Who does Law 25 apply to?
This requirement applies to all private entities, including OBSLs (Other Businesses and Supportive Organizations) and unions, operating a business in Quebec. Compliance with Law 25 is mandatory for these companies once they handle, store, utilize, or share personal information of Quebec residents, irrespective of the organization’s location or the storage location of the data.
The law does not establish any specific criteria, such as a minimum number of employees or customers, revenue thresholds, or types of personal information processing activities, to determine its applicability.
Criminal Offence
Measures and best practices: Implementation of an information governance program.
Content of the information governance program
- Policies, procedures and guidelines;
- A classification plan and a retention schedule for their data;
- A data subject rights process;
- A comprehensive definition of the roles and responsibilities of staff members;
New business obligations from September 22, 2023
The company must establish comprehensive policies and practices to govern the handling of personal information and should provide detailed, transparent information on these policies in a clear and accessible manner on its official website.
This information should specifically cover:
- Retention and Disposal: Clearly defined rules and procedures concerning the retention and secure disposal of personal information in accordance with applicable regulations and legal requirements.
- Roles and Responsibilities: Clearly outlined roles and responsibilities of personnel involved in all stages of the personal information life cycle, ensuring accountability and adherence to privacy principles and standards.
- Privacy Complaint Handling: A well-defined process for receiving, managing, and resolving privacy-related complaints from individuals, ensuring timely and appropriate responses to address any concerns.
It is crucial for the company to demonstrate its commitment to privacy protection by establishing these policies and practices and providing accessible information to ensure compliance with legal obligations and safeguard the rights and interests of individuals.