Skip to main content

Does The Implementation of Law 25 Present Any Challenges for Your Business? Elements of Compliance (Bulletin 3 of 3)

Reading Time 6 minute read


Privacy & Cybersecurity Bulletin

How to conduct a Privacy Impact Assessment (“PIA”)? [i]

The Private Sector Act requires that a PIA be completed for three scenarios:[ii]

  • Before sharing personal information outside Québec;[iii]
  • When developing or upgrading an information system or electronic service that involves collecting, using, communicating, keeping or destroying personal information;[iv]
  • Before sharing personal information for study or research purposes or for the production of statistics without the consent of the persons concerned;

The Commission d'accès à l'information ("CAI") published a guide for PIAs on its website, which will be updated to reflect the changes brought about by Law 25;[v]

The challenge with PIAs is identifying scenarios that require one throughout an organization and report them to the Privacy Officer for assessment.

What is a retention period?

When personal information is no longer needed for the purposes for which it was collected or used, an enterprise must either destroy the information or anonymize it to use it for serious and legitimate purposes, subject to any retention period provided for by the law.[vi] A “retention period” refers to the lenght of time that an organization must identify and associate with each category of personal information it holds before destroying or, when permitted, anonymizing it.

All retention periods are documented in a retention schedule. Implementing such a preservation schedule is a tedious but necessary step for any enterprise covered by the Private Sector Act, especially given the hefty penalties now associated with it (up to $25 million or 4% of worldwide sales, whichever is greater).[vii] To do so, if they do not already have one, organizations should start making an inventory of personal information under their control, whether retained by the enterprise or through the agency of a third party.

When is personal information considered to have fulfilled its purpose and when must it be destroyed?

The purposes referred to in section 23 of the Private Sector Act are those identified before the collection of personal information. This is why an entreprise must determine the purposes for which it collects personal information beforehand, and inform the individual is informed at the time of collection.[viii]

Once these purposes are fulfilled, an enterprise must consider whether retention obligations require it to hold personal information for an additional period of time. For example, tax or ethical requirements for record keeping may apply. It is therefore necessary to combine the time periods relating to the purposes initially identified with the required preservation periods in order to determine the destruction period for each category of personal information held by an enterprise.

How to avoid confidentiality incidents?

There is no such thing as zero risk. Even with excellent security measures and governance, mistakes happen. Furthermore, some confidentiality incidents result from external threats that are difficult to anticipate as they are constantly evolving.

That being said, it is important to be diligently prepared. For example, enterprises should implement measures to detect irregular activity, downloads, or unusual access to the enterprise’s personal information (active monitoring).[ix] Conducting internal training and protecting physical media can help enhance the overall security level of an enterprise and thus minimize the risk of privacy incidents.

Finally, an enterprise should ensure that it keeps only the personal information necessary for the purposes identified at the time of collection.[x] As a matter of fact, the less personal information an enterprise retains, the less likely it is to suffer a significant confidentiality incident.

Is there currently a right to delete personal information?

The Private Sector Act does not provide an absolute right to have personal information deleted in the Private Sector Act. However, an individual may request that an entreprise delete information about them if (i) it is inaccurate, incomplete, or misleading, (ii) its collection, disclosure, or retention is not authorized by law, or (iii) it is outdated or not relevant for the purpose of the file.[xi]

For more information on the new rights introduced by Law 25, see our newsletter De-identify, Anonymize and De-index: New Verbs and New Obligations!

Do our websites need to have a banner for accepting cookies?

In addition to the disclosure requirement at the time of collection,[xii] any person who collects personal information from the person concerned using technology that includes functions allowing the person concerned to be identified, located or profiled must first inform the person of the following elements:

  • the use of this technology
  • the means available to activate the functions allowing identification, location or profiling.[xiii

As a result, it is generally not possible to collect personal information using cookies without obtaining the consent of the individual beforehand. This can be done with a cookie banner. This consent requires a positive action from the person concerned to activate identification, location or profiling (for example, click on a “I accept” button). The use of a banner is an effective way to achieve this.

To learn more about cookies, see Cookies, a bite out of cybernauts’ privacy? A Canadian-European overview.

When an employer uses a service provider to collect personal information on its behalf, who must obtain the worker’s consent?

Section18.3 of the Private Sector Act specifically provides an exception to the requirement to obtain consent for the communication of personal information in the context of carrying out a mandate,[xiv] or performing a contract of enterprise or services,[xv] subject to certain conditions. Therefore, if an employer communicates certain personal information to its service provider for the purpose of fulfilling its mandate, it generally does not need to obtain the consent of the individuals involved (here, the workers).

On the contrary, if the service provider collects personal information on behalf of a third person (here, the employer), such third person has several obligations to obtain valid consent.[xvi] Nevertheless, the employer remains responsible for ensuring that the methods used comply with the Private Sector Act, by contract or otherwise. An enterprise remains responsible for personal information under its control, even if it is entrusted to a third person.[xvii]


[i]       For the purposes of this bulletin, all legislative references must be read as incorporating the amendments introduced by An Act to modernize legislative provisions as regards the protection of personal information, S.Q. 2021, c. 25 (“Law 25”), which come into effect in several phases. For a reminder of the different effective dates, see the Annotated Private Sector Act or the Annotated Access Act. (Available in French only)

[ii]      In the public sector, there are five scenarios, which are set out in sections 63.5, 64, 67.2.1, 68 and 70.1 of the Access Act. See SRIDAIL, “Privacy Impact Assessment”, online (in French only): on this topic.

[iii]     Private Sector Act, s. 17

[iv]     Private Sector Act, s. 3.3

[v]      See Commission d’accès à l’information, “Guide d’accompagnement”, online (only in French):

[vi]     Private Sector Act, s. 23

[vii]     Private Sector Act, s. 91

[viii]    Private Sector Act, s. 4 and 8.

[ix]     Regarding the concept of active monitoring, see Fédération des caisses Desjardins du Québec, 1020846-s, online (only in French):écembre-2020_VF_diffusion.pdf

[x]      Private Sector Act, s. 5

[xi]     According to a reading of s. 28 and 35 of Private Sector Act and of s. 40 of the C.C.Q.; Note that the Private Sector Act, as amended by Law 25, provides in article 1.1 that “any person who collects personal information relating to another person for a serious and legitimate reason is deemed to be establishing a file within the meaning of the Civil Code and the rights concerning such a file conferred by articles 35 to 40 of that Code apply to the personal information collected.”

[xii]     Private Sector Act, s. 8

[xiii]    As indicated in section 8.1 of the Private Sector Act, in addition to the information to be provided under s. 8.

[xiv]    CCQ, s. 2130.

[xv]    CCQ, s. 2098.

[xvi]    See, for example, the Private Sector Act, s. 2 para. 2.

[xvii]   Private Sector Act, s. 1 para. 2 and 3.1.

Contact the Authors

For more information or to discuss a particular matter please contact us.

Contact the Authors



    Receive email updates from our team