top of page
Typing on a Computer

Data Protection Policy

ED4S is committed to protecting the privacy and security of all personal information we collect in the course of our business activities. This policy defines how personal data must be collected, used, stored, shared, and safeguarded in alignment with Canadian privacy laws and GDPR.

1. PURPOSE

​

ED4S is committed to protecting the privacy and security of all personal information we collect in the course of our business activities. This policy defines how personal data must be collected, used, stored, shared, and safeguarded in alignment with Canadian and Québec privacy laws.
 

Our objectives are to:
 

  • Protect the rights and privacy of employees, clients, suppliers, and training participants

  • Ensure transparency in how personal information is used

  • Minimize the risk of privacy incidents and data breaches

  • Maintain trust with all stakeholders

 

2. SCOPE
 

This policy applies to:
 

  • All ED4S employees and contractors

  • All suppliers who process personal information on behalf of ED4S

  • All systems, tools, and cloud platforms used to collect or store personal information
     

Personal information includes any identifiable data such as:
 

  • Names

  • Email addresses

  • Phone numbers

  • Job titles

  • Training participation data

  • Billing and contractual contact information

 

3. GOVERNANCE & RESPONSIBILITIES
 

3.1 Privacy Officer (Law 25 requirement)
 

ED4S designates the President & CEO as the Privacy Officer, responsible for:
 

  • Ensuring compliance with Law 25 and PIPEDA

  • Approving privacy practices and policies

  • Responding to access and correction requests

  • Managing and reporting privacy incidents

  • Overseeing third-party risk and data processing agreements
     

3.2 All Employees & Contractors
 

Every team member must:
 

  • Handle personal information securely and responsibly

  • Use only approved platforms (e.g., Microsoft 365, LMS platforms, CRM)

  • Report potential privacy incidents immediately

  • Follow secure password and access control practices
     

No staff member may collect or use personal information without a legitimate business purpose.
 

4. COLLECTION & USE OF PERSONAL INFORMATION
 

ED4S collects only the information necessary to:
 

  • Deliver training programs

  • Manage client accounts and communications

  • Administer supplier or contractor relationships

  • Improve services based on participant feedback

  • Meet legal and contractual obligations
     

We do not collect sensitive information such as health data, racial origin, political opinions, or biometrics unless required by law.
 

All data collection follows the principles of:
 

  • Consent

  • Purpose limitation

  • Data minimization

  • Transparency
     

5. DATA STORAGE & SECURITY
 

ED4S uses secure cloud-based tools compliant with Canadian and international security standards. These include:
 

  • Encrypted cloud storage (Google Workspace or equivalent)

  • Access control based on job requirements

  • Multi-factor authentication

  • Regular backups managed by the cloud provider
     

ED4S security rules:
 

  • Personal data must only be stored on approved systems

  • Devices accessing ED4S data must use passwords and automatic screen locks

  • Personal information must not be stored on USB keys or local hard drives

  • Printed personal information must be avoided; if printed, it must be securely destroyed

  • Data shared externally must be encrypted (e.g., secure sharing links)

 

6. DATA RETENTION
 

Personal information is:
 

  • Kept only as long as necessary for the original purpose

  • Deleted or anonymized when no longer required

  • Retained according to legal and contractual obligations

​

7. DATA ACCURACY
 

ED4S will ensure that personal information is:
 

  • Accurate

  • Complete

  • Up-to-date
     

Individuals may request corrections at any time.

 

8. INDIVIDUAL RIGHTS (LAW 25 + PIPEDA)
 

All individuals have the right to:
 

  • Know why and how their data is used

  • Access personal information held by ED4S

  • Request corrections

  • Withdraw consent (when applicable)

  • Complain to the Commission d’accès à l’information (CAI)
     

Access requests must be free of charge and responded to within the legal deadlines.


Requests can be made to: 
hi@ed4S.org

 

9. THIRD-PARTY SUPPLIERS
 

ED4S ensures that third-party service providers:
 

  • Meet equivalent privacy and security standards

  • Sign Data Processing Agreements when required

  • Use data only for the purposes defined by ED4S
     

Cloud providers may store data internationally; ED4S ensures safeguards are in place.

 

10. DATA BREACH MANAGEMENT
 

ED4S will:
 

  • Immediately contain and assess any suspected privacy incident

  • Notify affected individuals and the regulator (CAI) when required

  • Document all breaches and corrective actions

 

11. TRAINING & AWARENESS
 

All employees receive annual training on:
 

  • Privacy obligations under Law 25 and PIPEDA

  • Secure handling and sharing of personal information

  • How to identify and report a data breach

 

12. POLICY REVIEW
 

This policy is reviewed annually or when:
 

  • Legal requirements change

  • New systems or processes introduce privacy risks​

Last Reviewed

September 2025

bottom of page