- Designate a person in charge of the protection of personal information.
- Make an inventory of the data collected.
- Maintain an incident log to document data security events.
Introduction to Act 25
Act 25, or the Privacy Act, was adopted to strengthen the security of personal data held by the Quebec population. In the context of rapidly evolving technologies and growing privacy concerns, this act imposes stricter standards for businesses’ collection, use, and sharing of personal information.
Since coming into effect on September 22, 2022, Act 25 requires public or private organizations to manage data responsibly while respecting individuals’ rights over their information.
The 3 phases of Act 25
Phase 1
Start‑up—September 22, 2022
Phase 2
Enhanced transparency—September 22, 2023
- Privacy policies must be clearly accessible on websites.
- Implement mechanisms to obtain consent for data collection (cookies, geolocation, etc.).
- Establish contracts with suppliers guaranteeing compliance with Act 25.
Phase 3
Access and management—September 22, 2024
- Implement a policy enabling individuals to consult, update or request the deletion of their personal information held by the company, with a processing time of less than 30 days.
- Reinforcement of security measures to protect data in transit.
Understand your obligations and prepare effectively
Meet our Act 25 experts
- Soleïca Monnier—Lawyer at Fasken
As a specialist in data protection law, Soleïca assists numerous companies in their compliance with Act 25 and closely follows regulatory developments. She is a legal expert in the field, bringing an essential perspective on legal obligations and citizens’ rights. - Patrick Bélanger — Vice‑President of Innovation and Compliance at Nmédia
Patrick has extensive experience in business strategy and compliance. He plays a key role in developing solutions to ensure Nmédia’s compliance with Act 25 and ensures that these requirements are integrated into the company’s innovation and development objectives. - Stéphane Lépine — Senior Director of Technology and Security at Nmédia
As a cybersecurity and data management expert, Stéphane implements the technical measures required to protect personal information.
Topics covered during the webinar
- Introduction
Presentation of the issues and objectives of Act 25. - New obligations for companies
Focus on appointing a data protection officer, privacy impact assessments, and management of privacy settings. - New rights for citizens
Analysis of data portability rights, the right to digital oblivion, and access and rectification rights. - Sanctions and enforcement
Explanation of potential sanctions, fines and the powers of the Commission d’accès à l’information (CAI). - Practical tips for compliance
A step‑by‑step guide to getting started on compliance, with tips on how to avoid common mistakes. - Question‑and‑answer segment
Open discussion with participants to answer any questions about Act 25. - Watch the webinar
Nmédia faces the challenges of achieving compliance
Like many SMEs, Nmédia has encountered challenges in complying with Act 25. As reported by La Presse, Patrick Bélanger, Vice‑President of Innovation and Compliance, explained that the company initially fell behind, prioritizing other projects before focusing fully on compliance.
In the process, Nmédia was confronted with a cyber incident, which served as a full‑scale test to improve its security standards. Although this event did not compromise any sensitive data, it did raise awareness throughout the team of the crucial importance of compliance with Act 25. The experience also led the company to institute more rigorous data management practices, including regularly cleansing superfluous information.
As of today, Nmédia has completed 90% of its compliance and continues to refine its processes, including validating its data destruction schedules.
To read the full article (available in French only), consult the La Presse website.
