Finite State

Quebec Law 25

Learn how to comply with Quebec Law 25, obtain explicit consent, conduct privacy impact assessments, and ensure data protection.

Finite State Team

July 25, 2024

Quebec Law 25 is a legislative framework designed to enhance the protection of personal information in Quebec. It updates and expands upon the existing privacy laws to align with modern privacy standards and practices.

Law 25 applies to:

  • Public and Private Sector Organizations: This includes businesses, government agencies, and other entities that collect, use, or disclose personal information in Quebec.
  • Individuals: Employees, contractors, and other representatives of these organizations are also subject to the law in their professional capacity.

Quebec Law 25 Guidelines

  • Organizations must obtain explicit consent from individuals before collecting, using, or disclosing their personal information.
  • Individuals must be informed about the purposes for which their data is being collected and how it will be used.
  • Individuals have the right to access their personal information held by organizations and request corrections if needed. They also have the right to withdraw consent at any time, which must be facilitated by the organization.
  • Organizations are required to appoint a Chief Compliance Officer or a similar role responsible for overseeing data protection practices and ensuring compliance with Law 25.
  • Organizations must conduct privacy impact assessments for new projects or processes that involve the collection or processing of personal information to identify and mitigate privacy risks.
  • Organizations must notify the Commission d'accès à l'information (CAI) and affected individuals of any data breaches that pose a risk of significant harm.
  • Personal information must be retained only for as long as necessary for its intended purpose and securely disposed of when no longer needed.
  • If personal information is transferred outside of Quebec, organizations must ensure that the recipient jurisdiction provides adequate protection for the data.

How Finite State Helps You Comply with Quebec Law 25

Finite State can complement your data protection efforts by strengthening your data security capabilities, particularly by:

  • Enforcing Secure Coding Practices: Seamless integrations into existing CI/CD pipelines automatically analyze source code and compiled binaries for common security vulnerabilities and coding errors. This allows engineers to identify vulnerabilities hidden deep within legacy code and third-party libraries, and to detect and address issues early in the development process.
  • Real-Time Threat Detection: Integrations with vulnerability databases provide up-to-date information on the latest threats and exploits, allowing for the proactive identification of potential risks before they can be exploited.
  • Automate Vulnerability Identification: Using our advanced binary and source code SCA, vulnerabilities can be identified as they’re introduced across the SDLC to help teams keep applications secure.
  • Comprehensive SBOM Solutions: Automatically generate a Software Bill of Materials throughout the SDLC and easily compile detailed information on all components in your products, including open-source libraries, third-party dependencies, and custom code, to improve transparency and identify potential security risks in your software supply chain.

Strong cybersecurity requires a collective effort. Talk to the team today to discover how Finite State can help you comply with Quebec Law 25.

Finite State Team

The Finite State team brings together experts in cybersecurity, embedded systems, and software supply chain risk to help connected device manufacturers secure their products and comply with evolving global regulations.
