Law 25

Protection of personal information

Quebec’s Law 25, in force since September 2022, strengthens companies’ responsibility to protect personal data.

Header Map Quebec Loi 25

What is Law 25, and when does it apply?

Picto Quelle est la loi 25 Quebec

Law 25, also known as “An Act to modernize legislative provisions respecting the protection of personal information”, aims to protect the population of Quebec. Its purpose is to make companies holding personal information on Quebec citizens more accountable.

Picto loi 25

Law 25 is being progressively implemented over a three-year period, starting on September 22, 2022. Most of its obligations came into force on September 22, 2023.

Picto la Loi 25 Impact penalités

Who is affected by Law 25, and how do the fines work?

Law 25 applies to all private companies and public organizations that collect, process or share personal information. From September 22, 2023, this law requires all organizations to obtain explicit consent from individuals for the collection, use and disclosure of their personal information.

The reform introduces considerable penalties for companies for non-compliance with the legislation, similar to what happened with the General Data Protection Regulation (GDPR) in Europe. In the event of non-compliance with Law 25, companies risk fines and sanctions. The Commission d’accès à l’information (CAI – Commission for access to information) will have the option of imposing administrative monetary penalties of up to $10,000,000 or 2% of worldwide sales, as well as criminal penalties of up to $25,000,000 or 4% of worldwide sales.

Loi 25 protection des données individuelles

What does a company need to do, and how can it comply?

With the new privacy responsibilities and obligations imposed on businesses, here are five key points to remember to ensure your company is compliant with the law:

Picto Nommer Responsable Loi 25

1. Designate a privacy officer and make his or her contact details available on the company’s website or by other appropriate means.

Picto Mesures & impact loi 25

2. Implement measures to prevent or reduce the impact of a privacy incident involving personal information, notify the Commission and the individuals concerned in the event of serious harm, and keep a register of incidents.

Picto Recensé Loi 25

3. Identify the personal data stored by your company and evaluate their degree of vulnerability.

Picto Technique Biométrique Loi 25

4. Inform the Commission in advance of any use of biometric techniques (e.g. fingerprint, facial or voice recognition).

Picto loi 25 & détruire données personnelles

5. Destroy personal information once the purpose of its collection has been fulfilled or anonymize it in order to use it for serious and legitimate purposes, subject to the conditions and retention period stipulated by law. 

Picto loi 25 protection données

How can I protect citizens’ personal information?

The preparation of a data processing and retention plan is strongly recommended under Law 25. This plan sets a date by which the data collected must be destroyed or irreversibly anonymized.

Anonymization, a process that makes personal information irreversibly anonymous for various uses such as support, analysis, testing or outsourcing, is particularly emphasized under this law.

DOT Anonymizer offers an effective solution for complying with Law 25, while preserving data exploitability. The solution is compatible with a variety of platforms and databases, meeting the law’s strict criteria.

DOT Anonymizer logo

Do you want to anonymize your test data?

Automate the process using DOT Anonymizer!