* While we have prepared this checklist with the help of an attorney, you should not consider this legal advice and we strongly recommend consulting your own attorney to help with some of the tasks listed below and to ensure you become Law 25-compliant.
1. Ubiweb is taking care of installing a Law 25-compliant cookies banner across all the websites on our network.
2. Law 25 requires that you name a Privacy Officer who is ultimately responsible at your Company for ensuring the Private Sector Act is complied with; otherwise, that role falls to the head of the Company, such as the President or CEO. The title and contact information of the Privacy Officer must be published on your website; it is usually put in the privacy policy.
3. Law 25 requires that all companies who collect personal information publish a privacy policy on their website that is written in clear and simple language. Upon providing Ubiweb with your privacy policy, Ubiweb will upload it free of charge. The privacy policy must include:
✓ Listing all the personal information collected and the purposes it is used for
✓ Listing all the rights of users including: right of access, right of rectification, right to withdraw consent, de-indexation right, and the data portability right; and telling users how to exercise those rights, usually by contacting the privacy officer
✓ Names of third persons (including service providers) or categories of third persons to whom personal information is transferred, and noting if they are outside Quebec
✓ Information regarding any collection of personal information using a technology that includes functions allowing the website visitor to be identified, located or profiled, and means to activate them (e.g. cookies, web pixels, etc.)
✓ Noting if any sensitive personal information (such as health information) is being collected or used
✓ Noting if the website or any services you provide use any automated processing, i.e. artificial intelligence
✓ Having information about the policies and procedures discussed in the next section
4. Law 25 requires that all organizations have certain internal policies and procedures.
5. Law 25 requires that where you transfer personal information to any service provider (for example, transferring email addresses to a company that sends out a newsletter for you), you must “entrust the mandate or contract in writing.” This usually means you should sign what are called “Data Processing Agreements (DPAs)” with those service providers. To conform with Law 25, you should:
✓ Compile a list of service providers
✓ Determine whether DPAs are already signed with existing service providers
✓ Develop a strategy to sign missing DPAs
✓ Sign missing DPAs
6. Law 25 requires that where you transfer personal information out of Quebec, or create a new electronic system that collects, uses or discloses personal information, before you do so you must complete what Law 25 calls an “assessment of the privacy-related factors” or what are more commonly called Privacy Impact Assessments or “PIAs.” To conform to this part of the law, you should consider: (1) developing an internal PIA procedure; and (2) developing a PIA template that you can use when necessary.