PRIVACY POLICY

This version of the Policy is dated 01/09/2023.

Subject.

This Policy is established by the company DEMOCRATIK, the publisher of the website www.democratik.org (hereinafter the "website"), with its registered office located at 160 rue de Cazaux, J6Y 0H2 QUEBEC, Canada, under identification number: 9287-7372 Québec inc.

Hereinafter referred to as the "data controller."

The purpose of this Policy is to inform visitors to the website hosted at the following address: www.democratik.org

(Hereinafter referred to as the "website") about how data is collected and processed by the data controller.

This Policy is in line with the data controller's desire to act with full transparency, in accordance with its national provisions and the regulations of Law 25 of Quebec and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, concerning the protection of individuals with regard to the processing of personal data and the free movement of such data, repealing Directive 95/46/EC.

Hereinafter referred to as the "General Data Protection Regulation."

The data controller pays particular attention to the privacy protection of its users and commits to taking reasonable precautions to protect the data collected against loss, theft, disclosure, or unauthorized use.

"Personal data" is defined as any information that directly or indirectly identifies the user, i.e., any information that allows identification.

If the user wishes to react to any of the practices described below, they can contact the data controller at the postal address or email address specified in the "contact data" section of this Policy.

What data do we collect?

The data controller collects and processes, according to the modalities and principles described below, the following personal data about the website visitor:

  • Their domain (automatically detected by the data controller's server), including the dynamic IP address;
  • Their email address if the user has previously disclosed it, for example, by sending messages or questions on the website or by contacting the data controller by email or through the contact form;
  • All information about the pages the user has viewed on the website.

The data controller may also collect non-personal data. These data are classified as non-personal data because they do not allow the direct or indirect identification of a particular person. They may be used for various purposes, such as improving the website, the products and services offered, or the data controller's advertisements.

In the event that non-personal data is combined with personal data, enabling the identification of individuals, these data will be treated as personal data until their association with a particular person becomes impossible.

Collection/Processing Methods:

The data controller may process personal data in the following ways:

  • Contact form on the website;
  • Login data: Cookies;

Categories of collected data:

  • Identity: name, first name, email addresses, postal address, phone number, company;
  • Internet login data (cookies): IP, trackers, browsing data, audience measurements, etc.

Purposes and Legal Bases for Processing

Personal data is only collected and processed for the purposes mentioned below:

Treatment Data category Purposes Legal bases Duration of conversation
Contact form for Internet users
Name, first name, email, website, subject of the message.
Respond to Internet users' requests (information on a product, on delivery, on prices or general questions)
Legal basis is legitimate interest
- 3 years old count at last contact with the user.
- Mandatory request to the Internet user to extend the data retention period by 3 years collected.
Cookies
IP, trackers, navigation data, audience measurements, location.
User session, conversion tracking, message personalization
Legal basis is individual consent
13 months maximum, location data is not retained.
Telephone surveys
Survey questionnaire completed without the associated phone number and without personal information.
Public opinion polls
Mission of public interest
Maximum 3 years, personal data is never stored.
The data controller may be required to carry out processing operations which are not yet provided for in this Policy. In this case, it will contact the user before reusing their personal data, in order to inform them of the changes and give them the possibility, if necessary, to refuse this reuse.

The duration of the conversation

The retention period must be defined by the file processing manager. Generally speaking, the latter only retains personal data for the time reasonably necessary for the purposes pursued and in accordance with legal and regulatory requirements.

Concerning prospects (contact form):

Personal data relating to a non-customer prospect may be kept for a period of three years from their collection by the data controller or from the last contact from the prospect.

At the end of this three-year period, the data controller may contact the person concerned again to find out whether they wish to continue to receive commercial requests. In the absence of a positive and explicit response from the person, the data must be deleted or archived in accordance with the provisions in force, and in particular those provided for by the commercial code, the civil code and the consumer code.

In the event of exercising the right of access or rectification, data relating to identity documents may be kept for the period provided for in Article 9 of the Code of Criminal Procedure (i.e. one year). If the right of opposition is exercised, this data may be archived during the limitation period provided for in Article 8 of the Code of Criminal Procedure (i.e. three years).

Regarding the retention period of cookies:

Consent to be monitored may be forgotten by the people who expressed it at a given moment, the CNIL considers it necessary to limit its scope over time.

Consequently, cookies are kept for thirteen months after their first deposit in the user's terminal equipment (following the expression of consent)

Their lifespan is not extended during new visits to the site.

Enforcement of rights

For all the rights listed below, the data controller reserves the right to verify the identity of the user for the application of the rights listed below.

This request for additional information will be made within one month of the user submitting the request.

Data access and copying

The user may obtain free of charge the written communication or a copy of the personal data concerning him which has been collected.

The Data Controller may require payment of a reasonable fee based on administrative costs for any additional copies requested by the User.

When the user submits this request electronically, the information is provided in commonly used electronic form, unless the user requests otherwise.

Unless otherwise provided for by the general data protection regulations, a copy of their data will be communicated to the user no later than one month after receipt of the request.

Right to withdraw consent

For all processing based on consent, in this case cookies, the data subject has the right to withdraw consent at any time.

Right of rectification

The user can obtain free of charge, as soon as possible and at the latest within one month, the rectification of his personal data which is inaccurate, incomplete or irrelevant, as well as complete it if it turns out to be incomplete

Unless otherwise provided for by the general data protection regulations, the request for application of the right to rectification is processed within the month of its introduction.

Right to object to processing

The user may at any time, for reasons relating to his particular situation, object free of charge to the processing of his personal data, except when:

  • The processing is necessary for the execution of a mission of public interest or relating to the exercise of public authority vested in the controller;
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (in particular where the person concerned is a child).

The data controller may refuse to implement the user's right of opposition when he establishes the existence of compelling and legitimate reasons justifying the processing, which take precedence over the interests or rights and freedoms of the user. , or for the establishment, exercise or defense of a legal right. In the event of a dispute, the user may lodge an appeal in accordance with the “claims and complaints” point of this Policy.

The user may also, at any time, object, without justification and free of charge, to the processing of personal data concerning him when his data is collected for commercial prospecting purposes (including profiling).

When personal data is processed for scientific or historical research purposes or statistical purposes in accordance with the General Data Protection Regulation, the user has the right to object, for reasons relating to his or her particular situation. , to the processing of personal data concerning him, unless the processing is necessary for the performance of a mission of public interest.

Unless otherwise provided for by the general data protection regulation, the data controller is required to respond to the user's request as soon as possible and at the latest within one month and to justify his response when he intends not to respond to such a request.

Right to object to processing

  • When the user contests the accuracy of data and only for as long as the data controller can check it;
  • When the processing is unlawful and the user prefers limitation of processing to erasure;
  • When, although no longer necessary for the pursuit of the purposes of the processing, the user needs it for the establishment, exercise or defense of his legal rights;
  • During the time necessary to examine the merits of an opposition request submitted by the user, in other words the time for the data controller to verify the balance of interests between the legitimate interests of the data controller and those of the user.

The data controller will inform the user when the restriction of processing is lifted.

Right to erasure (right to be forgotten)

The user may obtain the erasure of personal data concerning him, when one of the following reasons applies:

  • The data is no longer necessary for the purposes of the processing;
  • The user has withdrawn their consent for their data to be processed and there is no other legal basis for the processing;
  • The user has withdrawn their consent for their data to be processed and there is no other legal basis for the processing;
  • Personal data has been the subject of unlawful processing;
  • Personal data must be erased for compliance with a legal obligation (under Union or Member State law) to which the controller is subject;
  • Personal data was collected as part of the provision of information society services aimed at children.

However, erasure of data is not applicable in the following cases:

  • When the processing is necessary for the exercise of the right to freedom of expression and information;
  • When the processing is necessary to comply with a legal obligation which requires processing provided for by Union law or by the law of the Member State to which the controller is subject, or to carry out a task in the public interest or relating to the exercise of public authority vested in the person responsible;
  • When the processing is necessary for reasons of public interest in the field of public health;
  • When the processing is necessary for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes and insofar as the right to erasure is likely to make it impossible or seriously compromise the realization of the ◦ objectives of the processing in question;
  • When the processing is necessary for the establishment, exercise or defense of legal rights.

Unless otherwise provided for by the general data protection regulation, the data controller is required to respond to the user's request as soon as possible and at the latest within one month and to justify his response when he intends not to respond to such a request.

Right to “data portability”

The user may at any time request to receive their personal data free of charge in a structured, commonly used and machine-readable format, in particular with a view to transmitting them to another data controller, when:

  • Data processing is carried out using automated processes; and when
  • The processing is based on the consent of the user or on a contract concluded between the latter and the controller.

Under the same conditions and according to the same modalities, the user has the right to obtain from the controller that the personal data concerning him or her be transmitted directly to another person responsible for the processing of personal data, provided that this is technically possible.

The right to data portability does not apply to processing which is necessary for the execution of a mission of public interest or relating to the exercise of public authority vested in the controller.

Data recipients and disclosure to third parties

Internal recipients:

The recipients of the data are only personnel authorized by the company DEMOCRATIK, in charge of security and commercial relations.

Subcontractors

Personal data is also processed by the company Amazon Web, a subcontractor of the company DEMOCRATIK responsible for managing the website. The data is stored on a server within Canada.

In the event that the data is disclosed to third parties for direct marketing or commercial prospecting purposes, the user will be informed in advance so that they can choose to accept the transfer of their data to third parties.

Since this transfer is based on the user's consent, the user may, at any time, withdraw their consent for this specific purpose.

The data controller complies with the legal and regulatory provisions in force and will in all cases ensure that its partners, employees, subcontractors or other third parties with access to this personal data comply with this Policy.

The data controller discloses the user's personal data in the event that a law, legal procedure or order from a public authority makes this disclosure necessary.

No further transfer of personal data outside the European Union is carried out by the controller.

Security

The data controller implements appropriate technical and organizational measures to ensure a level of security for the processing and data collected in relation to the risks presented by the processing and the nature of the data to be protected, adapted to the risk. It takes into account the state of knowledge, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risks to the rights and freedoms of users.

The data controller always uses encryption technologies that are recognized as industry standards within the IT sector when transferring or receiving data on the website.

The data controller has implemented appropriate security measures to protect and prevent the loss, misuse, or alteration of information received on the website.

Data Breach Notification

In accordance with Law 25 on the protection of personal data, DEMOCRATIK undertakes to inform users promptly and transparently in the event of a personal data breach that could result in a high risk to the rights and freedoms of the individuals concerned. This notification will include:

The nature of the personal data breach;
The categories and approximate number of individuals concerned;
The categories and approximate number of personal data records concerned;
A description of the potential consequences of the personal data breach;

A description of the measures taken or proposed by DEMOCRATIK to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse effects. If you have any questions about this policy or how we process your personal data, please contact us at RGDP@democratik.org

In the event that the personal data controlled by the data controller were to be compromised, it will act promptly to identify the cause of the breach and take appropriate remedial measures.

The data controller informs the user of this incident if required by law.

Claim and complaint

If the user wishes to react to one of the practices described in this Policy, it is recommended to contact the data controller directly.

The user can also submit a complaint to their national supervisory authority; you can send a complaint online to the CNIL or by post:

National Commission for Information Technology and Liberties (CNIL)

3 Place de Fontenoy

TSA 80715

75334 Paris cedex 07

Tel: +33 1 53 73 22 22

In addition, the user has the possibility of filing a complaint before the competent national courts.

Contact data

For any questions and/or complaints relating to this Policy, the user can contact the data controller at the following address:

By email: RGPD@democratik.org

Or by mail:

DEMOCRATIK
160 Rue de Cazeau
Terrebonne, Québec, J6Y 0H2
Edit

The data controller reserves the right to modify the provisions of this Policy at any time. The changes will be published directly on the website of the controller.

Applicable law and competent jurisdiction

This Policy is governed by the national law of the principal place of establishment of the data controller in Europe and by Law 25 in Quebec.

Any dispute relating to the interpretation or execution of this Policy will be submitted to the courts of respective national law.