. For this purpose, they must contact the Privacy Officer.

The right to access Personal Information is subject to certain legal restrictions, and the COGIRES Group will take reasonable steps to verify the relevance of the request and the identity of individuals before granting such access.

Should an individual have any concerns about access, he or she can contact the Privacy Officer via email at confidentialite@vieuxquebec.com or by phone at 418-522-3848 ext. 1633. Apart from a few exceptions, applicants will receive a response within thirty (30) days.

Complaint Processing Procedure

The COGIRES Group knows that it is important to ensure the protection of privacy and Personal Information. If you have any questions or concerns about privacy and Personal Information, and the role the COGIRES Group plays in this regard, contact the Privacy Officer via email at confidentialite@vieuxquebec.com or by phone at 418-522-3848 ext. 1633.

The COGIRES Group has established a procedure for receiving and processing complaints about this Policy and about its Personal Information handling practices. An individual about whom the COGIRES Group has personal information may complain about non-compliance with this Policy. Any privacy complaint should be directed to the Privacy Officer at the address above. Apart from a few exceptions, applicants will receive a response within thirty (30) days.

If an individual is dissatisfied with the COGIRES Group’s response to a complaint or the COGIRES Group’s policies and practices regarding the processing of Personal Information, he or she may file a complaint with the Commission d’accès à l’information du Québec on the Commissioner’s website at www.cai.gouv.qc.ca.

Policy Update

The COGIRES Group undertakes to review this Policy every three (3) years. It will also need to be updated whenever there are any substantial changes to legislation or regulatory requirements.
