Obligations in force since September 2022

Designate a person responsible for the protection of personal information and publish their title and contact details on the organization’s website or otherwise if they do not have one.


In the event of a confidentiality incident involving personal information:

  • Take reasonable measures to reduce the risk of harm being caused to the persons concerned and to prevent new incidents of the same nature from occurring.
  • Notify Board of access to information of Quebec and the person concerned if the incident presents a risk of serious harm.
  • Keep a register of all incidents , a copy of which may be sent to the Commission d’accès à l’information du Québec at its request.

Comply with the new framework applicable to the communication of personal information without the consent of the person concerned for the purposes of studies, research or the production of statistics and in the context of a commercial transaction.


Evaluate the factors relating to privacy before communicating personal information without the consent of the persons concerned for the purposes of study, research or the production of statistics.


Disclose in advance to the Commission d’accès à l’information du Québec the verification or confirmation of identity made by means of biometric characteristics or measurements.


The changes made by Act 25 will gradually come into force until 2024. Next step, September 2023.


Ce contenu est tiré de Aide-mémoire : résumé des nouvelles obligations des entreprises  publié par la Commission d’accès à l’information du Québec.

Note: This summary does not take into account the specificities of each organization.