LAW 25 (QUEBEC)
Law 25 questionnaires: what Quebec buyers now ask their vendors
If a Quebec customer's vendor review suddenly got longer and started asking who your "person in charge of the protection of personal information" is, that is Law 25 at work. Law 25 is the short name for Quebec's Act to modernize legislative provisions as regards the protection of personal information (tabled as Bill 64 and assented to in September 2021). It amended the Act respecting the protection of personal information in the private sector, was phased in over September 2022, 2023 and 2024, and is now fully in force; it is often described as the strictest private-sector privacy regime in North America. This guide covers the questions unique to Law 25 and the one assessment Canadian processors fail most often.
Why Law 25 changed vendor reviews
Law 25 did not just raise Quebec enterprises' own obligations; it made several of them flow through to anyone they share personal information with. Communicating personal information to a third party for processing requires a written contract with specific protections, and communicating it outside Quebec requires a prior assessment of whether it will be adequately protected where it lands. A Quebec buyer cannot complete either obligation without interrogating you — so their questionnaires grew sections that have no equivalent in PIPEDA, GDPR, or any US framework. If your answer library was built for generic security reviews, the Law 25 rows will be the blank ones.
The asks unique to Law 25
Four requirements show up in Quebec questionnaires and almost nowhere else:
- A designated person in charge of the protection of personal information. By default this is the person exercising the highest authority in the enterprise, typically the CEO, unless the role is delegated in writing (in whole or in part) to someone else. The title and contact information of the person in charge must be published on the enterprise's website, or by other appropriate means if it has none. A questionnaire asking for the name is checking that the delegation happened, not collecting trivia.
- Privacy impact assessments (PIA / EFVP). Required before communicating personal information outside Quebec, and for any project to acquire, develop, or overhaul an information system or electronic service delivery system that collects, uses, communicates, keeps, or destroys personal information. Buyers will ask whether you conduct them and whether you can supply the facts their own assessment needs.
- Confidentiality by default. Where an enterprise collects personal information through a technological product or service offered to the public, the product's privacy settings must provide the highest level of confidentiality by default, without any action by the individual. The one carve-out in the Act is cookie settings, which are excluded from this rule. Expect a row asking how your product's privacy-relevant defaults are configured.
- Cessation of dissemination and de-indexing. Individuals can require an enterprise to stop disseminating their personal information or to de-index it in certain circumstances. Vendors get asked whether their systems can actually execute such a request when the customer receives one.
Confidentiality incidents: the CAI, the persons, and the register
Law 25 calls breaches confidentiality incidents: access to, use of, or communication of personal information that is not authorized by law, its loss, or any other breach of its protection. The duties run in three directions. Where an incident presents a risk of serious injury to the persons concerned, the enterprise must notify the Commission d'accès à l'information (CAI) and the affected persons with diligence. And regardless of severity, every confidentiality incident goes into an incident register, which the enterprise must produce to the CAI on request. As a vendor, your operational duty is usually contractual (tell your customer promptly so they can run their injury assessment), but the questionnaire will test whether you could: do you detect incidents, do you keep your own register, and is the notification path to the customer written down anywhere.
The outside-Quebec transfer assessment: where processors fail
The single Law 25 question Canadian processors fail most is the transfer assessment. Before personal information leaves Quebec, whether to your Ontario data center, your US cloud region, or your subprocessors, the Quebec enterprise must assess whether it will receive adequate protection, in particular in light of generally accepted data protection principles, and proceed only if the assessment concludes it would. The Act names the factors the assessment weighs: the sensitivity of the information, the purposes for which it will be used, the protection measures in place (contractual ones included), and the legal regime of the destination jurisdiction. The transfer must then be covered by a written agreement that reflects the assessment's results. Their assessment is built from your answers: every hosting jurisdiction, every subprocessor, the safeguards in each, and the contract terms binding them. Vendors who answer "data is stored securely in the cloud" stall the buyer's legal obligation and, with it, the deal. The vendors who close are the ones who hand over a jurisdiction-by-jurisdiction map without being asked twice.
How to answer a Law 25 questionnaire, step by step
- Confirm what role you play. Are you a service provider processing personal information for the Quebec enterprise, or do you determine purposes yourself? Most of the questionnaire's heaviest obligations sit with the enterprise; knowing which duties are contractually yours keeps you from claiming obligations you do not hold — or disclaiming ones you do.
- Build the answer library before drafting. Start from our free answer-library template and add a Law 25 section: person in charge, incident register, transfer map, default settings. Quebec rows recur across buyers nearly verbatim — the library pays for itself on the second questionnaire.
- Designate the person in charge, in writing. If nobody has been delegated, the role sits with your CEO by default. Decide deliberately, document the delegation, and publish the title and contact details — then the questionnaire row is one line.
- Write the transfer map. List every jurisdiction where personal information is stored or processed, every subprocessor, and the safeguards and contract terms in each. This is the input to your customer's mandatory PIA — handing it over complete is the difference between a one-week and a two-month review.
- Stand up the incident register and the notification path. Document where incidents are recorded, what fields the register holds (at minimum what happened, the information and persons affected, when it was detected, the injury assessment and its outcome, and what was done about it), and how, and how fast, the customer is told. The register duty covers every incident, not just the serious ones, and the register must be producible on request.
- Answer the product rows against your real defaults. Check what your privacy-relevant settings actually ship as, and whether you can execute a de-indexing or cessation request end to end. If the honest answer is "not yet," say so with a date rather than rounding up.
When the answer is no: closing Law 25-specific gaps
Law 25 "no" answers concentrate where the Act assumes operational machinery exists — detection behind the incident register, governance over who touches personal information. Each gap is closeable with an open-source component you keep:
- No incident register or the detection behind it: Managed Wazuh — you cannot register confidentiality incidents you never detect; this is the monitoring and log retention the register duty assumes.
- No access governance over personal information: Managed Teleport for recorded, audited access to the systems holding it, and Managed Keycloak for the MFA and identity layer in front of them.
- Whole posture needs building: Managed Security — the monitored stack and documentation that make the rest of the questionnaire answerable.
The general method for any questionnaire — triage, answer honestly, build the library as you go — is in our guide to answering security questionnaires; this page is what Quebec adds on top. If a Quebec buyer's review is already on the clock, ThinSky's Questionnaire Rescue drafts the whole response, transfer map included.
Common questions
Who must be the person in charge of personal information under Law 25?
By default, the person exercising the highest authority in the enterprise — in a company, the CEO. That responsibility can be delegated in writing to anyone, including someone outside the organization, but the delegation has to actually exist. Questionnaire rows asking for your "person in charge of the protection of personal information" are testing whether the role was ever assigned; the title and contact details must also be published on your website.
What is a confidentiality incident under Law 25?
Law 25's term for a breach: access to, use of, or communication of personal information that is not authorized by law, its loss, or any other breach of its protection. Where the incident presents a risk of serious injury, you must notify the Commission d'accès à l'information (CAI) and the affected persons with diligence. Every confidentiality incident, regardless of severity, must be entered in an incident register, which the CAI can ask to see.
Does Law 25 apply to companies outside Quebec?
It can. The Act respecting the protection of personal information in the private sector applies to personal information about people in Quebec that an enterprise collects, holds, uses, or communicates — it does not require an office in the province. More practically for vendors: Quebec buyers are obligated under the Act, so they push its requirements down through contracts and questionnaires regardless of where you are incorporated.
Do we need a privacy impact assessment for cloud hosting under Law 25?
If personal information from Quebec will be communicated outside the province, including to a US cloud region, the enterprise must conduct a privacy impact assessment (PIA, or EFVP in French) before the transfer, concluding that the information would receive adequate protection in light of generally accepted data protection principles, and the transfer must then be covered by a written agreement that reflects the assessment. The duty sits with your Quebec customer, but they cannot complete the assessment without facts only you have: hosting jurisdictions, subprocessors, safeguards, and contractual commitments.