Groupe Grandio<\/p>\n\n\n\n
Personal Information Protection Program<\/p>\n\n\n\n
Last revised: May 13, 2025<\/p>\n\n\n\n
In the course of their activities, Groupe Grandio (13401537 Canada Inc., hereinafter the \u201cParent Company\u201d), its subsidiaries, affiliated companies, and groups of companies (collectively, \u201cGrandio\u201d) process personal data, including that of their restaurants\u2019 guests, visitors to their websites and apps, loyalty program members, employees, as well as directors and executives. As such, Grandio understands the importance of respecting privacy and protecting the personal data it holds.<\/p>\n\n\n\n
To fulfill its obligations under Qu\u00e9bec\u2019s Private Sector Privacy Act, Grandio has adopted the following policy. It outlines the guiding principles applicable to the protection of personal data throughout its lifecycle, the rights of individuals, and the roles of stakeholders in implementing the law at Grandio.<\/p>\n\n\n\n
This policy completes the Data Security and Cybersecurity Policy regarding the protection of personal data.<\/p>\n\n\n\n
This policy:\u00a0<\/p>\n\n\n\n
<\/p>\n\n\n\n
This policy applies to personal information collected or held by the Parent Company and any affiliated company or group of companies that holds personal data in the frame of its activities. It applies to any person processing personal data on behalf of these companies. When the Parent Company acquires a new company, the latter must implement the personal data protection program no later than six months following the completion of the transaction, with support from the Privacy Protection Committee, if required.<\/p>\n\n\n\n
The Parent Company, affiliated companies, and groups of companies include, but are not limited to:<\/p>\n\n\n\n
<\/p>\n\n\n\n
This list is not exhaustive.<\/p>\n\n\n\n
Compliance with this policy is mandatory, and Grandio is committed to upholding it. <\/p>\n\n\n\n
Any request for an exemption from this policy must be duly justified and submitted to the Privacy Officer for approval, and communicated to the Board of Directors of the Parent Company by the Privacy Officer. A request for an exemption is submitted and processed in accordance with Grandio\u2019s documentary framework, where applicable. <\/p>\n\n\n\n
This policy is the foundational document for Grandio\u2019s compliance program for personal data protection, from which other policies, guidelines, procedures, or documents may derive, covering topics such as:<\/p>\n\n\n\n
<\/p>\n\n\n\n
Grandio\u2019s compliance program is based on a documentary framework defined as follows:<\/p>\n\n\n\n
<\/p>\n\n\n\n
For the purposes of this policy, the following terms mean:<\/p>\n\n\n\n
\u201cJust-in-time notice\u201d: The transparency notice provided to an individual when their personal data is requested. <\/p>\n\n\n\n
\u201cDocumentary Framework\u201d: The set of legal governance documents adopted under this policy to implement Grandio\u2019s personal data protection program. <\/p>\n\n\n\n
\u201cCAI\u201d: The Commission d\u2019acc\u00e8s \u00e0 l\u2019information du Qu\u00e9bec. <\/p>\n\n\n\n
\u201cPrivacy Protection Committee\u201d: The committee established by the Parent Company to ensure compliance with and implementation of personal data protection laws. <\/p>\n\n\n\n
\u201cProfessional contact details\u201d: Personal data relating to the performance of a role within a company, such as name, title, position, and the postal address, email address, and telephone number of the workplace. <\/p>\n\n\n\n
\u201cLife\u201d: The set of stages involved in processing personal data, including collection, use, disclosure, retention, and destruction. <\/p>\n\n\n\n
\u201cPrivacy Impact Assessment (PIA)\u201d: The process aimed at protecting personal data and respecting personal privacy. It is a form of impact analysis, evolves over time, and must be reviewed throughout the project. <\/p>\n\n\n\n
\u201cPrivacy incident\u201d: Any unauthorized access, use, or disclosure of personal data under the law, or any loss or other breach of its protection. <\/p>\n\n\n\n
\u201cLaw\u201d: The Private Sector Privacy Act (Quebec) and any regulations arising from it. <\/p>\n\n\n\n
\u201cData Subject\u201d: A natural person to whom the personal data relates. <\/p>\n\n\n\n
\u201cPresident and Chief Executive Officer of the Parent Company\u201d: The person with the highest authority within the parent company. <\/p>\n\n\n\n
\u201cProfiling\u201d: The collection and use of personal data to assess an individual\u2019s characteristics, especially for analyzing work performance, economic situation, health, personal preferences, interests, or behavior. <\/p>\n\n\n\n
\u201cPersonal data\u201d: Any data relating to an individual that allows them to be identified directly through that data alone or indirectly by combining it with other data. <\/p>\n\n\n\n
\u201cPublicly available personal data\u201d: Personal data declared public by any applicable law. <\/p>\n\n\n\n
\u201cSensitive personal data\u201d: Personal data which, due to its nature (e.g., medical, biometric, or otherwise personal) or the manner in which it is used or disclosed, gives rise to a high reasonable expectation of privacy. \u201cPrivacy Officer\u201d: The person in the Parent Company and each of its subsidiaries and affiliated companies who ensures compliance with and the implementation of personal data protection laws.<\/p>\n\n\n\n
Personal data is protected throughout its lifecycle in accordance with the following principles, except as provided for by law. Professional contact details and publicly available personal data are not subject to these guiding principles<\/p>\n\n\n\n
6.1.1. Grandio collects only the personal data required for its activities. Before collecting personal data, Grandio determines the purposes of its processing.<\/p>\n\n\n\n
6.1.2. At the time of collection, and subsequently upon request, Grandio informs individuals of the mandatory content required by law, including the purposes of collection, the use of technologies enabling profiling (if applicable), and the right to withdraw consent to the use or disclosure of personal data by Grandio.<\/p>\n\n\n\n
6.1.3. The information referred to in paragraph 6.1.2 is provided in clear and simple terms through a privacy policy or a just-in-time notice.<\/p>\n\n\n\n
6.1.4. An individual who provides their personal data after receiving the information in paragraph 6.1.2 is presumed to consent to its use and disclosure for the stated purposes. <\/p>\n\n\n\n
6.2.1. Grandio uses personal data only for the purposes for which it was collected. However, Grandio may modify these purposes with the individual\u2019s prior consent.<\/p>\n\n\n\n
6.2.2. It may also use the data for other purposes without the individual\u2019s consent in cases permitted by law.<\/p>\n\n\n\n
6.3.1. Subject to exceptions provided for by law, Grandio may not disclose any personal data without the individual\u2019s consent. <\/p>\n\n\n\n
6.3.2. When personal data is disclosed outside Quebec, Grandio conducts a Privacy Impact Assessment (PIA) in accordance with section 7 of this policy.<\/p>\n\n\n\n
6.3.3. Grandio maintains a register of any disclosures of personal data without consent. The register records disclosures required by law, including:<\/p>\n\n\n\n
6.4.1. Grandio takes all reasonable measures to ensure that the personal data it holds is up-to-date, accurate, and complete for the purposes for which it is collected or used.<\/p>\n\n\n\n
6.4.2. Grandio retains personal data for as long as required to fulfill the purposes for which it was collected, subject to any applicable retention obligations, in accordance with Grandio\u2019s retention schedule.<\/p>\n\n\n\n
6.5.1. When the purposes for which the personal data was collected are achieved, the information is destroyed or, in some cases, anonymized in accordance with Grandio\u2019s retention schedule and, where applicable, Grandio\u2019s documentary framework.<\/p>\n\n\n\n
7.1. Conducting a Privacy Impact Assessment (PIA) is a process that helps demonstrate that Grandio has met all its obligations regarding the protection of personal data and that all appropriate measures have been taken to effectively protect such data.<\/p>\n\n\n\n
7.2. Grandio conducts a PIA, particularly in the following cases:<\/p>\n\n\n\n
7.3. When conducting a PIA, Grandio considers the sensitivity of the information to be processed, the purposes of its use, its quantity, distribution, and medium (or storage medium), as well as the proportionality of the measures proposed to protect personal data. Grandio also considers the criteria established by law for each PIA.<\/p>\n\n\n\n
7.4. All PIAs are conducted in accordance with Grandio\u2019s documentary framework.<\/p>\n\n\n\n
8.1. At the request of a data subject, Grandio must inform them of:<\/p>\n\n\n\n
8.2. To the extent provided by law, any data subject about whom Grandio holds personal data has the following rights:<\/p>\n\n\n\n
8.3. The Privacy Officer shall respond in writing to requests to exercise the rights outlined in paragraph 8.1 promptly and, in any case, no later than 30 days from the date of receipt of the request.<\/p>\n\n\n\n
8.4. Any request to exercise rights is handled in accordance with Grandio\u2019s documentary framework. conform\u00e9ment au cadre documentaire de Grandio.<\/p>\n\n\n\n
9.1. Grandio implements reasonable security measures to ensure the confidentiality, integrity, and availability of personal data collected, used, disclosed, retained, or destroyed. These measures take into account the sensitivity of the data, the purpose of its collection, and its quantity, location, and medium.\u00a0<\/p>\n\n\n\n
9.2. Grandio manages its personnel\u2019s access rights to ensure that only personnel subject to a confidentiality agreement (where applicable) and requiring access to it to perform their duties have access to personal data. <\/p>\n\n\n\n
10.1. Any privacy incident is handled in accordance with Grandio\u2019s documentary framework.<\/p>\n\n\n\n
10.2. In accordance with the law, Grandio maintains a privacy incident register.<\/p>\n\n\n\n
10.3. If a privacy incident poses a risk of serious harm to individuals, Grandio promptly notifies them and the CAI.<\/p>\n\n\n\n
10.4. The register is maintained for five years following the date of the last incident or the end of the period of the last incident.\u00a0<\/p>\n\n\n\n
11.1. Grandio provides training and awareness-raising activities to its personnel regarding personal data protection.\u00a0<\/p>\n\n\n\n
11.2. Failure to complete the required training and awareness-raising activities violates Grandio\u2019s documentary framework, and individuals may face sanctions depending on the nature and severity of the violation.des sanctions.<\/p>\n\n\n\n
12.1. The protection of personal data held by Grandio relies on the commitment of all those who process such data, particularly the following stakeholders:<\/p>\n\n\n\n
12.2. President and Chief Executive Officer:<\/p>\n\n\n\n
12.3. Board of Directors of the Parent Company:<\/p>\n\n\n\n
12.4. Privacy Protection Committee:<\/p>\n\n\n\n
12.5. Privacy Officer:<\/p>\n\n\n\n
12.6. Any person processing personal data on behalf of Grandio:<\/p>\n\n\n\n
Any complaint regarding Grandio\u2019s personal data protection practices or compliance with legal requirements concerning personal data is forwarded to the Privacy Officer, who shall respond within thirty (30) days.<\/p>\n\n\n\n
Compliance with this policy and all other documents forming the governance framework is mandatory across Grandio. Personnel who fail to comply may face disciplinary measures ranging from a disciplinary notice to termination or, for consultants, contractual sanctions and penalties, which may include, among other things, contract termination and claims for damages. Additional training and awareness-raising may also be provided in cases of non-compliance.\u00a0<\/p>\n\n\n\n
To keep pace with changes in applicable personal data protection laws and to improve Grandio\u2019s personal data protection program, this policy may be updated as needed, at least every three years.\u00a0<\/p>\n\n\n\n
This policy is the responsibility of the Privacy Officer.<\/p>\n\n\n\n
This policy comes into force upon its adoption by the Board of Directors of the Parent Company, based on the Privacy Officer\u2019s recommendation.<\/p>\n\n\n\n
Effective Date: March 28, 2024.<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Groupe Grandio Personal Information Protection Program Last revised: May 13, 2025 1. PREAMBLE In the course of their activities, Groupe Grandio (13401537 Canada Inc., hereinafter the \u201cParent Company\u201d), its subsidiaries, affiliated companies, and groups of companies (collectively, \u201cGrandio\u201d) process personal data, including that of their restaurants\u2019 guests, visitors to their websites and apps, loyalty program […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-3684","page","type-page","status-publish","hentry"],"acf":[],"yoast_head":"\n