
Bill 25 - Law modernizing legislative provisions on the protection of personal information. 


Since September 22, 2022, Bill 25, also known as the Law modernizing legislative provisions on the protection of personal information, has been in effect. The main objective of this law is to strengthen the accountability of businesses, including non-profit organizations (NPOs), with regard to the personal data of Quebec residents.

All companies, without exception, must comply with these new regulations. In practical terms, Bill 25 mandates that companies justify their methods of collecting, using and managing personal data. This applies to any company that processes personal data of Quebec citizens.

This law was introduced in several stages. The initial set of legislative provisions came into effect on September 22, 2022. More recently, on September 23, 2023, new provisions took effect, including the obligation to establish a personal information governance policy. Further obligations are scheduled for September 2024.

The Commission d’accès à l’information du Québec (CAI) is responsible for overseeing compliance with Bill 25. In the event of non-compliance, the Commission is authorized to impose significant sanctions.

To help you understand this law and its intricacies, we have prepared a summary of the obligations and a list of practical tools, which you’ll find below.


1. Designate a person responsible for the protection of personal information and publish the person's title and contact details on the company's website or, if you do not have a website, make them available by any other appropriate means.

2. In the event of a privacy incident involving Personal Information:

a. take reasonable steps to minimize the risk of harm to the persons concerned and to prevent further incidents of the same nature;
b. notify the Commission and the person concerned if the incident presents a risk of serious harm;
c. keep a register of incidents, a copy of which must be forwarded to the Commission at its request;

3. Respect the new framework for disclosing personal information without the consent of the person concerned for the purposes of a study, research or production of statistics, in the context of commercial transactions;

4. Conduct an "évaluation des facteurs relatifs à la vie privée (ÉFVP)" prior to disclosing personal information without consent for the purposes of a study, research or production of statistics;

5. Notify the Commission in advance of any verification or identity confirmation through biometric characteristics or measurements.


1. Having established policies and practices governing the management of personal information and publishing detailed information about them in simple and clear terms on the company's website. If the company does not have a website, these details should be made available through any other appropriate means;

2. Conducting an "évaluation des facteurs relatifs à la vie privée (ÉFVP)" when required by law, for example, before disclosing personal information outside of Quebec;

3. Adhering to the new rules regarding consent for the collection, communication, or use of personal information;

4. Destroying personal information when the purpose of its collection is achieved, or anonymizing it for use in serious and legitimate purposes, subject to the conditions and retention period specified by law;

5. Complying with new obligations to provide information and transparency to citizens;

6. Adhering to the new rules for disclosing personal information without the consent of the individual (exercising a mandate or fulfilling a service or business contract);

7. Complying with the new rules for disclosing personal information outside of Quebec;

8. Adhering to the new rules for the use of personal information;

9. By default, providing settings that ensure the highest level of product or technological service privacy offered to the public;

10. Complying with the new rules regarding the collection of personal information concerning minors;

11. Respecting the right to cease dissemination, reindexing, or delisting (or the right to be forgotten);

12. Complying with the new rules for disclosing personal information to facilitate the grieving process.


Respond to requests for portability of personal information.


Information

Toolboxes

Privacy policy generator
