This content is provided for informational purposes and does not constitute legal advice. For any decision with legal or regulatory implications, consult a lawyer or the Commission d'accès à l'information (CAI).

βš–οΈ
Legal information β€” not legal advice This content is educational and general. It does not constitute legal advice and does not assess your particular situation. Consult a lawyer or the CAI for any decision.
CHAPTER 9

Disclosure Outside Quebec and Supplier Management

Most SMBs use services hosted outside Quebec. Every data flow outside Quebec triggers specific obligations β€” a PIA and a written agreement.

9.1 Β· SMB reality

The cloud computing challenge

Most SMBs use services hosted outside Quebec:

  • Microsoft 365 (Exchange, Teams, SharePoint) β€” servers in the US or Europe
  • Google Workspace β€” international servers
  • AWS, Azure, GCP β€” depending on the configured region
  • Shopify, Salesforce, HubSpot, QuickBooks Online β€” outside Quebec
Using Microsoft 365 = disclosing data outside Quebec. This triggers the PIA and written-agreement obligations β€” even if the data is hosted in Canada.
9.2 Β· Prior obligation

The PIA before any disclosure outside Quebec

Before disclosing information outside Quebec, the law requires a PIA to be carried out (chapter 6) taking into account, notably:

  • The sensitivity of the information
  • The purpose of its use
  • The protective measures (encryption, contractual) that would apply
  • The legal regime of the destination jurisdiction

The disclosure can only take place if the PIA demonstrates that the information would receive adequate protection. It must be covered by a written agreement.

9.3 Β· Outsourcing

Agents and service providers β€” mandatory contract

When you entrust information to an agent (host, payroll service, CRM, etc.), disclosure can take place without consent if you have a written contract providing for:

  • The protective measures to be followed
  • Use limited to the intended purposes
  • An obligation to notify the Privacy Officer of any incident or attempted breach
  • Destruction or return of the information at the end of the contract
  • The organization's right of verification (audits)
  • A ban on subcontracting without authorization

See the supplier contract clause template (chapter 13).

9.4 Β· Action plan

A practical approach for SMBs β€” 5 steps

  1. Inventory all suppliers who process personal information (CRM, HR, accounting, marketing, etc.)
  2. Locate where the data is hosted (Quebec, Canada, United States, Europe, etc.)
  3. Carry out a PIA for each disclosure outside Quebec not yet assessed
  4. Update contracts with the required clauses β€” use the chapter 13 template
  5. Document the inventory and PIAs to demonstrate compliance

βœ“ Suppliers checklist

  • ☐ Do we have an inventory of our suppliers that process personal data?
  • ☐ Have we located where each supplier hosts our data?
  • ☐ Does a PIA exist for each disclosure outside Quebec?
  • ☐ Do our supplier contracts contain the 6 required clauses?
  • ☐ Is the contract review part of the Privacy Officer's annual plan?