GUIDELINE: PROTECTION OF PERSONAL INFORMATION

​

One of the fundamental rights proclaimed by the Charter of Human Rights and Freedoms is the right to respect for privacy. Every person has the right to control access to and the sharing of information concerning them. If a broker uses SMS, MMS, or RCS messages as the preferred method of communication with collaborating brokers and buyers, the exchanges must not include sensitive information related to the transaction or the disclosure of personal information.

​

The Real Estate Brokerage Act and its regulations, the Civil Code of Quebec, and the Act on the Protection of Personal Information in the Private Sector (Private Sector Act) set out specific obligations for license holders regarding the protection of personal information. In addition, license holders must also comply with the Act on the Protection of Personal Information and Electronic Documents, which governs the communication of personal information outside Quebec.

​

A license holder who does not comply with these rules may be subject to sanctions both ethically and in terms of civil and criminal liability.

1. Personal Information

Personal information is any information about an individual that allows them to be identified, directly or indirectly. Personal information can be held in various forms: written (paper document, email, text message), audio (conversation recording, voicemail), or visual (photo, video).

​

2. Role and Responsibility of the Agency's Director

The Director of the Agency (DA) is responsible for the protection of personal information within the agency. However, this function may be delegated to a third party. This person must possess the necessary competencies and have decision-making authority related to their role.

The title and contact details of the person responsible for the protection of personal information must be published on the agency's website or, if no website exists, made accessible through any other appropriate means.

​

The agency is the legal "holder" of the personal information. Therefore, the broker acting on behalf of the agency must immediately transmit all the information they collect during a mandate to the agency. While the broker may retain a copy of the information during the course of the mandate, they must immediately destroy their copy when the information is no longer necessary for the execution of their duties (for example, after the real estate transaction is completed or after the offer to purchase is refused, etc.). Before destruction, the broker must ensure that all documents and information (including emails and text messages) have been forwarded to the agency or stored in the agency's document management system (GED).

​

2.1 Policy and Procedure for Processing Complaints Regarding the Protection of Personal Information :

Means: Personal information is collected by ZAX and/or the broker in the following ways: voluntarily, when such personal information is provided to an employee or an authorized representative via your chosen method; automatically, through your connection to our website or via cookies; or through web forms, for instance, when you create a user account.

​

Purposes: Personal information is collected and used for the following purposes by ZAX and/or the broker : Allow clients to create a user account to personalize their browsing experience on the agency's and/or the broker's website ; Save your preferences and send notifications to provide you with specific information during your use of the agency's and broker’s websites ; Connect you with the agency in relation to your interest in acquiring or renting a property ; Generally communicate with you to provide various information, offer products and/or services that may interest you ; Conduct periodic follow-ups to ensure you are satisfied with the various programs and tools deployed by ZAX and the broker ; Develop, improve, and promote the different programs and tools deployed by ZAX, including generating and publishing depersonalized statistical data from personal information of multiple clients ; Evaluate the effectiveness of ZAX's efforts to acquire visitors to the agency’s and broker’s websites ; Assess which information offered by ZAX and which actions it takes generate interest among visitors to the agency's and/or the broker's websites ; Improve the performance of the agency’s and broker’s websites and their effectiveness in retaining visitors ; Identify the legislative framework to which the personal information of website visitors is subject ; Manage and account for ZAX’s operations ; Fulfill our legal and contractual obligations as your employer or service provider ; If applicable, review your job or engagement application with ZAX.

​​

Communications: Personal information is shared with the following entities : ZAX employees and representatives who need access to this personal information in pursuit of the purposes mentioned above ; External service providers of ZAX ; Any other person or entity when required or permitted by applicable legislation, or with the consent of the concerned client.

​

Your Rights: You have the right to access, correct, and withdraw consent for the use of your personal information. For more details on how to exercise your rights, please refer to sections 9 and 10 of this Policy. You can also file a complaint by following the instructions outlined in section 11 of this Policy.

​

Consent: By providing one or more pieces of personal information to ZAX through (i) direct or indirect contact with an authorized representative of ZAX; (ii) your use of the ZAX website and/or (iii) your authorization for a ZAX partner to transmit such information to ZAX, you consent to ZAX collecting, using, sharing, and retaining your personal information in accordance with the terms, conditions, and provisions of this Policy.

Details: This Policy outlines the measures and practices implemented by ZAX to govern the protection of personal information and safeguard the personal information of its clients—individuals from whom ZAX collects personal information through direct or indirect contact with an authorized representative of ZAX, or through the agency’s or broker's website.

​

In this Policy, the term "personal information" refers to any information collected by ZAX and the broker that allows, either alone or in combination with other information, the direct or indirect identification of a client.

​

The purpose of this Policy is primarily to inform clients about : The means used by ZAX to collect personal information ; The nature of the personal information collected by ZAX and the purposes for which it is collected ; How ZAX may use personal information and the third parties to whom ZAX may disclose this information, if applicable ; The rights you have regarding the personal information collected by ZAX, including your right to access your personal information or request the correction of any inaccurate personal information, if applicable ; The security measures implemented by ZAX to protect the confidentiality of personal information ; How personal information is stored, destroyed, and/or anonymized ; How you can contact ZAX to address questions, share comments, or, if applicable, file a complaint related to this Policy. 

​​

By providing one or more pieces of personal information to ZAX through (i) direct or indirect contact with an authorized representative of ZAX; (ii) your use of the agency's and/or broker’s website; and/or (iii) your authorization for a ZAX partner to share such information with ZAX, you expressly consent to ZAX collecting, using, sharing, and retaining this personal information in accordance with the terms, conditions, and provisions of this Policy.

​

ZAX reserves the right to modify the terms, conditions, and provisions outlined in this Policy at any time and at its sole discretion. In such a case, ZAX will provide you with a version of this Policy reflecting the changes made. Your use of the agency’s and broker’s websites following receipt of this updated version will be deemed to constitute your express acceptance of the changes made.

​

This Policy, as well as any modified versions of it, is subject to the applicable laws of the province of Quebec.

​

1. How does ZAX collect personal information?

ZAX collects personal information through the following means: (i) when such personal information is voluntarily provided to an employee or authorized representative of ZAX, and (ii) when you use the agency’s and broker’s website. In general, the purpose of the agency’s and broker’s websites is to provide information related to ZAX, including, among other things, its mission, history, activities, achievements, programs, tools, involvement, partners, and affiliated entities. However, like any other website, the agency’s and broker’s websites need to collect certain personal information in order to allow access to those wishing to use the websites and to fulfill the purposes identified in section 4 related to the websites.

As such, personal information provided during your use of the agency's and broker’s websites may be submitted directly by the visitor (for example, if they complete a web form or send an email) or collected automatically (see the list of personal information automatically collected in section 3).

2. What personal information does ZAX collect?

​

The personal information that ZAX may collect includes :

Personal information you provide when creating your user account on the agency’s and broker’s websites (your first name, last name, email address, preferred language) ; Personal information you provide to be connected with the agency (your first name, last name, and phone number) ; Your exchanges and communication history with us (call recordings, email communications, or communications through third-party platforms) ;

Personal information generated by you during your use of the agency's and broker's websites (consent evidence, complaints, notices, information requests, comments, responses to surveys, and personalized messages when contacting the agency) ; Personal information provided as part of a job application or engagement with ZAX (your first name, last name, contact details (home address, email address, phone number), gender (or gender identity), date of birth, languages spoken, citizenship, educational background, work experience, and professional affiliations) ; Personal information that you are required or invited to provide to ZAX due to the nature of your relationship with the company (for example, employees must provide their social insurance number and certain financial information, while administrators must provide identification documents in accordance with the law aimed primarily at improving business transparency) ; Personal information automatically collected during your use of the agency’s and broker’s websites (see section 3).

​​

3. Personal Information Collected Automatically or Through Cookies
To ensure the functionality of the agency’s and broker’s websites, as well as for the purposes outlined below, ZAX collects the following personal information from clients visiting the agency’s and broker’s websites : The domain name of their Internet service provider ; Their IP address ; Their browser (e.g., Explorer, Firefox) and operating system (e.g., Windows, Mac OS) ; The date and time of their visit ; Their country of origin ; The pages they viewed and the time spent on those pages ; The referring site address ; Crash data.

​

All of this information is automatically collected as soon as a client connects to the agency's and broker’s websites. Some of this personal information is collected through the placement of temporary cookies or "web beacons" (sometimes referred to as "invisible pixels"). These files or beacons also allow us to improve the performance of the agency’s and broker’s websites and certain features.

​

4. Why does ZAX collect personal information?
ZAX collects your personal information for the following purposes : Allow clients to create a user account to personalize their browsing experience on the agency’s and broker’s websites ; During your use of the agency’s and broker’s websites, save your preferences and send notifications to provide you with specific information. In doing so, ZAX uses technology to perform profiling, with functions that need to be activated by the client from the agency’s and broker’s websites by clicking the "Notification Settings" hyperlink that appears after clicking on your user profile icon (in the top right corner of the agency’s and broker’s websites) ; Connect you with the agency regarding your interest in purchasing or renting a property ; Generally communicate with you to provide various information related to different programs and tools deployed by ZAX and offer products and/or services that may interest you ; Conduct periodic follow-ups to ensure you are satisfied with the various programs and tools deployed by ZAX ; Develop, improve, and promote the different programs and tools deployed by ZAX, including generating and publishing depersonalized statistical data from personal information collected from multiple clients ; Evaluate the effectiveness of ZAX's efforts to acquire visitors to the agency’s and broker’s websites ; Evaluate which information offered by ZAX and which efforts generate interest among visitors to the agency’s and broker’s websites ; Identify which actions of our partner sites helped acquire visitors to the agency’s and broker’s websites ; Improve the performance of the agency’s and broker’s websites and their effectiveness in retaining visitors ; Identify the legal framework to which the personal information of visitors to the agency’s and broker’s websites is subject ; Fulfill our legal and contractual obligations as your employer or service provider ; If applicable, review your job application or engagement request with ZAX.

​

Subject to exceptions provided by applicable legislation, ZAX will ensure to obtain your consent before using your personal information for purposes other than those listed above. Please note that you are responsible for obtaining consent from any individual before providing ZAX with their personal information, including family members. In this regard, ZAX does not knowingly collect personal information about minors under the age of fourteen (14) unless (i) consent has been obtained from the person holding parental authority or the guardian, as applicable, or (ii) the collection is clearly for the benefit of the minor concerned.

​

5. Who may ZAX share your personal information with?
In general, ZAX uses its clients’ personal information for internal purposes only. However, ZAX may share your personal information with the following individuals or entities : Its employees and representatives who need access to this personal information to fulfill the purposes listed in section 4 above ; Its partners and external service providers with whom ZAX has a contractual agreement under which the external service provider is required to take appropriate measures to : Ensure the confidentiality of the shared personal information ; Ensure that the personal information is only used for the purpose of performing the services provided to ZAX ; Ensure that the shared personal information is not retained after the termination of the contractual agreement ; Notify ZAX promptly of any breach or attempt to breach any obligation relating to the confidentiality of the shared personal information ; Allow ZAX to perform any checks related to the confidentiality of the shared personal information.

​

For example, the service provider hosting and maintaining the agency’s and broker’s websites may have access to personal information in the specific course of providing services under a contractual agreement with ZAX. Any other person or entity when required or permitted by applicable law, or with the consent of the client concerned. It is possible that ZAX may share your personal information with entities from the categories listed above that are located outside the boundaries of the province of Quebec. However, ZAX will only do so if a privacy impact assessment shows that the receiving party can ensure adequate protection of the personal information, especially with regard to generally recognized privacy protection principles. In such cases, ZAX will contractually require the entity receiving your personal information to comply with various conditions ensuring the protection of your personal information, including but not limited to all the conditions outlined in section 5(2).

​

6. How does ZAX and the broker protect the confidentiality of your personal information?
ZAX takes appropriate physical, technological, and administrative protection measures to safeguard your personal information and reduce the risks of unauthorized and/or illegal access, use, disclosure, and destruction.

​

Without limiting the generality of the above, ZAX : Verifies the identity and criminal background of all its employees ; Has implemented governance policies such as a policy for the collection, retention, and destruction of personal information, a telecommuting policy, and an IT usage policy ; Stores personal information on secure physical and technological devices located in locked premises, accessible only to authorized ZAX employees ; Stores personal information on secure backups located within Quebec ; Limits access to your personal information to authorized personnel who need such access for one or more purposes listed in section 4 of this Policy.

​

In addition, the agency's and broker’s websites are equipped with certain security mechanisms designed to protect your personal information, including : All exchanges between ZAX’s servers and user devices are encrypted ; All user passwords are encrypted ; ZAX’s IT service provider is required to adhere to various security obligations, including periodic validation of security practices and processes and continuous monitoring and updating of the software components of the agency’s and broker’s websites.

​

All privacy settings applicable to your use of the agency’s and broker’s websites are set by default to the highest level of confidentiality, without any action required on your part. Any technology enabling profiling is therefore disabled by default and will only be activated if you expressly consent. Please note that these principles do not apply to login cookies, web beacons, and log files, which are addressed in section 3 of this Policy.

​

7. What measures has ZAX implemented regarding confidentiality incidents?
ZAX maintains a record of confidentiality incidents in compliance with applicable legislation. In the event of a confidentiality incident that presents a risk of serious harm to you, ZAX will take the necessary measures to notify you in accordance with the applicable legislation. The assessment of the risk of serious harm is made considering factors such as the sensitivity of the personal information involved in the confidentiality incident, the anticipated consequences of its use, and the likelihood that it will be used for harmful purposes.

​

8. How long does ZAX retain your personal information?
In accordance with our secure retention and destruction procedures, we only retain your personal information for as long as necessary to fulfill the purposes listed in section 4 of this Policy or for the duration required to comply with our statutory obligations, whichever is later.

ZAX reserves the right to close a client’s file where no administrative action has been taken for a consecutive period of at least three (3) years, or in the case of ZAX employees, for a consecutive period of at least seven (7) years from the end of employment, subject to any statutory obligation requiring a different retention period. The closure of a file entails the complete and final destruction of the personal information it contains or its anonymization for legitimate and serious purposes. In the case of the closure of a file related to a client who is not an employee or representative of ZAX, the personal information it contains will be destroyed or anonymized after a period of 7 years following the closure of said file.

In this Policy, the term "anonymization" refers to the process whereby personal information no longer allows the direct or indirect identification of the client it relates to, in an irreversible manner.

​

9. How can you access, rectify, update, and/or obtain a copy of your personal information?
ZAX acknowledges the right of its clients to access, rectify, update, and obtain a copy of the personal information concerning them by submitting a written request to ZAX using the contact details provided in section 13 below. If such a written request is submitted to ZAX, we will respond in writing and promptly, no later than thirty (30) days after receiving the request.

​

A request to rectify personal information will be granted under certain circumstances, including : The personal information is inaccurate ; The personal information is outdated ; The personal information is ambiguous ; The personal information is incomplete ; The personal information was collected unjustifiably.

​

In the event that ZAX agrees to any request for a copy of computerized personal information made by a Client, ZAX will ensure that it provides this copy (or to any person or organization authorized by law to collect such personal information, as per the Client's request) in a structured and commonly used technological format. This paragraph does not apply (i) if providing this copy in such a technological format raises serious practical difficulties and/or (ii) with regard to any computerized personal information that was created or inferred from other personal information.

In the event that ZAX refuses to comply with any request for access, correction, or update made by a Client, ZAX will communicate the reasons for the refusal to the Client, as well as the available recourse and the timeframe within which these can be exercised. If requested by the Client, ZAX will also assist in helping the Client understand the reasons for the refusal.

​

In the event that a written request is submitted by a Client, ZAX may also cease the dissemination of any personal information about the Client and/or de-index or re-index, as applicable, any hyperlink associated with the Client's name, subject to the criteria established by the applicable legislation in force at the time.

​

In principle, the exercise of a right by a Client under this section is free of charge. However, reasonable fees may be charged to the Client to cover the costs of transcription, reproduction, or transmission of their personal information. In such cases, the Client will be informed of the fee amount before their request is processed.

​

10. How can you withdraw your consent to the use or communication of your personal information?
Subject to your contractual obligations with ZAX and applicable legislation, you can withdraw or modify your consent to the collection, use, and/or communication of your personal information. To do so, you must submit a written request to ZAX, using the contact details provided in Section 13 below. Please note that withdrawing or modifying your consent may limit or prevent ZAX from providing you with Services, including access to and use of the Agency’s and Broker's websites. Please also note that withdrawing or modifying your consent will have no effect on personal information that has been destroyed or anonymized in accordance with this Policy.

​

11. How to File a Complaint?
You can file a complaint regarding our methods, practices, and policies related to the protection of personal information by writing to our Privacy Officer whose contact details are provided in Section 13 of this Policy. Any complaint will be handled directly by our agency manager and/or the Privacy Officer. A response will be provided within 30 days of the complaint. If the complaint is accepted, a brief summary of the changes made in relation to the subject of the complaint will be provided. If you are not satisfied with the handling of your complaint, you may also contact the Commission d'accès à l'information du Québec. A written complaint can be filed with the Commission by visiting the following page: https://www.cai.gouv.qc.ca/diffusion-de-linformation/services-et-formulaires/.

​

12. ZAX Has No Responsibility or Obligation Regarding Third-Party Products : The Agency and Broker websites may contain links directing to other third-party websites or products and services (collectively, "Third-Party Products"). Third-Party Products may be subject to terms of use and privacy policies that differ from those of ZAX. ZAX cannot be held responsible or liable in any way for the content of the terms of use and/or privacy policies of these Third-Party Products. Without limiting the generality of the foregoing, ZAX has no responsibility or obligation regarding your personal information that may be collected, used, communicated, and stored by any person or entity in connection with your access or use of Third-Party Products.

​

Any link available on the Agency and Broker websites leading to a Third-Party Product does not imply or mean that ZAX assumes or accepts responsibility for the content or use of such Third-Party Product. ZAX makes no representations regarding the quality, safety, suitability, or reliability of Third-Party Products, nor the content or materials they contain. When you access or use Third-Party Products, you should review the terms of use and privacy policy related to those products.

​

13. How Can You Contact ZAX's Privacy Officer?
We are responsible for your personal information. As a result, we have designated an individual to serve as the Privacy Officer within ZAX. To exercise any of your rights, ask questions, provide comments, or file a complaint regarding this Policy or our handling of your personal information, please contact the Privacy Officer at the following details : Attn: Steven A.J. Buck, Agency Executive, ZAX, Real Estate Agency, 2, Place du Commerce, Île-des-Sœurs (Verdun), Québec, H3E 1A1, 450-770-2825. Email: stevenbuck@zax.immo. Please note that ZAX is required to verify your identity before responding to any request, question, comment, or complaint directed to its Privacy Officer.

​

3. Privacy of Personal Information and the Consent Principle
3.1 Essential Principles in Regulation
In accordance with the right to privacy, two essential principles emerge from the regulation and must be adhered to : The default confidentiality of personal information. The necessity of obtaining the consent of the individual concerned for the collection, use, disclosure, and storage of personal information, unless an exception is expressly provided by law. Articles 31 and 33 of the Regulation on the conditions for carrying out a brokerage operation, the ethics of brokers, and advertising reflect this principle of confidentiality : "31. The license holder must respect the confidentiality of information entrusted to them, as well as the secrecy of any personal information collected in the course of their activities, unless an express provision of a law, a court order, or the exercise of their activities exempts them from this obligation. 33. The license holder must take all reasonable steps to ensure that any person they employ or authorize to act on their behalf does not disclose personal information collected in the course of their activities. The license holder must ensure that their tools of work, as well as the records and files they maintain, are installed or stored in such a way as to preserve the confidentiality of the documents or information contained therein."

​

3.2 Valid Consent

At every stage of processing personal information, consent from the concerned individual must be obtained, except in cases explicitly outlined by law. While the law does not explicitly require it, it is strongly recommended to systematically obtain written consent, which allows the license holder, in the event of a dispute, an OACIQ inspection, or a syndic investigation, to demonstrate compliance in this regard. Whether consent is written or verbal, the license holder must document proof of the consent given, such as keeping a telephone recording and written exchanges, as well as noting the date and purpose of the consent.

​

3.2.1 Express, Free, and Informed Consent

Consent must be clear and unequivocal. The concerned person must be aware of the reasons for collecting their information and how it will be used. Since the license holder often collects sensitive personal information related to a client's family or financial situation, consent must be expressed explicitly. The license holder should use social media cautiously. Before writing a post or comment, they should always question the relevance of their publication and verify whether it complies with privacy protection regulations.

​

3.2.2 Consent for Specific Purposes and Limited Duration, in Simple and Clear Terms

Consent must be limited to the purpose of the file and is valid only for the time necessary to achieve the purposes for which it was given. If the consent period has expired or the purposes for which it was granted have been fulfilled, new consent is required to continue using the information. A person cannot give general consent for the unlimited use of their personal information. To ensure the validity of consent, it is better to specify as concretely as possible the purpose of the file and the reasons for collecting the information and disclosing it to third parties, if applicable.

​

3.2.3 Consent for Secondary Use

If the license holder wishes to continue using the personal information after the purpose of the file has been accomplished, explicit and specific consent must be obtained from the concerned individual. For example, this is the case if they wish to send invitations, holiday cards, or birthday cards.

​

Conditions for Valid Consent Regarding the Collection of Personal Information : When consent is requested in writing, the request must be presented separately from any other information communicated to the individual. Consent must be requested for each purpose for which the information is collected. Consent must be written in simple and clear terms and must include specific information. Consent is valid only for the duration necessary to achieve the purposes for which it was requested. At the request of the concerned individual, the license holder must assist them in ensuring they understand the scope of the consent being asked.

​

4. Collection of Personal Information

The license holder is required to collect personal information in several situations, for example: during the client interview, by taking handwritten or computer notes; by using software to record phone conversations; by completing forms (brokerage contract, promise to purchase, seller declarations, etc.). They must always ensure that no one else can overhear their communications with the client during the collection of personal information. It is not recommended to collect personal information in the following situations: during a “hands-free” conversation in a car with another person present; in a public place (e.g., at a restaurant) where conversations may be overheard by third parties. It is particularly discouraged to conduct negotiations in a public place, for example, to fill out a promise to purchase.

​

During property visits: With the increasing presence of smart home surveillance devices (e.g., Google Home, smart home systems, interactive alarm systems, cameras), brokers and their clients may be unknowingly monitored (filmed, recorded) during a visit. Therefore, brokers must exercise extra caution during their conversations and notify clients that such a situation is possible. It is recommended not to exchange confidential or strategic information during property visits.

​

4.1 Principles to Follow

License holders must respect the following principles when collecting personal information : Determine in advance the purposes of collecting personal information: There must be a serious and legitimate interest in collecting personal information about a person. Only necessary personal information, i.e., information that is essential and not merely useful, should be collected. In case of doubt, the license holder should refrain from collecting the information. If the license holder collects personal information for commercial prospecting, only the necessary information for this purpose, such as name and phone contact, may be collected in order to reach potential clients and offer services. If the concerned individual refuses to provide the necessary information for the file's purpose, the license holder may need to refuse to provide services to the person. Under no circumstances should the license holder violate their ethical obligations in this regard.

​

4.2 Duty to Inform During the Collection of Personal Information

In accordance with the principle of transparency, the broker who collects personal information must inform the concerned individual of the information described below and required by law. It is strongly recommended to do this in writing.

​

4.2.1 Mandatory Information

This information must be included in the written consent form that the license holder may have the client sign : The purposes for which personal information must be collected (see section 4.1). For example: the execution of the real estate brokerage contract, submitting a promise to purchase a property, selling a property, identity verification. The right to withdraw consent: The individual must be informed of their right to withdraw consent at any time for the collection of personal information. In this case, if the information is necessary for the execution of the brokerage contract, the license holder has the right to refuse to continue providing services to the individual. The right to access and correct: The individual must be informed of their right to access their personal information held by the license holder and to correct inaccurate, incomplete, or ambiguous information, or if its collection, communication, or storage is not authorized by law. To do so, they may send a request to the DA (Data Administrator) or the person responsible for protecting personal information.

​

4.2.2 Optional Information

The following information must be communicated to the individual upon request : The duration of the retention of personal information. The contact information of the person responsible for personal information protection within the agency. The nature of the personal information collected. The categories of individuals within the agency who may have access to their information.

​

4.2.3 Information about Connection Cookies

A connection cookie (or cookie) is a text file placed by a server on a device (such as a computer or mobile device) when a person visits a website. The collection of personal information through cookies is governed by the privacy policy implemented by the agency and the broker. When a person visits the website of a license holder, a "cookie" banner should appear (a "pop-up") allowing the person to manage the connection cookies and possibly activate features for profiling for advertising purposes.

​

Important: When a cookie enables the identification of a person, geographical location, or profiling (especially for advertising purposes), it must be disabled by default.

​

5. Use of Personal Information

Personal information may only be used for the purposes for which it was collected. Once the purpose of the file is completed (e.g., the real estate sale has been completed or the promise to purchase has been rejected), the license holder must no longer use the personal information in the file.

​

5.1 Exceptions: Use Without Consent

Secondary use is compatible with the purposes for which the information was initially collected. There must be a direct and relevant link to the original purposes. Commercial prospecting is expressly excluded from compatible purposes. The use must be for the benefit of the individual concerned. The use is necessary for study, research, or statistical purposes, but the information must be anonymized to prevent direct identification of the individual concerned.

​

5.2 Security Measures When Using Personal Information

The agency and the broker are required to take reasonable security measures to ensure the protection of the personal information they hold. These measures must take into account the sensitivity of the information, its intended use, its quantity, its distribution, and its storage medium. As part of these security measures, physical and IT access (e.g., Document Management System) to the information should be restricted to those who need it in the course of their duties.

​

Other brokers in the agency should not have access to personal information related to transactions that do not concern them. However, if the buyer is represented by a team of brokers under an agency agreement, team members will have access to personal information in order to fulfill their client representation obligations. The agency and the license holders must ensure that the medium chosen to hold and use personal information is stable, secure, and ensures confidentiality at all times.

​

5.2.1 Confidentiality Incident

A confidentiality incident is defined as an event that may compromise the confidentiality of personal information when used by a business, such as : Unauthorized access to personal information by law, Unauthorized use of personal information by law, Unauthorized communication of personal information by law, Loss of personal information or any other breach of its protection.

​

Confidentiality Incident: Events and Reporting

Events such as theft, fraud, loss (caused by a virus or security breach, a leak, a cyberattack, an error), deliberate action (e.g., extraction of information by an employee or unauthorized person), etc., can constitute a confidentiality incident. If an incident occurs and presents a serious risk of harm, the license holder must report it promptly to the affected individuals and the Commission d'accès à l'information (CAI). The license holder must notify the Agency Director (DA) without delay, and at their discretion, may also inform any entity that could help mitigate the risk by sharing only the necessary information without the affected person's consent (e.g., the police, their GED provider, their IT provider, etc.).

​

To assess the risk of harm to an individual whose personal information is involved in a confidentiality incident, factors such as the sensitivity of the information, the anticipated consequences of its use, and the likelihood it will be used for harmful purposes must be considered. In cases where unauthorized access to information increases the risk of identity theft (e.g., identification document details), it should be considered a serious risk, and the incident must be reported. The agency must maintain a register of confidentiality incidents. Managing and reporting these incidents should be taken seriously due to the severe administrative sanctions that may be imposed by the CAI for non-compliance with the new rules.

​

6. Communication of Personal Information

6.1 Consent to Communication

The principle of consent also applies when communicating personal information to third parties. A person who consents in accordance with the law to provide their personal information is presumed to consent to its communication for the purposes for which it was collected. Information may only be communicated without the person's consent in exceptional circumstances, namely when : Such a situation is expressly provided for by law, The personal information is considered public under the law.

​

6.2 To Whom Can the License Holder Communicate Personal Information?

The license holder may be required to communicate personal information to various individuals and entities, including : Other license holders (when transmitting information to services for information sharing between agencies or brokers, e.g., Centris), The parties involved in the transaction, The agency's staff, when required for the performance of their duties, Other professionals (e.g., notary, building inspector, certified appraiser, etc.), Financial institutions, Companies providing services for commission advances.

​

6.3 Specifics Related to Real Estate Brokerage Practice

6.3.1 Communication of the Listing Agreement to the Information Dissemination Service

When a listing agreement is transmitted to an information dissemination service (e.g., Centris), certain personal information must be redacted. This includes, among others, information regarding identity verification (clauses 1.1 and 1.2). Such information should not be permanently deleted, as the license holder must keep the original document in their files. Those using GED systems should print the contract, redact the confidential information, and then transmit the document to the dissemination service. Information contained in the listing agreement and other property-related details can only be transmitted to the information dissemination service if the client has expressly consented to this.

​

6.3.2 Communication of the Seller's Declarations to the Information Dissemination Service

The Seller’s Declarations (DV) form must be attached to the property description sheet, but it is only accessible to agencies and brokers subscribed to the information dissemination service, not to the general public. The seller's broker must ensure that other brokers have access to the DV form so they can draft a promise to purchase with full knowledge of the factors that may affect the transaction. Therefore, the DV form must be provided without the buyer's broker needing to request it, considering the obligation to inform all parties of relevant facts and the duty to cooperate.

However, documents that the seller must provide with the DV form (e.g., invoices, leases, inspection reports, etc.) do not need to be attached to the sheet. They should be provided to any broker or buyer who requests them or can be obtained through clause 9.1 of the Promise to Purchase form ("Examination of Documents by the Buyer"). If applicable, any amendments to the DV form must also be attached to the sheet.

Important Note: The seller’s name and signature on the DV form are considered personal information and must only be used in the context of the specific real estate transaction, namely for drafting a promise to purchase. Therefore, the signed DV should not be shared with anyone attending an open house, for example, but only with a prospective buyer for the purpose of drafting a promise to purchase.

​

6.3.3 Communication of the Sale Price and Comparables

As long as the deed of sale has not been published in the Land Registry, the price listed is considered personal information regarding the buyer and seller if they are individuals. Thus, the sale price, whether it matches the listed price or not, should not be publicized before publication in the Land Registry. It is also prohibited to disseminate information that could hint at the sale price.

​

6.3.3 Communication of the Sale Price and Comparables

However, with the authorization given by the client through clause 6.1 of the Brokerage Agreement, the achieved sale price may be communicated to subscribers of an information dissemination service. These subscribers need to know that the property has been sold so they can promptly stop offering it to their buyer clients. They must also know the sale price to establish reliable comparables and set realistic prices for new listings. It is important to note that the database of "sold" properties is only accessible to license holders and cannot be used for advertising purposes or disseminated to the general public. To maintain the confidentiality of the sale price before it becomes available in the Land Registry, the comparable sheets cannot be shared with clients unless the information that directly or indirectly identifies the seller (such as photos, address, name of the owner, etc.) is redacted.

​

6.3.4 Buyer's Information in the Previous Inspection Report

When a broker takes steps to identify factors that may negatively affect the parties, they must, in particular, check with the seller whether a prior inspection report exists for the property. If such a report exists, it must be provided to the potential buyer. When transmitting information, brokers must redact all personal information that appears in the report (e.g., postal address, email, phone number, etc.).

​

6.3.5 Key Box Codes, Alarm System Codes, and Phone Numbers in Property Descriptions

Key box codes, alarm system codes for properties, and phone numbers are confidential information. These are considered personal data that should never be shared without the explicit consent of the person concerned, after being fully informed of the risks involved. This applies even if the sharing of these personal details is only done with subscribers of the information dissemination service between brokers or agencies.

Without the explicit consent of the person concerned, the license holder cannot share these codes and numbers with the buyer's broker or a collaborating broker without a brokerage agreement prior to a visit. For example, if a seller does not provide consent, the seller's broker should be present during the visits and arrange for a substitute if that is not possible.

​

Additionally, when a ZAX broker represents a buyer, they must be present at the visits and also arrange for a substitute if this is not possible. It is also not permitted to sign an Exclusive Brokerage Agreement – Purchase to obtain the key box code through the seller’s broker, allowing the buyers to visit the property on their own.

​

6.3.6 Prohibition on Communicating Marketing Lists

License holders are prohibited from using or communicating their clients’ nominative lists to third parties for commercial prospecting purposes without having first obtained the express consent of the individuals concerned. The nominative list includes a person’s name, phone number, postal and email addresses. License holders who use personal information for commercial solicitation must request express consent for solicitation, identify themselves to these individuals, and inform them of their right to withdraw consent at any time for the use or communication of their information.

 

Consent for solicitation cannot be implicit.

6.3.7 Communication to Debt Collection Agencies

Some companies offer commission advance services and require license holders to transmit documents that may contain personal information regarding the parties to a transaction, such as the promise to purchase, bank approval for financing, and the brokerage contract. Among the exceptions for communicating personal information under the Private Sector Act, there are cases related to debt collection: communication to a person who can collect debts for others and requires the information for that purpose; communication to a person if the information is necessary for recovering a debt of the company.

​

However, the actions carried out by some companies specializing in commission advances are not necessarily covered by the exceptions applicable to debt collection. In certain cases, after an agreement between the broker or agency and the company, the company advances the commission amount, with the broker agreeing to remit the amount to the company once it is received. In this case, the company does not acquire the broker's or agency’s right to the commission debt following an assignment of that debt. It is always the broker or agency that receives the commission. In such situations, there is no right to communicate personal information to these companies without the consent of the affected individuals. Therefore, the individual must be informed in advance of the possibility of their information being shared with such a company and must consent to this (see section 5.2.1).