This page consolidates the information that Quebec’s Act respecting the protection of personal information in the private sector (Law 25) requires every Quebec organization to publish: the appointment of the privacy officer, governance policies, the procedure for exercising rights and the complaint procedure.
1. Privacy Officer (DPO)
Pursuant to article 8.1 of Law 25, Conformaze has appointed a Privacy Officer. This person also acts as data protection officer (DPO) under article 37 GDPR for our European users.
- Role: Privacy Officer (DPO / Privacy Lead).
- Organization: Conformaze.
- Email: dpo@conformaze.com.
- Postal address: Conformaze, Attn: Privacy Officer / DPO, Montréal (Québec), Canada.
- Committed response time: 30 calendar days.
2. Personal information governance policy
Our internal framework rests on the following principles:
- Minimization: we only collect information necessary for explicit purposes (article 5 of Law 25).
- PIA / EFVP: every new project involving personal information triggers a privacy impact assessment, documented and reviewed at every significant change (article 3.3 of Law 25).
- Security by design: encryption by default, role-based access control, immutable logging, periodic restore tests.
- Privacy by default: non-essential cookies refused by default, sharing features explicitly enabled, profiles private by default.
- Controlled retention: retention periods documented in the privacy policy, automated purges and end-of-life anonymization.
- Training: periodic awareness for teams with data access.
3. Your rights and how to exercise them
Law 25 grants you several rights that Conformaze undertakes to honour within the legal deadlines (typically 30 days):
- Right of access to your personal information (art. 27 of Law 25).
- Right of rectification of inaccurate or incomplete information (art. 28).
- Right to portability in a structured, commonly used format (art. 27).
- Right to de-indexation and to cease dissemination (art. 28.1).
- Right to withdraw consent at any time.
- Right to information about automated decision-making with legal effect (art. 12.1).
To exercise a right, email dpo@conformaze.com. You can also use our contact form. We acknowledge receipt without delay and respond within a maximum of 30 days.
4. Complaint procedure
If you are dissatisfied with our response, or if you believe your rights have not been respected, you can file a complaint with the Commission d’accès à l’information du Québec (CAI):
- Official site: https://www.cai.gouv.qc.ca
- Complaint procedure: https://www.cai.gouv.qc.ca/citoyens/plaintes
- Phone: 1 888 528-7741
5. Confidentiality incident notification (72h)
Should a confidentiality incident present a risk of serious harm to a data subject, Conformaze:
- assesses the incident immediately and triggers its internal runbook;
- notifies the CAI and affected individuals as soon as possible (article 3.5 of Law 25);
- informs affected client organizations and provides them with the elements they need to satisfy their own notification obligation.
To report an incident to Conformaze, email dpo@conformaze.com immediately with subject “CONFIDENTIALITY INCIDENT”.
6. Incident register
In accordance with article 3.8 of Law 25, Conformaze maintains an internal register of confidentiality incidents. An anonymized copy may be obtained upon reasoned request to the Privacy Officer.
7. Automated decision-making
Conformaze can offer AI-generated suggestions (Azure OpenAI hosted in Canada) to help with drafting registers or assessments. These suggestions never constitute an automated decision producing legal effects on a person: a human always validates the content before it is recorded.
8. Data location and sovereignty
Most personal information is hosted in Canada (Azure Canada Central and Canada East regions). Transfers outside Canada are strictly controlled and listed on the Subprocessors page.
9. Policy updates
This page is reviewed at least annually. The applicable version is shown at the top. The full history is available on request at dpo@conformaze.com.