Support for compliance with Bill 25
Your compliance with Bill 25 from Québec, supported by our expertise
Ease of compliance
With our turnkey toolkit, you can easily comply with Bill 25 requirements.
Automation of your compliance
Thanks to the various document management tools in our toolbox, you will be able to automate the tasks related to your compliance.
Cybersecurity Expertise
Our consultation hours with a cybersecurity specialist give you advice on how to protect your valuable data.
The turnkey toolbox integrated into Microsoft 365
Our turnkey toolkit integrated into Microsoft 365, developed in collaboration with the Delegatus collective of lawyers, provides you with all the tools you need to meet the requirements of Bill 25.
Our turnkey toolkit includes a Privacy-Security Incident SharePoint site.
Our support also includes an overview of the toolbox for the purpose of training the manager(s) and support with a cybersecurity specialist to ensure that your data is well protected.
With any purchase of the toolbox, a consultation session with a specialist lawyer from the Delegatus lawyers’ collective is included.
Taking inventory of your personal information can be a long and tedious process. For this reason, we offer two options depending on the degree of complexity of this task within your organization.
- Support in understanding and implementing the personal information register required by Bill 25.
- Optional: Microsoft Purview
  - Discovery of personal information already present in your Microsoft 365 environment, to simplify the implementation of Bill 25.
  - Real-time monitoring of personal information usage in your M365 environment, to remain compliant with your internal usage policies as well as regulatory requirements.
- Procedure for managing confidentiality incidents involving personal information
- Cybersecurity incident management procedure
- Notice template to notify in writing anyone affected by a privacy incident
- Model notice to the Commission d’accès à l’information (CAI)
- Analysis grid to determine if the incident presents a risk of serious harm
- Template for delegating the privacy officer role and its legal obligations
- Privacy Program
- Framework policy on the protection of personal information
- Directive on the Collection, Use and Disclosure of Personal Information
- Directive on the retention and destruction of personal information
- Procedure on the management of requests and complaints relating to personal information
- Directive on Physical, Technical and Organizational Security Measures for Personal Information
- Privacy policy for the website
- Contractual annex to be attached to a service contract to provide for the protection of personal information
- Data processing agreement: a template supplier agreement for the processing of personal information
- Privacy Impact Assessment Guide
- Privacy Impact Assessment Report Template
Through this Microsoft Forms form, anyone who has reasonable grounds to believe that a confidentiality incident has occurred involving personal information held by the organization can notify the Privacy Officer.
Our collaborators from the Delegatus law collective have created several video capsules to help you understand what Bill 25 is about. They cover the key terms (personal information, confidentiality-security incidents, person responsible for the protection of personal information, etc.) as well as the different phases of Bill 25.
Proper management of personal information requires sound cybersecurity, so that no intruder can steal your valuable data. Our team will advise you on adopting a proactive attitude towards the inherent risks.
- Present and clarify incident management
- Respond to questions and queries related to incident management
- Specify the next steps for compliance with Bill 25 for your organization
* Up to 5 hours
Due to the legal implications linked to this compliance, our support includes a 45-minute consultation with a specialist lawyer.
Why be accompanied by cybersecurity professionals to comply with Bill 25?
Bill 25 modernizes the legislative provisions regarding the protection of personal information. Its purpose is to provide users with better control over their personal information.
To comply with the requirements of this bill, organizations must implement several measures gradually.
The three phases are staggered across September 2022, September 2023 and September 2024.
- Getting support to ensure that you comply with all the prerequisites of Bill 25 makes it possible to not miss any of the crucial steps in data protection. We work closely with a legal team to ensure that our actions comply with the legal framework in force.
- Surrounding yourself with cybersecurity professionals to ensure the compliance of your data management is a good reflex. Our professionals are familiar with data governance and with best practices for preserving the confidentiality of your data. In addition, good management of personal information requires sound cybersecurity, so that no intruder can steal your valuable data. Our team will advise you on adopting a proactive attitude towards the inherent risks.
Frequently Asked Questions
Discover below the frequently asked questions related to Bill 25 in Quebec.
Bill 25 is a Quebec law that strengthens the protection of personal information. It imposes new obligations on companies to better protect their customers’ data. In other words, this is an important update to the rules on confidentiality in Quebec.
The main changes brought by Bill 25 include:
- Clearer consent: Companies must obtain explicit, informed consent to collect and use your personal data.
- Right to be forgotten: You can ask a company to delete your data if it is no longer necessary.
- Increased accountability: Businesses must implement rigorous security measures to protect your data.
In summary, Bill 25 aims to give you more control over your personal data and strengthen trust in the private sector.
Bill 25, officially titled “An Act modernizing legislative provisions relating to the protection of personal information”, is a Quebec law adopted in 2021 which aims to strengthen the protection of citizens’ personal data. This law makes significant changes to existing privacy laws, both in the public and private sectors.
The main objectives of Bill 25 are:
- Strengthening the protection of personal information: The bill aims to give individuals greater control over their personal data and protect it against misuse.
- Modernize the legal framework: Bill 25 adapts Quebec legislation to new technological realities and developments in data protection on an international scale, in particular by drawing inspiration from the General Data Protection Regulation (GDPR) of the European Union.
- Holding organizations accountable: The bill imposes new obligations on organizations that collect, use or communicate personal information, encouraging them to adopt more secure and transparent practices.
The main changes introduced by Bill 25 include:
- Consent: The bill requires free, informed and specific consent for the collection, use and communication of personal information.
- The rights of individuals: Individuals have more extensive rights, such as the right of access, rectification, opposition and portability of their data.
- Obligations of organizations: Organizations must put in place adequate security measures, designate a person responsible for the protection of personal information and carry out privacy impact assessments.
- Sanctions: The bill provides for administrative monetary sanctions and significant criminal fines for organizations that do not comply with its provisions.
In summary, Bill 25 is a major step forward in the protection of personal data in Quebec. It aims to ensure a better balance between the needs of organizations and the rights of individuals in terms of the protection of their data.
Bill 25 imposes new obligations regarding the protection of personal information. To write a compliant privacy policy, it is essential to cover the following elements:
- Organization Identification: Clearly indicate your company name and contact information for your Privacy Officer.
- Purposes of collection: Explain in a simple and straightforward manner why you collect your customers’ data (for example, to process an order, send promotional emails, etc.).
- Types of data collected: List the information you collect (name, email address, purchase history, etc.).
- Data recipients: Indicate to whom you are transmitting the data (partners, subcontractors, etc.).
- Retention period: Specify how long you keep the data.
- Security measures: Describe the technical and organizational measures put in place to protect the data (e.g. encryption, firewalls, etc.).
- Rights of individuals: Inform individuals of their rights (access, rectification, opposition, etc.) and the procedure to follow to exercise them.
- Consent: Explain how you obtain consent from your customers and how they can withdraw it.
- Data transfers: If you transfer data abroad, indicate the protection measures in place.
Phase 3 of Bill 25 represents the final stage in the implementation of this major bill on the protection of personal information in Quebec. It marks a significant evolution in the way organizations must manage and protect their customers’ personal data.
Key Features of Phase 3:
- Right to data portability: This is the most significant element of this phase. Individuals will have the right to receive a copy of their personal data in a structured, commonly used and machine-readable format. This will allow them to transfer this data easily from one service to another.
- Strengthening security measures: Organizations will need to put in place even more robust security measures to protect personal data, particularly with regard to security breach prevention and incident management.
- Simplification of administrative procedures: The Commission d’accès à l’information (CAI) plans to simplify certain administrative procedures linked to the application of Bill 25.
Why is this phase important?
- Empowering individuals: The right to data portability gives individuals greater control over their personal data, allowing them to choose the services they use and limiting dependence on a single company.
- Stimulating competition: Data portability should promote competition by making it easier for consumers to switch providers.
- Improved data protection: Enhanced security measures will help reduce the risk of security breaches and protect individuals’ personal data.
In summary, phase 3 of Bill 25 marks an important step in the evolution of the protection of personal information in Quebec. It gives individuals new rights and imposes new data security obligations on organizations.
Bill 25 on the protection of personal information in Quebec provides for significant fines for companies that do not comply with its provisions. These sanctions are intended to encourage organizations to take their obligations regarding the protection of personal data seriously.
Fines can reach considerable amounts and vary depending on the seriousness of the offense.
Here is an overview of the different categories of fines provided for by Bill 25:
- Administrative monetary fines:
  - Amount: Up to $10 million or 2% of global revenue for the previous financial year, whichever is greater.
  - For what violations: These fines are imposed for less serious violations, such as failures to keep records or delays in responding to access requests.
- Criminal fines:
  - Amount: Up to $25 million or 4% of global revenue for the previous fiscal year, whichever is greater.
  - For what offenses: These harsher fines are reserved for more serious offenses, such as collecting personal data without consent or illegally disclosing data.
- Punitive damages:
  - Amount: At least $1,000.
  - For which infringements: These damages are awarded for intentional infringements or those resulting from gross negligence. Their aim is to punish the offender and to deter other companies from committing similar offenses.
Factors that may affect the amount of the fine include:
- The nature of the offense: More serious offenses generally result in higher fines.
- Damage caused: The consequences of the breach on individuals whose data was compromised may also be taken into account.
- Company size: Larger companies generally face higher fines.
- Recidivism: Companies that have already been sanctioned for similar offenses may be subject to more severe fines.
It is important to note that fines are not the only possible consequences of non-compliance with Bill 25. Businesses may also face reputational damage, loss of customers and legal action.
The function of Personal Information Manager (PIR) is a crucial role established by Bill 25 in Quebec. This person is responsible for ensuring compliance with personal information protection obligations within an organization.
Role of the personal information manager
The responsibilities of the PIR are multiple and varied. He or she must in particular:
- Raise employee awareness of issues related to the protection of personal information.
- Develop and implement data protection policies and procedures.
- Conduct privacy impact assessments.
- Manage requests for access, rectification or opposition from individuals.
- Collaborate with the Quebec Commission for Access to Information (CAI).
- Ensure the organization’s compliance with the provisions of Bill 25.
Who should assume this function?
According to Bill 25, every person who operates a business is responsible for protecting the personal information they hold. This means that the person with the highest authority in the organization must ultimately ensure compliance with the bill.
However, this function may be delegated, in whole or in part, to another person. It is common to designate an employee with knowledge of the law, technology or risk management to fill this position.
Why designate a PIR?
- Expertise: The PIR provides specific expertise in data protection.
- Accountability: Designating a PIR demonstrates the organization’s commitment to the protection of personal information.
- Coordination: The PIR coordinates the organization’s efforts to ensure compliance with the bill.
In summary, the personal information manager plays an essential role in the implementation of Bill 25. By designating a PIR, organizations demonstrate their commitment to the protection of personal data and reduce the risk of sanctions.
Bill 25 has considerably strengthened the rights of individuals regarding the protection of personal information. At the same time, it introduced new obligations for organizations, particularly regarding access to information.
What does this mean for a business?
- Individuals’ right to information: Individuals now have the right to request that an organization disclose to them the personal information it holds about them. They may also request the rectification or deletion of this data.
- Obligations of the company: The organization must respond to these requests within a reasonable time and provide the requested information, unless otherwise provided by law.
- Record keeping: The organization must keep a register of personal information processing activities. This register must contain information on the categories of personal information collected, the purposes of the processing, the recipients of the data, etc. It may be required when an access request is made.
- Transparency: The organization must be able to justify the data processing it carries out and demonstrate that it respects the principles of Bill 25.
Our Commitment
Our team of certified cybersecurity professionals will work with you to implement and maintain the IT security solution that meets your needs.
Bernard Després
Security and Audit Practice Manager