This content is provided for informational purposes and does not constitute legal advice. For any decision with legal or regulatory implications, consult a lawyer or the Commission d'accès à l'information (CAI).

βš–οΈ
Legal information β€” not legal advice This content is educational and general. It does not constitute legal advice and does not assess your particular situation. Consult a lawyer or the CAI for any decision.
CHAPTER 12

Quebec Case Studies

5 fictional but realistic scenarios illustrating typical situations for Quebec SMBs. Any resemblance to a real organization is coincidental.

Case 1 Β· Retail
South Shore Online Boutique β€” Shopify, 12,000 customers, data outside Quebec

Situation: "Mode BorΓ©ale," a Longueuil business with a Shopify online store, collects names, addresses, emails and purchase histories from 12,000 customers. Data hosted outside Quebec.

Problems identified: No clear privacy policy, marketing consent buried in terms of service, no PIA for the out-of-province hosting.

What they did:

  • Designated the co-owner as Privacy Officer, published her contact info on the site
  • Rewrote a simple privacy policy, added a separate marketing consent checkbox
  • Carried out a PIA on the Shopify hosting and updated the supplier agreement
  • Set up a retention schedule (purging accounts inactive for 3+ years)
πŸ’‘ Lesson: Compliance for a small business rests mostly on simple but documented steps, not on expensive tools.
Case 2 Β· Sensitive health data
Private physiotherapy clinic β€” stolen laptop

Situation: A clinic holds health data (sensitive information requiring enhanced protection).

Incident: An unencrypted laptop containing patient files is stolen from a vehicle.

Compliant response:

  • Incident logged in the register as soon as discovered
  • Assessment: sensitive data + risk of fraud = confirmed risk of serious harm
  • CAI notified within 72 hours, patients notified with vigilance advice
  • Corrective measures: encryption of all laptops, no-local-storage policy
πŸ’‘ Lesson: A stolen encrypted laptop generally does not trigger the same level of risk. Encryption often turns a serious incident into a non-event.
Case 3 Β· Nonprofit Β· Limited resources
Montreal community organization β€” tight budget

Situation: A nonprofit manages donor and beneficiary data with a small staff and a tight budget.

Challenge: "We can't afford a compliance department."

Proportionate solution:

  • The executive director becomes Privacy Officer by default, supported by a skilled volunteer
  • Use of free templates (CAI, sector associations) for policies and the register
  • Prioritization: incident register, MFA on cloud accounts, privacy policy
πŸ’‘ Lesson: The law is proportionate. Doing the essentials, well documented, beats aiming for perfection and doing nothing.
Case 4 Β· Professional services
Real estate brokerage β€” sensitive financial data

Situation: A brokerage holds detailed financial information: income, debts, clients' identity documents.

Risks: Over-collection (asking for more than necessary), indefinite retention, sharing with partners without contractual safeguards.

Path to compliance:

  • Minimization: only request the documents actually needed for each file
  • PIA on CRM tools and lending partners
  • Contracts updated with partners (Law 25 subcontracting clauses)
  • Limited retention and secure destruction after the required legal period
πŸ’‘ Lesson: In professional services, the main risk is over-collection and excessive retention. Always ask: "Do I actually need this piece of data?"
Case 5 Β· Manufacturer Β· Cyberattack
80-employee manufacturer β€” ransomware on HR servers

Situation: A manufacturer holds HR data (payroll, disability medical records) and suffers a ransomware attack encrypting its servers.

Response:

  • Immediate containment: isolate systems, activate the response plan
  • Logged in the register, risk assessed (sensitive HR data exposed) β†’ confirmed risk of serious harm
  • CAI notified + affected employees, credit monitoring offered
  • Restoration from offline backups untouched by the attack
  • Post-mortem: MFA rolled out everywhere, network segmentation, anti-phishing training
πŸ’‘ Lesson: An incident response plan and offline backups make the difference between a managed crisis and a disaster. Without them: no register, no plan, no backups = 3 immediate Law 25 violations on top of the ransomware itself.

Cross-cutting lessons

  • Encryption and offline backups radically reduce the impact of incidents
  • Data minimization limits exposure in the event of an incident
  • Proportionality protects small organizations: doing the essentials is often enough
  • Documenting your efforts demonstrates due diligence in an investigation