Law 25 DSAR Requirements: What Canadian Organizations Need to Know

Last updated: February 2026

Québec's Law 25 (formerly Bill 64) introduced significant changes to privacy rights in the province, including enhanced requirements for handling Data Subject Access Requests (DSARs). This guide covers everything organizations need to know about DSAR compliance under Law 25.

What is Law 25?

Law 25, officially known as "An Act to modernize legislative provisions as regards the protection of personal information," came into full effect in September 2024. It represents the most significant update to Québec's privacy framework in over 25 years.

The law applies to any organization that collects, holds, or uses personal information of Québec residents, regardless of where the organization is based. This includes:
• Private sector businesses operating in Québec
• Organizations offering goods or services to Québec residents
• Companies processing data of Québec employees
• Non-profits and associations with Québec members

DSAR Rights Under Law 25

Law 25 grants individuals several rights regarding their personal information:
• Right of Access: Individuals can request a copy of all personal information an organization holds about them, along with information about how it is being used and who it has been shared with.
• Right to Rectification: If personal information is inaccurate or incomplete, individuals can request corrections.
• Right to Deletion (Right to be Forgotten): Individuals can request deletion of their personal information when it is no longer necessary for the purposes for which it was collected, or when they withdraw consent.
• Right to Data Portability: Individuals can request their data in a structured, commonly used format that can be transferred to another organization.
• Right to Withdraw Consent: Individuals can withdraw consent for processing their personal information at any time.

Law 25 DSAR Response Deadlines

Organizations must respond to DSARs within strict timelines.

Standard Response Time: 30 calendar days
The 30-day period begins when you receive a valid request. The clock starts on receipt, not when you verify identity or acknowledge the request.

Extensions
If the request is complex or you receive a high volume of requests, you may extend the deadline by an additional 10 days (40 days total). However, you must:
• Notify the requester within the initial 30 days
• Explain why an extension is needed
• Document the reasons for the extension

Consequences of Missing Deadlines
Failure to respond within the required timeframe can result in:
• Complaints to the Commission d'accès à l'information (CAI)
• Administrative penalties up to $10 million or 2% of worldwide turnover
• Reputational damage
• Individual liability for privacy officers

What Must Be Included in a DSAR Response

A compliant DSAR response under Law 25 must include:

For Access Requests:
• All personal information held about the individual
• The sources of the information
• The purposes for which it is used
• A list of third parties to whom it has been disclosed
• Any automated decision-making applied to the data

For Deletion Requests:
• Confirmation of deletion
• A list of any third parties notified of the deletion
• An explanation, with its legal basis, if deletion cannot be completed

For Portability Requests:
• Data in a structured, commonly used, machine-readable format
• Transmission to another organization if technically feasible

Format Requirements:
• Information must be provided in plain, understandable language
• Technical terms should be explained
• Free of charge for the first request; reasonable fees may apply for subsequent requests

Identity Verification for DSARs

Before processing a DSAR, organizations must verify the requester's identity to prevent unauthorized disclosure. Law 25 requires reasonable verification:
• Request only the information necessary to confirm identity
• Do not collect more data than needed for verification
• Consider the sensitivity of the information requested

Acceptable Verification Methods:
• Knowledge-based questions (information only the individual would know)
• Government-issued ID (with appropriate data minimization)
• Existing account credentials
• Two-factor authentication

What to Avoid:
• Requesting excessive documentation
• Requiring in-person verification when not necessary
• Creating barriers that discourage legitimate requests

Exemptions and Limitations

Organizations may refuse or limit a DSAR response in certain circumstances.

Legitimate Exemptions:
• Information protected by legal privilege
• Information that would reveal confidential commercial information
• Information collected for a legal proceeding
• Information that would reveal personal information about another individual

Process for Refusals:
• Provide a written explanation for the refusal
• Cite the specific legal basis
• Inform the requester of their right to complain to the CAI
• Document the decision and reasoning internally

Building a Law 25 Compliant DSAR Process

To handle DSARs efficiently and compliantly, organizations should:

1. Establish Clear Intake Channels
• Create a dedicated email address or web form for DSAR requests
• Ensure staff know how to recognize and route DSARs
• Acknowledge receipt promptly

2. Implement Tracking Systems
• Log all requests with receipt dates
• Track response deadlines
• Maintain audit trails of all actions taken

3. Map Your Data
• Know where personal information is stored
• Document data flows and sharing arrangements
• Identify all systems containing personal data

4. Train Your Team
• Ensure staff understand DSAR requirements
• Define clear roles and responsibilities
• Conduct regular training updates

5. Document Everything
• Keep records of all requests and responses
• Document decision-making processes
• Maintain evidence of compliance
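The deadline rules from the "Law 25 DSAR Response Deadlines" section and the tracking step above (log receipt dates, track deadlines, keep an audit trail) translate directly into code. The following is an added example written for this guide; it is not code from the page or from any product it mentions. It assumes a single-request register kept in memory, and the request IDs and dates are constructed samples. The tracker computes the due date from the receipt date, allows one 10-day extension only if it is notified within the initial 30 days with a documented reason, and records every action in an audit trail.

```python
"""DSAR deadline tracker (added example, not the page's own code).

Encodes the timing rules described in the guide:
  * 30 calendar days from receipt of a valid request
  * one optional 10-day extension, notified within the initial 30 days,
    with the reason documented
  * an audit trail of every action taken on the request
Request IDs and dates below are constructed samples.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

STANDARD_DAYS = 30   # standard response window (calendar days)
EXTENSION_DAYS = 10  # single permitted extension
DUE_SOON_DAYS = 5    # warning threshold for the status report


@dataclass
class AuditEntry:
    when: date
    action: str
    detail: str = ""


@dataclass
class DsarRequest:
    request_id: str
    received: date  # the clock starts on receipt, not on acknowledgement
    extension_reason: Optional[str] = None
    extension_notified: Optional[date] = None
    completed: Optional[date] = None
    audit: List[AuditEntry] = field(default_factory=list)

    def __post_init__(self) -> None:
        self._log(self.received, "received")

    def _log(self, when: date, action: str, detail: str = "") -> None:
        self.audit.append(AuditEntry(when, action, detail))

    @property
    def due(self) -> date:
        """Due date: 30 days from receipt, plus 10 if an extension was notified."""
        days = STANDARD_DAYS + (EXTENSION_DAYS if self.extension_notified else 0)
        return self.received + timedelta(days=days)

    def extend(self, today: date, reason: str) -> None:
        """Apply the one permitted extension; reject it if the rules are not met."""
        if self.extension_notified is not None:
            raise ValueError("only one 10-day extension is permitted")
        if not reason.strip():
            raise ValueError("the reason for the extension must be documented")
        if today > self.received + timedelta(days=STANDARD_DAYS):
            raise ValueError("extension must be notified within the initial 30 days")
        self.extension_reason = reason
        self.extension_notified = today
        self._log(today, "extension_notified", reason)

    def complete(self, today: date) -> None:
        self.completed = today
        self._log(today, "response_sent")

    def status(self, today: date) -> str:
        if self.completed is not None:
            return "completed_on_time" if self.completed <= self.due else "completed_late"
        if today > self.due:
            return "overdue"
        if (self.due - today).days <= DUE_SOON_DAYS:
            return "due_soon"
        return "open"


def status_report(register: List[DsarRequest], today: date) -> Dict[str, str]:
    """Map each request ID to its status as of `today`."""
    return {r.request_id: r.status(today) for r in register}


def sample_register() -> List[DsarRequest]:
    """Constructed sample data: one extended request, one left to lapse."""
    extended = DsarRequest("DSAR-SAMPLE-0001", date(2026, 1, 5))
    extended.extend(date(2026, 1, 30), "high volume of requests this month")
    lapsed = DsarRequest("DSAR-SAMPLE-0002", date(2026, 1, 5))
    return [extended, lapsed]


if __name__ == "__main__":
    register = sample_register()
    for rid, state in status_report(register, date(2026, 2, 12)).items():
        print(rid, state)
    for entry in register[0].audit:
        print(register[0].request_id, entry.when, entry.action, entry.detail)
```

The `extend` method refuses a second extension and any extension notified after day 30, so an operator cannot silently push a deadline out; the rejection surfaces as an error rather than a quietly adjusted date, and every accepted change lands in the audit list the guide asks you to keep.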

Penalties for Non-Compliance

Law 25 introduced significant penalties for privacy violations.

Administrative Monetary Penalties:
• Up to $10 million CAD
• Or 2% of worldwide turnover (whichever is greater)

Penal Sanctions:
• Fines of $5,000 to $100,000 for individuals
• Fines of $15,000 to $25 million for organizations

Private Right of Action:
• Individuals can sue for damages
• Minimum $1,000 in damages for unlawful violations

Factors Affecting Penalties:
• Nature and severity of the violation
• Organization's compliance history
• Steps taken to mitigate harm
• Whether the violation was intentional

Simplify Your Law 25 DSAR Compliance

DSAR Suite helps Canadian organizations manage access requests with audit-ready workflows, automated deadline tracking, and complete documentation.