Data Protection Policy — Quebec (Politique de protection des données / Loi 25)
Politique de protection des données — Quebec (Law 25 / LPRPSP / Bill 64)
DATA PROTECTION POLICY
Politique de protection des renseignements personnels
[Organization Name] | [Business Address]
Effective Date: [Effective Date] | Last Reviewed: [Last Review Date]
Privacy Officer (Responsable de la protection): [Privacy Officer Name] | [Privacy Officer Contact]
This Data Protection Policy ('Policy') is established by [Organization Name] in compliance with the Act respecting the protection of personal information in the private sector (LPRPSP / Law 25, as amended by Bill 64), the Civil Code of Quebec (CCQ), and applicable federal privacy legislation.
1. PERSONAL INFORMATION WE COLLECT
[Organization Name] collects the following categories of personal information: [Data Categories]
Purposes of collection: [Collection Purposes]
Legal basis: [Legal Basis]
We collect only the minimum personal information necessary for the purposes identified (principle of data minimization under Law 25). Collection occurs at the time of your engagement with our products or services, and consent is obtained through separate consent forms for each distinct purpose.
2. RETENTION AND DESTRUCTION
[Organization Name] retains personal information only as long as necessary for the identified purposes or as required by law. Retention periods: [Retention Periods]
Upon expiry of retention periods, personal information is securely destroyed or anonymized in accordance with Law 25 art. 23. Anonymized data no longer constitutes personal information and may be retained for statistical analysis.
3. SECURITY MEASURES
[Organization Name] implements appropriate technical and organizational measures to protect personal information against unauthorized access, disclosure, alteration, or destruction: [Security Measures]
In the event of a privacy incident that presents a risk of serious injury, [Organization Name] will notify the Commission d'accès à l'information (CAI) and affected individuals as required by Law 25. A Privacy Incident Register (Registre des incidents de confidentialité) is maintained in compliance with the Regulation respecting confidentiality incidents.
4. CROSS-BORDER TRANSFERS
Cross-border transfers outside Quebec: [Cross-Border Transfers].
[Transfer Safeguards]
Before any transfer of personal information outside Quebec, [Organization Name] conducts a Privacy Impact Assessment (Évaluation des facteurs relatifs à la vie privée / EFVP) as required by Law 25 art. 17, and ensures adequate contractual safeguards are in place.
5. INDIVIDUAL RIGHTS
Individuals have the following rights under Law 25 (LPRPSP):
- Right of access — to obtain a copy of personal information held about you
- Right of correction — to have inaccurate information corrected
- Right of withdrawal — to withdraw consent at any time
- Right of deletion — to have personal information anonymized or destroyed when no longer necessary
- Right of portability — to receive your data in a structured, machine-readable format
- Right to lodge a complaint — with the Commission d'accès à l'information (CAI) at cai.gouv.qc.ca
To exercise any of these rights, contact: [Privacy Officer Name] at [Privacy Officer Contact]. We will respond within 30 days as required by Law 25.
6. PRIVACY OFFICER
As required by Law 25, [Organization Name] has designated [Privacy Officer Name] as the person responsible for the protection of personal information (Responsable de la protection des renseignements personnels). Contact: [Privacy Officer Contact].
This Policy is reviewed at least annually and updated to reflect changes in law, technology, or organizational practices. Current version effective: [Effective Date].
Privacy Officer (Responsable de la protection)
________________
Signature
Authorized Representative of [Organization Name]
________________
Signature
What Is a Data Protection Policy — Quebec (Politique de protection des données / Loi 25)?
A Quebec Data Protection Policy (Politique de protection des données) is an organizational document describing how personal information is collected, used, stored, protected, and shared. Mandated by Law 25 (LPRPSP as amended by Bill 64), it must be published and made accessible to individuals. It is the cornerstone of Law 25 compliance for Quebec businesses. Under Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25, CQLR c P-39.1), all organizations operating in Quebec that collect, use, communicate, or retain personal information must implement a data protection policy. Law 25 (as amended by Bill 64, effective in stages from 2022-2023) introduced mandatory privacy impact assessments (PIAs), data minimization obligations, and mandatory breach notification. The Commission d'accès à l'information (CAI) supervises compliance. The Civil Code of Quebec (CCQ) Articles 35-41 provide the foundational right to privacy. The Charter of Human Rights and Freedoms of Quebec (CQLR c C-12), Section 5, reinforces these protections at the quasi-constitutional level. The Superior Court of Quebec has jurisdiction over enforcement actions. Article 37 of the Civil Code of Quebec (CCQ) also grants individuals the right to access and correct their personal information. Organizations must appoint a privacy officer whose name and contact details are published. The Superior Court of Quebec adjudicates civil claims for breach of privacy under CCQ art. 1457.
When Do You Need a Data Protection Policy — Quebec (Politique de protection des données / Loi 25)?
A data protection policy is mandatory for all Quebec private sector organizations that collect, use, or communicate personal information about individuals. Law 25 requires it to be published and accessible. It must be reviewed and updated regularly.
Parties in Quebec should prepare a Data Protection Policy — Quebec (Politique de protection des données / Loi 25) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution. A data protection policy must be in place before an organization begins collecting personal information from Quebec residents. Law 25 requires organizations to designate a privacy officer, conduct privacy impact assessments (PIAs) for new projects involving personal information, and publish their privacy policy on their website. The CAI enforces the requirement for a published, accessible policy. Organizations subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA, SC 2000, c 5) must also comply with PIPEDA's accountability principle. Revenu Québec and the Autorité des marchés financiers (AMF) impose additional data governance requirements for regulated entities.
What to Include in Your Data Protection Policy — Quebec (Politique de protection des données / Loi 25)
Key elements: Privacy Officer identification, types of personal information collected, purposes of collection, legal basis, retention periods, security measures, cross-border transfer rules, individual rights (access, correction, deletion), complaint procedure, cookie policy for websites, and Law 25/CAI compliance references.
Additional compliance elements for a Data Protection Policy — Quebec (Politique de protection des données / Loi 25) used in Quebec: the policy must cover appointment of a privacy officer with contact information; categories of personal data collected and purposes; legal basis for collection under Law 25; data retention schedules; third-party sharing and cross-border transfer procedures; security measures protecting data; data subject rights (access, rectification, portability, erasure, withdrawal of consent) under Law 25 ss. 37-40; privacy incident response procedures under Law 25 s. 3.5; privacy impact assessment (PIA) process; and complaint handling procedures before the CAI. The policy must be published in plain language accessible to all data subjects. The CAI may order organizations to amend non-compliant policies. Forms-legal.com provides this Quebec-compliant data protection policy template as a starting point. Article 37 of the Civil Code of Quebec (CCQ) grants individuals the right to access and correct their personal information. Organizations must publish their privacy policy and make it easily accessible to data subjects. The CAI (Commission d'accès à l'information) can order organizations to cease collection or amend policies. Under Law 25 s. 3.5, data breach notifications to the CAI must be made within 72 hours. The Superior Court of Quebec adjudicates civil privacy claims. Consult a Quebec privacy lawyer for complex data governance arrangements. Under Section 3.3 of Law 25, organizations must conduct a privacy impact assessment (PIA) before acquiring or developing any information system involving personal information. The CAI publishes annual enforcement reports and may impose corrective orders. Consult a Quebec privacy lawyer to audit your data protection policy for Law 25 compliance.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Protection Policy — Quebec (Politique de protection des données / Loi 25) (Quebec) [Legal document template]. Forms Legal. https://forms-legal.com/quebec/business/policies/data-protection-policy-quebec
"Data Protection Policy — Quebec (Politique de protection des données / Loi 25) (Quebec)." Forms Legal, 2026, https://forms-legal.com/quebec/business/policies/data-protection-policy-quebec.
@misc{formslegal-data-protection-policy-quebec,
author = {{Forms Legal}},
title = {Data Protection Policy — Quebec (Politique de protection des données / Loi 25) (Quebec)},
year = {2026},
howpublished = {\url{https://forms-legal.com/quebec/business/policies/data-protection-policy-quebec}},
note = {Free legal document template. Based on Act Respecting the Protection of Personal Information (CQLR, c. P-39.1)}
}
Frequently Asked Questions
Quebec's Law 25 (Act 25, which amended the Act respecting the protection of personal information in the private sector / LPRPSP via Bill 64) imposed major new obligations on private sector organizations. Key requirements include: designation of a Privacy Officer (Responsable de la protection des renseignements personnels) whose name must be published; mandatory privacy impact assessments (PIAs) before collecting personal information or before communicating it outside Quebec; a data breach notification obligation to the Commission d'accès à l'information (CAI) and affected individuals; explicit consent requirements for collection and use of personal information; privacy by design principles; rights of individuals to access, correct, and request deletion of their personal information; and strict rules on cross-border transfers of personal information. Penalties for non-compliance can reach up to $25 million CAD or 4% of worldwide turnover.
A Data Protection Policy — Quebec (Politique de protection des données / Loi 25) does not legally require a lawyer in Quebec, and individuals and businesses may draft and execute the document independently. However, seeking independent legal advice from a qualified Quebec lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The Superior Court of Québec has jurisdiction over disputes arising from this type of document, and Registraire des entreprises du Québec may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.
A Privacy Impact Assessment (PIA) is a structured process to identify and mitigate privacy risks in a proposed project before personal information is collected or used. Under Section 3.3 of Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25, CQLR c P-39.1), organizations must conduct a PIA before: (1) acquiring, developing, or overhauling an information system involving personal information; (2) communicating personal information outside Quebec under Section 17 of Law 25; or (3) using personal information for profiling, automated decision-making, or biometric identification. The Commission d'accès à l'information (CAI) has published guidelines on PIA methodology. A PIA must document the nature of personal data, risks to data subjects, mitigation measures, and approval by the designated privacy officer. Where a PIA reveals unacceptable risks, the project must be modified or abandoned before launch. Failure to conduct a required PIA may result in administrative penalties under Section 90.1 of Law 25 of up to $25,000,000 or 4% of worldwide turnover. The Civil Code of Quebec (CCQ) art. 35 and Charter of Human Rights and Freedoms of Quebec (CQLR c C-12) s. 5 also underpin the PIA requirement. Forms-legal.com provides this Quebec-compliant data protection policy template as a starting point.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Personal Information Consent Form — Quebec (Law 25 / LPRPSP)
Create a Quebec Personal Information Consent Form compliant with Law 25 (LPRPSP). Obtains explicit, informed consent for the collection, use, and disclosure of personal information. Required for sensitive data, marketing communications, cross-border transfers, and secondary uses. PDF or Word.
Non-Disclosure Agreement (Quebec)
Create a free Quebec non-disclosure agreement governed by the Civil Code of Quebec. This French-language template is designed for Quebec civil law, with references to articles 1371 to 1707 of the C.c.Q. Covers unilateral and mutual confidentiality, trade secrets, and intellectual property. Compliant with Law 96.
Employee Confidentiality Agreement — Quebec (C.c.Q. art. 2088 / Law 25)
Create a Quebec Employee Confidentiality Agreement compliant with C.c.Q. art. 2088 and Law 25 (LPRPSP). Protects trade secrets, client lists, proprietary information, and business methods. Covers obligations during and after employment. PDF or Word.
Diversity, Equity and Inclusion Policy — Quebec (Quebec Charter / LNT / LCDP)
Create a Quebec DEI Policy compliant with the Charter of Human Rights and Freedoms of Quebec (CDLP), the Pay Equity Act, and the LNT. Covers organizational commitments, prohibited grounds of discrimination (15 grounds under the CDLP), accommodation, reporting procedures, and review mechanisms. PDF or Word.