CUSTOMER PERSONAL INFORMATION
1.1 This policy is divided into eleven chapters:
2. Accountability Principle;
3. Identifying Purposes Principle;
4. Customer's Consent Principle;
5. Limiting Collection Use, Retention & Disclosure Principle;
6. Accuracy Principle;
7. Safeguarding Personal Information Principle;
8. Openness Principle;
9. Customer Access Principle;
10. Challenging Compliance Principle; and
11. Related Procedures, Policies, and Practices
"Jean Machine" is a subsidiary of MRP Retail Inc of 4069 Gordon Baker Rd., Scarborough, Ontario, M1W 2P3, Canada.
"outsourcer" means a third party who is contracted by Jean Machine for the purposes of processing the personal information; assisting Jean Machine in protecting personal information; and assisting Jean Machine in conducting Jean Machine's direct marketing campaigns.
"personal information" means information about an identifiable individual but not aggregated information that cannot be associated with a specific individual. Personal information will cease to be personal information, where the information is destroyed, erased, or made anonymous.
1.3 Jean Machine is committed to the protection and fair use of personal information provided by its customers. Jean Machine will adhere to the nine principles as outlined in this policy.
1.4 Jean Machine's practices with regards to collection, use, retention, and disclosure of personal information will comply with this policy and any federal or provincial laws regarding the collection, use, retention, or disclosure of personal information.
1.5 Jean Machine will not sell, loan, otherwise transfer a customer's personal information to a third party without the consent of the customer, except for personal information sent to an outsourcer. Such consent is deemed implied.
1.6 Jean Machine will require that personal information provided to an outsourcer or a third party for the purposes of processing personal information on behalf of Jean Machine to adhere to this policy.
2.1 Jean Machine is responsible for personal information in its possession or custody, including information that has been transferred to an outsourcer. Jean Machine will use appropriate means to provide a comparable level of protection information for personal information that is being transferred to an outsourcer.
2.2 Jean Machine has designated a Customer Personal Information Compliance Officer ("Compliance Officer") to ensure compliance with this policy, the Personal Information Protection and Electronic Documents Act, and any provincial legislation concerning personal information protection.
2.3 Jean Machine will make known, upon request, the name and title of the person designated to serve as compliance officer (please refer to 11.5.4 for the Compliance Officer's contact information).
2.4 The Compliance Officer will have supervisory authority over all individuals delegated to assist the Compliance Officer or delegated to control the day-to-day collection and processing of personal information.
2.5 The Compliance Officer will document any future purpose for which the personal information is collected (also in compliance with #3 Identifying Purposes, #8 Openness Principle, and #10 Customer Access Principal).
2.6 The Compliance Officer will be responsible to review the safeguards employed to protect the collection, use, retention or disclosure of personal information. Such review includes safeguards against loss, theft, unauthorized access, unauthorized disclosure, unauthorized copying or modification, or improper use. Reviews will be conducted as stipulated in 11.5.2 below.
3. IDENTIFYING PURPOSES
3.1 Jean Machine will limit the collection of personal information to a customer's contact information, including his/her name, address, and e-mail address (see 4.2 for exceptions).
3.2 Jean Machine will only collect the information in 3.1 for the purposes of Jean Machine's direct marketing campaigns and to tailor Jean Machine special offers to the customer's needs.
3.3 Jean Machine will use reasonable efforts to inform customers of its purpose at the point the personal information is collected.
3.4 Where it appears that a customer was not informed and did not provide consent with respect to the collection, use, retention of their personal information, Jean Machine will not use the personal information, and will seek the customer's meaningful consent for its use (also in compliance with #4 Customer's Consent), unless 4.2 or 4.3 below applies.
3.5 If Jean Machine intends to use a customer's personal information for any other purpose than stipulated in 3.1 above, Jean Machine will seek the meaningful consent of the customer.
4. CUSTOMER'S CONSENT
4.1 Jean Machine will not collect, use, retain or disclose the customer's personal information without the meaningful consent of the customer, unless 4.2 or 4.3 below applies.
4.2 Jean Machine may collect, use, retain or disclose personal information without the meaningful consent of the customer, where consent may be impossible or inappropriate, such as when the customer is a minor, seriously ill or mentally incapacitated. In such circumstances, Jean Machine will only collect, use, retain, or disclose personal information in these circumstances if it is clearly in the customer's interest and where proper consent cannot be obtained in a timely way.
4.3 Jean Machine may use and disclose personal information without knowledge and consent of the customer to a lawyer representing Jean Machine to collect a debt, comply with a subpoena, warrant, court order, or as may be otherwise required by law.
4.4 Jean Machine will not require a customer to consent to the collection, use, retention or disclosure of personal information as a condition to purchase services or wares from Jean Machine. Jean Machine will only require a customer to consent to the collection, use, retention and disclosure of the customer's personal information for the purpose of the included in Jean Machine direct marketing campaigns.
4.5 The methods in which Jean Machine seeks consent may vary, depending on the circumstances and the type of information collected. Jean Machine will make reasonable efforts to obtain express consent when the information is likely to be considered sensitive.
4.6 A customer may withdraw consent at any time, subject to any legal or contractual restrictions and reasonable notice. Jean Machine will inform the customer of the implications of such withdrawal.
5. LIMITING COLLECTION, USE, RETENTION AND DISCLOSURE
5.1 Personal information by Jean Machine may be made available to an outsourcer. Marketing strategies will be conducted by Jean Machine or its outsourcer.
5.2 Jean Machine will limit the collection of personal information to that which is necessary for the purposes identified in this policy (see #3 Identifying Purposes).
5.3 Jean Machine will limit the use, retention and disclosure as required by its policies and practices.
5.4 Jean Machine will only apply fair and lawful means to collect personal information.
5.5 Jean Machine will not collect personal information indiscriminately.
5.6 Jean Machine will not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
5.7 Jean Machine will only retain the personal information as long as necessary for the purposes it was collected. Jean Machine will purge information as provided for in 11.2 Information-Handling Sub-Policies and Practices below.
5.8 Personal information will be deemed purged or removed where it cease to be personal information (where the information is destroyed, erased, or made anonymous â€“ please refer to the definition of personal information above).
6. CUSTOMER ACCURACY
6.1 Jean Machine is committed to keeping the personal information accurate, complete, and up-to-date as is necessary for the purposes of its collection.
6.2 Jean Machine may request the customer update her or his personal information where it is necessary to fulfil the purposes for which the information was collected.
7. SAFEGUARDING PERSONAL INFORMATION
7.1 Jean Machine will protect customer's personal information by providing security safeguards appropriate to the sensitivity of the information.
7.2 Jean Machine will employ care in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information.
8.1 Jean Machine will make readily available to customers information about its policies and practices relating to the management of personal information.
8.2 Jean Machine will also make available to customers:
a. the name or title, and the address, of the compliance officer who is accountable for the Jean Machine's policies and practices and to whom complaints or inquiries can be forwarded;
b. the means of gaining access to personal information held by Jean Machine;
c. a description of the type of personal information held by Jean Machine, including a general account of its use;
d. a copy of any brochures or other information that explain Jean Machine's policies, standards, or codes; and
e. third parties for processing. Please refer to 11.5.4 for the Compliance Officer's contact information.
9. CUSTOMER ACCESS
9.1 Upon request, Jean Machine will inform a customer of the existence, use, and disclosure of his or her personal information and Jean Machine will give the customer access to that information.
9.2 Jean Machine is committed to providing the customer the opportunity to challenge the accuracy and completeness of that customer's personal information and have it amended as appropriate.
9.3 Where Jean Machine cannot provide access to all the personal information it holds about a customer and that customer inquires as to the reasons, Jean Machine will provide that customer with reasons for denying access. Such circumstances may include where the personal information is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege. Jean Machine will take reasonable efforts to overcome such obstacles.
9.4 Jean Machine may request additional personal information to confirm the identity of the customer wishing to access her or his personal information. The information collected will only be used to verify the identity of the customer and that information will only be retained as a record of verification. That information will not be used for any other unrelated purpose.
9.5 Jean Machine will respond to a customer's request within a reasonable time at no cost, or a minimal fee if warranted (for example, reasonable photocopying charges will be requested if the photocopying is extensive). The requested information will be provided or made available in a form that is generally understandable.
9.6 When a customer demonstrates the inaccuracy or incompleteness of her or his personal information, Jean Machine will amend the information as required. This amendment may involve the correction, deletion, or addition of information, as required.
9.7 When a challenge is not resolved to the satisfaction of the customer, the substance of the unresolved challenge will be recorded by Jean Machine. When appropriate, the existence of the unresolved challenge will be transmitted to outsourcers having access to the information in question.
10. CHALLENGING COMPLIANCE
10.1 Jean Machine has instituted, and will maintain, procedures where an individual may address a challenge to Jean Machine's Compliance Officer concerning compliance with the principles in this policy.
10.2 Jean Machine has instituted, and will maintain, procedures to receive and respond to complaints or inquiries about Jean Machine's policies and practices relating to the handling of personal information.
10.3 Jean Machine will inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures.
10.4 Jean Machine will investigate all complaints. If a complaint is found to be justified, Jean Machine will take appropriate measures, including, if necessary, amending its policies and practices.
11. RELATED PROCEDURES, SUB-POLICIES AND PRACTICES
11.1.1 Related Procedures, Sub-Policies and Practices in this section are divided into:
• (11.2) Information-Handling Sub-Policies and Practices;
• (11.3) Related Staff Sub-Policies and Practices;
• (11.4) Public Dissemination Procedures;
• (11.5) Procedures to Oversee Jean Machine Compliance; and
• (11.6) Procedures to Receive and Respond to Inquiries or Complaints.
11.2 Information-Handling Sub-Policies and Practices
11.2.1 These procedures relate to the collection, use, retention and disclosure of personal information.
11.2.2 Jean Machine will only collect a customer's contact information, including the client's name, address, and e-mail address (see 4.2 or 4.3 above for exceptions).
11.2.3 Jean Machine will identify personal information of a customer to be removed after five (5) years of a customer's personal information being dormant. Personal information will be deemed dormant where a client does not respond to Jean Machine direct marketing campaign, or communicate with Jean Machine in another way for a period of five years.
11.2.4 Once a customer's personal information is identified for removal, Jean Machine will remove the information as soon as practicable, and no longer than thirty (30) days after the customer's personal information has been identified for removal.
11.2.5 Jean Machine will identify a customer's personal information for removal where the customer indicates she or he wishes to opt out or where the customer requests the personal information be removed, unless federal or provincial legislation provides otherwise.
11.2.6 Jean Machine will limit access to a customer's personal information to Jean Machine employees who require access in order to carry out their tasks.
11.2.7 Jean Machine will not provide individual property management with personal information, irrespective whether the information was collected at that participating property.
11.2.8 Jean Machine will limit third party disclosure to Jean Machine's outsourcer, except for those occasions where this limit contravenes federal or provincial law.
11.3 Related Staff Policies and Practices
11.3.1 These procedures involve the training and communicating this policy to Jean Machine employees.
11.3.2 Each Jean Machine employee will be provided a copy of this policy at the beginning of her or his employment.
11.3.3 Each independent contractor or outsourcer, who will be involved in the collection, use, retention or disclosure of personal information ("related contactors") will be provided a copy of this policy at the beginning of their contract.
11.3.4 Changes in policy will be communicated to employees and related contractors in a means selected by the Compliance Officer.
11.3.5 Staff at participating Jean Machine locations will be informed of the purposes of Jean Machine's collection, use, retention and disclosure of personal information.
11.4 Public Dissemination Procedures
11.4.1 These procedures relate to the dissemination of public information to explain these policy and practices.
11.4.2 Jean Machine will provide its policies and practices on its Web site ("online access"). Jean Machine's online access will not require subscription access.
11.5 Procedures to Oversee Jean Machine's Compliance
11.5.1 Jean Machine will designate an individual as a Compliance Officer to oversee the compliance of this policy and applicable federal or provincial legislation.
11.5.2 The Compliance Officer is responsible for the following internal duties:
a To oversee the policies, practices and procedures as they relate to Jean Machine;
b to oversee the dissemination of this policy to Jean Machine employees;
c to make Jean Machine employees aware of the importance of maintaining the confidentiality of personal information;
d to respond to Jean Machine employees' inquiries with respect to the protection of personal information;
e to maintain a publicly-available list of Jean Machine outsourcers.
f to amend this policy to comply with applicable federal or provincial legislation (where an inquiry or complaint demonstrates a flaw with this policy, the Compliance Officer will have this policy amended accordingly); &
g to annually review the safeguards employed by Jean Machine. The Compliance Officer will review safeguards as it relates to the (1) collection, (2) retention and storage, (3) use, and (4) disclosure of personal information. This will include a review of physical measures (such as locking filing cabinets and restricting access to rooms with data servers), technological measures (such as the control of access passwords, and the use of encryption), and organizational measures (such as limiting access of staff involvement).
11.5.3 The Compliance Officer is responsible for the following external duties:
a to maintain a telephone number, postal address, e-mail address dedicated to receiving and responding to inquiries or complaints concerning the collection, use, retention or disclosure of personal information (see 11.5.4 below).
b to timely review and respond to inquiries or complaints by the public. Timeliness will be determined by the complexity of the inquiry or the complaint and reasonableness in responding to such inquiry or complaint;
c to communicate, report, and liase with the Canadian Privacy Commission, where such communication is suggested or required; and
d to ensure that Jean Machine's outsourcers comply with this policy, and any other Jean Machine policy related to the protection of customers' personal information.
11.5.4 The Compliance Officer can be contacted at: Compliance Officer
4069 Gordon Baker Rd.
11.5.5 The Compliance Officer may delegate her or his duties as the Compliance Officer may determine. The Compliance Officer will retain supervisory control over those delegated with the Compliance Officer's responsibilities.
11.5.6 All requests to remove personal information sent to Jean Machine will be forwarded to the Compliance Officer.
11.5.7 Irrespective of the complexity of the inquiry or complaint, the Compliance Officer will ensure that a response is sent to the inquirer or complainant within thirty (30) days of receiving the inquiry or complaint. This response may be an interim response that does not fully satisfy the inquiry or complaint, but the response will provide an explanation of the delay.
11.6 Procedures to Receive and Respond to Inquiries or Complaints
11.6.1 Jean Machine will make reasonable efforts to confirm the identity of the customer who lodges a complaint, inquires, or makes a request with respect to her or his personal information.
11.6.2 Jean Machine will maintain records of all inquiries or complaints by a customer where Jean Machine's response is not to the satisfaction of the customer. Jean Machine will also preserve the personal information, even if it has been identified as personal information to be removed. These procedures are for the customer's protection, to provide the customer an opportunity to request a review by the Canadian Privacy Commission or a related provincial regulator.
LIST OF JEAN MACHINE OUTSOURCERS:
1260 University Street, 5th floor