Personal Information Protection

Would Your Personal Information Protection Practices Withstand a CAI Audit?


The CAI Can Audit Your Personal Information Protection Practices

The Commission d'accès à l'information (CAI) has the authority to audit your data protection practices and impose fines of up to $25M or 4% of global annual turnover.

Law 25 introduces new obligations, including: data inventory, appointment of a designated Privacy Officer (DPO/RPRP), consent registers, incident registers (mandatory notification within 72 hours), Privacy Impact Assessments (PIAs/EFVP) for technological projects, and annual staff training.

All organizations (SMEs, non-profits, and corporations) that collect personal information in Quebec are affected—regardless of size.

A free diagnostic is available (1-866-950-3357) to determine whether your practices would withstand a CAI audit.

Law 25 Compliance Guide

Download our comprehensive guide to understand and implement Law 25 within your organization. An essential tool for compliance.

  • 50+ pages of detailed explanations
  • Practical examples and templates
  • Complete compliance checklist

Why a CAI Audit Matters

Even the most well-intentioned organizations face three key realities:

A Rapidly Evolving Legal Framework

Law 25 (formerly Bill 64), CNESST requirements (medical records), Canadian biometric data regulations, and more.

Data Proliferation

Remote work, SaaS tools, cameras, OHS records, 360° evaluations, tax audits, etc.

Heavier Sanctions

Administrative fines up to $25M or 4% of global revenue, orders, and civil lawsuits.

Risks of Non-Compliance

Real-life situations in which employers can face CAI sanctions:

Recruitment
  Data involved: CVs, background checks, psychometric tests
  Main risk: Excessive collection, lack of consent
  Solution: Consent clauses, limited retention

HR Records
  Data involved: Performance, disciplinary measures, OHS
  Main risk: Unauthorized access, excessive retention
  Solution: Access matrices, purge policies, encryption

IT & Remote Work
  Data involved: BYOD, home Wi-Fi
  Main risk: Data stored on personal devices
  Solution: BYOD policies + MDM software

Marketing
  Data involved: Newsletters, targeted campaigns
  Main risk: Sending communications without valid consent
  Solution: Consent registers, double opt-in

Partners
  Data involved: Payroll, cloud services
  Main risk: Third-party data breaches
  Solution: Data protection agreements + vendor audits

Security Incidents
  Data involved: Phishing, ransomware
  Main risk: Privacy breach, delayed reporting
  Solution: Incident response plan, CAI notification within 72 hours

10 Key Steps to Be CAI Audit-Ready

A structured approach for full preparedness:

1. Appoint a Privacy Officer
   Formally designate a Personal Information Protection Officer with a clear mandate and a dedicated email address.

2. Data Inventory
   Maintain a detailed inventory of data: type, location, purpose, and owner.

3. Document Policies
   Document collection, access, retention, and destruction policies.

4. Consent Register
   Maintain consent registers for employees, clients, and partners.

5. Incident Response Plan
   Deploy an incident response plan and an incident register so that the CAI can be notified within 72 hours.

6. Privacy Impact Assessments
   Conduct assessments for any high-risk technological or monitoring projects.

7. Vendor Agreements
   Execute confidentiality and data processing agreements with all suppliers.

8. Staff Training
   Provide annual training (with proof of attendance) for HR, IT, and management staff.

9. Retention Schedule
   Apply a retention schedule with automated deletion mechanisms.

10. Monitoring & Audits
   Track key indicators via a compliance dashboard and conduct regular internal audits.

Law 25 Compliance Checklist

Suggested roadmap for full compliance:

  • Initial diagnostic: assess current practices and identify compliance gaps
  • Appoint the Privacy Officer (RPRP) and publish contact details
  • Data inventory: map personal information sources, purposes, locations, flows, and security
  • Policies and procedures: draft or update privacy, consent, access, incident, and retention policies
  • Vendor/partner agreements: update or create compliant contracts
  • Privacy Impact Assessments (EFVPs): apply to high-risk projects
  • Staff training: plan and deliver tailored training with attendance records
  • Incident register & response plan: define processes, test scenarios
  • Individual rights mechanisms: handle access, rectification, and portability requests
  • Monitoring & audits: internal reviews, dashboards, KPIs
  • Testing & simulations: run incident simulations to validate processes
  • Continuous improvement: adapt to evolving technology and CAI decisions

Get the full checklist: 1-866-950-3357

Best Practices vs Common Mistakes

Common Mistakes

  • No incident register: unable to report within 72 hours
  • No employee training: lack of awareness of risks and obligations
  • Vendors unmanaged, without written agreements: unclear responsibility in case of breach

Best Practices

  • Tested incident response plan: trained emergency team
  • Clear, documented consents: up-to-date registers with valid proof
  • Annual policy updates: aligned with legal and technological changes

Key Takeaways on Law 25 Compliance

Personal information protection is no longer a "nice to have"—it is a strategic legal obligation. By anticipating CAI expectations and implementing strong governance, Quebec employers reduce legal exposure, strengthen employee trust, and gain a sustainable competitive advantage.

Need Help?

Exact RH already supports hundreds of organizations—SMEs and non-profits—in the practical application of Law 25:

  • Compliance diagnostics
  • Policy drafting and consent templates
  • Targeted training for staff and managers
  • PIA (EFVP) support and security testing
  • Incident risk assessment support
  • Assistance with CAI communications

Frequently Asked Questions

Everything you need to know about CAI audits and Law 25:

What is Law 25?

Law 25 (formerly Bill 64) is Quebec's modernized personal information protection law. It imposes new obligations on all organizations collecting personal data, including appointment of a Privacy Officer, consent management, incident registers, and Privacy Impact Assessments.

What is the CAI and what is its role?

The CAI (Commission d'accès à l'information) is Quebec's privacy regulator. It has the authority to audit organizations, investigate complaints, issue orders, and impose fines of up to $25 million or 4% of global revenue for non-compliance.

What are the consequences of non-compliance with Law 25?

Non-compliance can result in administrative fines up to $25 million or 4% of global annual turnover, CAI orders, civil lawsuits, reputational damage, and loss of customer trust.

Are SMEs and non-profits affected?

Yes, all organizations that collect personal information in Quebec are affected, regardless of size. This includes SMEs, non-profits, corporations, and even sole proprietors.

Do I need to appoint a Privacy Officer (RPRP)?

Yes, every organization must designate a Privacy Officer with a clear mandate. By default, this role falls to the highest-ranking person. Contact information must be published publicly.

How often must employees be trained?

Organizations should provide annual training on personal information protection, with documented proof of attendance. Training should be tailored to each role's data handling responsibilities.

What is a Privacy Impact Assessment (PIA/EFVP)?

A PIA is a mandatory evaluation for high-risk technological projects. It identifies privacy risks and documents mitigation measures before implementation, and it is required for projects involving personal data processing.

Which incidents must be reported to the CAI?

Privacy incidents that present a serious risk of harm must be reported to the CAI within 72 hours. This includes data breaches, unauthorized access, loss of personal information, and ransomware attacks.

How can Exact RH help me prepare for a CAI audit?

Exact RH provides compliance diagnostics, policy drafting, consent templates, staff training, PIA support, incident risk assessments, and CAI communication assistance. Over 3,000 organizations trust our services.

Let's Talk About Your Law 25 Compliance

Contact us for a free assessment. We'll help you turn Law 25 compliance into a trust-building advantage for your organization, employees, clients, and partners.