Law 25 self-assessment
10 questions to gauge your posture.
A free assessment covering the 11 obligations of Law 25. Score out of 100, priorities identified, concrete recommendations. A detailed personalized report on request.
Question 1 / 10 · Obligation 1 · Art. 3.1, Law 25
Have you publicly designated a Privacy Officer (the person in charge of protecting personal information)?
The privacy officer must be appointed, their role defined, and their contact details made public (privacy policy, website).
Question 2 / 10 · Obligation 2 · Art. 8 and 8.1, Law 25
Is your public privacy policy compliant with Law 25 requirements (purposes, transfers, rights)?
It must describe: the types of personal information collected, the specific purposes, third-party recipients, transfers outside Québec, the retention period, and individuals' rights.
Question 3 / 10 · Obligation 3 · Art. 3.3, Law 25
Do you carry out Privacy Impact Assessments (PIAs) for your new projects?
A PIA is mandatory for any new project involving personal information (a new app, a new CRM, a Copilot rollout).
Question 4 / 10 · Obligation 4 · Art. 3.5, Law 25
Do you maintain a privacy incident register and have a CAI notification plan?
An internal register is mandatory; the CAI and the individuals concerned must be notified without delay in the event of serious injury.
Question 5 / 10 · Obligation 5 · Art. 27 to 41, Law 25
Do you have a documented procedure to handle access and rectification requests within 30 days?
Anyone has the right to access their personal information, rectify it, and receive a response within 30 days.
Question 6 / 10 · Obligation 6 · Art. 27, Law 25 (in force since Sept. 2024)
Are you able to provide personal information in a structured format (right to data portability)?
It must be deliverable in a structured, commonly used technological format (JSON, CSV, XML).
Question 7 / 10 · Obligation 7 · Art. 17, Law 25
Have you mapped and assessed your transfers of personal information outside Québec?
Any transfer outside Québec (including to the US or another Canadian province) must be assessed and covered by contractual measures.
Question 8 / 10 · Obligation 8 · Art. 12 and 14, Law 25
Is your consent-collection process granular and freely given (boxes unchecked by default, distinct purposes)?
Consent must be clear, free, informed, and given for specific purposes. Pre-checked boxes are prohibited.
Question 9 / 10 · Obligation 9 · Art. 12.1, Law 25 (in force since Sept. 2023)
If you use AI tools (Copilot, Copilot Studio agents, scoring), have you assessed your obligations under Article 12.1 on automated decisions?
Any decision about a person made exclusively through automated processing must be disclosed and must be open to human review.
Question 10 / 10 · Obligations 10 and 11 · Ongoing awareness
Do you have a mandatory annual personal-information protection training program for your employees?
At minimum, annual training with a written record (who, when, content), reinforced for at-risk roles (HR, finance, sales).
30 minutes to frame what matters.
A direct conversation with one of our experts. No commitment, no sales pitch. You leave with a clear, reasoned perspective on your situation.

