Complete Guide to Law 25 Compliance for Quebec Organizations
Everything you need to know about Law 25: phase obligations, compliance checklist, PIA templates and practical advice to structure your compliance program.
The Act to modernize legislative provisions as regards the protection of personal information (commonly known as Law 25) is the most significant data protection reform in Quebec in 30 years. Implemented progressively between 2022 and 2024, it imposes concrete obligations on Quebec organizations, with penalties of up to 25 million dollars or 4% of worldwide turnover.
All phases are now in effect
Since September 22, 2024, all Law 25 obligations apply. If your organization is not yet compliant, corrective measures must be taken immediately.
The 3 implementation phases
September 22, 2022
Phase 1 — Governance and responsibilities
- Designate a person responsible for the protection of personal information (PRPI)
- Publish the PRPI contact information on your website
- Implement a personal information governance policy
- Report any privacy incident to the CAI and affected individuals
- Maintain a privacy incident register
September 22, 2023
Phase 2 — Individual rights and consent
- Implement a process to handle access and rectification requests
- Obtain express, free and informed consent for data collection
- Limit collection to the identified and announced purposes
- Adopt governance rules published on the website
- Conduct a PIA for any project involving personal information
- Implement a mechanism to honour the right to data portability
September 22, 2024
Phase 3 — Transparency and automation
- Inform individuals when their data is used for automated decisions
- Allow individuals to request human review of automated decisions
- Disclose the use of location or profiling technologies
- Obtain consent before sharing information outside Quebec
- Implement privacy-by-default settings
Understanding the PIA (Privacy Impact Assessment)
A PIA is mandatory before any new project involving personal information, any significant change to an existing system, and before any communication of data outside Quebec. It must be conducted from the design phase of the project.
Identify data collected
What personal data is involved? Who collects it? For what purpose?
Assess risks
What are the risks to the privacy of the individuals concerned?
Document measures
What protection measures are in place to mitigate identified risks?
Archive and review
The PIA must be retained and revised if the project changes significantly.
Law 25 Compliance Checklist
Governance
- PRPI designated and contact info published
- Governance policy adopted and published
- Incident register kept up to date
- Incident reporting process documented
Data inventory
- Personal data flow mapping completed
- Inventory of systems processing personal data
- Data classification by sensitivity
- Identification of third parties with data access
PIA
- PIA process documented and applied
- PIA templates available to teams
- Register of completed and archived PIAs
- PIA conducted before any new project
Individual rights
- Access request handling process in place
- 30-day response deadline respected
- Rectification mechanism documented
- Data portability implemented
Consents
- Express consents obtained and documented
- Consent withdrawal mechanism available
- Collection purposes clearly stated
- Separate consent for each purpose
Download our free templates
To accelerate your compliance, we have prepared ready-to-use templates.
CapGRC automates your Law 25 compliance
PIA registry, consent management, incident tracking — everything in one tool designed for the Quebec context.
