Imperial Tobacco Canada - Employee Privacy Policy

Employee Privacy Policy

Imperial Tobacco Canada (“ITCAN”) and its Canadian subsidiaries (ITCAN and its Canadian subsidiaries being hereinafter collectively referred as “Imperial Tobacco”, “we”, “us”) are sensitive to the confidential nature of the personal information of their respective employees and recognizes the need for appropriate protection of such information.

The purpose of this policy is to provide principles for the management of personal information in a manner that acknowledges both the right of employees to personal information protection and the need for Imperial Tobacco to collect, use and disclose that information in the course of its employer-employee relationship.

Any violation of this policy will be taken seriously and may result in disciplinary action that may include suspension or dismissal.

1. Scope and application

The British American Tobacco Group (“BAT”) is a family of affiliated companies with operations in more than 180 countries. This policy applies to and governs the activities of Imperial Tobacco and applies only to the personal information concerning individuals who seek to be, are or were employed by Imperial Tobacco or employed by BAT and on a secondment at Imperial Tobacco (collectively the “employee”).

Employee personal information is any information which relates to an employee and allows that employee to be identified, whatever the nature of its medium and whatever the form in which it is accessible, whether written, graphic, taped, filmed, computerized or other. Employee personal information includes, but is not restricted to, such information that is stored on and which can be accessed through the HR systems.

This policy is meant to comply with all applicable Canadian legislation and, when applicable, with the General Data Protection Regulation (“GDPR”). It applies to employee personal information that is in Imperial Tobacco’s possession or that is under its control, including information that it may exchange with other BAT entities and information that it may transfer to a third party for warehousing or processing purposes.

In addition to this policy, Imperial Tobacco has adopted a series of policies in order to address other specific privacy concerns that may affect its employees. Compliance with these policies, as amended from time to time, is mandatory, in particular , the Standards of Business Conduct, the IT Security policy, the IT Security Instructions, the IT Security Instructions for USB Flash Drives, the IT Security Instructions for Wireless Networking, the IT Mobile Devices Policy, IT Security - Temporary Account Reassignment Instructions, the Retention Policy. If you are unsure as to which policies apply to you or if you wish to obtain more information regarding the present policy, please contact Imperial Tobacco’s Privacy Officer, whose contact info appear in section 6 below.

2. Consent

Consent of the employee concerned to the communication or use of his or her personal information must be manifest, free and enlightened. It must be given for specific purposes and in a manner which allows for the employee concerned to understand the nature, purpose and consequences of the collection, use and disclosure of his or her personal information.

Depending on the nature and sensitivity of the personal information, the consent can be express and positive (express and positive consent may be oral, in writing or electronic), or implied (such as providing information voluntarily).

Consent is usually valid for the whole employer-employee relationship although, where indicated, more specific consent could only be valid for the length of time needed to achieve the purposes for which it was requested. Consent can be withdrawn at any time, subject to legal and contractual restrictions and reasonable notice.

Generally, Imperial Tobacco will seek consent for the use or disclosure of employee personal information at the time of collection, except as required or in cases authorized by law.

3. Collection and use of employee personal information

Imperial Tobacco will generally obtain personal information directly  from the employee concerned, orally or by completing a form. However, Imperial Tobacco may also collect personal information from outside sources with the employee’s consent or without his or her consent if the law so authorizes, notably when the collection from a third person is necessary to ensure the accuracy of the information (e.g. background check, investigation, etc.), if the third person is authorized to communicate such information.

Imperial Tobacco collects personal information about its employees that is necessary for the purposes of establishing, managing and maintaining the employment relationship including, but not restricted to, identification information such as name, home address, telephone, email address and date of birth, and:

  •  for determining eligibility for initial employment, including the verification of references and qualifications, and for selection, promotion and management purposes: information about education, training, work experience,  employment history, employment and personal references, initial curriculum vitae or application form submitted for consideration of employment and updated curriculum vitae or form, credit score and criminal files and pre-employment medical exam (when required);
  •  for human resources management and administrative purposes: letters of offer and acceptance of employment, employment contracts and policy sign-off sheets, years of employment record and salary records;
  •  information required for payroll processing including, but not limited to, social insurance number, financial institution and account number;
  •  forms relating to the application for, or with respect to changes to, employee health and welfare benefits including short and long term disability, medical and dental care, health and medical status information, and processing employee work-related claims (e.g. worker compensation, insurance claims, etc.);
  •  information obtained from colleagues, managers and clients on the employee’s behaviour and performance of his or her duties, for example in the course of performance reviews, for determining performance requirements, for establishing training and development requirements, to assess qualifications for a particular job or task and in the course of an investigation, to gather evidence for disciplinary action or termination;
  •  information required for identification and security purposes;
  •  beneficiary and emergency contact information to establish a contact point in the event of an emergency;
  •  any other information required or authorized by law (notably to comply with applicable labour or employment statutes or to compile internal directories);
  •  for accomplishing the above-mentioned purposes with other BAT entities when necessary.

Personal information shall not be used for purposes not relevant to the object of the file except with the consent of the employee concerned or as required or authorized by law.

4. Communication of employee personal information

Imperial Tobacco recognizes that, except in the cases and under the conditions described hereinafter, the communication of personal information generally requires the consent of the employee concerned when the personal information is communicated to a third person.

Access within Imperial Tobacco does not require the consent of the employee concerned but is strictly limited to the persons for whom such information is necessary for the performance of their functions and duties. Similarly, the exchange of employee personal information between Imperial Tobacco and other BAT entities will not require the consent of the employee concerned if it is necessary for them to assist Imperial Tobacco for the purposes of establishing, managing and maintaining the employment relationship.

Imperial Tobacco may also share personal information, without the consent of the employee concerned, with outside agents, mandataries, consultants, data processors, service providers and other parties who require such information in connection with Imperial Tobacco’s activities or to assist Imperial Tobacco with administering the employment relationship. Such agents, mandataries, consultants, data processors, service providers and other parties will ensure that they will use the personal information conveyed by Imperial Tobacco exclusively to provide specific services and that they will keep it confidential in accordance with this policy and return it to Imperial Tobacco once the service has been provided and without keeping any copy.

Imperial Tobacco may also, without the consent of the employee concerned, communicate personal information contained in a file it holds on that person as authorized or required by law. Employee personal information communicated abroad may also be subject to disclosure as required by law.

In each situation where Imperial Tobacco may disclose employee personal information, it will endeavour to not disclose more personal information than is required under the circumstances.

Please note that in the event that the third party to whom Imperial Tobacco discloses employee personal information is located in a foreign jurisdiction, local laws may otherwise allow that information to be accessed by third parties without the consent of the employee concerned.

5. Accuracy and safeguards

Imperial Tobacco has put in place a series of security safeguards to protect employee personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.

These security safeguards may vary given the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored, and include:

  •  physical measures such as:
    limited access to office buildings by non-personnel; locked filing cabinets and restricted access to offices and floors;
  •  organizational measures such as:
    restricted access to employee personal information; authorization to communicate employee personal information, when required; digitization and centralization of certain employee personal information on the SAP system and in HR Department (vault); sensitive information (e.g. information pertaining to employee health and welfare, employee medical files, credit score and criminal records) stored in separate files with limited access;
  •  technological measures such as:
    company computers and laptops protected (certificates, passwords, screen lock, local hard drive encryption, host intrusion prevention system, antivirus, automated patching and group policies); information stored on the SAP system is protected by access codes; limited accesses are granted to employees, managers and third party processors on a “need to know” basis; all accesses to systems, including SAP require proper management approval; IT approved encrypted Flash Devices; off-site third party archiving companies are required to have systems which prevent unauthorized release of confidential information; Imperial Tobacco network is protected by firewalls and its remote access protected via a virtual private network; all passwords are subject to controls: Length, expiration, complexity, lock down policy, history, etc.

Imperial Tobacco takes the necessary measures to ensure that all its managers and employees are advised on the contents of this policy and understand that they are required to conform to it at all times.

Imperial Tobacco further recognizes that it is important to keep personal information accurate, complete and up-to-date and takes reasonable steps to ensure the accuracy and completeness of the personal information it uses to make a decision in relation to the person concerned. However, employees are responsible to inform Imperial Tobacco of any significant change in their personal information which may occur during the course of their employment.

Imperial Tobacco will destroy, erase or make anonymous employee personal information that is no longer required to fulfill the identified purposes, legitimate business purposes or legislative requirements.

When required by law, Imperial Tobacco will notify any competent authority without undue delay of any breach of security if there are reasons to believe that the breach creates a real risk of harm to employees’ personal information and will also notify as soon as possible the employees affected by the security breach. Imperial Tobacco will keep a record of such security breach.

6. Complaint procedure and access and rectification requests

All questions or concerns regarding this policy or about the collection, use and disclosure of employee personal information, including requests for access or rectification, should be made in writing to Imperial Tobacco’s Privacy Officer:

Privacy Officer
Imperial Tobacco Canada Limited
3711, St-Antoine West
Montréal (Québec) H4C 3P6

data_protection_donnees@bat.com

As a general rule, every employee has the right to consult and obtain communication of personal information which concerns him or her and which is contained in a file held by Imperial Tobacco. An employee can also request that information which is inaccurate, incomplete or equivocal be rectified and that information not justified by the purpose of the file be deleted.

Imperial Tobacco will respond to every request for access and rectification within 30 days of receiving the written request. In the event that Imperial cannot provide access to or rectify personal information, it will inform the employee concerned of the reasons why, subject to any legal or regulatory restrictions, and it will provide the person with any recourse available.

If an employee believes that this policy has been violated or has concerns regarding its application, he or she should provide a detailed written complaint to the Privacy Officer as soon as possible. The complaint should include the name of individuals involved as well as the name of any witnesses and other relevant evidence related to the complaint.

Every complaint is confidential and will be investigated by the Privacy Officer. Imperial Tobacco will not retaliate against any employee for complaining or providing evidence in good faith concerning any alleged violation of this policy or any misuse of Imperial Tobacco’s resources. If you are not satisfied with the way Imperial Tobacco respond to your requests or handle your personal information, you may file a complaint to the competent supervisory authority, such as the Commission d’accès à l’information du Québec (http:// www.cai.gouv.qc.ca/  ) or the Office of the Privacy Commissioner of Canada (https:// www.priv.gc.ca/  ).

7. Processing of personal information of employees in the European Economic Area (EEA)

This section only applies to the processing of personal information of employees in the EEA, to the extent that such processing occurs while the employees concerned are in that area and where the processing activities are related to offering goods or services or the monitoring of their behavior that takes place in the EEA. With respect to such processing, the provisions of this section shall take precedence over other provisions of the Privacy policy, insofar as they deviate from each other.

7.1 Consent

If consent is given in a written declaration that relates to other matters, Imperial Tobacco will make sure that the request for consent to the processing of personal information is clearly distinguishable. Imperial Tobacco is required to obtain your explicit consent for the processing of data relating to ethnic origin, a person’s sex life or sexual orientation, political opinions, religious or philosophical beliefs or trade union membership, data concerning health or genetic or biometric data.

7.2 Collection, retention and use of personal information

As stated above, Imperial Tobacco will not keep personal information for longer than necessary to achieve the purposes for which it was collected and Imperial Tobacco will make reasonable efforts to specify in advance the time period during which personal information will be retained, or the criteria used to determine that period.

7.3 Automated decision-making

Imperial Tobacco recognizes that employees have the right to know if their personal information is being processed by an automated decision-making process. Upon request, Imperial Tobacco will provide employees with information about the reasoning behind the automation. Unless otherwise required or authorized by law, employee have the right not to be subjected to a decision based solely on automated decision-making process, if said decision produces legal effect on employees.

7.4 Data protection impact assessment

Imperial Tobacco will carry out a data protection impact assessment prior to using new technologies if it is likely to result in a high risk to the rights and freedoms of employees, including the right to privacy.

7.5 Right to erasure

If the law so authorizes, employees have the right to obtain from Imperial Tobacco the erasure of their personal information without undue delay.

7.6 Accuracy and safeguards

Imperial Tobacco will implement, before the collection of personal information, appropriate technical and organizational measures such as pseudonymisation and data minimisation.

Imperial Tobacco only shares personal information with other BAT entities or outside agents, mandataries, consultants, data processors or service providers which provide sufficient guarantees that appropriate safeguards are in place to protect employees’ personal information. The processing of personal information by BAT or outside agents, mandataries, consultants, data processors or service providers is governed by a contract or another legal document.

7.7 Accountability

Imperial Tobacco ensure it can account for and demonstrate compliance with the GDPR in its processing of personal information. This is notably achieved by maintaining a record of processing when applicable, and training its employees on data protection compliance.

7.8 Complaint procedures, right of access and rectification

Imperial Tobacco will facilitate the right of employees to access, rectify and obtain their personal information. Employees can always obtain from Imperial Tobacco a confirmation as to whether or not their personal information is being processed.

Any rectification or erasure request of employees’ personal information shall be communicated to each third party to whom the personal information has been disclosed.

8. Interpretation and policy review

Interpretation of this policy rests with the Privacy Officer. If an inconsistency should arise between this policy and the applicable Canadian privacy laws or GDPR, this policy shall be interpreted to give effect to and comply with such privacy laws and GDPR.

This policy may be updated from time to time. Any update or revision will be promptly made available to all ITCAN employees and other individuals that may have access to ITCAN employee personal information.

Effective the 21 day of December 2012. Last updated on February 23, 2021 (only the Privacy Officer’s title and email address were updated. No other changes were made to this document since the previous update on January 14, 2019).