Disclosure Outside Quebec and Supplier Management
Most SMBs use services hosted outside Quebec. Every data flow outside Quebec triggers specific obligations β a PIA and a written agreement.
The cloud computing challenge
Most SMBs use services hosted outside Quebec:
- Microsoft 365 (Exchange, Teams, SharePoint) β servers in the US or Europe
- Google Workspace β international servers
- AWS, Azure, GCP β depending on the configured region
- Shopify, Salesforce, HubSpot, QuickBooks Online β outside Quebec
The PIA before any disclosure outside Quebec
Before disclosing information outside Quebec, the law requires a PIA to be carried out (chapter 6) taking into account, notably:
- The sensitivity of the information
- The purpose of its use
- The protective measures (encryption, contractual) that would apply
- The legal regime of the destination jurisdiction
The disclosure can only take place if the PIA demonstrates that the information would receive adequate protection. It must be covered by a written agreement.
Agents and service providers β mandatory contract
When you entrust information to an agent (host, payroll service, CRM, etc.), disclosure can take place without consent if you have a written contract providing for:
- The protective measures to be followed
- Use limited to the intended purposes
- An obligation to notify the Privacy Officer of any incident or attempted breach
- Destruction or return of the information at the end of the contract
- The organization's right of verification (audits)
- A ban on subcontracting without authorization
A practical approach for SMBs β 5 steps
- Inventory all suppliers who process personal information (CRM, HR, accounting, marketing, etc.)
- Locate where the data is hosted (Quebec, Canada, United States, Europe, etc.)
- Carry out a PIA for each disclosure outside Quebec not yet assessed
- Update contracts with the required clauses β use the chapter 13 template
- Document the inventory and PIAs to demonstrate compliance
β Suppliers checklist
- β Do we have an inventory of our suppliers that process personal data?
- β Have we located where each supplier hosts our data?
- β Does a PIA exist for each disclosure outside Quebec?
- β Do our supplier contracts contain the 6 required clauses?
- β Is the contract review part of the Privacy Officer's annual plan?