Legal notice

A. SCOPE

The ten (10) principles that make up the Personal Information Protection Policy (hereinafter the “Policy”) should be read in conjunction with accompanying notes.

This Policy applies to Metro Ontario Inc., as well as its subsidiaries and affiliates (including Metro Ontario Pharmacies Limited, a wholly owned subsidiary of Metro Ontario Inc. – please see additional provisions at the end of this Policy), that offer various food and drug retail services (hereinafter “Metro”).

This Policy applies to Metro’s operations in Ontario. With regard to Metro Richelieu Inc.’s operations in Quebec, see Metro Richelieu Inc.’s Privacy Policy, located under the Confidentiality Policy at the Quebec section of www.metro.ca. Whenever you deal with Metro, you benefit from the rights and security measures specified herein.

This Policy applies to the Personal Information that Metro collects, uses or discloses regarding any of its Customers.

This Policy applies to the management of Personal Information be it in verbal, written or electronic form.

This Policy does not apply to the Collection, Use or Disclosure of Personal Information that is available to the public and that Metro obtained without using special means, such as:

(i) any Personal Information available to the public like a Customer’s name, address and telephone number, when such information is listed in a directory or available through any kind of directory listing, including online; or

(ii) any other Personal Information available to the public.

This Policy complies with the ten (10) principles set out in the Model Code for the Protection of Personal Information provided in the Personal Information Protection and Electronic Documents Act.


B. DEFINITIONS

“Chief Privacy Officer” means an individual or individuals at Metro who are in charge of ensuring compliance with and application of this Policy.

“Collection” means the act of collecting, acquiring or obtaining Personal Information in any way or by any means whatsoever, including from a Third Party.

“C onsent” means the freely given agreement to the Collection, Use and/or Disclosure of Personal Information for the purposes specified by Metro. Consent may be express or implied, and may be given directly by the person or by that person’s authorized agent. Express Consent may be given orally, electronically or in writing. However it must always be clear. Implied Consent refers to Consent that can be reasonably inferred from a person’s action or inaction.

“Customer” means an individual who (i) buys or orders products or services at or from a store under any banner of Metro; (ii) corresponds with Metro; (iii) enters a promotional contest organized by Metro; (iv) is a member of the Thunder Bucks Program or any other loyalty program offered by Metro, Metro Ontario Pharmacies Limited’s on-line pharmacy service, www.metro.ca, or any other program or website offered by Metro; or (v) accesses any other customer service offered by Metro.

“Disclosure means the act of revealing Personal Information to a Third Party.

“Personal Health Information” means identifying information about a Customer in oral or recorded form related to the physical or mental health of the Customer, as further detailed in section 4 of the Personal Health Information Protection Act, 2004, as amended, including, but not limited to, medical history information, OHIP number, and drug benefit information.

“Personal Information” means any information about a Customer that can be used to identify that Customer, including, but not limited to, the Customer’s name, addresses, email addresses, date of birth, credit information, Metro program or application member number.

“Third Party” means a person other than a Customer, Metro or an agent of Metro.

“Use” means Metro’s processing, handling and management of Personal Information.

C. PRINCIPLES

Principle 1 – Accountability

Metro is responsible for the Personal Information that it has in its possession and must designate a Chief Privacy Officer who shall ensure compliance with the principles set out in this Policy.

1.1 It is the Chief Privacy Officer’s duty to ensure compliance with and application of this Policy. Other Metro employees may also be designated to support the Chief Privacy Officer or see to the day-to-day Collection, Use and Disclosure of Personal Information.

1.2 Metro shall, upon request, provide the name of the Chief Privacy Officer whose contact information is provided below.

1.3 Metro is responsible for the Personal Information in its possession or custody, including Personal Information that has been transferred to a Third Party for processing.

1.4 Metro has developed various directives and practices for this Policy’s effective application, including:

(i) implementing procedures designed to protect Personal Information and ensure compliance with this Policy;

(ii) implementing procedures for receiving and handling complaints and inquiries; and

(iii) providing information and training to staff on Personal Information protection.

Principle 2 – Identifying Purposes

Metro shall identify the purposes for which Personal Information is Collected before or at the time of Collection.

2.1 Metro Collects Personal Information for the following purposes:

(i) to enable Customers to register for and participate in Metro-provided programs, applications, websites, services, activities, promotional contests, surveys, on-line purchasing, the newsletter and any other program offered by Metro or one of its partners; in the case of the metro.ca site, the Thunder Bucks Program and any other loyalty programs, rewards, special offers and targeted promotions to be made available to Customers; to enable the organization of promotional activities and communications with winners of promotional contests; product design, improvement and merchandising; improvement of store offerings (including marketing studies and surveys, where relevant); and identification checks of Thunder Bucks Program and other Metro loyalty program members and www.metro.ca members;

(ii) to establish and maintain business relations with Customers or any other person concerned and ensure services are performed;

(iii) to understand Customer needs and preferences;

(iv) to recommend particular products and services to Customers that meet Customer needs;

(v) to design, improve, market and provide products and services that meet Customer needs;

(vi) to operate its business;

(vii) to meet the requirements of all applicable legislation;

(viii) to handle complaints;

(ix) to communicate with Customers or any other person concerned; and/or

(x) to ensure the safety and security of Customers, Third Parties and employees.

2.2 Metro shall use its best efforts, as part of any Collection, to inform all persons concerned, electronically, verbally or in writing, of the purposes of said Collection of Personal Information. The persons Collecting the Personal Information shall explain, upon request, the purposes of the Collection or refer any person concerned to the appropriate department for an answer.

2.3 Subject to any legal provision to that effect, Metro may not Use or Disclose Personal Information it Collects about a Customer for a new purpose without first identifying and recording said purpose and obtaining the Customer’s Consent.

2.4 Phone calls handled by Metro may be recorded or monitored for quality control purposes. Closed circuit monitoring in Metro stores and offices is conducted to ensure Customer, Third Party and employee safety and security.

Principle 3 – Consent to the Collection, Use and Disclosure of Personal Information

T he Customer must be informed of and consent to the Collection, Use or Disclosure of their Personal Information, except if Metro is exempt from informing or obtaining such consent by law. In certain circumstances, the law permits Personal Information to be collected, used, or disclosed without the knowledge and Consent of the person concerned. Metro may avail itself, at any time, of any applicable legislative provision that exempts it from informing the Customers affected by the Collection, Use or Disclosure or obtaining their Consent.

3.1 For example, Metro may Collect, Use or Disclose a Customer’s Personal Information without the Customer’s knowledge and Consent:

(i) if it is clearly in the Customer’s best interest and it is impossible to obtain the Customer’s timely Consent, for example when the Customer forgot their credit card or loyalty program card at the store;

(ii) if seeking the Customer’s Consent might defeat the purpose of collecting the information, for instance an investigation regarding a breach of contract or a violation of a federal or provincial law;

(iii) in an emergency, when a person’s life, health or safety are in danger;

(iv) to disclose the Personal Information to counsel representing Metro, in order to recover a debt; or

(v) to comply with a summons, warrant or other court order, or as otherwise required by law.

3.2 Metro shall make reasonable efforts to ensure that the Customer is duly advised, when consenting to the Collection of his or her Personal Information, of the purposes for which it will be used or communicated. The purposes are to be stated clearly so that the Customer can understand them.

3.3 Typically, Metro shall seek a Customer’s at the time of Collection of the Customer’s Personal Information. However, Metro may seek this Consent after the Personal Information has been Collected, but must always obtain Consent before its Use or Disclosure for a new purpose.

3.4 For the purposes of this Policy, it is understood that a Customer’s purchasing products or using services constitute implied Consent to the Collection, Use and Disclosure of relevant Personal Information for the purposes identified by Metro.

3.5 A Customer may withdraw Consent at any time, subject to legal or contractual restrictions and reasonable notice. A Customer may contact Metro for information on the consequences of such withdrawal.

Principle 4 – Limiting Collection

Metro shall limit Collection of Personal Information to that which is necessary to fulfil the purposes identified and shall collect it by fair and legal means .

Metro may also collect Personal Information from other sources, including credit bureaus if necessary in the treatment of the Customer’s request.

Principle 5 – Limiting Use, Disclosure and Retention of Personal Information

Metro shall not Use or Disclose Personal Information for purposes other than those for which it was Collected, except with the Consent of the Customer or as permitted by law, and shall retain it only as long as necessary to fulfil the purposes for which it was collected.

5.1 Metro may also disclose Personal Information to:

(i) a person who Metro, acting reasonably, deems is requesting the Personal Information as the Customer’s representative or agent;

(ii) a Third Party who, as an agent, subcontractor or partner of Metro, is working with Metro in carrying out various tasks;

(iii) one or more Third Parties, when the Customer Consents to the Disclosure or the Disclosure is required by law.

5.2 Typically, Personal Information retained by Metro is kept in Canada. In certain cases, Personal Information Collected by Metro may be kept and processed in other countries for service provision purposes and may then be subject to the jurisdiction of these countries.

5.3 The only people to have access to Personal Information are those authorized by Metro and whose duties require it.

5.4 Metro retains Personal Information only so long as necessary for the identified purposes or as required by law. When access to the Personal Information is requested under this Policy, Metro will retain either the Personal Information or the reasons for the decision long enough to allow the Customer to access said Personal Information or reasons.

5.5 Metro shall establish controls, schedules and practices with respect to the retention and destruction or de-identification of Personal Information and files when they are no longer needed for the identified purposes or required by law.

Principle 6 – Accuracy of Personal Information

Personal Information shall be as accurate, complete and up-to-date as possible.

6.1 Personal Information Used by Metro must be as accurate, complete and up-to-date as possible to minimize the possibility that incorrect Personal Information may be Used.

6.2 Metro shall update Personal Information only as required to satisfy the identified purposes or after receiving an update request from the Customer.

6.3 The Customer is responsible for updating his or her Personal Information by contacting Metro as soon as reasonably possible and providing such updates to Metro.

Principle 7 – Safeguards

Metro shall take reasonable steps to protect Personal Information and use safeguards appropriate to the sensitivity of the Personal Information.

7.1 Metro shall take reasonable steps to protect Personal Information against loss or theft, as well as unauthorized access, disclosure, copying, use, modification or destruction.

7.2 Metro shall take reasonable steps to protect Personal Information Disclosed to Third Parties under contractual agreements that will state the confidentiality of the information and the purposes for which it is intended.

7.3 All persons authorized by Metro to have access to Personal Information must respect the confidentiality of said information.

7.4 Metro understands the importance of protecting Personal Information and uses Internet security protocols to safeguard Personal Information collected via the Internet. However, Customers must remember that the Internet is not a secure means of communication. Consequently, Metro makes no representations or warranties as to the absolute security of Personal Information provided via the Internet. Customers acknowledge that they provide Personal Information to Metro via the Internet at their own risk.

Furthermore, Metro is in no way responsible for the Personal Information protection practices of other Internet websites that are neither owned nor controlled by Metro but that are accessible from Metro websites through links or hyperlinks.

Principle 8 – Openness

Metro shall make readily available to individuals specific information about its management of Personal Information.

Metro shall facilitate understanding of this Policy, namely by making the following information available upon request:

(i) the name of the Chief Privacy Officer whose contact information is provided below;

(ii) the procedure for gaining access to Personal Information; and

(iii) a description of the type of Personal Information held by Metro, including a general account of its Use.

Principle 9 –Individual Access by Customers

Upon request, Metro shall inform a Customer of the existence, Use and Disclosure of his or her Personal Information and shall give the Customer access to that information.

The Customer shall be entitled to contest the accuracy and completeness of the information and have it amended as appropriate.

9.1 Upon request, Metro shall give the Customer a reasonable opportunity to view the Personal Information in his or her file. The Personal Information must be provided or made accessible in a timely fashion, in a form that is understandable, and at reasonable cost to the Customer.

9.2 In certain situations, Metro may refuse, in whole or in part, a Customer’s request for access to his or her Personal Information, particularly if:

(i) it might reveal Personal Information on a Third Party or may place another person’s life or safety in danger;

(ii) Disclosure of the Personal Information would reveal confidential or strategic Metro commercial proprietary information;

(iii) the Personal Information is protected by professional privilege;

(iv) the Personal Information was obtained in a dispute resolution process; or

(v) the Personal Information was obtained in an investigation regarding a breach of contract, actual or possible litigation, or breach of law.

Upon request, Metro shall provide the reasons for denying access to the Personal Information.

9.3 Upon request, Metro shall inform the Customer of the Use and Disclosure of the Personal Information and, when available, of the source of the information. As for a record of Disclosure of Personal Information, when Metro cannot produce a list of the specific organizations to which it has Disclosed Personal Information about the Customer, it shall provide the list of those to which it may have Disclosed such information.

9.4 For the protection of the Personal Information, Metro may require a Customer to submit a written request, with proof of identity, before informing the Customer of the existence, Use and Disclosure of his or her Personal Information and authorizing his or her access to his or her file.

9.5 Upon being advised of Personal Information that is deemed to be inaccurate or incomplete, Metro shall promptly correct or complete it. Any disagreement as to the accuracy or completeness of a Customer’s Personal Information shall be recorded in the Customer’s file.

9.6 Any Customer may, via Metro’s Customer Service Department, ask the Chief Privacy Officer for all or part of his/her Personal Information.

Principe 10 – Challenging Compliance

An individual shall be entitled to address a challenge concerning compliance with the above principles to the Chief Privacy Officer.

10.1 Metro shall put procedures in place to receive and respond to complaints or inquiries about this Policy.

10.2 Metro shall inform individuals of the existence of the complaint procedures and how to make a complaint.

10.3 The Chief Privacy Officer is accountable for the Policy’s application and may, at his/her sole discretion, seek advice from any person before providing a final response to any complaint.

10.4 Metro shall review all Policy compliance complaints. If a complaint is found to be justified, Metro shall take appropriate measures, including, if necessary and where reasonable, amending its Policy and practices. The complainant shall be informed of the steps taken regarding the complaint.

D. Amendment of this Policy

This Policy may be amended at any time at Metro’s sole discretion without notice.

E. Questions or concerns about the protection of your personal information

For more information on this Policy or on Metro’s commitment to the protection of Personal Information, contact Metro’s Customer Care Department at:

Metro Ontario Inc.

Customer Care Department and Privacy Commitment Team

Attention: Chief Privacy Officer

5559 Dundas Street West

Etobicoke ON M9B 1B9

Click “Contact us” at www.metro.ca

Telephone (toll free) 1-877-763 7374

F. METRO ONTARIO PHARMACIES LIMITED

Metro Ontario Pharmacies Limited (“MOPL”), a subsidiary of Metro Ontario Inc., operates pharmacies across Ontario under the names of Pharmacy and Metro Pharmacy, located in select Metro and Food Basics stores. In addition to the Policy above:

Collection of information – In order to provide pharmacy services, MOPL may Collect the following information about a Customer:

(i) Personal Information about a Customer: the Customer’s name, address, telephone number, and date of birth;

(ii) Personal Health Information: the Customer’s previous and current medical conditions, medical history, allergies, previous medication history, health care providers’ information;

(iii) additional Personal Information and /or Personal Health Information necessary and applicable to service the Customer’s health needs, such as OHIP number, drug plan information, pregnancy/lactation status, weight, and smoking history; and

(iv) email address if the Customer wishes to be contacted by email.

In addition, MOPL Collects Customers’ Personal Information to enable MOPL to offer Customers, through MOPL’s on-line pharmacy service, personalized services such as access to their prescription history, prescription refills, medication reminder tracking, consultation of documentation, and health-related information and services, to better understand Customer needs and to improve MOPL’s product and service offering.

Use of Personal Information - MOPL pharmacies Uses Customers’ Personal Information and Personal Health Information for the following purposes:

- To enable MOPL pharmacists and other health care professionals at MOPL pharmacies to meet Customers’ health care needs, and to assist physicians and other health care providers in managing Customers’ health care needs;

- To offer Customers, through MOPL’s on-line pharmacy service, personalized services such as access to their prescription history, prescription refills, medication reminder tracking, consultation of documentation, and health-related information and services;

- To manage an accurate database of Customers’ health information to assist other health care professionals as needed;

- To allow third party public and private drug benefit administrators access to sufficient information to pay for the medication(s) and service(s) provided;

- To develop new services to better serve MOPL’s Customers;

- To contact the Customer after the prescription filling process to follow up on the Customer’s drug therapy; and/or

- To contact Customers or their health care providers in the case of a product recall.

Disclosure of Personal Information

- MOPL pharmacy employees and management: Access to any Customer’s Personal Information is limited to a select group of pharmacy employees and management who Collect, Use or Disclose it only for purposes explained in the previous sections. Unauthorized access to, misuse and/or disclosure of Customer Personal Information by employees or MOPL management personnel is strictly prohibited. All MOPL employees and members of management are expected to maintain the confidentiality of Customers’ Personal Information and Personal Health Information at all times and failing to do so will result in appropriate disciplinary measures.

- Outside service suppliers: MOPL uses an outside organization to process prescription purchases, Customers’ prescription records and insurance coverage/reimbursements. MOPL may also use outside organizations to supply web site support and logistics, and to provide prescription reminder services. MOPL sometimes uses outside organizations to provide services such as analysis, market research, data processing and printing. MOPL pharmacies may utilize additional health information services, but will only Disclose a Customer’s Personal Information (or Personal Health Information if required) to these service providers as required to provide the additional service. All these suppliers are legally bound or bound by contracts to protect the privacy and security of Customers’ Personal Information and Personal Health Information, and they are given only the information necessary to perform those services. They are also prohibited from storing, analyzing or Using Customers’ Personal Information for any other purpose.

Access to Personal Information: Requests for access to Personal Information or Personal Health Information Collected at MOPL pharmacies or online through MOPL’s on-line pharmacy service must be addressed to the applicable pharmacy or to Metro Ontario Pharmacies Limited, at the following address:

Metro Ontario Pharmacies Limited

Attention: Chief Privacy Officer

5559 Dundas Street West

Etobicoke, Ontario M9B 1B9

Or contact Metro Ontario Inc. Customer Care at Telephone (toll free) 1-877-763 7374

Or Click “Contact us” at www.metro.ca