Introduction

With the enactment of Law 25, it is essential to ensure that data management is carried out in a systematic and reliable manner to comply with legal retention requirements, such as those set out in applicable data and personal information protection laws. Enforcing data retention measures also reduces costs and risks of disclosure associated with retaining unnecessary information.

This data retention policy and the accompanying data retention schedule have been developed to inform and assist Carrus Technologies (Carrus) as well as its customers in managing the data retained either by Carrus (via the cloud storage service offered to Carrus customers), or directly by Carrus customers using on-site product versions (SMS or JMS) where records are kept. This policy is provided as a guideline. Each Carrus client or partner is responsible for complying with applicable data and personal information protection laws.

The policy and schedule outline the proposed length of time that different types of data should be retained and how they should be stored, transferred, and destroyed. If you have any questions about anything in this policy, please contact the Carrus Technologies Customer Service Team.

Objective

The aim of this policy is to help Carrus Technologies customers to:

• identify and capture accurate and authentic records,
• retain data to meet the business needs of Carrus and its customers,
• dispose of records that are no longer required in an appropriate manner;
• protect vital records, and
• comply with statutory and regulatory requirements relating to data retention

What is personal data or information?

Information is personal when it concerns a natural person and allows, directly or indirectly, the identification of that person. Here is what characterizes it:

• it must reveal information to someone;
• it must have a relationship with a natural person;
• it must be capable of distinguishing that person from another or of recognizing their nature.

Note: This definition includes employees.

Réf.: Gouvernement du Québec ( https://www.quebec.ca/gouvernement/travailler-gouvernement/travailler-fonction-publique/services-employes-etat/conformite/protection-des-renseignements-personnels/definitions-concepts/concepts)

Data retention

Records should be retained for as long as required by applicable laws and regulations and in line with your business needs. The suggested retention periods in the Appendix have been established by data type to help you meet those needs and requirements.

If multiple record types describe the same data, Carrus suggests retaining that data in accordance with the longest retention period. Carrus may in the future amend the suggested schedule with additional record types, and such updates will be provided to all Carrus customers.

Carrus recommends that data be destroyed or anonymized upon the expiration of the applicable retention period, as set forth in the Appendix. Data should ideally not be retained for longer than this period and should be disposed of or anonymized as described below under “Data Disposal or Anonymization.”

Duplicates, backups and convenient copies

Carrus recommends that you retain a duplicate copy of data only when required for valid business reasons and never for longer than the applicable retention period set out in the Appendix or any applicable suspension period.

Responsibilities

It is understood that the “recording controller” is the person or department that wrote or created the record, received an externally created record, or is otherwise primarily responsible for the record. It is the responsibility of the record controller to properly retain the record and data and to dispose of/anonymize it in a timely and appropriate manner.

Data deletion or anonymization

Carrus recommends that all its customers follow this policy to dispose of records in the normal course of business. Proof of deletion or anonymization of records should be kept by the record controller.

References

Government of Quebec

https://www.quebec.ca/gouvernement/travailler-gouvernement/travailler-fonction-publique/services-employes-etat/conformite/protection-des-renseignements-personnels/a-propos

ANNEX - DATA RETENTION SCHEDULE

This Data Retention Schedule accompanies and is included for reference in the Carrus Data Retention Policy. It defines the periods during which Carrus suggests retaining different types of data and records for business and legal purposes.

The list of record types included in this annex is a non-exhaustive list suggested by Carrus, and the suggested retention periods are based on business logic and the usual requirements related to businesses in Quebec. This list is not exhaustive and should be used as an aid to understanding Bill 25. Please refer to the Government of Quebec website for more information.