This content is provided for informational purposes and does not constitute legal advice. For any decision with legal or regulatory implications, consult a lawyer or the Commission d'accès à l'information (CAI).

⚖️
Legal information — not legal advice This content is educational and general. It does not constitute legal advice and does not assess your particular situation. Consult a lawyer or the CAI for any decision.
CHAPTER 15

FAQ · Glossary · Official Resources

The 10 most frequent questions, 14 defined terms, and the official sources to consult.

FAQ · 10 common questions

Answers to the most frequent questions

Does Law 25 apply if we only have a few employees?
Yes. The law sets no minimum threshold. As soon as an organization holds personal information (customers, employees), it is generally subject to the law — regardless of size. To confirm your specific situation, consult the CAI.
Do I have to hire a lawyer or a consultant?
No. An SMB can handle the essentials with templates and CAI resources. An external advisor remains useful for complex cases (out-of-province PIAs, serious incidents, contracts).
What's the difference between Law 25 and the federal law (PIPEDA)?
Law 25 governs the private sector in Quebec. PIPEDA (federal) applies to interprovincial and international commercial activities. Since Quebec has its own law, Law 25 generally takes precedence for activities that stay within Quebec.
Is implied consent still allowed?
In some cases for non-sensitive information, yes, when the purpose is obvious and reasonably expected. But for sensitive information and for marketing/profiling, express and separate consent is mandatory.
How long can I keep data?
As long as needed to fulfill the purposes, plus any applicable legal retention periods (tax, etc.). After that, destruction or anonymization. No "just in case" retention.
Do I need to notify the CAI of every incident?
No. Every incident goes in the register, but only those presenting a risk of serious harm must be notified to the CAI and the individuals concerned.
Is an email sent to the wrong recipient an incident?
Yes, it's an unauthorized disclosure. Log it in the register, then assess the risk of serious harm based on the data's sensitivity and the context.
Does data collected before 2022 fall under the law?
Yes. The law applies to the information you currently hold, regardless of when it was originally collected.
What if someone asks us to delete their data?
Assess the request against the applicable rights (de-indexing/cessation, rectification by deleting unlawfully held data). Document your decision and give reasons for any refusal, indicating available recourse (CAI).
Does Law 25 govern artificial intelligence?
Indirectly but genuinely: as soon as an AI processes personal information or makes automated decisions, transparency obligations and the right to contest the decision apply.
Glossary · 14 terms

Key definitions

Anonymization
Irreversible modification of data so that it can no longer identify a person. Falls outside the law's scope.
CAI
Commission d'accès à l'information du Québec. Law 25's oversight authority. Website: cai.gouv.qc.ca
Consent
Agreement that is manifest, free, informed, for specific purposes, and requested separately from any other information.
Automated decision
A decision based exclusively on automated processing (algorithm, AI). Triggers transparency obligations.
De-identification
Removal of direct identifiers. Re-identification is possible but unlikely. Remains personal information.
PIA
Privacy Impact Assessment. A mandatory risk analysis before certain projects or disclosures.
Confidentiality incident
Unauthorized access, use or disclosure, loss, or other breach of personal information.
Law 25
Act to modernize legislative provisions as regards the protection of personal information (S.Q. 2021, c. 25).
PIPEDA
The federal Personal Information Protection and Electronic Documents Act. Applies to interprovincial and international activities.
Minimization
The principle of only collecting data strictly necessary for the stated purposes.
Serious harm
A significant negative consequence (identity theft, fraud, reputational harm) that triggers the notification obligation.
Personal information
Any information that allows a natural person to be identified, directly or indirectly.
Privacy Officer
The person responsible for personal information protection. Mandatory. CEO by default if not designated.
AMP
Administrative monetary penalty. Imposed directly by the CAI without a court. Max. $10M or 2% of worldwide revenue.
Official resources

Reference sources

  • Commission d'accès à l'information du Québec (CAI)cai.gouv.qc.ca: guides, incident reporting form, sanctions application framework, sample notices.
  • Government of Quebecquebec.ca: general information on personal information protection.
  • Text of the Act — the Act respecting the protection of personal information in the private sector, as amended by Law 25 — available via Légis Québec.
⚠️ Recommended verification. This guide is a plain-language educational tool. Sanction amounts, deadlines and wording may be updated. Before any important decision, confirm the information at the official source (CAI) and, if needed, with a legal advisor.