1. INTRODUCTION AND PURPOSE

Beyond Technologies Consulting Inc. and its affiliates (“Beyond” or the “company”) consider privacy to be a high priority as new technologies are emerging to collect, access, use, manage, disclose or otherwise process Personal information. The purposes of this policy are to identify, monitor and mitigate privacy risk, notify the user of Beyond's practices, ensure individual rights are met, and ensure compliance with applicable privacy regulatory requirements.

2. SCOPE AND APPLICATION

This policy encompasses the collection, access, use, retention, disclosure, disposition, protection and safeguarding of Personal information that Beyond controls in accordance with its obligations under the applicable privacy regulatory requirements, or processes in the context of and in accordance with contractual agreements, such as Data Processing Agreements. Beyond is the data controller of Personal information it collects from employees, job applicants and business contacts in the course and for the purpose of its activities. Beyond may act as a data processor of Personal information controlled by Beyond’s clients, as instructed by those clients for specific purposes and services that involve Personal information processing. This policy applies to all Beyond employees and service providers acting on behalf of Beyond.

2.1 Applicable Privacy Regulatory Requirements

Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) and the Canada Anti-Spam Legislation (CASL).

Quebec: Act Respecting the Protection of Personal Information in the Private Sector.

European Union: General Data Protection Regulation (GDPR).

United States: New Jersey Personal Information and Privacy Protection Act.

South Africa: Protection of Personal Information Act (POPIA).

3. DEFINITIONS

Personal information: information about an identifiable individual. It includes information that on its own or combined with other pieces of data, can identify an individual.

Privacy Incident: Any loss, theft, intentional or inadvertent unauthorized access to, use, or disclosure of Personal information.

4. ROLES AND RESPONSIBILITIES

COO

- Ensures that the extent of the collection and the processing of Personal information is limited to the purposes identified by Beyond.

- Ensures the identification of risks that may arise from third parties and/or outsourced activity and monitors overall corporate risks.

CTO

- Ensures the confidentiality of data and identifies privacy risk when conducting information security risk analyses and informs the appropriate stakeholders.

- Selects and/or recommends controls to mitigate privacy risks and ensures controls are properly implemented.

Chief Legal and Privacy Officer

- Designated Personal Information Protection Officer.

- Defines contractual terms with third parties to ensure compliance with the Privacy policy and other legal and regulatory requirements.

- Communicates with the appropriate regulatory authorities regarding a Privacy incident.

- Ensures completion of privacy/risk assessments where necessary.

Service Owners and departmental managers

- Is responsible for managing privacy risk that arises from owned business processes.

- Ensures appropriate controls are in place to protect the confidentiality of Personal information.

- Ensures Personal information follows applicable data retention periods.

Personnel including Contractors and Consultants

- Is aware of and complies with the Privacy policy. Completes the mandatory privacy training and awareness program.

- Ensures all appropriate actions are taken to ensure the confidentiality and protection of Personal information based on the established procedures.

- Reports any risks or threats to the protection and confidentiality of Personal information, including any Privacy Incidents and/or Personal Information breaches.

5. POLICY REQUIREMENTS

This policy supports Beyond’s ongoing commitment to respect and protect the privacy of Personal information of:

a) All members of the public from whom Personal information is collected;

b) Representatives of past, current and prospective Beyond clients and suppliers required to provide Personal information to establish a business relationship with Beyond;

c) Past, current and prospective Beyond employees;

d) All other Personal information collected or processed in the course of Beyond’s activities.

5.1 Privacy policy Principles

The guiding principles of this policy are the fair information principles outlined in the applicable jurisdictional regulation.

1. Accountability: Beyond maintains established specific roles and responsibilities for the management of privacy.

2. Identifying purposes: Beyond informs individuals about the purposes for which Beyond collects, uses, retains and discloses their Personal information. Beyond collects, uses, retains and discloses Personal information only for legitimate business, legal or regulatory purposes.

3. Consent: Beyond obtains the individual’s consent, to the extent required by law, to collect, use or disclose Personal information and uses Personal information only for the purpose for which it is collected, unless otherwise permitted.

4. Limiting collection: Beyond limits collection of Personal information to information necessary for Beyond’s identified purpose.

5. Limiting use, disclosure and retention: Beyond limits use and disclosure of Personal information to only those purposes for which the Personal information was collected or transferred for processing, except if the individual gives consent for other uses or the law requires otherwise.

6. Accuracy: Beyond takes all reasonable and appropriate measures to ensure that Personal information in its control is as accurate, complete and up to date as is needed for its use.

7. Security of Personal information: Beyond maintains appropriate safeguards to protect Personal information against loss and theft, as well as unauthorized access, disclosure, copying, use or modification.

8. Openness: Beyond shall document the purposes for which Personal information is collected and used.

9. Individual access: Upon request, Beyond can provide individuals with access to their Personal information in Beyond’s control.

10. Challenging compliance: An individual may challenge Beyond’s privacy practices and compliance with this policy and/or applicable legislation by filing a complaint with the privacy contact or a regulatory body.

5.2 Privacy Framework and Privacy Risk Assessments 

Beyond’s privacy framework aligns with the NIST Privacy Framework. 

5.3 Privacy Incidents / Personal information Breaches 

When a member of Personnel suspects or becomes aware of a Privacy incident, he must immediately notify the Chief Legal and Privacy Officer. 

Assessing an Incident 

When the Chief Legal and Privacy Officer receives a notice of an incident relating to Personal information, he must investigate and confirm whether the incident qualifies as a Privacy Incident. If it is deemed to be a Privacy incident, he shall determine its materiality. If an incident is not material, the Chief Legal and Privacy Officer will determine how to proceed with the incident. 

A Privacy incident that entails a real risk of significant harm to the individual(s) concerned is considered a privacy breach. 

Declaration - notification 

A privacy breach shall be reported to the appropriate authorities: 

Canada: The Office of the Privacy Commissioner of Canada

Quebec: The Information Commissioner of Quebec 

European Union: The French Data Protection Authority – CNIL 

South Africa: The Information Regulator 

Affected individuals shall be notified with details on when the incident occurred, the Personal information impacted, Beyond’s next steps and contact details. 

Beyond’s clients acting as controllers of Personal information affected by a Privacy Incident shall be notified in accordance with the applicable agreements. 

A privacy breach log must be maintained by Beyond to track incident details and remedial measures. 

5.4 Security of Personal information

For details about the security controls in place to protect Personal information, see the Information Security policy. 

5.5 Retention of Personal information

Beyond must retain the Personal information under its control for the period required for the identified use and applicable legal requirements. The Personal information must thereafter be destroyed or anonymized. 

5.6 Privacy Training and Awareness

Beyond shall include privacy awareness in its employee training.

The review and undertaking to process Personal information in accordance with this policy is mandatory in the course of onboarding new employees.

5.7 Request for Access by Law Enforcement and/or Government Agencies

Beyond may be compelled by law enforcement or government agencies to disclose or provide access to Personal information in the event of a legally valid request, such as a search warrant or court order. In the event a request is made, Beyond will take the following actions: 

- Verify the identity of the law enforcement official; 

- Verify the authority for the proposed disclosure of Personal information; 

- Unless legally prevented from doing so, notify Beyond’s clients acting as controller of Personal information encompassed by a request; 

- Ensure that disclosure decisions are approved by the Chief Legal and Privacy Officer; 

- Where appropriate, conduct an internal review and engage specialized external legal counsel prior to disclosing to law enforcement;

- Take reasonable steps to ensure that the Personal information is accurate and up to date; 

- Document requests, court orders and disclosure decisions; 

- Unless legally prevented from doing so and where appropriate, notify individuals whose information was disclosed.

6. MONITORING, REPORTING AND NON-COMPLIANCE

The ongoing monitoring of the potential impact of existing and potential risks and the effectiveness of controls occurs in the normal course of management activities.

7. INDIVIDUAL PERSONAL INFORMATION PROTECTION RIGHTS

Beyond aims to ensure users are fully aware of individual personal information rights and works to ensure the privacy policy and associated business processes enable users to be aware of and exercise their rights. 

8. APPLICABLE INTERNAL POLICIES

Privacy Notice

Information Security Policy 

Information Classification Guide 

Information Security Incident Response and Management Plan 

9. REVIEW OF PRIVACY POLICY

This policy will be periodically reviewed and updated in order to maintain compliance with legal requirements and industry best practices. This policy was last updated in October 2021. 

10. CONTACT 

Email: [email protected]

10.1 Contacting the Appropriate Authorities 

Canada: The Office of the Privacy Commissioner of Canada 

Quebec: The Information Commissioner of Quebec 

European Union: The French Data Protection Authority – CNIL

United States: New Jersey Office of Information Technology 

South Africa: The Information Regulator 

Contact

Canada

111 Robert-Bourassa Blvd, Suite 4500
Montréal (Québec) H3C 2M1
____________________________

185 The West Mall, Suite 1010
Etobicoke (Ontario) M9C 1B8

United States

111 Town Square Pl., Suite 1515
Jersey City, New Jersey, 07310

France

93, avenue Charles de Gaulle
92200 Neuilly-sur-Seine

South Africa

Knightsbridge Office Park
33 Sloane Street
Block B, 1st Floor, Gauteng
Bryanston, 2191
____________________

1st Floor
27 Somerset Road
Green Point
Cape Town 8005

Telephone: 514 227-7323
Fax: 1 888 679 0002
Toll Free: 1 877 449-7323
