top of page

Law 25:
What you need to know

This new law amends certain provisions of the Act respecting the protection of private information in the private sector.

If your business collects or holds personal information, i.e. information relating to aPHYSICAL PERSONand allows, directly or indirectly, to identify it, you must comply with the following new obligations:

In force since September 2022:

  • The company must appoint a person responsible for the protection of personal information. In the absence of designation of a Head, the Law presumes that the person with the highest authority occupies this role;

  • The title and contact information of the privacy officer must be published on the company's website;

  • When a company has reason to believe that a serious confidentiality incident has occurred, it must notify the Commission d'accès à l'information and all persons concerned by the incident; And

  • The Manager must keep a register of confidentiality incidents that have occurred in the company.

Effective as of September 22, 2023:

  • Each company will have to develop, establish andimplement a privacy policyto provide for practices governing its governance with respect to the protection of personal information. Detailed information about this policy should be posted on the company's website;

  • The company that collects personal information must inform the person concerned of the purposes necessary for this collection and use the personal information only in connection with this purpose;

  • Bill 25 adds a system of financial administrative penalties applicable in the event of a breach by a company of an obligation imposed on it by the Act, which may go up to a sum of $10,000,000 or an amount corresponding to 2% of the turnover. global business; And

  • Criminal penalties are also increased, up to $25,000,000 or an amount equal to 4% of the company's worldwide revenue.

Act now!
To comply with the standards in force, contact  and set up your privacy policy.
bottom of page