INSIGHTSQuebec’s Law 25: A Comprehensive Guide for Businesses on Personal Data Protection Compliance

Quebec’s Law 25: A Comprehensive Guide for Businesses on Personal Data Protection Compliance

By Human After All Nov 29, 2023

Let’s talk about Law 25 and why it’s something you can’t afford to overlook, especially if you’re in the business of handling personal info online. Whether you run a commercial company, a non-profit, a public institution, or even dabble in politics, this law is knocking on your door.

Here’s the Deal with Law 25

If your organization collects, uses, or shares personal information online—whether you’re a commercial enterprise, a non-profit, a public institution, or even a political entity—Law 25 pertains to you.

At its core, Law 25 is all about upping the game in personal data protection. It’s a call to action for Quebec businesses to get their act together in managing personal information. We’re talking about ensuring your clients’ sensitive details are as secure as a vault.

Why Should Citizens Care?

Citizens stand to gain significantly from these regulations:
For the folks out there, this law is a big win. Here’s what you get:

  • A clearer picture of what happens when your data is collected or used in automated decisions.
  • A chance to talk to a real person if you have concerns about how your data is used.
  • Heads up if there’s a privacy breach that could seriously impact you.
  • More control over your data, including getting it erased or de-indexed.
  • Consent forms that don’t need a law degree to understand.

What Counts as “Personal Information”?

So, what’s “personal information” in the eyes of Law 25? It’s anything that can pinpoint who you are – from your name to your social insurance number. But remember, not all info is created equal. Some things like your birthday or area code might not get the same level of protection.

New Responsibilities for Quebec Businesses

With Law 25 rolling out, Quebec businesses have some homework to do:

  1. Ensure people know what they’re signing up for when they give their data.
  2. Be crystal clear about how you’re using that data.
  3. Put up a solid defence to keep personal data safe.
  4. Keep track of how long you’re holding onto data.
  5. Name a go-to person for data protection.
  6. Have a privacy policy that’s easy to find and understand.

Getting Consent Right

Consent isn’t just a formality. It’s about ensuring people understand what they agree to and allowing them to say yes or no.

Protecting Personal Data

Here’s how you can keep data safe:

  • Secure your documents.
  • Use top-notch IT security and passwords.
  • Train your team well.

Dealing with Data Retention

Don’t hang onto data forever. Once you’re done with it, unless there’s a legal reason to keep it, it’s time to say goodbye.

Responding to Data Requests

People can see, challenge, correct, or delete their data. Make sure they can exercise these rights.

Appointing a Data Protection Officer

You’ll need someone on your team who’s all about data protection, with their contact info easy to find on your website.

Keeping Your Privacy Policy Up-to-Date

Your privacy policy should be clear, transparent, and kept fresh.

Making Sure Service Providers Are on Board

If you’re working with other companies that handle personal data, they need to follow Law 25 too.

Wrapping Up

Sticking to Law 25 is non-negotiable. Not doing so could mean facing fines up to 25 million dollars or 4% of your global turnover. Plus, individuals could claim damages starting at $1,000. The Quebec Commission on Access to Information is keeping an eye on compliance.

*Please note that the information provided in this article is not legal advice but for informational purposes only.


View our latest insights