This content is provided for informational purposes and does not constitute legal advice. For any decision with legal or regulatory implications, consult a lawyer or the Commission d'accès à l'information (CAI).

βš–οΈ
Legal information β€” not legal advice This content is educational and general. It does not constitute legal advice and does not assess your particular situation. Consult a lawyer or the CAI for any decision.
CHAPTER 13

Ready-to-Use Templates

Starting points to adapt to your reality. These templates do not replace legal advice β€” they accelerate your path to compliance.

13.1 Β· Public document

Privacy policy β€” standard structure (11 sections)

1. Who we are β€” business identity and Privacy Officer's contact info 2. What information we collect 3. Why we collect it (purposes) 4. How we use it 5. Who we disclose it to (incl. suppliers and outside Quebec) 6. How long we keep it 7. How we protect it 8. Your rights (access, correction, portability, withdrawal, de-indexing) 9. Cookies and tracking technologies (disabled by default) 10. How to exercise your rights / file a complaint (Privacy Officer + CAI) 11. Policy's last-updated date
13.2 Β· 5-year retention

Incident register β€” mandatory columns

| # | Incident date | Discovery date | Nature of incident | Data affected | | # of individuals | Risk of serious harm (Y/N) | Justification of assessment | | CAI notified (date) | Individuals notified (date) | Measures taken | Closure status | Keep for a minimum of 5 years β€” may be requested by the CAI.
13.3 Β· Supplier contracts

Law 25 contract clause β€” supplier

The Service Provider agrees to: 1. Process personal information solely for the purposes of this contract. 2. Implement security measures that are reasonable and proportionate to the sensitivity of the data. 3. Not retain the information beyond the period necessary for the intended purposes. 4. Notify the Client's Privacy Officer without delay of any incident or attempted breach. 5. Not disclose the information outside Quebec without prior written authorization and a completed PIA. 6. Allow the Client to verify compliance with these obligations (audits, questionnaires). 7. Destroy or return all information at the end of the contract and provide written certification of it.
13.4 Β· Responding to rights requests

Internal form β€” rights request

β€’ Requester's identity and the verification method used β€’ Type of request: access / rectification / portability / withdrawal / de-indexing / automated decision β€’ Information concerned (description) β€’ Date the request was received β€’ Exceptions assessed (third-party rights, professional secrecy, etc.) β€’ Decision made and reasons β€’ Response date (target: ~30 days) β€’ Recourse mentioned to the requester (CAI)
13.5 Β· Notification

Incident notice to an affected individual

β€’ Description of the incident (nature, approximate date, circumstances) β€’ Personal information affected (nature, not necessarily full detail) β€’ Risks to the individual (identity theft, fraud, etc.) β€’ Measures taken by our organization to reduce the risks β€’ Measures recommended to the individual: – Change affected passwords – Monitor bank and credit statements – Stay alert to phishing attempts β€’ Privacy Officer's contact information for any question
Tip: The CAI provides an official incident reporting form and sample notices at cai.gouv.qc.ca. Use them as your primary reference.