Obligations

The content of this page is taken from the Commission for Access to Information tool entitled Guide to Business Obligations.

Please note that this summary does not take into account the specificities of each organization.

Obligations effective since September 2022


    Designate a person responsible for the protection of personal information and publish their title and contact details on the organization’s website or, if the organization does not have a website, by other means.


    In the event of a confidentiality incident involving personal information:

    • Take reasonable measures to reduce the risk of harm being caused to the persons concerned and to prevent new incidents of the same nature from occurring.
    • Notify the Commission d’accès à l’information du Québec and the person concerned if the incident presents a risk of serious harm.
    • Keep a register of all incidents, a copy of which may be sent to the Commission d’accès à l’information du Québec at its request.

    Comply with the new framework applicable to the communication of personal information without the consent of the person concerned for the purposes of studies, research or the production of statistics and in the context of a commercial transaction.


    Evaluate the factors relating to privacy before communicating personal information without the consent of the persons concerned for the purposes of study, research or the production of statistics.


    Disclose in advance to the Commission d’accès à l’information du Québec the verification or confirmation of identity made by means of biometric characteristics or measurements.


    The changes made by Act 25 will come into force gradually until 2024. The next step is September 2023.


    This content is taken from Aide-mémoire : résumé des nouvelles obligations des entreprises, published by the Commission d’accès à l’information du Québec.

    Note: This summary does not take into account the specificities of each organization.

Obligations effective since September 2023


    Businesses must comply with obligations that have been effective since September 2022 and also adhere to the following obligations:

    • Establish policies and practices governing the management of personal information and publish detailed information on these in simple and clear terms on the company’s website, or, if it does not have a website, through any other appropriate means;
    • Conduct a Privacy Impact Assessment (PIA) when required by law, for example, before disclosing personal information outside of Quebec;
    • Comply with new rules regarding consent for the collection, disclosure, or use of personal information;
    • Destroy personal information once the purpose for its collection has been fulfilled, or anonymize it for use for serious and legitimate purposes, subject to the conditions and a retention period specified by law;
    • Fulfill new obligations of information and transparency towards citizens;
    • Comply with new rules for the disclosure of personal information without the consent of the concerned individual (for the execution of a mandate or fulfillment of a service or business contract);
    • Comply with new rules for the disclosure of personal information outside of Quebec;
    • Comply with new rules on the use of personal information;
    • By default, set parameters ensuring the highest level of privacy for the technological product or service offered to the public;
    • Comply with new rules surrounding the collection of personal information about minors;
    • Respect the right to stop the dissemination, re-indexing, or de-indexing (or right to be forgotten);
    • Comply with new rules for the disclosure of personal information that facilitate the grieving process.

Obligations effective in September 2024