Data privacy and security

We are committed to maintaining the confidentiality and security of all personal information we may collect, use and disclose in compliance with applicable laws and regulations. Data privacy and security are of utmost importance to the Corporation and we have strict policies in place to ensure the personal information entrusted to us is protected.

Commitment

We have formalized our commitment to protecting the information we collect and generate in the policies that govern the way in which we conduct our business. In these policies, we have established specific guidelines relating to the collection, use and disclosure of personal information. We also have policies and procedures relating to the protection of confidential information from theft, loss, unauthorized disclosure, access or destruction or other misuse. 

Our Code of Business Conduct and Ethics and Third Party Code of Conduct outline our broad expectations regarding the treatment of personal information for both our personnel and third parties we work with. These expectations are further detailed in our formal policies that cover personal information collected from the public, employee personal information, cybersecurity and record retention. 

Our Privacy Policy establishes guidelines for the collection, use and disclosure of personal information from the public, including from those using our websites and third-party social media sites, or subscribing to our e-mail notification service. 

We also have a separate Employee Privacy Policy that establishes the guidelines for the collection, use and disclosure by Power Corporation of personal information regarding our employees for the purposes of establishing, maintaining and concluding the employment relationship. 

Our Security of Technology and Intellectual Property Policy (the “Cybersecurity Policy”) sets forth the Corporation’s expectations for all employees, consultants and contractors with respect to the proper use of the Corporation’s technology and intellectual property and the protection of cybersecurity.

Furthermore, our Record Retention Policy ensures that our records, including personal information, are retained, processed, and destroyed appropriately and in accordance with applicable laws.

Implementation

In accordance with applicable privacy laws, we collect personal information that is necessary to our business where we have consent to do so or as permitted or required by law. Each officer and employee is provided with a copy of our various policies and procedures. 

Through our annual corporate policies training sessions, we educate our employees on the application of our policies and procedures, including those related to data privacy, security and cybersecurity. The training process is facilitated by a web-based platform, through which the mandatory training module covering Power Corporation’s Code of Business Conduct and Ethics and key corporate policies is being conducted. At the end of the module, as part of our annual certification requirement, employees are required to certify their compliance with our Code of Business Conduct and key corporate policies.

We have implemented a cybersecurity awareness training program, which includes the delivery of mandatory and on-demand training to all employees. In addition, from time to time, our personnel receive training on more specific issues, as new risks are identified or new systems are implemented.

We have established a comprehensive information and cybersecurity program, benchmarked our capabilities to sound industry practices, and we have implemented threat and vulnerability assessments and response capabilities, including an information technology security incident response protocol, which is administered and implemented by both the Vice-President and Controller and the Information Technology Director. Through an external specialist firm, we periodically conduct an assessment of the robustness of our cybersecurity. Our information technology defenses are continuously monitored and adapted to both prevent and detect cyber-attacks, and then recover and remediate. 

It should be noted that as a holding company, we have no clients of our own. Our group companies are responsible for implementing their own policies and procedures to protect the privacy of their clients’ information. 

As part of our active ownership approach, we are committed to fostering compliance with data privacy and security legislation by our subsidiaries.

Responsibility

Proper use and protection of information is the responsibility of our entire organization and relies on the diligence of each member of our personnel. The Vice-President and General Counsel is responsible for providing oversight of data privacy programs, as well as training and compliance regarding our policies and procedures. The Vice-President and Controller is responsible for administering our Cybersecurity Policy. Both report to the Audit Committee of the Board of Directors as needed.

Reporting mechanisms 

To report any concerns, inquiries or complaints regarding our privacy policies, our employees and the public should contact the Corporation's Privacy Officer. 

Monitoring and review

We continuously monitor and enhance our information technology defenses and procedures to prevent, detect, respond to and manage cybersecurity threats, which we recognize are constantly evolving. We also receive and review threat intelligence and critical security threats facing the global financial services sector in order to proactively respond to emerging threats.

We conduct periodic audits of our information security systems to ensure proper implementation of our policies as well as compliance with evolving regulations, including the European General Data Protection Regulation (GDPR). We make necessary improvements to adapt to regulations.