Skip to content

Donor Confidentiality Policy 

Purpose of the policy 

The CHU Sainte-Justine Foundation is firmly committed to safeguarding personal information and being transparent about the information we hold on all Sainte-Justine Foundation donors and stakeholders. A better understanding of our donors allows us to provide them with the best possible experience as donors and users of Foundation platforms and services. 

The purpose of this policy is to clearly explain how we collect and handle personal information, including information donors may provide when making a donation, requesting a tax receipt or subscribing to our newsletters. 

We use the information that we collect in accordance with the following two pieces of legislation: 

  • The federal Personal Information Protection and Electronic Documents Act (PIPEDA).
  • Quebec’s Bill 64, enacted An Act to modernize legislative provisions as regards the protection of personal information, scheduled to come into force on September 22, 2023. 

This policy explains the following: 

  1. The kind of personal information that we are permitted to collect
  2. How personal information is collected
  3. Lawfully permitted use of personal information
  4. Limitation on disclosure of personal information to third parties
  5. The security of personal information
  6. Data retention
  7. Donor rights
  8. Notification of changes to our Donor Confidentiality Policy
  9. Addresses and additional information 

If you have any questions concerning this policy, contact the CHU Sainte-Justine Foundation’s data protection officer at the address indicated at the end of this policy.  

1. The Kind of Personal Information that we are Permitted to Collect

Personal information means information about an identifiable individual. It does not encompass anonymous data, which is data that does not contain any identifying information. 

We are permitted to collect, use, store and transfer various kinds of personal information, which we have categorized as follows: 

  • Identifying information: includes a donor’s first name, surname, title, user name or similar identifier, date of birth and gender; 
  • Contact information: includes a donor’s billing address (for tax receipts), email address and telephone numbers;
  • Payment information: includes credit or debit card details;
  • Donation details: includes past donations made by donors or on their behalf, along with other donation-related details and services received by individual donors;
  • Technical data: includes the donor’s Internet Protocol (IP) address, login information, browser type and version, time-zone setting and location, browser plug-in type and version, operating system and platform, and other technologies on donor devices used to access our websites; 
  • Usage data: includes information on how donors use our websites and our services;
  • Marketing and communications information: includes donor preferences regarding receiving marketing communications from the Foundation and from third parties, as well as donor communication preferences and the fact that we may take note of conversations we have had with donors in person and/or donor communications sent to the Foundation. This helps us to manage donor relations and ensure that they will receive only relevant communications in accordance with their stated preferences.  
  • Job applicant data: includes all data submitted by a job applicant in an application for employment with the CHU Sainte-Justine Foundation. 


Aggregate data derived from personal data: We also collect, use and share aggregate data, such as statistical or demographic data, for all purposes. Although aggregate data may be derived from personal information, it is not regarded in law as personal information as it is not, directly or indirectly, identifying. For example, donor usage data can be aggregated to calculate the percentage of users who access a specific functionality of our websites. However, should we combine or connect the aggregated data with a donor’s personal data in such a way that, directly or indirectly, it could identify the donor, we would treat the combined data as personal information to be used in accordance with this Donor Confidentiality Policy. 

We do not collect any information regarding a donor’s race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions or physical health. Nor do we collect any genetic or biometric data.  

2. How Personal Information is Collected 

We collect different types of information in several ways. 

Personal information provided by donors 
When someone makes a donation, subscribes to our newsletter, registers for an event or contacts our customer service, we store the personal information provided to us by that person such as first and last name, email address, mailing address, phone number and payment card details. We also keep track of all donations and, occasionally, a donor’s communications with us. 

Personal information collected via technologies or automated interactions  
When donors interact with our website, we can automatically collect technical data regarding their computer equipment and their browsing activities and patterns. We collect such personal information using cookies and other similar technologies. 

Personal information provided by third parties  
Occasionally we receive personal information from third parties as described below: 

  • analytics providers such as Google Analytics; 
  • advertising networks such as Facebook and Google Ads; 
  • search information providers such as Google; 
  • publicly available personal information. 

3. Lawfully Permitted Use of Personal Information

We use personal information only to the extent permitted by law. 

We most commonly use personal information in the following circumstances: 

  • when it is required for the legitimate interests of the Foundation (or those of a third party) unless a donor’s interests and fundamental rights take precedence over such interests; 
  • when we are required to comply with a legal or regulatory obligation; 
  • when we have obtained a donor’s express consent to use his or her personal information in a specific situation. Generally, we do not rely on donor consent as the legal basis for handling personal information, and donors can withdraw their consent at any time by contacting us. The relevant contact information is provided at the end of this policy. 

The purposes for which we use personal information 
The following table provides a description of all the ways in which we plan to use personal information, and the legal basis for doing so. We have also indicated what our legitimate interests are, where relevant. 

It should be noted that we may process personal information for more than one lawful purpose in relation to the specific purpose for which we use the information. Please contact us if you would like greater detail of the specific lawful purpose for which we process personal information where more than one purpose is identified in the table below. 

To register individuals as donors (a) Identifying information 
(b) Contact information 
(a) (b) Signing contracts with donors    
To process donations and issue tax receipts (a) Identifying information 
(b) Contact information 
(c) Payment details 
(d) Donation details 
(e) Marketing and communications information 
(a) Signing contracts with donors  
(b) Required for our legitimate interests 
To solicit donations (a) Identifying information 
(b) Contact information 
(c) Payment details 
(d) Donation details 
(e) Marketing and communications information 
(a) (b) (c) (d) (e) Required for our legitimate interests (developing and expanding our services and activities)  
To manage donor relations, including: 
(a) informing donors of changes to our Conditions of Use or our Donor Confidentiality Policy 
(b) seeking donor participation in surveys 
(a) Identifying information 
(b) Contact information 
(c) Donor profiles 
(d) Marketing and communications information 
(a) Entering into contracts with donors 
(b) Required for compliance with a legal obligation  
(c) Required for our legitimate interests (keeping our records up to date and analyzing donor preferences) 
To manage and protect the Foundation and its websites (including troubleshooting, data analysis, tests, system maintenance, user assistance, data reporting and data hosting). (a) Identifying information 
(b) Contact information 
(c) Technical information 
(a) (c) Required for our legitimate interests (management of the Foundation, administrative, technological and IT services, system security, fraud prevention) 
(b) Required for our legitimate interests and legislative compliance 
To provide donors with relevant content and marketing through external websites, social platforms and our newsletters, and to assess or gain insight into the effectiveness of our marketing. (a) Identifying information 
(b) Contact information 
(c) Donor profiles 
(d) Use of information 
(e) Marketing and communication information 
(f) Technical information 
(a) (b) (c) (d) (e) (f) Required for our legitimate interests (analyzing how donors use our services, build on them, focusing on Foundation growth and shaping our marketing strategy). 
To use data analysis to improve our websites, our services, our marketing and our communications, relations and interactions with donors. (a) Technical information 
(b) Use of information 
(a) (b) Required for our legitimate interests (defining the types of donors for services, keeping our websites current and relevant, expanding our core activity and shaping our marketing strategy). 
To make suggestions and recommendations regarding donations or services and events that may be of interest to donors. (a) Identifying information 
(b) Contact information 
(c) Technical information 
(d) Usage  
(e) Donor profiles 
(a) (b) (c) (d) (e) Required for our legitimate interests (developing our services and expanding our core activity) 
To receive and consider donor job applications.  (a) Identifying information 
(b) Contact information 
(c) Job applicant data 
(a) (b) (c) Required for our legitimate interests (assessing job applications, arranging job interviews) 

4. Limitation on Disclosure of Personal Information to Third Parties

In some circumstances, we are legally entitled or legally obliged to disclose donors’ personal information to the following third parties: 

Foundation service providers and fund-raising partners who process data for us at our direction: We require all third parties to respect the confidentiality of personal information and to process it as required by law. We do not permit third party service providers to use a donor’s personal information for their own purposes. They are authorized only to process that information for specific purposes and as per our instructions 

Government bodies and law enforcement agencies: We may be under a legal obligation to disclose personal information to government authorities and law enforcement agencies further to legislation or a court order. 

We do not sell personal information to third parties for any purpose whatsoever. 

5. Security of Personal Information

We have implemented appropriate safeguards (both in our information collection practices and in the technology we use) to ensure the security of all personal information. We require that the third parties to whom we subcontract the processing of donors’ personal information do the same and that they process personal information in accordance with our instructions. They are also subject to a strict confidentiality obligation. 

Credit or debit card information 
When a donor uses a credit or debit card to make a donation to the Foundation, we ensure that the transaction is secure and in compliance with Payment Card Industry Data Security Standard (PCI-DSS). We never store credit or debit card numbers or their three- or four-digit security codes in our systems. 

6. Data Retention 

We retain donors’ personal data only as long as necessary to fulfil the purposes for which it was collected, including compliance with legal, accounting or reporting requirements. 

In determining the appropriate retention period for personal data, we consider the amount, type and sensitive nature of the personal information, the risk of possible harm from unauthorized use or disclosure, the purposes for which it was collected and the possibility of achieving those purposes by other means, as well as all applicable legal requirements. 

7. Donor Rights 

In certain circumstances, donors have the following rights under data protection legislation regarding their personal information: 

(a) The right to access personal information 
Donors are entitled to request a copy of the personal information that the Foundation holds on them. Any donor wishing to exercise this or any of the following rights should contact the data protection officer whose contact information is indicated at the end of this policy.  

(b) The right to correct personal information  
Donors are entitled to ask us to correct the personal information we hold on them, but it should be noted that we may need to verify the accuracy of the new information donors may provide. Any donor wishing to exercise this right should contact the data protection officer whose contact information is indicated at the end of this policy 

(c) The right to removal of personal information (“the right to be forgotten”) 
Donors are entitled to ask us to remove or delete personal information if we no longer have a valid reason for continuing to use it. However, we may not always be able to comply with a request for deletion if we have specific legal reasons for retaining the information, in which case we would provide those reasons on request. 

(d) The right to object to the processing of personal information 
Donors may object to the processing of personal information despite the legitimate interest of the Foundation or a third party in having that information if, because of their particular situation, they believe that their fundamental rights and freedoms are or will be adversely affected.  Donors are also entitled to object where their personal information is used for direct marketing purposes. Note that in certain cases, we may be able to argue that our legitimate interests in processing personal information overrides personal rights and freedoms. 

(e) The right to request a restriction on the processing of personal information 
Donors are entitled to request that the processing of their personal information be suspended in the following situations: (a) where a donor wants us to establish the accuracy of that information; (b) where our use of the information may be unlawful, but a donor nevertheless does not want it deleted; (c) where a donor wants us to retain the information even though we no longer have any use for it because the donor wishes to establish, exercise or defend certain legal claims; or (d) where a donor objects to our use of the personal information but we want to verify if we have preponderant legitimate reasons for using it. 

(f) The right to withdraw consent 
Where we require donor consent to process personal data, donors are entitled to withdraw their consent at any time. However, note that information processed before consent is withdrawn is lawful. Note that where consent is withdrawn, we may be unable to provide the donor with certain products or services. If this is the case, we would advise the donor when consent is withdrawn. 

As a general rule, we do not charge a fee for exercising any of the above rights 
Donors are entitled to access their personal information (or to exercise any of the other rights listed above) free of charge. An exception to that rule is if a request for access is clearly unfounded, repetitive or excessive, in which case we may charge a reasonable fee or refuse to comply with the request. 

What we may need from a donor wishing to exercise any of the above rights 

We may request specific information to help us confirm the donor’s identity in order to ensure that the donor is entitled to access the personal information (or exercise any other right). This security measure ensures that personal information is not disclosed to someone not entitled to receive it. We may also contact donors and request additional information related to their requests to expedite our response. 

Time limit for responding to requests or objections 

Our goal is to respond to all legitimate requests or objections within 30 days. Occasionally, it may take up to 60 days if a request or objection is particularly complex or if multiple requests or objections are involved, in which case, we would notify the donor keep him or her informed of the progress of the request or objection. 

8. Notification of changes to our Donor Confidentiality Policy 

Please check this page of our website regularly for changes to our Donor Confidentiality Policy. 

9. Contact Details and Additional Information 

If you have any questions about any aspect of this Donor Confidentiality Policy, and in particular if you wish to object to any processing of personal information for our legitimate organizational interests, feel free to contact us. 

Also, please contact us if you have any questions concerning the personal information we hold on you or to change your donor contact preferences: 

Send us an email: 


Write to: 

Pierre-André Vungoc 

Data Protection Officer 
5757 Decelles Avenue, Suite 500 

Montreal, Quebec  H3S 2C3