These requirements apply to every supplier, contractor, consultant, consortium or joint venture partner (“Contracting Entity”) who enters into an agreement with Groupe CIMA+ inc. or an affiliate (“Company”). These Requirements apply to the collection, use, disclosure, storage and any other types of processing (collectively “processing”) of Personal Information and Company Data, defined below, provided to Contracting Entity (collectively “Company Data and Personal Information”) in order to perform services or work (“Services”) for or with the Company pursuant to any agreement entered into between the parties (“Agreement”). These requirements may be updated from time to time to ensure the Company complies with applicable laws and good industry practices in terms of personal information and data protection.
“Personal Information” means all information that identifies, relates to, describes, or is capable, by itself or in combination with other data, of being associated with any particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, biometrics information, address, telephone number, passport, driver’s licence or government identification number, insurance policy number, medical information or health insurance information, education, employment, bank account and credit or debit card number, or any other financial information.
“Company Data” means all information data, materials, works, expressions or other content, (i) disclosed or otherwise made available by Owner in relation to this Agreement; (ii) collected, downloaded or otherwise received by Engineer pursuant to this Agreement; and (iii) include all output, copies, reproductions, modifications, and other derivative works of, based on, or otherwise using any Company Data.
“Systems” means any computer, IT network and storage, application, device, mobile, equipment, software and other materials and facilities, operated in connection with this Agreement.
- Compliance with Data Protection Laws and Best Practices. Each of Company and Contracting Entity shall comply with applicable Canadian federal and provincial laws and regulations governing the processing of Company Data and Personal Information (“Data Protection Laws”) and all applicable industry standards concerning privacy, data protection, confidentiality or information security.
- Data Security Program. Contracting Entity is responsible for the security of its systems and shall maintain a comprehensive, information security program that contains safeguards that are appropriate for the protection and security of Company Data and Personal Information (“Security Program”). Contracting Entity’s Security Program shall include measures designed to: (a) protect the confidentiality, integrity, and availability of Company Data and Personal Information in its possession or control or to which Contracting Entity has access; (b) protect against any anticipated threats or hazards to the confidentiality, integrity, and availability of the Company Data and Personal Information; (c) protect against unauthorized or unlawful access, use, disclosure, alteration, or destruction of the Company Data and Personal Information; (d) protect against accidental loss or destruction of, or damage to, Company Data and Personal Information; and (e) safeguard Company Data and Personal Information in accordance with Data Protection Laws.
- Purpose limitation. Any processing of Company Data and Personal Information by Contracting Entity shall be limited to what is necessary to provide the Services or such other purposes expressly authorized by Company.
- Sub-processors. If Contracting Entity is to appoint sub-processors to process Company Data and Personal Information it shall ensure that the arrangement between the Contracting Entity and the sub-processor is governed by a written contract which offers at least the same level of protection for Company Data and Personal Information as those set out in these Requirements. Contracting entity shall keep a list of such sub-processors and will provide details such as name, address, sub-processing activities and location which shall be made available to Company upon request. Contracting Entity shall be solely responsible for all actions and omissions of such third parties.
- Cross-border Transfers. Contracting Entity may only process, and shall ensure that sub-processors only process, Company Data and Personal Information in Canada, unless authorized in writing by Company. If processing is to take place outside the country, Contracting Entity shall provide satisfactory evidence that laws as stringent as the Data Protection Laws apply in such foreign jurisdictions and are legally enforceable.
- Notice of Process. In the event Contracting Entity receives a governmental or other regulatory request for any Company Data and Personal Information, it agrees to immediately notify Company to allow Company to have the option to respond.
- Data Incidents
- Informing Company of Data Incident. Contracting Entity shall immediately and without delay notify Company of any reasonably suspected or actual loss of, or unauthorized access to or use or disclosure of Company Data and Personal Information or any other breach or attempted breach, by any person of Contracting Entity’s Security Program implicating Company Data and Personal Information (“Data Incident”). While the initial phone notice may be in summary form, a comprehensive written notice shall be given within 24 hours to Company and updated thereafter. The notice shall summarize, in reasonable detail, the nature and scope of the Data Incident and the corrective action already taken or to be taken by Contracting Entity. The notice shall be timely supplemented with the details reasonably requested by Company, inclusive of relevant forensic reports. Contracting Entity shall promptly take all necessary and advisable corrective actions, and shall cooperate fully with Company in all reasonable efforts to mitigate the adverse effects of Data Incident and to prevent its recurrence.
- Notice of Data Incident. The parties will collaborate on whether any notice of the Data Incident is required to be given to any person (including impacted individuals and relevant regulators), and if so, the content of that notice. Company is solely responsible for deciding which party will report the Data Incident and Contracting Entity will bear all costs of the notice.
- Specific Services Requiring Additional Collaboration
- Privacy Impact Assessments. If the Services involve a collection, use, retention, disclosure, destruction or any other type of processing of Company Personal Information that requires Company to conduct a privacy impact assessment required under Data Protection Laws, Contracting Entity agrees to cooperate fully and promptly with Company in conducting any such assessments.
- Liability and Indemnification
- Limitation of Liability & Indemnification. Contracting Entity shall indemnify and hold Company harmless against any claims, demands, actions or proceedings brought against Company as a result of Contracting Entity’s (or its subcontractors or sub-processors) breach of any obligation under these Requirements. Any limitation of liability set forth in the Agreement shall not apply to Contracting Entity’s indemnity obligations and liability arising from its breach of any obligation under these Requirements.
- Security Review and Audit
- Subject to reasonable notice, Contracting Entity shall allow and reasonably cooperate with Company to carry out any verification and audits relating to the confidentiality and security of the Company Data and Personal Information.
- Interpretation, Termination and Secure Disposition
- In the event of any inconsistencies between the provisions of these Requirements and any other agreements between the parties, including the Agreement, these Requirements shall take precedence over the Agreement or any other agreements.
- Company may terminate the Agreement with cause immediately upon notice to Contracting Entity if Contracting Entity has materially breached these requirements and Contracting Entity has not remedied its breach and complied with section 7 hereof.
- Upon termination of the Agreement, Contracting Entity shall either securely return or dispose of all Company Data and Personal Information under its possession or in the possession of any third party to whom it transferred same, pursuant to Company’s instructions and as required by Data Protection Laws.
- These Requirements are intended to survive the termination, cancellation or expiry of the Agreement.
- IN WITNESS WHEREOF Company and Contracting Entity have executed this addendum attested to by the signatures of their duly authorized officers in that behalf as of the day and year set out above.
Version: June 30, 2022