Everything you need to know about Law 25

Prepare for the implementation of Law 25.

Emilie Arculeo

Directrice générale

Publication date

11 September 2023


Website recommandations


The Act to modernize legislative provisions regarding the protection of personal information requires that all organizations be responsible in the processing of personal information and that they ensure that the collection, use, disclosure, retention, protection and destruction are done in appropriate ways._ 

3 key dates

September 22, 2022 | September 22, 2023 | September 22, 2024

The Commission d'access à l'information du Québec is the body responsible for monitoring the application of law 25. In the event of non-compliance with the law, the Commission can impose significant sanctions, amounting to up to $10 million or 2% of the company's global revenue.




September 2022

Person responsible

Your company will need to designate a person responsible for protecting personal information. Their title and contact details must be provided and accessible on the company’s website. In the event that no one is designated, the person with the highest authority in the company will be assigned this function.

Incident log

It is important to maintain an up-to-date privacy incident log. In the event of an inspection, you must be able to provide it to the Commission for Access to Information if it requests it. In addition, if an incident occurs presenting a serious risk of harm, you are required to notify the Commission as well as the people concerned.

Scenarios to prepare

Your business is required to put in place potential scenarios of loss or theft of personal information. It must be able to identify/propose rules to be put in place to avoid these problems and limit the impacts on the company, visitors to a site, employees, customers, etc.

Disclosure obligation

You are now required to disclose any incident that threatens the confidentiality of confidential data or if you are subject to a cyber attack. All people potentially affected by the security breach must therefore be notified. If the damage is serious, it will also be necessary to notify the Commission for Access to Information in Quebec.

September 2023

Policies and practices

They govern governance, must be public and accessible from the company website and make it possible to provide rules applicable to the retention and destruction of personal information, identify the roles and responsibilities of staff members and communicate on the process of handling of complaints as well as data protection practices.

Obligation of transparency

Companies that collect personal information must communicate to the persons concerned:

Purposes of data collection | The possibility of information being communicated outside of Quebec | The right for anyone to withdraw consent to the collection of personal information.

Anonymization, deindexing

The company must inform the person when it uses identification, location or profiling technology of the means offered to activate these functions. The information must be destroyed or anonymized when the purposes are accomplished. Users can also request that their information be deindexed outside of Quebec.

Administrative sanctions

The Commission will have the power to impose administrative monetary penalties, which could reach up to 2% of the company's turnover. Following a breach punishable by such a sanction, a person from the company may commit to the Commission to take the necessary measures to remedy it or mitigate the consequences.

September 2024

Right to portability

If a data subject requests it, the company will be required to communicate in a technological and structured format any personal information collected from them. 

Your checklist