Bill 25 in Quebec: What you need to know


Act 25, or An Act to modernize legislative provisions respecting the protection of personal information, transforms Quebec's legal landscape in terms of privacy. It modernizes the privacy act and also strengthens the access to information act by incorporating increased obligations for companies and extended rights for citizens.

📄 Read the full text of Bill 25 in PDF format on the official Quebec government publications website.

Modernizing for the protection of personal data

With the increasing digitization of business activities, personal data protection has become a priority. Law 25 imposes high standards and requires organizations to adopt a clear and transparent privacy policy.

It now governs:

  • The collection, use, communication and storage of personal data.
  • The obligation to carry out an evaluation of sensitive information.
  • The execution of a Privacy Impact Assessment (PIA), an essential process in many cases.

What is a Law 25 PIA?

The Act 25 PIA is a key requirement introduced by the reform. It applies to the implementation of any project involving personal information, such as:

  • Integration of new management software.
  • Data sharing with foreign suppliers.
  • Automation of processes using personal information.

This assessment identifies potential privacy risks and proposes mitigation measures. It is an essential step in demonstrating compliance with Bill 25.

Obligations for companies

Here are the main responsibilities imposed on organizations:

1. Draft a clear privacy policy

Each company must publish a privacy policy that is easily accessible and written in simple terms. It must indicate:

  • Types of information collected.
  • Objectives of their use.
  • User rights.
  • Contact information for the person responsible for protecting information.

Need a model? Find a Law 25 policy example or a Quebec privacy policy example. For even more relevance, we recommend that you choose templates based on your sector (e-business, professional services, etc.).

2. Privacy Impact Assessment (PIA)

Prior to any new use or disclosure of personal information, a privacy impact assessment must be carried out. It documents the potential impact on privacy and proposes solutions for complying with legislation.

3. Informed consent

Bill 25 requires explicit, free and informed consent for any collection of personal information, especially that of minors or sensitive data.

4. Incident management

In the event of a security incident involving personal information, the company must:

  • Inform the Commission d'accès à l'information.
  • Notify the people concerned if the risk of harm is serious.
  • Document the incident in a logbook.

5. Right to portability and right to be forgotten

Anyone can:

  • Request portability of their personal information.
  • Demand its removal (right to be forgotten) by withdrawing consent.

Significant penalties for non-compliance

The penalties provided for in the Privacy Act are significant:

  • Fines of up to 25 million dollars or 4% of worldwide sales.
  • Civil remedies available to citizens.

Conclusion: a privacy policy that complies with Bill 25 is essential

To comply with Bill 25, each company must:

  • Develop a compliant privacy policy, inspired by an Act 25 privacy policy example.
  • Perform an information evaluation prior to any new project.
  • Carry out PIAs systematically.
  • Raise their teams' awareness and implement robust internal procedures.