This content is provided for informational purposes and does not constitute legal advice. For any decision with legal or regulatory implications, consult a lawyer or the Commission d'accès à l'information (CAI).

βš–οΈ
Legal information β€” not legal advice This content is educational and general. It does not constitute legal advice and does not assess your particular situation. Consult a lawyer or the CAI for any decision.
CHAPTER 4

The Detailed Obligations of a Business

This chapter is the operational core of the guide. Here are the concrete obligations of every Quebec business, grouped by theme.

4.1 Β· Internal policy

Governance and internal policies

The law requires organizations to establish and implement policies and practices governing personal information. Concretely:

  • Define the roles and responsibilities of staff throughout the data lifecycle
  • Provide for a complaint-handling process related to information protection
  • Describe your retention and destruction measures for information
  • Tailor these policies to the size and nature of your organization
This governance policy must be approved at the management level and published in an accessible form (at least a summary on your website).
4.2 Β· Public document

Published privacy policy

Distinct from the internal governance policy, the privacy policy is addressed to the public. It must be written in plain, clear language and explain:

  • What data you collect and why
  • How you use it and to whom you disclose it
  • How long you keep it
  • How to exercise one's rights

See the privacy policy template (chapter 13).

4.3 Β· At the time of collection

Transparency at collection β€” 7 mandatory elements

When an organization collects personal information, it must inform the individual of:

  1. The purposes of the collection
  2. The means used to collect it
  3. Their right to access and correct it
  4. Their right to withdraw consent
  5. Where applicable, the fact that the information may be disclosed outside Quebec
  6. The third parties to whom the data may be disclosed
  7. The use of identification, location or profiling technologies β€” which must be disabled by default
4.4 Β· Guiding principle

Minimization and purpose limitation

  • Minimization: only collect the information necessary for the stated purposes. If you don't need a piece of data, don't collect it.
  • Purpose limitation: only use the information for the purposes for which it was collected, unless you obtain new consent or a legal exception applies.
4.5 Β· Lifecycle

Retention and destruction β€” a mandatory schedule

Once the purposes of the collection have been fulfilled, the law requires you to destroy the information or anonymize it for legitimate use (statistics, etc.). You cannot keep data "just in case" indefinitely.

No indefinite retention. Establish a retention schedule by data category and follow it. See the compliance plan (chapter 11).
4.6 Β· Security

Security measures β€” reasonable and proportionate

The law requires you to take security measures that are reasonable given the sensitivity, purpose, quantity, distribution and medium of the information. The law doesn't mandate a specific technology β€” it mandates the outcome. See the technical guide (chapter 10).

4.7 Β· Marketing

Marketing consent and profiling

  • Consent for marketing or profiling purposes must be separate
  • Profiling, location and identification tools must be disabled by default (privacy by default)
4.8 Β· Overview

Summary table of obligations

ObligationDetailed chapterPrimary owner
Designate a Privacy OfficerChapter 5Management
Governance policySection 4.1Management / Privacy Officer
Published privacy policySection 4.2Management / Marketing
Transparency at collectionSection 4.3Marketing / Sales
Data minimizationSection 4.4IT / Operations
Retention and destructionSection 4.5IT / Privacy Officer
Information securityChapter 10IT / CISO
Incident managementChapter 7IT / CISO / Privacy Officer
Privacy Impact AssessmentChapter 6IT / Privacy Officer
Responding to rights requestsChapter 8Privacy Officer / Customer service

βœ“ Obligations checklist

  • ☐ Governance policy drafted, approved by management and applied?
  • ☐ Privacy policy published and understandable on the website?
  • ☐ Retention/destruction schedule documented?
  • ☐ Profiling technologies disabled by default?
  • ☐ Marketing consent separate from terms of service?