The main objectives of Law 25 include enhancing the rights of individuals concerning their personal information, imposing more stringent obligations on organizations that handle personal data, and providing the Quebec government with greater powers to enforce privacy laws.

Law 25 has introduced new obligations that businesses must follow, regarding the protection of personal information of Quebec residents. Privacy policies and provisions now need to be extended and strictly enforced, some things to consider are:

Security Measures

Businesses and organizations are required to implement appropriate security measures to ensure the protection of personal information.

Failure to comply with these measures will result in heavy fines [ ]

Data Breach Notifications

Businesses and organizations are required to now submit data breach notifications to Le Commission d’accès à l’information du Quebec. Additionally they must inform any affected individuals

Notifications must be sent out as soon as possible after a data breach incident and a record must be kept.

Appointment of a Data Protection Officer

A Data Protection Officer is an individual within a business designated to ensure compliance with Law 25, by default this is person of highest seniority in the company, however any employee can be assigned this responsibility.
The name and contact information for the Data Protection Officer must be published on your website.

Privacy notices

Businesses are now required inform individuals when they collect personal information using technology that identifies, locates, or profiles them.

Enhanced consent

Consent is required prior to the collection, use, or distribution of personal information

Privacy Impact Assessment

When acquiring, developing, or overhauling an information system or electronic service delivery system that involves the collection, use, release, keeping, or destruction of personal information a business should perform a privacy impact assessment.