Law 25 coverage
Conformaze maps every Law 25 obligation, article by article. For each one: what the law requires, the feature that covers it, and the proof produced — all in one place, so nothing slips between two Excel files.
Why tracking Law 25 in Excel/SharePoint lets obligations slip — even with a serious team.
Each team keeps its share — legal, IT, HR, operations. The day the regulator or a client asks for a complete view, you chase scattered files.
You approved an activity, signed a DPA, validated a PIA. Reconstructing the chain six months later is archaeology.
A policy adopted in 2023, a processor added last year, a transfer left open — nothing warns you it needs reviewing.
When leadership or the regulator asks 'where are we on Law 25?', no one can answer in five minutes with a reliable number.
Everything Law 25-related — decisions, proof, deadlines — in one place, linked and traced.
All your Law 25 obligations — register, PIA, DPAs, transfers, DSARs, incidents — in one place, linked to each other.
Every creation, change and approval is timestamped and attributed. Proof builds itself as your team works.
See what is covered, what is in progress, what is missing — by obligation and by owner.
A consolidated, signed and defensible export. For the regulator, for leadership, for a client demanding compliance proof.
Article by article
For each article: the obligation in plain language, the feature(s) that cover it, and the proof produced by the platform.
Appoint a privacy officer, document their mandate and publish their contact details on your site.
Proof produced: Documented mandate, published contact details, log of officer decisions.

Define roles, responsibilities and delegations for personal information protection.
Proof produced: Versioned governance framework, RACI assignments, traced approvals.

Conduct a PIA before any acquisition, development or redesign project involving personal information.
Proof produced: PIA archived, timestamped, signed and linked to the corresponding processing activity.

Establish, publish and maintain policies governing personal information protection.
Proof produced: Versioned, dated, approved and published policies.

Maintain a register of incidents and notify the CAI and affected individuals when there is a serious risk of harm.
Proof produced: Complete incident file (facts, harm assessment, measures), 5-year register, timestamped notifications.

Determine the purposes of processing before collecting personal information.
Proof produced: Purposes documented per activity in the register, versioned and approved.

Inform the individual, at the time of collection, of purposes, third parties, rights and how to exercise them.
Proof produced: Versioned collection notices linked to the activity, exportable for audit.

Obtain valid consent when required and demonstrate that it was obtained.
Proof produced: Inventory of consent touchpoints, timestamped proof, withdrawal log.

Maintain a register documenting each activity: purposes, data, retention period, recipients, security measures.
Proof produced: Versioned, timestamped register, exportable as a signed PDF.

Destroy or anonymize personal information once the purpose is achieved.
Proof produced: Retention period per activity, expiration alerts, destruction traces.

Govern any communication to a processor with a compliant written agreement.
Proof produced: Centralized DPAs, status tracked, direct link to the activities concerned.

Conduct a privacy impact assessment before any transfer outside Quebec.
Proof produced: Per-country assessment, documented protection mechanism, link to the DPA.

Inform the individual, allow them to submit observations and offer them the right to request a review.
Proof produced: Register of decision systems, human oversight level, log of review requests.

Provide access to an individual's personal information within 30 days.
Proof produced: Timestamped DSAR file, acknowledgement, response, proof of delivery.

Correct personal information that is inaccurate, incomplete or ambiguous on request.
Proof produced: Rectification file with before/after, propagation traces.

Provide, on request, personal information collected in a commonly used structured technological format.
Proof produced: Portability export generated, timestamped and traced in the DSAR file.

Cease dissemination or de-index personal information when legal conditions are met.
Proof produced: Removal file with reasoned decision and action trace.

Implement security measures proportionate to the risk and demonstrate compliance with the Act on request.
Proof produced: Documented security controls, timestamped exportable audit trail, defensible compliance file.

Indicative list of the main obligations. The Act contains other provisions; Conformaze covers the associated modules. For the full text, consult LégisQuébec.
The free Conformaze assessment asks the right questions to map your current situation against Law 25 obligations — no commitment, in a few minutes. You get a category breakdown, identified gaps and a prioritized action plan.
A platform built article by article — so every Law 25 requirement has its module, its feature and its proof.