The Detailed Obligations of a Business
This chapter is the operational core of the guide. Here are the concrete obligations of every Quebec business, grouped by theme.
Governance and internal policies
The law requires organizations to establish and implement policies and practices governing personal information. Concretely:
- Define the roles and responsibilities of staff throughout the data lifecycle
- Provide for a complaint-handling process related to information protection
- Describe your retention and destruction measures for information
- Tailor these policies to the size and nature of your organization
Published privacy policy
Distinct from the internal governance policy, the privacy policy is addressed to the public. It must be written in plain, clear language and explain:
- What data you collect and why
- How you use it and to whom you disclose it
- How long you keep it
- How to exercise one's rights
See the privacy policy template (chapter 13).
Transparency at collection β 7 mandatory elements
When an organization collects personal information, it must inform the individual of:
- The purposes of the collection
- The means used to collect it
- Their right to access and correct it
- Their right to withdraw consent
- Where applicable, the fact that the information may be disclosed outside Quebec
- The third parties to whom the data may be disclosed
- The use of identification, location or profiling technologies β which must be disabled by default
Minimization and purpose limitation
- Minimization: only collect the information necessary for the stated purposes. If you don't need a piece of data, don't collect it.
- Purpose limitation: only use the information for the purposes for which it was collected, unless you obtain new consent or a legal exception applies.
Retention and destruction β a mandatory schedule
Once the purposes of the collection have been fulfilled, the law requires you to destroy the information or anonymize it for legitimate use (statistics, etc.). You cannot keep data "just in case" indefinitely.
Security measures β reasonable and proportionate
The law requires you to take security measures that are reasonable given the sensitivity, purpose, quantity, distribution and medium of the information. The law doesn't mandate a specific technology β it mandates the outcome. See the technical guide (chapter 10).
Marketing consent and profiling
- Consent for marketing or profiling purposes must be separate
- Profiling, location and identification tools must be disabled by default (privacy by default)
Summary table of obligations
| Obligation | Detailed chapter | Primary owner |
|---|---|---|
| Designate a Privacy Officer | Chapter 5 | Management |
| Governance policy | Section 4.1 | Management / Privacy Officer |
| Published privacy policy | Section 4.2 | Management / Marketing |
| Transparency at collection | Section 4.3 | Marketing / Sales |
| Data minimization | Section 4.4 | IT / Operations |
| Retention and destruction | Section 4.5 | IT / Privacy Officer |
| Information security | Chapter 10 | IT / CISO |
| Incident management | Chapter 7 | IT / CISO / Privacy Officer |
| Privacy Impact Assessment | Chapter 6 | IT / Privacy Officer |
| Responding to rights requests | Chapter 8 | Privacy Officer / Customer service |
β Obligations checklist
- β Governance policy drafted, approved by management and applied?
- β Privacy policy published and understandable on the website?
- β Retention/destruction schedule documented?
- β Profiling technologies disabled by default?
- β Marketing consent separate from terms of service?