Blog | Clym

Compliance Checklist - Quebec’s Law 25

Written by Alex Margau | 26 October 2023


Law 25
is Quebec’s modernized privacy law, passed in September 2021, in its initial form, back when it was only known as Bill 64. It governs the way personal data is collected, kept, used, or communicated to third parties, and brings a significant reform to the Private Sector Act, imposing changes that are to become effective over a period of three years, which started back in September 2022. 

Because it applies to any private-sector organization located in or offering services in Quebec, organizations collecting personal information from Quebec residents must be aware of the impact of Quebec’s Law 25, as it is one of North America’s most stringent data privacy regulations; according to the text of the law, “any person carrying on an enterprise” has to comply. Furthermore, Quebec’s Law 25 makes no difference between an organized economic activity that is of a commercial nature - such as providing a service or administration of a property - and others. In addition, it covers both the personal information collected by an enterprise and any personal information it receives from any third party or person, “held by a professional order to the extent provided for by the Professional Code,” or information “held by an authorized entity to the extent provided for by the Election Act.”

In Phase 1, starting September 2022, entities covered by Quebec’s Law 25 were required to appoint a Data Protection Officer (DPO), by default the “person exercising the highest authority,” meaning the CEO. However, according to the text of the law, the CEO of an organization is allowed to delegate all or part of this responsibility to a staff member, with the title and contact details of that person in charge required to be published on your business’ website or “be made available by any other appropriate means.” It is expected that the appointment of a Data Protection Officer is something that businesses have already implemented between September 2022 and now.

As of September 2023, Phase 2 began when most of the requirements came into effect, with covered entities having the following obligations:

  • To ensure that consent is valid and obtained in advance of collection; 
    • In the case of children aged 14 years old or younger, Quebec’s Law 25 mandates that consent has to be obtained from a parent or legal guardian.
    • Furthermore, data subjects have to be given a way to withdraw consent. 
  • To have in place internal policies and practices for handling and protecting personal information;
  • To display a Privacy Policy on their website;
  • To have in place a means for data subjects to submit complaints;
  • To conduct a Data Privacy Impact Assessment (DPIA);
  • For organizations collecting personal data through technology that identifies the data subject, locates them or profiles them (i.e. cookies), the data subjects have to be informed of this and of the way to opt-in; this means that organizations have to implement cookie consent tools and ensure that any tracking technologies and cookies are set to be off by default; 
  • To have Privacy by Design at the foundation of technological products or services offered by organizations conducting business in Quebec; 
  • To respect the right to be forgotten of data subjects. This means destroying or anonymizing personal information upon request; 
  • To opt out of automated decision making data subjects upon request;
  • If they transfer the personal data of individuals outside Quebec to first conduct a Data Privacy Impact Assessment (DPIA) and inform the individual of the fact that their data will be transferred outside Quebec.

Phase 3 will come into effect in September 2024, with the  Right to Data Portability, which will be added to the list of data subject rights granted by Quebec’s Law 25. Preparing for this ahead of time may be considered as a best practice since it may bring with it structural changes to companies, according to the CAI (Commission d'Accès à l'Information du Québec). 

According to the summary published by the CAI, companies can prepare for each phase by following a series of best practices, which we include below.

 

Before September 22, 2022

  1. If you were the person exercising the highest authority in the company (i.e. the CEO) and did not want to serve as the Data Privacy Officer, you had to designate someone who could effectively assume this role. For example, they would need to have the required skills and significant decision-making power;
  2. Support the person responsible for the protection of personal information with the necessary resources (human, technical and financial) to ensure the success of your compliance;
  3. Take an inventory of the personal information held by your company (or on its behalf by a third party) and to assess its sensitivity;
  4. Implement measures to prevent or limit the consequences of a confidentiality incident involving personal information;
  5. Establish practices that would allow you to react adequately and quickly in the event of a confidentiality incident involving personal information (e.g.: incident response plan and staff directive);
  6. If you planned to use a biometric technique (e.g. fingerprint, facial or voice recognition), informing yourself in advance of your obligations in this area would be a best practice.



Before September 22, 2023

To establish and implement your governance policies regarding the protection of personal information, you would have needed in particular:

  1. To take inventory of personal information held by your company (or on its behalf by a third party) and assess its sensitivity;
  2. Since the inventory of personal information is evolving, you would need to keep it up to date to reflect changes that may have occurred within your company (e.g.: new collection of personal information for a project) and to ensure that you adequately plan your actions and respect all your obligations;
  3. To specify the roles and responsibilities of staff members involved in the protection of personal information throughout its life cycle.

Completing these tasks would be essential for implementing your obligations and for prioritizing certain actions.

To carry out a data privacy impact assessment you would need to have completed the previous tasks, but you would have had to, among other things:

  1. Evaluate the project’s compliance with personal information protection laws;
  2. Identify the risks of the project on the private lives of the people concerned; 
  3. Implement strategies and measures to avoid these risks or reduce them effectively;
  4. Monitor the application of these measures and review them.

To respect the new rights of citizens and your new obligations of transparency towards them, you would have had to put in place the mechanisms (e.g.: directive, process, form or adapted technological solution) which would allow you in particular:

  1. To obtain separate valid consent for each specific purpose in simple and clear terms;
  2. To present the consent request of others distinctly information provided if written;
  3. To provide the information required by law to the person whose information is collected;
  4. To inform a person when they are the subject of a decision based exclusively on automated processing;
  5. To inform a person before using technology allowing
    identify it, locate it or carry out its profiling and the means offered to activate these functions;
  6. To publish detailed information about your policies and practices on the company's website or, if it did not have a site, to make this information accessible by any other appropriate means;
  7. To publish a privacy policy written in simple and clear terms on your company's website and disseminate it by any means likely to reach the people concerned if you collect personal information using a technological means such as a website;
  8. To process requests and complaints from citizens concerning your management of personal information.



Before September 22, 2024

Inform the team responsible for maintaining, updating or developing your computer systems that you have new business needs related to the right to portability of personal information, namely:

  • that your systems allow you to communicate, upon request from a person concerned, computerized personal information collected from them, in a structured and commonly used technological format;
  • that this communication may also be made to a person or body authorized by law to collect information, at the request of the person concerned.

Please note: It is important for your employees to follow these guidelines in order to protect personal information.

For a better understanding of Quebec’s Law 25, read our overview here.

 

Compliance Checklist for Quebec's Law 25

Here is a checklist to help businesses know what they have to do with each new phase of requirements that comes into effect. Come to the safe side today, with Clym.

 

 

How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • ReadyCompliance™: Covering 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.