Policies for managing and protecting personal information

The personal information Donati Maisonneuve collects is used only in the course of its professional activities, solely to provide the services requested and in accordance with legal requirements. We never sell the personal information we hold.

Personal information is any information concerning a natural person that allows that person to be identified, directly or indirectly, and that is not public information under the Act respecting the protection of personal information in the private sector.

The reasons why this information is needed are explained to clients in order to obtain their informed consent.

Our policies for managing and protecting personal information

The following policies are intended to provide a general framework for the protection of personal information concerning the firm’s members, its consultants and service providers, as well as the firm’s customers, suppliers and business partners, in compliance with the laws and regulations applicable to the firm.

We are committed to protecting the personal and confidential information collected in the course of carrying out the mandates entrusted to us and to ensuring the security of the information held by implementing security measures appropriate to the circumstances.

To this end, we have adopted policies outlining our governance of this personal and confidential information to ensure its protection. Detailed information on these policies is provided below.

The personal and confidential information thus protected includes its physical or technological medium as well as the information system or technology by which such information is processed, transmitted or stored for the purposes of its intended use (the “Information”).

Our policies apply to our employees, lawyers, associates, consultants, suppliers and business partners (the “Users”).

1. Confidentiality and protection of personal information policy

Information collected

Depending on the specific needs of a mandate, the Information we collect from the client or from third parties may be, for example, the client’s surname, first name, date of birth, postal address, e-mail address, telephone number, credit card number or banking information, passport number, driver’s licence, health or social insurance number and any other information relevant to the performance of the service contract and mandate.

Collection method

Information may be collected in person, via secure file/folder sharing platforms, by e-mail, through forms or by telephone. It may also be collected from third parties, with your consent, and from parties involved in mandates entrusted to us.

Purposes for which Information is collected

We collect the Information necessary to identify the client, to communicate with the client, to offer a service or carry out the mandate in a personalized way, to process the payment of invoices, to invite the client to participate in training, to improve the services rendered or to accomplish any other purpose authorized by law.

Disclosure of Information to third parties

As part of the mandate or service contract, we may communicate the Information obtained to Users in Quebec and outside Quebec, as well as to other parties involved in the mandates entrusted to us. In all cases, the Information is communicated solely for the principal and legitimate purpose for which it was collected, or for purposes compatible with that purpose.

Storage and destruction of Information

All Information collected, regardless of the medium, is stored in an environment secured against unauthorized access. Information is retained for the period necessary to fulfill the purposes for which it was collected and to comply with our legal obligations. Information will then be destroyed in accordance with applicable laws.

Right of access and rectification

Clients may have access to Information concerning them. Clients may also request that Information be corrected or destroyed. Such a request may be made to the person in charge of the protection of personal information.

Right to withdraw consent

Clients may withdraw their consent to the collection, use and retention of their Information by contacting the person in charge of the protection of personal information.

Consent may be withdrawn at any time, subject to legal and contractual restrictions and reasonable notice. In some cases, if consent is withdrawn, the firm may no longer be able to maintain its relationship with the client or provide certain products or services.


Cookies are used during visits to our Web site to identify, for example, the type of browser used, the preferred language, the referring site, and the date and time of the visit to the site. This data is collected in order to better understand how users use our website and to improve its efficiency.

A consent banner is automatically displayed on arrival at our website to allow users to activate cookies.

Information security

All Information collected, regardless of the medium, is kept in an environment secured against unauthorized access, disclosure, copying, use or modification, as well as against loss or theft.

These security measures include the use of firewalls and secured servers, encryption, the deployment of appropriate access rights management systems and procedures, careful selection of processors and training of our personnel who have access to Information in the course of their duties.

Confidentiality incident

Despite our best efforts, no method of electronic transmission or storage is completely secure. As a result, we cannot guarantee the security of any Information transmitted to us, or that such Information will not be obtained, accessed, disclosed, altered or destroyed as a result of a breach of security and protection measures.

In the event of an incident affecting the protection of personal information, we undertake to take the measures required to reduce the risk of harm being caused and to prevent further incidents of a similar nature from occurring, in accordance with the Information security incident management policy set out below.

Person in charge of the protection of personal information

Donati Maisonneuve’s Managing partner is in charge of the protection of personal information and can be contacted at the following contact details:

René Vallerand
2000, McGill College Avenue
Suite 2150
Montréal, Québec
H3A 3H3

Direct line: 514-499-7481

2. Information security policy

This policy defines the responsibility of each User, depending on the circumstances and the degree of sensitivity of the Information to which they have access, to ensure its protection and reasonable and appropriate use, to reduce the risk of incidents and to minimize their effects, where applicable.

Therefore, Users formally undertake not to disclose or use the Information for any purpose other than in the performance of their duties and in compliance with professional secrecy, and not to disclose it without first obtaining the consent of the person about whom the information is held or of his or her representative, unless authorized to do so by law.

Users also commit to accessing Information only in the context of Donati Maisonneuve’s operations and only through tools provided and approved by Donati Maisonneuve. Users shall not attempt to access or store Information on systems other than those provided by us or using commercial cloud services not approved by us.

Users must use robust passwords and take all necessary measures to prevent unauthorized disclosure of these passwords. Unattended laptops, cell phones and other IT tools must be physically secured and inaccessible to unauthorized persons.

We provide reasonable and appropriate physical and electronic safeguards to prevent unauthorized access to Information, both in our physical facilities and in our computing environment. Two-factor authentication of the User is used for remote access.

When Information must be shared with an agent, supplier, subcontractor or consultant in the performance of our duties or in the execution of a professional mandate, we obtain, prior to any access on their part, a written undertaking to take the necessary measures to ensure the confidentiality and integrity of the Information within the meaning of our Information security policy and applicable laws, and not to retain any Information beyond the period required by the mandate or contract.

3. Information security incident management policy

An information security incident (“Incident”) means an event that compromises or is likely to compromise the availability, integrity or confidentiality of information held by Donati Maisonneuve, including the Information.

Applied in conjunction with our Information security policy, the objective of this policy is to ensure, in a reasonable manner given the circumstances, that every potential, apprehended or actual information security Incident is detected, identified, reported, contained, documented, analyzed and promptly remedied, in accordance with legal requirements, so as to minimize any negative impact.

Therefore, any real or suspected Incident must be reported to the policy manager and Donati Maisonneuve’s IT department. Examples include access to information or computer systems by an unauthorized person, physical access to a secure or sensitive area, unauthorized sharing of login IDs or passwords, loss of a device containing information, hacking, software or hardware malfunctions, or sending information to the wrong recipient.

This report triggers an investigation to gather all relevant information, assess the seriousness of the Incident and promptly take all reasonable and appropriate corrective measures required, if any, to contain any actual or potential breach of Information security without delay. When the Incident is contained and the Information secured, an assessment of the extent and impact of the Incident is made after full investigation and collection of any information that can be gathered. Once the cause of the Incident has been identified, a remediation strategy is planned and implemented.

This policy also covers the manner in which affected persons will be notified if the Incident presents a risk of serious harm to them. Thus, in the event that a client’s Information has been compromised, a written notice will be sent to the client within a maximum of thirty days, providing, in particular, a general description of the Incident, a list of the compromised Information, a description of the measures we have taken to protect the Information and prevent the occurrence of a similar Incident, and the contact details of the person who can be reached to obtain further information. A notice will also be sent to the Commission d’accès à l’information.

4. File closing policy

Information obtained and held by Donati Maisonneuve is for the purposes of the professional mandates entrusted to it and for the management and day-to-day operations of the company.

Information obtained and held for the purposes of entrusted professional mandates must be kept in each of the files opened specifically for each mandate and used to provide the agreed professional services.

Our lawyers’ professional obligations require us to keep a copy of the file, including the Information, for a period of seven (7) years after the end of the mandate entrusted to the firm. Once this period has elapsed, the file and the Information it contains are securely destroyed.