ctrlweb

Everything you need to know about Law 25

Prepare for the implementation of Law 25.

Emilie Arculeo

General Manager

Publication date

11 September 2023

Category

Corporate Wellness

The Commission for the Access to Information of Quebec is responsible for overseeing the application of Law 25. In case of non-compliance, the Commission can impose significant penalties, up to $10 million or 2% of the company's worldwide turnover.

> September 2022


Appoint a Responsible Person

Your company must appoint a person responsible for the protection of personal information. Their title and contact information must be provided and accessible on the company's website. If no one is designated, the person with the highest authority in the company will be assigned this role.

> September 2022


Incident Register

It is important to maintain an up-to-date register of confidentiality incidents. In case of an audit, you must be able to provide it to the Commission d’accès à l’information if requested. Additionally, if an incident occurs presenting a serious risk of harm, you must notify the Commission as well as the affected individuals.

> September 2022


Scenarios to Prepare

Your company is required to establish potential scenarios of loss or theft of personal information. It must be able to identify and propose rules to prevent these issues and limit the impact on the company, website visitors, employees, customers, etc.



> September 2022


Disclosure Obligation

You are now required to disclose any incident threatening the confidentiality of sensitive data, as well as any cyberattack you are subject to. All individuals potentially affected by the security breach must be notified. If the harm is serious, the Commission d’accès à l’information in Quebec must also be informed.

> September 2023


Policies and Practices

These govern the management of personal information and must be public and accessible from the company's website. They must provide for rules applicable to the retention and destruction of personal information, identify the roles and responsibilities of staff members, and communicate the complaint handling process as well as data protection practices.

> September 2023


Transparency Obligation

Companies collecting personal information must communicate to the individuals concerned:

  • The purposes of data collection
  • The possibility that the information may be communicated outside Quebec
  • The right for anyone to withdraw their consent regarding the collection of personal information.


> September 2023


Anonymization, De-indexing

When using identification, location, or profiling technologies, the company must inform the person of the means available to activate these functions. Information must be destroyed or anonymized once the purposes are fulfilled. Users can also request to de-index their information outside Quebec.

> September 2023


Administrative Sanctions

The Commission will have the power to impose administrative monetary penalties, which could reach up to 2% of the company's turnover. Following a breach subject to such a sanction, a person in the company can give the Commission an undertaking to take the necessary measures to remedy or mitigate the consequences.

> September 2024


Right to Portability

If requested by the person concerned, the company will be required to provide all personal information collected from them in a structured and technological format.

> Your Checklist


Compliance with Law 25

Check out our checklist to help you identify the actions to be implemented.


To prepare for compliance with Law 25, ctrlweb offers two solutions to help you effectively manage personal information within your company.


Contact us now to learn more.