Everything you need to know about Law 25
Prepare for the implementation of Law 25.
11 September 2023
The Act to modernize legislative provisions regarding the protection of personal information requires all organizations to be accountable for the personal information they process and to ensure that it is collected, used, disclosed, retained, protected and destroyed in appropriate ways.
Key dates: September 22, 2022 | September 22, 2023 | September 22, 2024
The Commission d'accès à l'information du Québec is the body responsible for monitoring the application of Law 25. In the event of non-compliance with the law, the Commission can impose significant sanctions, amounting to up to $10 million or 2% of the company's global revenue.
Your company will need to designate a person responsible for protecting personal information. Their title and contact details must be provided and accessible on the company’s website. In the event that no one is designated, the person with the highest authority in the company will be assigned this function.
It is important to maintain an up-to-date privacy incident log. In the event of an inspection, you must be able to provide it to the Commission d'accès à l'information du Québec if it requests it. In addition, if an incident occurs that presents a serious risk of harm, you are required to notify the Commission as well as the people concerned.
Your business is required to plan for potential scenarios of loss or theft of personal information. It must be able to identify and propose rules to prevent these incidents and to limit their impact on the company, visitors to a site, employees, customers, etc.
You are now required to disclose any incident that threatens the confidentiality of confidential data, including when you are the target of a cyber attack. All people potentially affected by the security breach must therefore be notified. If the damage is serious, you must also notify the Commission d'accès à l'information du Québec.
Governance policies and practices must be public and accessible from the company website. They must set out the rules applicable to the retention and destruction of personal information, identify the roles and responsibilities of staff members, and describe the complaint-handling process as well as data protection practices.
Companies that collect personal information must communicate to the persons concerned: the purposes of the data collection; the possibility of the information being communicated outside Quebec; and the right of anyone to withdraw consent to the collection of their personal information.
When the company uses identification, location or profiling technology, it must inform the person and tell them the means offered to activate these functions. The information must be destroyed or anonymized once the purposes are accomplished. Users can also request that their information be de-indexed outside Quebec.
The Commission will have the power to impose administrative monetary penalties, which could reach up to 2% of the company's turnover. Following a breach punishable by such a sanction, a person from the company may give the Commission an undertaking to take the necessary measures to remedy it or mitigate its consequences.
If a data subject requests it, the company will be required to provide, in a structured technological format, any personal information collected from them.
Consult our checklist to help you identify the actions to put in place.
To prepare you to comply with Law 25, ctrlweb supports you through two offers to enable you to effectively manage personal information within your company.
The next deadlines are fast approaching! Save time and contact us now to find out more.