DSAR Requirements Under Quebec Law 25 (Loi 25)
Quebec Law 25 access request requirements: individual rights, 30-day response deadline, portability, penalties up to CAD 25 million, and CAI enforcement.
Last updated: 2026-03-15
Individual Rights That Trigger Access Requests
Under Quebec's amended privacy law (Law 25), individuals can request:
- Access to their personal information held by an organization
- Correction of inaccurate or incomplete personal information
- Deletion of personal information when the purpose for collection has been fulfilled or when consent is withdrawn
- Portability of personal information in a commonly used technological format (effective September 2024)
- Opt out of automated decision-making and profiling
- Information about the use of automated decision-making systems that produce decisions about them
Disclaimer: This content is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
Response Deadline
30 calendar days from receipt of the request. Organizations must respond within this timeframe. If an organization needs more time, it must notify the individual and explain the reason for the delay before the 30-day deadline expires. Portability requests also carry a 30-day deadline.
Identity Verification
Organizations may require individuals to verify their identity before fulfilling a request. The law does not prescribe a specific method, but the verification process must be proportionate to the sensitivity of the information and the risk of harm.
Cost
Requests must be processed free of charge. Organizations may charge a reasonable fee only if a request is clearly abusive or repetitive.
Privacy Officer Requirement
Every organization subject to Law 25 must designate a person responsible for the protection of personal information (privacy officer). This person's title and contact details must be published on the organization's website. The privacy officer oversees compliance activities including:
- Handling access, correction, and deletion requests
- Conducting privacy impact assessments (PIAs)
- Managing breach notification and reporting
- Ensuring proper consent practices
Privacy Impact Assessments
Law 25 requires organizations to conduct privacy impact assessments before:
- Acquiring, developing, or redesigning an information system involving personal information
- Transferring personal information outside Quebec
Penalties
Law 25 has the strictest penalties of any Canadian privacy law, with a tiered enforcement structure:
Administrative monetary penalties (AMPs):
- Up to CAD 10 million or 2% of global turnover for the preceding fiscal year, whichever is higher
- For individuals: capped at CAD 50,000
Penal provisions (for severe violations):
- Up to CAD 25 million or 4% of global turnover for the preceding fiscal year, whichever is higher
- For individuals: capped at CAD 100,000
Private right of action:
- Individuals can seek minimum damages of CAD 1,000 for privacy violations
- Class actions are permitted
Enforced by the Commission d'accès à l'information du Québec (CAI).
Implementation Timeline
Law 25 was phased in over three years:
- September 2022: Privacy officer designation, breach notification, biometric data rules
- September 2023: Consent requirements, transparency obligations, PIAs, right to deletion, automated decision-making provisions
- September 2024: Right to data portability
All provisions are now fully in effect.
Who This Applies To
Law 25 applies to any organization that collects, uses, or discloses personal information in Quebec in the course of carrying on an enterprise. This includes:
- Businesses operating in Quebec
- Organizations outside Quebec that process personal data of Quebec residents
- Both private-sector and public-sector organizations
There is no revenue threshold or company size exemption. Law 25 applies regardless of how small the organization is.
Comparison with PIPEDA
Law 25 is significantly stricter than federal PIPEDA:
- Deletion right — Law 25 includes it; PIPEDA does not
- Portability right — Law 25 includes it; PIPEDA does not
- Penalties — Law 25 allows fines up to 4% of global turnover; PIPEDA caps at CAD 100,000
- Private right of action — Law 25 includes it; PIPEDA does not
- PIAs — Law 25 requires them; PIPEDA does not mandate them
- Privacy officer — Law 25 requires designation and publication; PIPEDA recommends but does not require
Related Guides
- Canadian Privacy Laws Overview — federal vs. provincial framework
- PIPEDA DSAR Requirements — federal privacy law
- How to Respond to a DSAR — response process
- DSAR Response Deadlines — all deadlines
- DSAR Exemptions — when you can refuse