CHAPTER 13
Ready-to-Use Templates
Starting points to adapt to your reality. These templates do not replace legal advice β they accelerate your path to compliance.
13.1 Β· Public document
Privacy policy β standard structure (11 sections)
1. Who we are β business identity and Privacy Officer's contact info
2. What information we collect
3. Why we collect it (purposes)
4. How we use it
5. Who we disclose it to (incl. suppliers and outside Quebec)
6. How long we keep it
7. How we protect it
8. Your rights (access, correction, portability, withdrawal, de-indexing)
9. Cookies and tracking technologies (disabled by default)
10. How to exercise your rights / file a complaint (Privacy Officer + CAI)
11. Policy's last-updated date
13.2 Β· 5-year retention
Incident register β mandatory columns
| # | Incident date | Discovery date | Nature of incident | Data affected |
| # of individuals | Risk of serious harm (Y/N) | Justification of assessment |
| CAI notified (date) | Individuals notified (date) | Measures taken | Closure status |
Keep for a minimum of 5 years β may be requested by the CAI.
13.3 Β· Supplier contracts
Law 25 contract clause β supplier
The Service Provider agrees to:
1. Process personal information solely for the purposes of this contract.
2. Implement security measures that are reasonable and proportionate to the
sensitivity of the data.
3. Not retain the information beyond the period necessary for the intended
purposes.
4. Notify the Client's Privacy Officer without delay of any incident or
attempted breach.
5. Not disclose the information outside Quebec without prior written
authorization and a completed PIA.
6. Allow the Client to verify compliance with these obligations
(audits, questionnaires).
7. Destroy or return all information at the end of the contract and
provide written certification of it.
13.4 Β· Responding to rights requests
Internal form β rights request
β’ Requester's identity and the verification method used
β’ Type of request: access / rectification / portability / withdrawal /
de-indexing / automated decision
β’ Information concerned (description)
β’ Date the request was received
β’ Exceptions assessed (third-party rights, professional secrecy, etc.)
β’ Decision made and reasons
β’ Response date (target: ~30 days)
β’ Recourse mentioned to the requester (CAI)
13.5 Β· Notification
Incident notice to an affected individual
β’ Description of the incident (nature, approximate date, circumstances)
β’ Personal information affected (nature, not necessarily full detail)
β’ Risks to the individual (identity theft, fraud, etc.)
β’ Measures taken by our organization to reduce the risks
β’ Measures recommended to the individual:
β Change affected passwords
β Monitor bank and credit statements
β Stay alert to phishing attempts
β’ Privacy Officer's contact information for any question
Tip: The CAI provides an official incident reporting form and sample notices at cai.gouv.qc.ca. Use them as your primary reference.