What is Law 25 on personal information?


This is a law that strengthens the rights of individuals regarding the protection of personal information, while adding teeth through significant penalties for offending organizations.

Before the law came into effect, companies could handle your personal information without constraints or clear requirements. Yet, it is precisely this data that hackers seek—it is a veritable key to access for fraudsters.

Organizations must now implement processes and protection mechanisms to ensure your safety as an individual. Our role: to rigorously implement these requirements without hindering the performance or good management of your organization.

What are the benefits of complying with Law 25?

In this context, data mapping becomes an essential tool. It enables the identification, location, and classification of personal information that is collected, used, or disclosed. This approach facilitates risk assessment, the implementation of appropriate security measures, and compliance with new legal obligations, such as Privacy Impact Assessments (PIAs). By visualizing data flows, organizations can better manage privacy incidents and respond effectively to citizens' requests. While optimizing operations, it also helps build trust with key partners and avoid reputational damage from data breaches. Mapping thus becomes a strategic pillar for ensuring transparency, accountability, and the protection of individual rights.


Who is subject to Law 25?

Any private organization that conducts business in Quebec, regardless of its size or sector of activity, is subject to Law 25 as soon as it collects, holds or processes personal information.

Consequence of non-compliance with law 25


Fines of up to $25 million or a maximum of 4% of global revenue.


Directors are personally liable in cases of negligence.


Risk of civil lawsuits if an incident causes harm.


What is the final phase of Law 25?

The right to data portability. This allows users to retrieve their personal data in a readable and structured format.



What is its purpose?


  • Facilitates the transfer of your personal data, such as contacts, history, or even preferences, to another company, partner, supplier, or customer.


  • Access an overview of your data to view, verify and understand the actual use of what a company holds about you.


  • Taking back control of your personal data, also known as data empowerment, allows you to optimize your practices and daily life. A concrete example would be retrieving your health records from recent years from your clinic and integrating them into your everyday mobile application.


  • Promote transparency and limit abuse



Our services under Law 25

The turnkey approach leading to your compliance is also an opportunity to assess your posture in terms of information security.


Service managed under Law 25

Implementing your Law 25 compliance