What is Act 25

An Act to modernize legislative provisions as regards the protection of personal information (”Act 25”) adopted by the National Assembly in September 2021 substantially modifies certain obligations of enterprises and organizations with regards to the protection of personal information.


This law applies to all persons who operate a business that collects personal information (on their employees, clients, via their website or any other way throughout the course of their business) whether kept on paper or electronically. Most of these new obligations will be effective as of September 22, 2023. Nonetheless, many enterprises and many organizations are unaware that this law applies to them. A lot of the times, the term “personal information” is misunderstood. Many wrongly presume that by deleting direct identifiers from a document, such as the last name or first name, a person is no longer identified and therefore, the provisions of the law do not apply. This is not true. Act 25 applies to all personal information, i.e., all information on a physical person that can directly or indirectly be used to identify them.

This law applies to co-ownership syndicates

In the case of co-ownership syndicates, Act 25 applies since it is required under the Civil Code of Québec that a co-ownership registry be held in which can be found, amongst other, the name and postal address of each co-owner. Act 25 also applies to the collection of personal information upon hiring a property manager or caretaker, e.g., the social security number and banking information needs to be provided.

This law applies to real estate promoters

It is important for promoters that act as provisional directors of the co-ownership syndicates to be aware that they are held to the same obligations.

New obligations

 In this situation, the law requires that the co-ownership syndicates and real estate promoters adopt specific practices with regards to governance and protection of personal information.  Among these, the law requires that each enterprise or organization:

(1) names a Person in charge of the protection of personal information1 and posts his or her title and contact information on their website, or failing which, that it be made accessible by any other means;

(2) properly reacts to “confidentiality incidents2”;

(2.1) Consequently, each enterprise must keep a register of confidentiality incidents in compliance with the Regulation respecting confidentiality incidents, which entails that when a confidentiality incident occurs:

a. the employee of the enterprise communicates the confidentiality incident to the Person in charge;

b. the incident is logged in the Register;

c. the Person in charge of the protection of the personal information analyses the incident, adopts measures to limit the risk of serious injury to the persons concerned and limit the risk that a similar incident occurs again;

(2.2.) When there is a risk of serious injury, other requirements will need to be met, notably to notify the persons concerned and the Commission d’accès à l’information of the incident.

(3) reviews their agreements and contracts with all entities that operate or perform a mandate, a service contract or business contract for the enterprise or the organization3;

(4) ensures that the persons concerned are informed of the purposes for which the personal information and other information required4 pursuant to Act 25 is collected, and prior to its collection5;

(5) reviews the consent received from the persons concerned to justify the collection and disclosing of the personal information in light of the new criteria for consent validity;

(6) meets the new obligations with regards to the collection of personal information by technological means6;

(7) complies with the new applicable obligations in the event of communicating personal information outside of Québec7;

(8) complies with the new requirements and deadlines with regards to applications by the persons concerned for access or for rectification;

(9) elaborates or updates their governance policies and practices in compliance with Act 25.8

Those are only a few of the obligations under Act 25 that compel the co-ownership syndicates and real estate promoters to make substantial adjustments to their practices in matters of privacy protection for all personal information they hold and in whatever format.


There are hefty penalties provided under Act 25 in the event of non-compliance with requirements or inaction by the concerned organizations: up to a maximum of $25 million or an amount corresponding to 4% of global turnover of an organization over the previous financial year. Remember that a security breach or confidentiality incident can also damage the reputation of an organization and diminish clients and employee trust. It is therefore paramount to ensure that your operations comply with these requirements.


The Cain Lamarre personal information protection team can help your enterprise or organization to comply with the new Quebec obligations. Whether for training on the new obligations, advice on how to treat personal information, following a confidentiality incident, or to elaborate directives or policies with regards to the protection of personal information that meet the specific needs of your enterprise or organization, Cain Lamarre can accompany you in the process of complying to your new legal obligations. 


[1] By default, the person with the highest authority within the organization holds this position, although it can be delegated to another person.

[2] A “confidentiality incident” includes any access, use, or communication not authorized by law, to personal information as well as any loss or other breach of the protection of personal information.

[3] Among other things, in order to communicate personal information to these entities without obtaining the prior consent of the persons concerned, a written contract will be necessary providing for the measures taken by the entity to protect the confidentiality of the personal information communicated and to be notified in the event of a confidentiality incident. The contract must also provide that this information can only be used in the exercise of the mandate, or the execution of the contract and that the entity cannot keep it after its expiration.

[4] See Section 8 et seq. of Act 25.

[5] Except as provided under Act 25; See Section 12 of Act 25.

[6] Among other things, each organization must post a confidentiality policy on its website and by appropriate means. A public body must conduct a privacy impact assessment (PIA) for any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, release, keeping or destruction of personal information.

[7] This is the case, for example, if a co-ownership syndicate entrusts a person or entity outside Quebec with the task of collecting, using, disclosing or retaining this information on its behalf by means of an application, a website or network. These new obligations include completing a PIA and signing a written agreement to this effect with this entity outside Quebec.

[8] Which means, a clear and compliant framework for the conservation and destruction of personal information; for the roles and responsibilities of staff members throughout the lifecycle of personal information; and a process for handling complaints regarding the protection of privacy; In addition, detailed information about these policies and practices must be available, in clear and simple terms, on the organization’s website.

[9] Act 25 applies to personal information held on paper and also on digital media.