Protection of personal information
The management of personal information is essential to the services of ARM Collection Agency (hereinafter « ARM »), and we are committed to protecting the confidentiality and security of the personal information we collect in the course of our debt collection and recovery operations, whether this information relates to our customers, their respective clientele, or members of our staff. We manage this information with the utmost discretion and rigor, and in compliance with applicable legal, regulatory and contractual requirements.
Our protection of personal information is supported by our ethical rules, standards of conduct and various information security policies and procedures. As such, ARM holds PCI and SOC2 type 2 certifications. Through these certifications, ARM wishes to demonstrate both its rigor and its commitment to diligently managing information security, including the protection of personal information.
This policy describes the principles and practices that ARM follows in handling personal information. It applies to ARM, its employees and its service providers.
ARM is responsible for the protection of personal information in its possession and control, including any personal information that has been transferred to a third party for regulatory, legal or processing purposes. All our employees, subcontractors and suppliers are therefore responsible for complying with our privacy principles and practices.
We make our employees aware of the importance of protecting personal information by requiring them to sign a confidentiality undertaking when they are hired, as well as all our information security policies. In addition, we provide our employees with regular training on this subject, and issue clear directives outlining their role and obligations in this respect.
Specifically, ARM has appointed a Privacy Officer to oversee privacy governance. This function is assumed by the company’s Chief Executive Officer.
In addition, under the terms of our Information Security Policy, the protection of personal information and information security are the responsibility of various stakeholders, namely: Advisory Committee, Chief Security Officer, Director of Human Resources, Director of Legal Affairs, Physical Security Officer, Application Security Officer, IT Security Officer and finally, the Privacy and Security Team.
What is personal information?
It is any information about an identifiable individual or that, taken separately or in combination with other data, allows an individual to be identified. This includes, but is not limited to, a person’s name, address, e-mail address, telephone number, gender, banking information, employment, health or other information. This notion excludes the name and title of an employee of an organization, and the addresses and telephone numbers of his or her place of work. It also excludes information relating to corporations and other legal entities.
Personal information is protected regardless of the medium in which it is held or its form: written, graphic, audiovisual, computerized or other.
Collection of personal information
ARM collects personal information about its customers, its customers’ debtors (hereinafter referred to as « debtor »), and its candidates and employees.
The information collected depends on the status of the person being collected:
- Customer: information on their organization and members, banking information, financial information relating to the management of accounts receivable, the extent of their bad debts, as well as details of various internal processes. This information is collected directly from the data subject during interactions (telephone, e-mail, SMS, etc.) or when using our secure Customer Portal. We also collect data on physical access to our premises.
- Debtor: details of debts owed, name, date of birth, telephone numbers, address, e-mail address, social insurance number, driver’s license, vehicle registration, banking and financial data, credit report, credit card number, employment information and any other relevant information enabling us to trace the debtor, contact him/her and proceed with the collection and recovery of debts owed. This information is obtained from our customers, credit bureaus and reporting agencies, or directly from the debtor during various interactions (telephone, e-mail, SMS, etc.) or when using our secure debtor portal. They may also be collected when consulting publicly available sources, registers or media.
- Candidate: name, contact details, previous jobs, date of birth, current address, previous addresses, telephone number, e-mail address, curriculum vitae, credit record. We also collect data on physical access to our premises. This personal information is obtained directly from the person concerned when he or she submits a job application via our website or other job posting sites, by e-mail or in person when completing authorization and consent forms. The information collected is used only if the person’s application is accepted. Otherwise, the information collected is securely destroyed.
- Employee: name, contact details, date of birth, current address, previous addresses, telephone number, e-mail address, curriculum vitae, previous jobs, credit record, diplomas, skills cards, work permits, social insurance number, banking information. Other information may be collected sporadically for as long as the employment relationship lasts, and is consolidated in the employee’s file (data relating to working conditions, training, performance evaluation, absenteeism follow-up, accident report, disciplinary and administrative notes, medical information for absenteeism management or in the event of a request for accommodation). We also collect data on physical access to our premises.
ARM limits the amount and type of personal information it collects to that which is necessary for the company’s business, for the fulfillment of the purpose for which it is collected, and as permitted by law.
We collect personal information for the following purposes:
- Identify the contact or user of an online service ;
- Manage our customers’ files, from opening to closing;
- To provide debt collection and recovery services and to administer and perform our services (identify, trace and contact debtors in order to collect and recover debts);
- Marketing and business development activities;
- To recruit candidates, i.e. to enable us to process job applications and assess the suitability of the candidate’s profile to the requirements of the position. Regardless of the position, all candidates must share sufficient personal information with us to enable us to prove their identity, detect any criminal or penal offenses, establish their financial health, where applicable, and take up references from previous employers;
- Manage our employees’ working conditions, training activities, performance appraisals, absenteeism, accident reports, disciplinary and administrative measures, termination of employment – in other words, all aspects of human resources management;
- Collect payments owed to us;
- Any other purpose identified at or before the time personal information is collected.
Use of the ARM website
Data exchanged automatically when accessing the site
When a person accesses the www.agencederecouvrement.com website, their computer and the ARM server automatically exchange data, without their intervention. This exchange in no way identifies the user personally. Rather, it is necessary for the server to send her a file compatible with the computer equipment she is using. The data exchanged is as follows:
- identification of your Internet service provider (domain name);
- IP address, the numerical address that identifies and locates your computer;
- browser (Chrome, Explorer, etc.) and operating system (Windows, Mac OS, etc.);
- date and time of access to the site;
- Web pages visited;
- address of the site that directed the person to our website, if applicable
This information is used in anonymous form for statistical purposes, in particular to count the number of visitors and identify the pages consulted.
You can deactivate cookies by modifying your browser settings. However, deactivating cookies may affect certain functions on our website.
Links to external sites
Retention, use, disclosure and destruction of personal information
Except as otherwise permitted or required by applicable law or regulation, ARM retains personal information only as long as necessary for the fulfillment of the purposes for which it was collected, including satisfying any legal, accounting or notice requirements of the appropriate governmental and regulatory authorities, all in accordance with our Data Retention and Destruction Guide.
The personal information we hold is recorded in a file whose purpose differs according to the status of the person concerned (customer, debtor, candidate, employee).
The vast majority of personal information held by ARM is consolidated on secure servers and computer directories. We take physical precautions to ensure that the servers and computer directories on which personal information is hosted and archived are secure, and that access to these servers is protected. Encryption is also used to protect personal information.
Paper-based personal information is kept in a locked filing cabinet or locked office.
We take and apply the necessary and appropriate security measures to ensure the confidentiality of personal information in our possession (physical, organizational, contractual and technological measures).
We ensure that the personal information contained in our files is accessible only to those persons who have a right to know about it and who consult it only when necessary for the performance of their duties (principle of minimal right of access).
Our access management model (network, applications and physical access) is based on this principle of minimum access rights. These are granted in accordance with an access profile charter, according to what is necessary for the strict performance of tasks, both for employees and for third parties. Each user therefore has the accesses specific to his or her profile, as well as certain specific accesses, if applicable. Each member is responsible for the diligent use of his or her accesses.
ARM educates and trains its employees about their obligations to protect personal information, and requires its third-party suppliers to take similar protective measures.
We will only use personal information for the purpose for which it was collected, unless the individual to whom the information relates has given consent to use it for another purpose or as required by law.
ARM will not communicate personal information contained in a person’s file to a third party unless the person consents in writing or unless the Act respecting the protection of personal information in the private sector, or any other applicable law, provides for the right to communicate such information without the person’s consent. For example, ARM is entitled to communicate personal information concerning a debtor without the debtor’s consent, since the information is required for the purposes of collecting a debt for another party, and ARM requires it for this purpose in the performance of its duties.
Any transfer of personal information, whether authorized or permitted by law, is carried out in accordance with our Information Transfer Policy, the purpose of which is to ensure the security of information and software when exchanged within or outside the company.
ARM has a legal obligation to take appropriate security measures to ensure the protection of information, even when it is destroyed. The appropriate means of destroying a document or piece of information depends on the nature of its medium.
- Information contained in operational databases: ARM’s preferred method for destroying personal information entered in its SQL database is to desensitize the information, i.e. to remove all personal information from accounts created for the purpose of anonymization.
- Information contained in a recorded call: Calls are deleted by the network administrator after obtaining specifications from the IT Security Manager.
- Information recorded on paper: This is stored in a locked cabinet, maintained by a specialized company that certifies the destruction of the information.
Consent to the collection, use or disclosure of personal information
ARM considers that an individual’s consent to the collection, use or disclosure of personal information about him or her will be validly provided if i) it is given expressly by written or oral acquiescence, or ii) if the individual voluntarily provides personal information about him or her for an obvious purpose.
In some cases, ARM may collect and disclose personal information about an individual without consent, in accordance with the Act respecting the protection of personal information in the private sector or any other applicable legislation. For example, ARM is entitled to collect and communicate personal information about a debtor without the debtor’s consent because the information is required for the purposes of collecting a debt for another party and ARM requires it for this purpose in the performance of its duties.
ARM uses reasonable efforts to maintain the accuracy of the personal information it holds and to ensure that it is complete and up-to-date.
ARM collects personal information about its customers and employees directly from them. As such, we regularly ask them to update or correct their personal information via their Secure Portal (customers) or Dashboard (employees), as the case may be, or to .
ARM also asks its customers to communicate any relevant changes or updates to their debtors’ personal information.
Right of access and rectification
An individual has the right to access his or her personal information held by ARM. Requests for access should be made in writing to Mr. Jean-François Gingras, President and Chief Executive Officer and Privacy Officer, by mail at 795, 5e Rue de la Pointe, C.P. 151, Shawinigan (Québec) G9N 1G2 or by e-mail at firstname.lastname@example.org.
This request must be detailed enough to identify the documents containing the personal information to which the person wishes to have access.
The Privacy Officer may need to validate the identity of the signatory and the status of the request.
Certain fees may apply for access to personal information (transcription, reproduction or transmission).
An individual also has the right to ask ARM to rectify any personal information it holds about him or her, by contacting Mr. Jean-François Gingras, President and Chief Executive Officer and Privacy Officer, by e-mail at email@example.com or by telephone at 1 866 343-3327 (toll-free).
Withdrawal of consent
Once an individual has given his or her consent to the collection, use and transfer of his or her personal information, he or she has the right to withdraw that consent, as the case may be, by contacting Mr. Jean-François Gingras, Chief Executive Officer and Privacy Officer, by e-mail at firstname.lastname@example.org or by telephone at 1 866 343-3327 (toll-free).
In such a case, ARM may no longer be able to provide the service requested, implement instructions or follow up on a contract entered into. In such a case, we will notify the person concerned should this situation arise. The same applies if a person refuses to provide personal information concerning him or her.
Any individual who has a question, concern or complaint regarding the protection of his or her personal information or ARM’s privacy practices may do so in the following manner:
By contacting Mr. Jean-François Gingras, Chief Executive Officer and Privacy Officer, and providing his name, contact information, the nature of the request or complaint and any other relevant information.
Jean-Francois Gingras, President and General Manager
795, 5e Rue de la Pointe. P.O. BOX 151
Shawinigan (Quebec) G9N 1G2
or by email: email@example.com
You can also contact the appropriate provincial or federal agency responsible for privacy protection.
We reserve the right to modify this policy at any time.
Revised on : September 20, 2023