.svg "Logo White")
Quebec Law 25
Overview
Quebec Law 25, also known as the Act Respecting the Protection of Personal Information in the Private Sector, governs how businesses handle personal data in Quebec. The Act mandates specific rules regarding the collection, use, retention, and communication of personal information by enterprises, including provisions for transparency and security. Law 25 aims to ensure individuals' privacy rights are respected while establishing responsibilities for businesses to maintain the protection of personal information.
Regulation Summary
Timeline
-
Enacted: June 15, 1993
-
Updated: September 22, 2024
-
Enforcement Timeline:
-
September 22, 2022: Major provisions on the collection, use, and retention of personal information began to take effect.
-
September 22, 2023: New rights for data subjects, including the right to data portability, were enforced.
-
September 22, 2024: Full enforcement of all provisions, including privacy impact assessments and requirements for governance policies.
-
What Businesses Are Affected
- Private-sector organizations operating in Quebec.
- Companies processing personal information about Quebec residents.
Exemptions
- Public bodies.
- Personal domestic use.
Responsibilities for Businesses
- Designate a Privacy Officer.
- Conduct privacy impact assessments.
- Implement security measures and document practices.
Specific Responsibilities for Website Owners
- Present clear privacy notices.
- Obtain consent for data collection.
- Provide data access and enable withdrawal.
Additional Requirements
- Report confidentiality incidents.
- Maintain a record of incidents.
Data Subject Rights
- Access.
- Rectification.
- Anonymization.
- Withdrawal of consent.
Enforcement
- Authority: Commission d’accès à l’information (CAI).
- Fines: Up to CAD $25 million or 4% of global turnover.
- Investigations and penalties.
Questions?
If you would like to learn more, our compliance experts are happy to support you..
Leave us a Message