p-39.1 - Act respecting the protection of personal information in the private sector

Texte complet
À jour au 22 septembre 2023
Ce document a valeur officielle.
chapter P-39.1
Act respecting the protection of personal information in the private sector
DIVISION I
APPLICATION AND INTERPRETATION
1. The object of this Act is to establish, for the exercise of the rights conferred by articles 35 to 40 of the Civil Code concerning the protection of personal information, particular rules with respect to personal information relating to other persons which a person collects, holds, uses or communicates to third persons in the course of carrying on an enterprise within the meaning of article 1525 of the Civil Code.
The Act applies to such information, whether the enterprise keeps the information itself or through the agency of a third person, whatever the nature of its medium and whatever the form in which it is accessible, whether written, graphic, taped, filmed, computerized, or other.
This Act also applies to personal information held by a professional order to the extent provided for by the Professional Code (chapter C-26) and to that held by a political party, an independent Member or an independent candidate to the extent provided for by the Election Act (chapter E-3.3).
This Act does not apply to journalistic, historical or genealogical material collected, held, used or communicated for the legitimate information of the public.
Divisions II and III of this Act do not apply to personal information which by law is public. Nor do they apply to personal information concerning the performance of duties within an enterprise by the person concerned, such as the person’s name, title and duties, as well as the address, email address and telephone number of the person’s place of work.
1993, c. 17, s. 1; 2002, c. 19, s. 19; 2006, c. 22, s. 111; 2021, c. 25, s. 100.
1.1. For the purposes of this Act, any person who collects personal information relating to another person for a serious and legitimate reason is deemed to be establishing a file within the meaning of the Civil Code and the rights concerning such a file conferred by articles 35 to 40 of that Code apply to the personal information collected.
2021, c. 25, s. 101.
2. Personal information is any information which relates to a natural person and directly or indirectly allows that person to be identified.
1993, c. 17, s. 2; 2021, c. 25, s. 102.
3. This Act does not apply
(1)  to a public body within the meaning of the Act respecting Access to documents held by public bodies and the Protection of personal information (chapter A‐2.1);
(2)  to information held on behalf of a public body by a person other than a public body.
1993, c. 17, s. 3; 2006, c. 22, s. 112.
DIVISION I.1
RESPONSIBILITIES RELATING TO PROTECTION OF PERSONAL INFORMATION
2021, c. 25, s. 103.
3.1. Any person carrying on an enterprise is responsible for protecting the personal information held by the person.
Within the enterprise, the person exercising the highest authority shall see to ensuring that this Act is implemented and complied with. That person shall exercise the function of person in charge of the protection of personal information; he may delegate all or part of that function in writing to any person.
The title and contact information of the person in charge of the protection of personal information must be published on the enterprise’s website or, if the enterprise does not have a website, be made available by any other appropriate means.
2021, c. 25, s. 103.
3.2. Any person carrying on an enterprise must establish and implement governance policies and practices regarding personal information that ensure the protection of such information. Such policies and practices must, in particular, provide a framework for the keeping and destruction of the information, define the roles and responsibilities of the members of its personnel throughout the life cycle of the information and provide a process for dealing with complaints regarding the protection of the information. The policies and practices must also be proportionate to the nature and scope of the enterprise’s activities and be approved by the person in charge of the protection of personal information.
Detailed information about those policies and practices, in particular as concerns the content required under the first paragraph, must be published in simple and clear language on the enterprise’s website or, if the enterprise does not have a website, made available by any other appropriate means.
2021, c. 25, s. 103.
3.3. Any person carrying on an enterprise must conduct a privacy impact assessment for any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information.
For the purposes of such an assessment, the person must consult the person in charge of the protection of personal information within the enterprise from the outset of the project.
The person must also ensure that the project allows computerized personal information collected from the person concerned to be communicated to him in a structured, commonly used technological format.
The conduct of a privacy impact assessment under this Act must be proportionate to the sensitivity of the information concerned, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored.
2021, c. 25, s. 103.
3.4. The person in charge of the protection of personal information may, at any stage of a project referred to in section 3.3, suggest personal information protection measures applicable to the project, such as
(1)  the appointment of a person to be responsible for implementing the personal information protection measures;
(2)  measures to protect the personal information in any document relating to the project;
(3)  a description of the project participants’ responsibilities with regard to the protection of personal information; or
(4)  training activities for project participants on the protection of personal information.
2021, c. 25, s. 103.
3.5. Any person carrying on an enterprise who has cause to believe that a confidentiality incident involving personal information the person holds has occurred must take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature.
If the incident presents a risk of serious injury, the person carrying on an enterprise must promptly notify the Commission d’accès à l’information established by section 103 of the Act respecting Access to documents held by public bodies and the Protection of personal information (chapter A-2.1). He must also notify any person whose personal information is concerned by the incident, failing which the Commission may order him to do so. He may also notify any person or body that could reduce the risk, by communicating to the person or body only the personal information necessary for that purpose without the consent of the person concerned. In the latter case, the person in charge of the protection of personal information must record the communication of the information.
Despite the second paragraph, a person whose personal information is concerned by the incident need not be notified so long as doing so could hamper an investigation conducted by a person or body responsible by law for the prevention, detection or repression of crime or statutory offences.
A government regulation may determine the content and terms of the notices provided for in this section.
2021, c. 25, s. 103.
3.6. For the purposes of this Act, confidentiality incident means
(1)  access not authorized by law to personal information;
(2)  use not authorized by law of personal information;
(3)  communication not authorized by law of personal information; or
(4)  loss of personal information or any other breach of the protection of such information.
2021, c. 25, s. 103.
3.7. In assessing the risk of injury to a person whose personal information is concerned by a confidentiality incident, a person carrying on an enterprise must consider, in particular, the sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes. The person must also consult the person in charge of the protection of personal information within the enterprise.
2021, c. 25, s. 103.
3.8. A person carrying on an enterprise must keep a register of confidentiality incidents. A government regulation may determine the content of the register.
A copy of the register must be sent to the Commission at its request.
2021, c. 25, s. 103.
DIVISION II
COLLECTION OF PERSONAL INFORMATION
4. Any person carrying on an enterprise who, for a serious and legitimate reason, collects personal information on another person must determine the purposes for collecting the information before doing so.
1993, c. 17, s. 4; 1999, c. 40, s. 233; 2021, c. 25, s. 104.
4.1. The personal information concerning a minor under 14 years of age may not be collected from him without the consent of the person having parental authority or of the tutor, unless collecting the information is clearly for the minor’s benefit.
2021, c. 25, s. 104.
5. Any person collecting personal information on another person may collect only the information necessary for the purposes determined before collecting it.
Such information must be collected by lawful means.
1993, c. 17, s. 5; 2021, c. 25, s. 105.
6. Any person collecting personal information relating to another person may collect such information only from the person concerned, unless the latter consents to collection from third persons.
However, he may, without the consent of the person concerned, collect such information from a third person if the law so authorizes.
He may also do so if he has a serious and legitimate reason and either of the following conditions is fulfilled:
(1)  the information is collected in the interest of the person concerned and cannot be collected from him in due time;
(2)  collection from a third person is necessary to ensure the accuracy of the information.
1993, c. 17, s. 6.
7. Any person collecting personal information from another person carrying on an enterprise must, at the request of the person concerned, inform the latter of the source of the information.
This section does not apply to a file established for the purposes of an inquiry to prevent, detect or repress a crime or statutory offence.
1993, c. 17, s. 7; 1999, c. 40, s. 233; 2021, c. 25, s. 106.
8. Any person who collects personal information from the person concerned must, when the information is collected and subsequently on request, inform that person
(1)  of the purposes for which the information is collected;
(2)  of the means by which the information is collected;
(3)  of the rights of access and rectification provided by law; and
(4)  of the person’s right to withdraw consent to the communication or use of the information collected.
If applicable, the person concerned is informed of the name of the third person for whom the information is being collected, the name of the third persons or categories of third persons to whom it is necessary to communicate the information for the purposes referred to in subparagraph 1 of the first paragraph, and the possibility that the information could be communicated outside Québec.
On request, the person concerned is also informed of the personal information collected from him, the categories of persons who have access to the information within the enterprise, the duration of the period of time the information will be kept, and the contact information of the person in charge of the protection of personal information.
The information must be provided to the person concerned in clear and simple language, regardless of the means used to collect the personal information.
1993, c. 17, s. 8; 2021, c. 25, s. 107.
8.1. In addition to the information that must be provided in accordance with section 8, any person who collects personal information from the person concerned using technology that includes functions allowing the person concerned to be identified, located or profiled must first inform the person
(1)  of the use of such technology; and
(2)  of the means available to activate the functions that allow a person to be identified, located or profiled.
Profiling means the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests or behaviour.
2021, c. 25, s. 107.
8.2. Any person who collects personal information through technological means must publish on the enterprise’s website, if applicable, a confidentiality policy drafted in clear and simple language and disseminate it by any appropriate means to reach the persons concerned. The person must do the same for the notice required for any amendment to such a policy.
2021, c. 25, s. 107.
8.3. Any person who provides his personal information in accordance with section 8 consents to its use and its communication for the purposes referred to in subparagraph 1 of the first paragraph of that section.
2021, c. 25, s. 107.
8.4. No person may, after being notified by a credit assessment agent in accordance with section 9 of the Credit Assessment Agents Act (chapter A-8.2) of the existence of a security freeze prohibiting the agent from communicating personal information, request communication of that information from another credit assessment agent for the purposes of the same entering into a contract or the same credit increase for which a request had been made to the agent having sent the notice of the existence of the freeze.
2020, c. 21, s. 108; 2021, c. 25, s. 172; 2021, c. 34, s. 135.
9. No person may refuse to respond to a request for goods or services or to a request relating to employment by reason of the applicant’s refusal to disclose personal information except where
(1)  collection of that information is necessary for the conclusion or performance of a contract;
(2)  collection of that information is authorized by law; or
(3)  there are reasonable grounds to believe that the request is not lawful.
In case of doubt, personal information is deemed to be non-necessary.
1993, c. 17, s. 9; 1999, c. 40, s. 233.
9.1. Any person carrying on an enterprise who collects personal information when offering to the public a technological product or service having privacy settings must ensure that those settings provide the highest level of confidentiality by default, without any intervention by the person concerned.
The first paragraph does not apply to privacy settings for browser cookies.
2021, c. 25, s. 108.
DIVISION III
CONFIDENTIALITY OF PERSONAL INFORMATION
§ 1.  — Retention, use and non-communication of information
10. A person carrying on an enterprise must take the security measures necessary to ensure the protection of the personal information collected, used, communicated, kept or destroyed and that are reasonable given the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored.
1993, c. 17, s. 10; 2006, c. 22, s. 113.
11. Every person carrying on an enterprise must ensure that any personal information held on another person is up to date and accurate when used to make a decision in relation to the person concerned.
The information used to make such a decision is kept for at least one year following the decision.
1993, c. 17, s. 11; 2021, c. 25, s. 109.
12. Unless the person concerned gives his consent, personal information may not be used within the enterprise except for the purposes for which it was collected. Such consent must be given expressly when it concerns sensitive personal information.
Personal information may, however, be used for another purpose without the consent of the person concerned, but only
(1)  if it is used for purposes consistent with the purposes for which it was collected;
(2)  if it is clearly used for the benefit of the person concerned;
(3)  if its use is necessary for the purpose of preventing and detecting fraud or of assessing and improving protection and security measures;
(4)  if its use is necessary for the purpose of providing or delivering a product or providing a service requested by the person concerned; or
(5)  if its use is necessary for study or research purposes or for the production of statistics and if the information is de-identified.
In order for a purpose to be consistent within the meaning of subparagraph 1 of the second paragraph, it must have a direct and relevant connection with the purposes for which the information was collected. However, commercial or philanthropic prospection may not be considered a consistent purpose.
For the purposes of this Act, personal information is
(1)  de-identified if it no longer allows the person concerned to be directly identified;
(2)  sensitive if, due to its nature, in particular its medical, biometric or otherwise intimate nature, or the context of its use or communication, it entails a high level of reasonable expectation of privacy.
Every person carrying on an enterprise who uses de-identified information must take reasonable measures to limit the risk of someone identifying a natural person using de-identified information.
1993, c. 17, s. 12; 2021, c. 25, s. 110.
12.1. Any person carrying on an enterprise who uses personal information to render a decision based exclusively on an automated processing of such information must inform the person concerned accordingly not later than at the time it informs the person of the decision.
He must also inform the person concerned, at the latter’s request,
(1)  of the personal information used to render the decision;
(2)  of the reasons and the principal factors and parameters that led to the decision; and
(3)  of the right of the person concerned to have the personal information used to render the decision corrected.
The person concerned must be given the opportunity to submit observations to a member of the personnel of the enterprise who is in a position to review the decision.
2021, c. 25, s. 110.
13. No person may communicate to a third person the personal information he holds on another person, unless the person concerned consents to, or this Act provides for, such communication.
Such consent must be given expressly when it concerns sensitive personal information.
1993, c. 17, s. 13; 2021, c. 25, s. 110.
14. Consent under this Act must be clear, free and informed and be given for specific purposes. It must be requested for each such purpose, in clear and simple language. If the request for consent is made in writing, it must be presented separately from any other information provided to the person concerned. If the person concerned so requests, assistance is provided to help him understand the scope of the consent requested.
The consent of a minor under 14 years of age is given by the person having parental authority or by the tutor. The consent of a minor 14 years of age or over is given by the minor, by the person having parental authority or by the tutor.
Consent is valid only for the time necessary to achieve the purposes for which it was requested.
Consent not given in accordance with this Act is without effect.
1993, c. 17, s. 14; 2006, c. 22, s. 115; 2021, c. 25, s. 110.
15. Consent to the communication of personal information by a third person may be given by the person concerned to the person who collects the information from the third person.
1993, c. 17, s. 15.
16. Any person holding personal information on behalf of a person carrying on an enterprise may refer to the latter every request for access or rectification received from a person to whom such information relates.
Nothing in this section limits a person’s right to obtain, from a personal information agent, access to, or rectification of, personal information concerning him held by that agent.
1993, c. 17, s. 16.
17. Before communicating personal information outside Québec, a person carrying on an enterprise must conduct a privacy impact assessment. The person must, in particular, take into account
(1)  the sensitivity of the information;
(2)  the purposes for which it is to be used;
(3)  the protection measures, including those that are contractual, that would apply to it; and
(4)  the legal framework applicable in the State in which the information would be communicated, including the personal information protection principles applicable in that State.
The information may be communicated if the assessment establishes that it would receive adequate protection, in particular in light of generally recognized principles regarding the protection of personal information. The communication of the information must be the subject of a written agreement that takes into account, in particular, the results of the assessment and, if applicable, the terms agreed on to mitigate the risks identified in the assessment.
The same applies where the person carrying on an enterprise entrusts a person or body outside Québec with the task of collecting, using, communicating or keeping such information on his behalf.
This section does not apply to a communication of information under subparagraph 7 of the first paragraph of section 18.
1993, c. 17, s. 17; 2006, c. 22, s. 116; 2021, c. 25, s. 111.
§ 2.  — Communication to third persons
18. A person carrying on an enterprise may, without the consent of the person concerned, communicate personal information he holds on that person
(1)  to his attorney;
(2)  to the Director of Criminal and Penal Prosecutions if the information is required for the purposes of the prosecution of an offence under an Act applicable in Québec;
(3)  to a person or body responsible, by law, for the prevention, detection or repression of crime or statutory offences who requires it in the performance of his duties, if the information is needed for the prosecution of an offence under an Act applicable in Québec;
(4)  to a person to whom it is necessary to communicate the information under an Act applicable in Québec or under a collective agreement;
(5)  to a public body within the meaning of the Act respecting Access to documents held by public bodies and the Protection of personal information (chapter A-2.1) which, through a representative, collects such information in the exercise of its functions or the implementation of a program under its management;
(6)  to a person or body having the power to compel communication of the information if he or it requires it in the exercise of his or its duties or functions;
(7)  to a person to whom the information must be communicated by reason of the urgency of a situation that threatens the life, health or safety of the person concerned;
(7.1)  to a person or body in accordance with sections 18.1 to 18.4;
(8)  to a person who may use the information for study, research or statistical purposes in accordance with section 21 or a person authorized pursuant to section 21.1;
(9)  to a person who is authorized by law to recover debts on behalf of others and who requires it for that purpose in the performance of his duties;
(9.1)  to a person if the information is needed for the recovery of a claim of the enterprise;
(10)  (subparagraph repealed).
A person carrying on an enterprise must make an entry of every communication made under subparagraphs 6 to 9.1 of the first paragraph.
The persons referred to in subparagraphs 1, 9 and 9.1 of the first paragraph who receive communication of information may communicate the information to the extent that such communication is necessary, in the performance of their duties, to achieve the purposes for which they received communication of the information.
The holder of a security guard agency licence or investigation agency licence issued under the Private Security Act (chapter S-3.5) or a body having as its object the prevention, detection or repression of crime or statutory offences and a person carrying on an enterprise may, without the consent of the person concerned, communicate among themselves the information needed for conducting an inquiry for the purpose of preventing, detecting or repressing a crime or a statutory offence. The same applies in respect of information communicated among persons carrying on an enterprise, if the person who communicates or collects such information has reasonable grounds to believe that the person concerned has committed, or is about to commit, a crime or statutory offence against one or other of the persons carrying on an enterprise.
1993, c. 17, s. 18; 1999, c. 40, s. 233; 2001, c. 73, s. 1; 2006, c. 22, s. 117; 2005, c. 34, s. 85; 2006, c. 23, s. 128; 2021, c. 25, s. 112.
18.1. In addition to the cases referred to in section 18, a person who carries on an enterprise may also communicate personal information the person holds on another person, without the consent of the persons concerned, in order to prevent an act of violence, including a suicide, where there is reasonable cause to believe that there is a serious risk of death or serious bodily injury threatening a person or an identifiable group of persons and where the nature of the threat generates a sense of urgency.
The information may in such case be communicated to any person exposed to the danger or that person’s representative, and to any person who can come to that person’s aid.
A person carrying on an enterprise who communicates information pursuant to this section may only communicate such information as is necessary to achieve the purposes for which the information is communicated.
Where information is so communicated by a person carrying on an enterprise, the person must make an entry of the communication.
For the purposes of the first paragraph, serious bodily injury means any physical or psychological injury that is significantly detrimental to the physical integrity or the health or well-being of a person or an identifiable group of persons.
2001, c. 78, s. 13; 2017, c. 10, s. 32; 2021, c. 25, s. 113.
18.2. A person carrying on an enterprise may, without the consent of the person concerned, communicate personal information concerning another person to an archival agency if the archival agency is a person carrying on an enterprise whose object is the acquisition, preservation and distribution of documents for their general informational value and if the information is communicated as part of the transfer or deposit of the archives of the enterprise.
A person carrying on an enterprise may also communicate personal information to any person without the consent of the person concerned if the document containing the information is more than 100 years old or if more than 30 years have elapsed since the death of the person concerned. However, no information relating to a person’s health may be communicated without the consent of the person concerned unless 100 years have elapsed since the date of the document.
Notwithstanding the first and second paragraphs, the information may be communicated for research purposes, without the consent of the person concerned, before the time specified has elapsed if the documents containing the information are not structured so as to allow retrieval by reference to a person’s name or identifying code or symbol and the information cannot be retrieved by means of such a reference. The person to whom the information is communicated must preserve the confidentiality of the personal information throughout the period during which it may not be communicated without the consent of the person concerned.
2002, c. 19, s. 20; 2021, c. 25, s. 114.
18.3. A person carrying on an enterprise may, without the consent of the person concerned, communicate personal information to any person or body if the information is necessary for carrying out a mandate or performing a contract of enterprise or for services entrusted to that person or body by the person carrying on an enterprise.
In such a case, the person carrying on an enterprise must
(1)  entrust the mandate or contract in writing; and
(2)  specify in the mandate or contract the measures the mandatary or the person performing the contract must take to protect the confidentiality of the personal information communicated, to ensure that the information is used only for carrying out the mandate or performing the contract and to ensure that the mandatary or person does not keep the information after the expiry of the mandate or contract. A person or body carrying out a mandate or performing a contract of enterprise or for services referred to in the first paragraph must notify the person in charge of the protection of personal information without delay of any violation or attempted violation by any person of any obligation concerning the confidentiality of the information communicated, and must also allow the person in charge of the protection of personal information to conduct any verification relating to confidentiality requirements.
Subparagraph 2 of the second paragraph does not apply if the mandatary or the person performing the contract is a public body within the meaning of the Act respecting Access to documents held by public bodies and the Protection of personal information (chapter A-2.1) or a member of a professional order.
2021, c. 25, s. 115.
18.4. Where the communication of personal information is necessary for concluding a commercial transaction to which a person carrying on an enterprise intends to be a party, the person may communicate such information, without the consent of the person concerned, to the other party to the transaction.
An agreement must first be entered into with the other party that stipulates, among other things, that the latter undertakes
(1)  to use the information only for concluding the commercial transaction;
(2)  not to communicate the information without the consent of the person concerned, unless authorized to do so by this Act;
(3)  to take the measures required to protect the confidentiality of the information; and
(4)  to destroy the information if the commercial transaction is not concluded or if using the information is no longer necessary for concluding the commercial transaction.
Where the commercial transaction has been concluded and the other party wishes to continue using the information or to communicate it, that party may use or communicate it only in accordance with this Act. Within a reasonable time after the commercial transaction is concluded, that party must notify the person concerned that it now holds personal information concerning him because of the transaction.
For the purposes of this section, commercial transaction means the alienation or leasing of all or part of an enterprise or of its assets, a modification of its legal structure by merger or otherwise, the obtaining of a loan or any other form of financing by the enterprise or of a security taken to guarantee any of its obligations.
2021, c. 25, s. 115.
19. Every person carrying on an enterprise having as its object entering into a credit contract, a long-term contract of lease of goods or a contract involving sequential performance for a service provided at a distance, who consults credit reports or recommendations as to the solvency of natural persons prepared by a personal information agent, must inform such persons of their right of access and rectification in relation to the personal information held by the agent and indicate to them the manner in which and the place where they may have access to the reports or recommendations and cause them to be rectified, where necessary.
The person carrying on such an enterprise must communicate to a natural person, on request, the content of any credit report or recommendation he has consulted for the purpose of making a decision concerning the person. The person must also inform the natural person who so requests that
(1)  the refusal to enter into a contract referred to in the first paragraph or the entering into such a contract with less advantageous conditions for the natural person, or
(2)  the refusal to increase the credit extended under a credit contract or the increasing of the credit with less advantageous conditions for the natural person
is based on the consultation of such a report or recommendation.
For the purposes of this section:
(1)  credit that is the subject of a contract has the meaning assigned by subparagraph f of the first paragraph of section 1 of the Consumer Protection Act (chapter P-40.1);
(2)  long-term contract of lease of goods has the meaning assigned by section 150.2 of that Act; and
(3)  contract involving sequential performance for a service provided at a distance is a contract to which Division VII of Chapter III of Title I of that Act applies.
1993, c. 17, s. 19; 2020, c. 21, s. 109; 2021, c. 25, s. 116.
19.1. Every person who consults a recommendation or credit report referred to in section 19 or other document sent by a credit assessment agent on which the notice referred to in the first paragraph of section 10 of the Credit Assessment Agents Act (chapter A-8.2) appears or is otherwise notified by that agent must take reasonable measures to ensure that the person from whom consent was obtained to obtain the recommendation, report, document or personal information concerning him is actually the person who is the subject of the recommendation, report, document or personal information, the representative of that person or the person having parental authority over that person before entering into a contract with that person.
2020, c. 21, s. 110.
20. In the carrying on of an enterprise, authorized employees or agents may have access to personal information without the consent of the person concerned only if the information is needed for the performance of their duties.
1993, c. 17, s. 20; 2006, c. 22, s. 118; 2021, c. 25, s. 117.
21. A person carrying on an enterprise may communicate personal information without the consent of the persons concerned to a person or body wishing to use the information for study or research purposes or for the production of statistics.
The information may be communicated if a privacy impact assessment concludes that
(1)  the objective of the study or research or of the production of statistics can be achieved only if the information is communicated in a form allowing the persons concerned to be identified;
(2)  it is unreasonable to require the person or body to obtain the consent of the persons concerned;
(3)  the objective of the study or research or of the production of statistics outweighs, with regard to the public interest, the impact of communicating and using the information on the privacy of the persons concerned;
(4)  the personal information is used in such a manner as to ensure confidentiality; and
(5)  only the necessary information is communicated.
1993, c. 17, s. 21; 2021, c. 25, s. 118.
21.0.1. A person or body wishing to use personal information for study or research purposes or for the production of statistics must
(1)  request it in writing;
(2)  enclose a detailed presentation of the research activities with the request;
(3)  state the grounds supporting fulfillment of the criteria set out in subparagraphs 1 to 5 of the second paragraph of section 21;
(4)  mention all the persons and bodies to whom or which the person or body is making a similar request for the purposes of the same study or research or production of statistics;
(5)  if applicable, describe the different technologies that will be used to process the information; and
(6)  if applicable, send the documented decision of a research ethics committee relating to the study or research or the production of statistics.
2021, c. 25, s. 118.
21.0.2. A person who communicates personal information in accordance with section 21 must first enter into an agreement with the person or body to whom or which the information is to be sent that stipulates, among other things, that the information
(1)  may be made accessible only to persons who need to know it to exercise their functions and who have signed a confidentiality agreement;
(2)  may not be used for purposes other than those specified in the detailed presentation of the research activities;
(3)  may not be matched with any other information file that has not been provided for in the detailed presentation of the research activities; and
(4)  may not be communicated, published or otherwise distributed in a form allowing the persons concerned to be identified.
The agreement must also
(1)  specify the information that must be provided to the persons concerned if personal information concerning them is used to contact them to participate in the study or research;
(2)  provide for measures for ensuring the protection of the personal information;
(3)  determine a preservation period for the personal information;
(4)  set out the obligation to notify the person who communicates the personal information of its destruction; and
(5)  provide that the person who communicates the personal information and the Commission must be informed without delay
(a)  of non-compliance with any condition set out in the agreement;
(b)  of any failure to comply with the protection measures provided for in the agreement; and
(c)  of any event that could breach the confidentiality of the information.
The agreement must be sent to the Commission and comes into force 30 days after it is received by the Commission.
2021, c. 25, s. 118.
21.1. The Commission d’accès à l’information may, on written request and after consulting the professional orders concerned, grant a person authorization to receive communication of personal information on professionals regarding their professional activities, without the consent of the professionals concerned, if it has reasonable cause to believe
(1)  that the communication protects professional secrecy, especially in that it does not allow the identification of the person to whom the professional service is rendered, and does not otherwise invade the privacy of the professionals concerned ;
(2)  that the professionals concerned will be notified periodically of the intended uses and the ends contemplated and will be given a valid opportunity to refuse to allow such information to be preserved or to allow such information to be used for the intended uses or the ends contemplated ; and
(3)  that security measures have been put into place to ensure the confidentiality of personal information.
Such authorization shall be granted in writing. It may be revoked or suspended if the Commission has reasonable cause to believe that the authorized person is not complying with the prescriptions of this section, the intended uses or the ends contemplated.
The authorized person may communicate such personal information if
(1)  the information is communicated in a combined form that does not allow the identification of a specific professional act performed by a professional ;
(2)  the professionals concerned are periodically given a valid opportunity to refuse to be the subject of such a communication of information ; and
(3)  the person receiving communication of such information undertakes to use the information only for the intended uses and the ends contemplated.
The authorized person shall report annually to the Commission on the implementation of the authorization. The Commission shall publish a list of the persons authorized under this section in its annual report of activities.
Any interested person may, on any question of law or jurisdiction, appeal to a judge of the Court of Québec from the granting, refusal, suspension or revocation of an authorization in accordance with Division II of Chapter V of the Act respecting Access to documents held by public bodies and the Protection of personal information (chapter A-2.1).
2001, c. 73, s. 2.
22. Any person carrying on an enterprise who uses personal information for commercial or philanthropic prospection purposes must identify himself to the person whom he is addressing and inform that person of his right to withdraw his consent to the personal information concerning him being used for such purposes.
If the person concerned withdraws his consent regarding such use, the personal information must cease to be used for those purposes.
1993, c. 17, s. 22; 2006, c. 22, s. 119; 2021, c. 25, s. 119.
§ 3.  — Destruction or anonymization
2021, c. 25, s. 119.
23. Where the purposes for which personal information was collected or used are achieved, the person carrying on an enterprise must destroy the information, or anonymize it to use it for serious and legitimate purposes, subject to any preservation period provided for by an Act.
For the purposes of this Act, information concerning a natural person is anonymized if it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly.
Information anonymized under this Act must be anonymized according to generally accepted best practices and according to the criteria and terms determined by regulation.
1993, c. 17, s. 23; 2021, c. 25, s. 119.
24. (Replaced).
1993, c. 17, s. 24; 2006, c. 22, s. 120; 2021, c. 25, s. 119.
25. (Replaced).
1993, c. 17, s. 25; 2021, c. 25, s. 119.
26. (Replaced).
1993, c. 17, s. 26; 2021, c. 25, s. 119.
DIVISION IV
ACCESS BY PERSONS CONCERNED
§ 1.  — General provisions
27. Every person carrying on an enterprise who holds personal information on another person must, at the request of the person concerned, confirm the existence of the personal information, communicate it to the person and allow him to obtain a copy of it.
At the applicant’s request, computerized personal information must be communicated in the form of a written and intelligible transcript.
If the person concerned is handicapped, reasonable accommodation must be provided on request to enable the person to exercise the right of access provided for in this division.
1993, c. 17, s. 27; 2006, c. 22, s. 121; 2021, c. 25, s. 120.
28. In addition to the rights provided under the first paragraph of article 40 of the Civil Code, any person may, if personal information concerning him is inaccurate, incomplete or equivocal, or if collecting, communicating or keeping it are not authorized by law, require that the information be rectified.
1993, c. 17, s. 28; 2021, c. 25, s. 121.
28.1. The person to whom personal information relates may require any person carrying on an enterprise to cease disseminating that information or to de-index any hyperlink attached to his name that provides access to the information by a technological means, if the dissemination of the information contravenes the law or a court order.
The person may do likewise, or may require that the hyperlink providing access to the information be re-indexed, where the following conditions are met:
(1)  the dissemination of the information causes the person concerned serious injury in relation to his right to the respect of his reputation or privacy;
(2)  the injury is clearly greater than the interest of the public in knowing the information or the interest of any person in expressing himself freely; and
(3)  the cessation of dissemination, re-indexation or de-indexation requested does not exceed what is necessary for preventing the perpetuation of the injury.
In assessing the criteria set out in the second paragraph, the following, in particular, must be taken into account:
(1)  the fact that the person concerned is a public figure;
(2)  the fact that the information concerns the person at the time the person is a minor;
(3)  the fact that the information is up to date and accurate;
(4)  the sensitivity of the information;
(5)  the context in which the information is disseminated;
(6)  the time elapsed between the dissemination of the information and the request made under this section; and
(7)  where the information concerns a criminal or penal procedure, the obtaining of a pardon or the application of a restriction on the accessibility of records of the courts of justice.
Sections 30, 32 and 34 apply, with the necessary modifications, to a request made under this section. When granting such a request, the person in charge of the protection of personal information shall attest, in his written reply under section 32, to the cessation of the dissemination of the personal information or to the de-indexation or the re-indexation of the hyperlink.
2021, c. 25, s. 121.
29. Every person carrying on an enterprise who holds personal information on other persons must take the necessary steps to ensure the exercise by a person concerned of the rights provided under articles 37 to 40 of the Civil Code and the rights conferred by this Act. In particular, he must inform the public of the place where, and manner in which, access to the personal information may be granted.
1993, c. 17, s. 29; 2021, c. 25, s. 122.
30. No request for access or rectification may be considered unless it is made in writing by a person who proves that he is the person concerned or the representative, heir or successor of that person, the liquidator of the succession, a beneficiary of life insurance or of a death benefit, the person having parental authority even if the minor child is deceased, or the spouse or a close relative of the deceased person in accordance with section 40.1.
Such a request must be addressed to the person in charge of the protection of personal information. If the request is not sufficiently precise or if a person requires it, the person in charge must assist in identifying the information sought.
This section does not limit the communication of personal information to the person concerned or the rectification of that information as a result of a service to be provided to the person.
1993, c. 17, s. 30; 2006, c. 22, s. 122; 2021, c. 25, s. 123.
31. The spouse and the direct ascendants or descendants of a deceased person are entitled to receive, in accordance with the procedure provided for in section 30, communication of information relating to the cause of death contained in the person’s medical file, unless the deceased person recorded in writing, in his file, his refusal to grant such right of access.
Notwithstanding the first paragraph, the blood relatives of a deceased person are entitled to receive communication of the information contained in that person’s medical file to the extent that such communication is necessary to ascertain the existence of a genetic or family disease.
1993, c. 17, s. 31.
32. The person in charge of the protection of personal information must reply in writing to the request for access or rectification, promptly and not later than 30 days after the date the request is received.
Failure to respond within 30 days of the receipt of a request is deemed to be a refusal to grant the request.
1993, c. 17, s. 32; 2006, c. 22, s. 123; 2021, c. 25, s. 124.
33. Access to personal information shall be free of charge.
However, a reasonable charge may be required from a person requesting the transcription, reproduction or transmission of such information.
Any person carrying on an enterprise who intends to require a charge under this section must inform the applicant, in advance, of the approximate amount that will be charged for the transcription, reproduction or transmission of information.
1993, c. 17, s. 33; 2021, c. 25, s. 125.
34. The person in charge of the protection of personal information must give the reasons for any refusal to grant a request and indicate the provision of law on which the refusal is based, the remedies available to the applicant under this Act and the time limit for exercising them. If the applicant so requests, the person in charge must also help him understand the refusal.
1993, c. 17, s. 34; 2021, c. 25, s. 126.
35. Where the person in charge of the protection of personal information grants a request for rectification, he must, in addition to the obligations prescribed in the second paragraph of article 40 of the Civil Code, issue free of charge to the person who made the request a copy of any personal information modified or added or, as the case may be, an attestation of the deletion of personal information.
1993, c. 17, s. 35; 2021, c. 25, s. 127.
36. The person holding information that is the subject of a request for access or rectification must, if he does not grant the request, retain the information for such time as is necessary to allow the person concerned to exhaust the recourses provided by law.
1993, c. 17, s. 36.
§ 2.  — Restrictions on access
37. A person carrying on a professional health care enterprise may temporarily refuse to the person concerned access to the file established on him only if, in the opinion of a health care professional, consultation would result in serious harm to the person’s health.
A person carrying on another type of enterprise and holding such information may refuse to the person concerned access to the information relating to him only if consultation would result in serious harm to the person’s health, provided that he offers the person the possibility of designating a health care professional of his choice to receive communication of the information and communicates the information to such physician.
The health care professional shall determine the time at which consultation may take place and inform the person concerned thereof.
1993, c. 17, s. 37; 2006, c. 22, s. 124.
38. No person of less than 14 years of age may demand to be informed of the existence of information of a medical or social nature concerning him and contained in a file established on him, or receive communication of such information, except through his attorney in the context of judicial proceedings.
Nothing in the first paragraph is intended to restrict normal communication between a health care or social services professional and his patient, or the right of access of the holder of parental authority.
1993, c. 17, s. 38.
39. A person carrying on an enterprise may refuse to communicate personal information to the person it concerns where disclosure of the information would be likely to
(1)  hinder an inquiry the purpose of which is the prevention, detection or repression of crime or statutory offences conducted by his internal security service or conducted on his behalf for the same purpose by an external service or the holder of a security guard agency licence or investigation agency licence issued under the Private Security Act (chapter S-3.5);
(2)  affect judicial proceedings in which either person has an interest.
1993, c. 17, s. 39; 2006, c. 23, s. 129.
40. Any person carrying on an enterprise must refuse to give communication of personal information to a person to whom it relates where disclosure would be likely to reveal personal information about a third person or the existence of such information and the disclosure may seriously harm that third person, unless the latter consents to the communication of the information or in the case of an emergency that threatens the life, health or safety of the person concerned.
1993, c. 17, s. 40; 2021, c. 25, s. 128.
40.1. A person carrying on an enterprise may communicate personal information that he holds concerning a deceased person to the spouse or a close relative of the person if knowledge of the information could help the applicant in the grieving process and if the deceased person did not record in writing his refusal to grant such a right of access.
2021, c. 25, s. 129.
41. Subject to section 40.1, a person carrying on an enterprise must refuse to communicate personal information to the liquidator of the succession, to a beneficiary of life insurance or of a death benefit, or to the heir or successor of the person to whom the information relates, unless the information affects their interests or rights as liquidator, beneficiary, heir or successor.
1993, c. 17, s. 41; 2006, c. 22, s. 125; 2021, c. 25, s. 130.
DIVISION V
RECOURSE
41.1. The functions and powers of the Commission that are provided for in this division are exercised by the chair and the members assigned to the adjudicative division.
2006, c. 22, s. 126.
§ 1.  — Examination of disagreements
42. Any interested person may submit an application to the Commission d’accès à l’information for the examination of a disagreement relating to the application of a legislative provision concerning access to or the rectification of personal information, or concerning the application of section 28.1.
1993, c. 17, s. 42; 2021, c. 25, s. 131.
43. Where the disagreement results from a refusal to grant a request or from a failure to respond within the time limit prescribed by law, the person concerned disposes of a period of 30 days from the refusal or the expiry of the time limit to submit the disagreement to the Commission unless the Commission, for reasonable cause, releases the person concerned from failure to submit the disagreement within that time.
1993, c. 17, s. 43.
44. Any party who wishes to submit a disagreement to the Commission for examination must apply therefor in writing and pay the fees prescribed by regulation.
The application shall state briefly the reasons which justify examination of the disagreement by the Commission.
Notice of an application made by one party shall be given by the Commission to the other party.
1993, c. 17, s. 44.
45. A group of persons having an interest in the same subject of disagreement may submit an application to the Commission through a representative.
1993, c. 17, s. 45.
46. A person carrying on an enterprise who holds personal information on others may request authorization from the Commission to disregard applications that are obviously improper by reason of their number or their repetitious or systematic nature or applications that, in the opinion of the Commission, are not consistent with the object of this Act. The person may also request the Commission to limit the scope of the applicant’s request or extend the time limit within which he must reply.
A request made under the first paragraph must be sent to the Commission within the same time limit as would be applicable to the processing of a request under section 32, from the date the applicant’s most recent request was received.
1993, c. 17, s. 46; 2021, c. 25, s. 132.
47. The members of the personnel of the Commission must lend their assistance to any interested person requiring it in the drawing up of an application for the examination of a disagreement.
1993, c. 17, s. 47.
48. Where an application for the examination of a disagreement has been brought before it, the Commission may entrust a person it designates to attempt to bring the parties to an agreement.
1993, c. 17, s. 48; 2006, c. 22, s. 127.
49. If the Commission is of the opinion that no agreement is possible between the parties, it shall examine the subject of the disagreement according to the procedure it determines.
It must give the parties an opportunity to present their observations.
1993, c. 17, s. 49.
50. A member of the Commission may, on behalf of the Commission, examine a disagreement alone and render a decision. A member of the Commission may also act alone on behalf of the Commission to exercise the powers provided for in sections 46, 52, 57.1 and 60.
1993, c. 17, s. 50; 2006, c. 22, s. 128.
50.1. The Commission must, by regulation, prescribe rules of evidence and procedure for the examination of applications which may be brought before it. The regulation must include provisions to ensure the accessibility of the Commission and the quality and promptness of its decision-making process. To that end, the regulation must specify the time allotted to proceedings, from the time the application for examination is filed until the hearing, if applicable. The regulation shall be submitted to the Government for approval.
2006, c. 22, s. 129.
51. Every person must furnish to the Commission any information it requires for the examination of a disagreement.
1993, c. 17, s. 51.
52. The Commission may refuse or cease to examine a matter if it has reasonable grounds to believe that the application is frivolous or made in bad faith or that its intervention would clearly serve no purpose.
In such cases, the Commission may prohibit a person from bringing an application except with the authorization of and subject to the conditions determined by the chair of the Commission. It may, in the same manner, prohibit a person from presenting a pleading in an ongoing proceeding.
1993, c. 17, s. 52; 2021, c. 25, s. 133.
53. In the case of a disagreement relating to a request for rectification, the person holding the personal information must prove that it need not be rectified, unless the information in question was communicated to him by the person concerned or with the latter’s consent.
1993, c. 17, s. 53; 2021, c. 25, s. 134.
§ 2.  — Decision by the Commission
54. The Commission shall render, in respect of every disagreement submitted to it, a decision in writing giving the reasons on which it is based.
The Commission shall send a copy of the decision to the parties by any means providing proof of the date of receipt.
1993, c. 17, s. 54; 2006, c. 22, s. 130.
55. The Commission has all the powers necessary for the exercise of its jurisdiction; it may make any order it considers appropriate to protect the rights of the parties and rule on any issue of fact or law.
The Commission may, in particular, order a person carrying on an enterprise to communicate or rectify personal information or refrain from doing so.
1993, c. 17, s. 55.
55.1. The Commission must exercise its functions and powers in the matter of the examination of a disagreement diligently and efficiently.
The Commission must make its decision within three months after the matter is taken under advisement, unless the chair extends that time limit for valid reasons.
If a member of the Commission to whom a case is referred does not make a decision within the specified time limit, the chair may, by virtue of office or at the request of a party, remove the member from the case.
Before extending the time limit or removing from a case a member who has not made a decision within the applicable time limit, the chair must take the circumstances and the interest of the parties into account.
2006, c. 22, s. 131.
56. (Repealed).
1993, c. 17, s. 56; 2021, c. 25, s. 135.
57. In rendering a decision, the Commission may rule as to payment of the fees prescribed by regulation.
1993, c. 17, s. 57.
57.1. A decision containing an error in writing or in calculation or any other clerical error may be corrected by the Commission or the member who made the decision; the same applies to a decision which, through obvious inadvertence, grants more than was requested or fails to rule on part of the application.
A correction may be made on the Commission’s or the concerned member’s own initiative as long as execution of the decision has not commenced. A correction may be effected at any time on the motion of one of the parties, unless an appeal has been lodged.
The motion is addressed to the Commission and submitted to the member who made the decision. If the latter is no longer in office, is absent or is unable to act, the motion is submitted to the Commission.
If the correction affects the conclusions, the time limit for appealing or executing the decision runs from the date of the correction.
2006, c. 22, s. 132.
58. A decision of the Commission prescribing a particular course of action to a party is enforceable 30 days after its receipt by the parties.
A decision prohibiting a course of action to a party is enforceable from its delivery to the party concerned.
From the time a decision becomes enforceable, a certified copy of the decision may be filed by the Commission or a party in the office of the clerk of the Superior Court of the district of Montréal or Québec or of the district where the head office, business establishment or residence of a party is situated.
The filing confers on the decision the same force and effect as a judgment of the Superior Court.
1993, c. 17, s. 58; 1999, c. 40, s. 233; 2021, c. 25, s. 136.
59. A decision of the Commission on a question of fact coming under its jurisdiction is final and no appeal lies therefrom.
1993, c. 17, s. 59.
60. The Commission may declare an application for examination of a disagreement perempted if one year has elapsed since the last useful proceeding was filed.
1993, c. 17, s. 60; 2002, c. 7, s. 171.
§ 3.  — Appeal and contestation
1993, c. 17, Sd. 3; 2021, c. 25, s. 137.
61. A person directly interested may bring an appeal from a final decision of the Commission before a judge of the Court of Québec on a question of law or jurisdiction or, with leave of a judge of that Court, from an interlocutory decision which cannot be remedied by the final decision.
The person may also contest before a judge of the Court of Québec an order issued by the Commission’s oversight division.
1993, c. 17, s. 61; 2006, c. 22, s. 133; 2021, c. 25, s. 138.
61.1. The application for leave to appeal from an interlocutory decision must specify the questions of law or jurisdiction that ought to be examined in appeal and the reason it cannot be remedied by the final decision and, after notice to the parties and to the Commission, be filed in the office of the Court of Québec within 10 days after the date on which the parties receive the decision of the Commission.
If the application is granted, the judgment authorizing the appeal serves as a notice of appeal.
2006, c. 22, s. 133; I.N. 2016-01-01 (NCCP).
62. The jurisdiction conferred by this division on a judge of the Court of Québec is exercised by only the judges of that Court that are appointed by the chief judge.
1993, c. 17, s. 62.
63. The appeal is brought by filing with the Court of Québec a notice to that effect specifying the questions of law or jurisdiction which ought to be examined in appeal.
The notice of appeal is filed at the office of the Court of Québec within 30 days after notification of the final decision.
The proceeding to contest an order issued by the Commission’s oversight division is filed at the office of the Court of Québec within 30 days after notification of the order and must specify the questions which ought to be examined.
1993, c. 17, s. 63; 2006, c. 22, s. 134; 2021, c. 25, s. 139.
64. The filing of the notice of appeal or of the application for leave to appeal from an interlocutory decision suspends the execution of the decision of the Commission until the decision of the Court of Québec is rendered. If it is an appeal from a decision ordering a person to cease or refrain from doing something, the filing of the notice or of the application does not suspend execution of the decision.
The filing of the proceeding to contest an order issued by the Commission’s oversight division does not suspend the execution of the order. However, on a motion heard and judged on an urgent basis, a judge of the Court of Québec may order otherwise because of the urgency of the situation or the risk of serious and irreparable injury.
1993, c. 17, s. 64; 2006, c. 22, s. 134; I.N. 2016-01-01 (NCCP); 2021, c. 25, s. 140.
65. The notice of appeal must be served on the parties and the Commission within 10 days after its filing at the office of the Court of Québec.
The secretary of the Commission shall send a copy of the decision appealed from and the accompanying documents to the office of the Court to serve as a joint record.
The contestation of an order issued by the Commission’s oversight division must be served on the Commission and, if applicable, on the other parties, within 10 days after its filing at the office of the Court of Québec. The secretary of the Commission shall send a copy of the contested order and the accompanying documents to the office of the Court to serve as a joint record.
1993, c. 17, s. 65; 2006, c. 22, s. 134; 2021, c. 25, s. 141.
66. (Replaced).
1993, c. 17, s. 66; 2006, c. 22, s. 134.
67. The appeal is governed by articles 351 to 390 of the Code of Civil Procedure (chapter C-25.01), adapted as required. The parties are not required, however, to file a statement of their claims.
The contestation is governed by the rules of Book II of the Code of Civil Procedure.
1993, c. 17, s. 67; I.N. 2016-01-01 (NCCP); 2021, c. 25, s. 142; 2023, c. 3, s. 25.
68. The Court of Québec may, in the manner prescribed under the Courts of Justice Act (chapter T-16), make the regulations judged necessary for the carrying out of this division.
1993, c. 17, s. 68; I.N. 2016-01-01 (NCCP).
69. The decision of the judge of the Court of Québec is without appeal.
1993, c. 17, s. 69.
DIVISION VI
PERSONAL INFORMATION AGENTS
70. Every personal information agent carrying on an enterprise in Québec must be registered with the Commission.
Any person who, on a commercial basis, personally or through a representative, establishes files on other persons and prepares and communicates to third parties credit reports bearing on the character, reputation or solvency of the persons to whom the information contained in such files relates is a personal information agent.
1993, c. 17, s. 70.
70.1. A personal information agent may not invoke registration with the Commission to claim that the agent’s competence, solvency, conduct or operations are recognized or approved.
2006, c. 22, s. 135.
71. Every personal information agent must establish and apply a method of operation that ensures that the information communicated by him is up to date and accurate, and that it is communicated in accordance with this Act.
1993, c. 17, s. 71; 2021, c. 25, s. 143.
72. Applications for registration shall be filed according to the procedure determined by the Commission, accompanied with the fees prescribed by regulation. An application shall contain, in particular, the following information:
(1)  the name, address and email address of the agent and, in the case of a legal person, the address of its head office and the names and addresses of its directors;
(2)  the address, email address and telephone number of each establishment of the agent in Québec;
(3)  the title and contact information of the person in charge of the protection of personal information;
(4)  the method of operation provided for in section 71;
(5)  the rules of conduct provided for in section 78; and
(6)  the other measures taken to ensure the confidentiality and security of personal information in accordance with this Act.
Every personal information agent must inform the Commission of any change in the information referred to in the first paragraph no later than 30 days following the change. If applicable, the agent must also promptly inform the Commission of the expected termination of the agent’s activities.
1993, c. 17, s. 72; 2021, c. 25, s. 144.
73. The Commission shall register an agent who files an application in conformity with the provisions of section 72.
1993, c. 17, s. 73.
74. The Commission shall keep a current register of personal information agents containing, for each agent, the agent’s name, address and email address, and the title and contact information of the person in charge of the protection of personal information.
1993, c. 17, s. 74; 2021, c. 25, s. 145.
75. The register shall be available for public consultation during the regular business hours of the Commission. It may also be consulted on the Commission’s website.
The Commission shall furnish, free of charge, to any person who so requests any extract from the register concerning a personal information agent.
1993, c. 17, s. 75; 2021, c. 25, s. 146.
76. (Repealed).
1993, c. 17, s. 76; 2021, c. 25, s. 147.
77. (Repealed).
1993, c. 17, s. 77; 2006, c. 22, s. 136.
78. Every personal information agent must establish and apply within his enterprise rules of conduct allowing any person to whom personal information held by the agent relates to have access to the information according to a procedure that ensures the protection of the information and to cause the information to be rectified.
1993, c. 17, s. 78; 1999, c. 40, s. 233; 2021, c. 25, s. 148.
79. Every personal information agent must inform the public
(1)  of the fact that the agent holds personal information on other persons, that he gives communication of credit reports bearing on the character, reputation or solvency of the persons to whom the personal information relates to persons with whom he is bound by contract, and that he receives from the latter personal information relating to other persons;
(2)  of the rights of access and rectification that the persons concerned may exercise under this Act in respect of the personal information the agent holds; and
(3)  of the information provided for in subparagraphs 3 to 6 of the first paragraph of section 72.
The information must be published on the personal information agent’s website, or, if the agent does not have a website, made available by any other appropriate means.
1993, c. 17, s. 79; 2021, c. 25, s. 148.
79.1. Despite section 23, a personal information agent must destroy personal information collected more than seven years earlier.
This section does not apply to personal information in a file established for the purposes of an inquiry to prevent, detect or repress a crime or statutory offence.
2021, c. 25, s. 148.
DIVISION VII
APPLICATION OF THIS ACT
§ 1.  — General provisions
2006, c. 22, s. 137.
80. The functions and powers provided for in section 21.1, Division VI and this division are exercised by the chair and the members assigned to the oversight division.
1993, c. 17, s. 80; 2006, c. 22, s. 137; 2021, c. 25, s. 149.
80.1. A member of the Commission may act alone on behalf of the Commission to exercise the functions and powers conferred on it by sections 21.1, 72, 80.2, 81, 81.3, 81.4, 83, 84, 92 and 95.
The chair of the Commission may delegate to a member of the personnel of the Commission all or part of the functions and powers conferred on the Commission by sections 21.1, 80.2 and 95.
2006, c. 22, s. 137; 2021, c. 25, s. 150.
80.1.1. For the purposes of subdivisions 4.1 and 5, a political party is considered a natural person.
2021, c. 25, s. 151.
§ 1.1.  — Inspection
2006, c. 22, s. 138.
80.2. In the exercise of its oversight functions, the Commission may authorize members of its personnel or any other persons to act as inspectors.
2006, c. 22, s. 138.
80.3. Persons acting as inspectors may
(1)  enter the establishment of a body or person subject to the oversight of the Commission at any reasonable time;
(2)  request a person on the site to present any information or document required to exercise the Commission’s oversight function; and
(3)  examine and make copies of such documents.
2006, c. 22, s. 138.
80.4. Persons acting as inspectors must, on request, identify themselves and produce a certificate of authority.
Persons acting as inspectors may not be prosecuted for an act performed in good faith in the exercise of their duties.
2006, c. 22, s. 138.
§ 2.  — Inquiry
81. The Commission may, on its own initiative or following a complaint by a person, inquire into or entrust a person with inquiring into any matter relating to the protection of personal information as well as into the practices of a person who carries on an enterprise and who collects, holds, uses or communicates such information to third persons. A complaint may be filed anonymously.
1993, c. 17, s. 81; 2006, c. 22, s. 139; 2021, c. 25, s. 152.
81.1. It is forbidden to take a reprisal against a person on the ground that the person has, in good faith, filed a complaint with the Commission or cooperated in an investigation.
It is also forbidden to threaten to take a reprisal against a person to dissuade him from filing a complaint or cooperating in an investigation.
2021, c. 25, s. 153.
81.2. The demotion, suspension, dismissal or transfer of a person or any other disciplinary measure or measure that adversely affects a person’s employment or conditions of employment is presumed to be a reprisal within the meaning of section 81.1.
2021, c. 25, s. 153.
81.3. The Commission may, by a formal demand notified by any appropriate method, require any person, whether subject to this Act or not, to file, within a reasonable time specified in the demand, any information or document to verify compliance with this Act or the regulations.
The person to whom the demand is made shall comply with it within the specified time regardless of whether the person has already filed such information or documents pursuant to a similar demand or pursuant to an obligation under this Act or the regulations.
2021, c. 25, s. 153.
81.4. The Commission may, when a confidentiality incident is brought to its attention, order any person, after giving him the opportunity to submit observations, to take any measure to protect the rights of the persons concerned that are granted by this Act, for the time and on the conditions the Commission determines. It may, in particular, order that the personal information involved be returned to the person carrying on an enterprise or destroyed.
If a person to whom an order applies was not given prior notice because, in the opinion of the Commission, urgent action is required or there is a danger of irreparable injury being caused, the person may, within the time specified in the order, submit observations so that the order may be reviewed by the Commission.
2021, c. 25, s. 153.
82. (Repealed).
1993, c. 17, s. 82; 2006, c. 22, s. 140.
83. The inquiries of the Commission are non-adversary investigations.
Following an inquiry relating to the collection, retention or communication of personal information by a person carrying on an enterprise, the Commission may, after giving the person an opportunity to present his observations, recommend or order the application of such remedial measures as are appropriate to ensure the protection of the personal information within the reasonable time limit the Commission specifies.
1993, c. 17, s. 83; 2021, c. 25, s. 154.
83.1. Every person carrying on an enterprise must, at the request of the Commission, provide it with any information it requires on the carrying out of this Act.
2021, c. 25, s. 155.
84. If, within a reasonable time after issuing an order in respect of a person who carries on an enterprise, the Commission considers that appropriate measures have not been taken in response, it may publish, in the manner it determines, a notice to inform the public thereof.
1993, c. 17, s. 84.
85. The Commission, its members and any person entrusted by it with making an inquiry for the purposes of this Act, are vested for the inquiry with the powers and immunity provided for in the Act respecting public inquiry commissions (chapter C‐37) except the power to order imprisonment.
1993, c. 17, s. 85; 2006, c. 22, s. 141.
86. An order issued by the Commission’s oversight division becomes enforceable in the same manner as a decision referred to in section 58.
1993, c. 17, s. 86; 2021, c. 25, s. 156.
87. A person directly interested may contest an order issued by the Commission’s oversight division.
The contestation is subject to the rules set out in sections 61 to 69.
1993, c. 17, s. 87; 2021, c. 25, s. 156.
§ 3.  — Reports
88. Not later than 14 June 2026, and, subsequently, every five years, the Commission must report to the Government on the application of this Act and of Division V.1 of Chapter IV of the Professional Code (chapter C‐26), as well as on any other subject the Minister may submit to it.
The report must also include any audit findings and recommendations that the Auditor General considers it appropriate to forward to the Commission under the Auditor General Act (chapter V‐5.01) and that the Auditor General states are to be reproduced in the report.
The Minister shall table the report in the National Assembly within 15 days of receiving it or, if the Assembly is not sitting, within 15 days of resumption.
1993, c. 17, s. 88; 2006, c. 22, s. 142; 2021, c. 25, s. 157.
89. The Committee on the National Assembly shall designate, as soon as possible, the committee which will study the report concerning the carrying out of this Act.
Within the year following the tabling of the report before the National Assembly, the designated committee must examine the advisability of amending this Act, and shall hear the representations of interested persons and bodies on such matters.
1993, c. 17, s. 89; 2006, c. 22, s. 143.
§ 4.  — Regulations
90. The Government, after obtaining the advice of the Commission, may make regulations to
(1)  fix the fees payable for any act performed by the Commission;
(2)  determine cases of total or partial exemption from payment of the fees payable under this Act;
(3)  determine the content and terms of the notices provided for in section 3.5;
(3.1)  determine the content of the register provided for in section 3.8;
(3.2)  for the purposes of section 23, determine the criteria and terms applicable to the anonymization of personal information;
(3.3)  determine the cases in which a recovery charge is payable under section 90.17, as well as the conditions of payment and the amount payable;
(4)  fix the registration fees payable by personal information agents.
In exercising its regulatory power, the Government may define sectors of activity and categories of personal information and files.
1993, c. 17, s. 90; 2021, c. 25, s. 158.
§ 4.1.  — Monetary administrative penalties
2021, c. 25, s. 159.
90.1. A monetary administrative penalty may be imposed by a person designated by the Commission, but who is not a member of any of its divisions, on anyone who
(1)  does not inform the persons concerned in accordance with sections 7 and 8;
(2)  collects, uses, communicates, keeps or destroys personal information in contravention of the law;
(3)  does not report, where required to do so, a confidentiality incident to the Commission or to the persons concerned;
(4)  does not take the security measures necessary to ensure the protection of the personal information in accordance with section 10;
(5)  does not inform the person concerned by a decision based exclusively on an automated process or does not give the person an opportunity to submit observations, in contravention of section 12.1; or
(6)  is a personal information agent and contravenes any of sections 70, 70.1, 71, 72, 78, 79 and 79.1.
Following a failure referred to in the first paragraph, a person may, at any time, enter into an undertaking with the Commission to take the measures necessary to remedy the failure or mitigate its consequences. The undertaking must identify the acts or omissions constituting a failure and the provisions involved. It may also include the conditions the Commission considers necessary and contain a requirement to pay a sum of money.
If the undertaking is accepted by the Commission and is complied with, no monetary administrative penalty may be imposed on the person carrying on an enterprise with regard to the acts or omissions mentioned in the undertaking.
2021, c. 25, s. 159.
90.2. The Commission shall develop and make public a general framework for the application of monetary administrative penalties and shall specify in the framework the following elements in particular:
(1)  the purpose of the penalties, such as urging a person carrying on an enterprise to rapidly take the measures required to remedy the failure and deter repetition of such failures;
(2)  the criteria that must guide designated persons in the decision to impose a penalty when a failure occurs and in the determination of the amount of the penalty, including
(a)  the nature, seriousness, repetitiveness and duration of the failure;
(b)  the sensitivity of the personal information concerned by the failure;
(c)  the number of persons concerned by the failure and the risk of injury to which they are exposed;
(d)  the measures taken by the person in default to remedy the failure or mitigate its consequences;
(e)  the degree of cooperation provided to the Commission to remedy the failure or mitigate its consequences;
(f)  the compensation offered by the person in default, as restitution, to every person concerned by the failure; and
(g)  the ability to pay of the person in default, given such considerations as the person’s assets, turnover and revenues;
(3)  the circumstances in which priority will be given to penal proceedings; and
(4)  the other terms regarding the imposition of such a penalty.
2021, c. 25, s. 159.
90.3. When a failure referred to in section 90.1 has occurred, a notice of non-compliance may be notified to the person in default to urge him to take, without delay, the measures required to remedy the failure. The notice must mention the fact that the failure could give rise to a monetary administrative penalty or penal sanctions, among other things.
2021, c. 25, s. 159.
90.4. The designated person must, before imposing a monetary administrative penalty, notify the notice of non-compliance referred to in section 90.3 to the person in default and give the person an opportunity to submit observations and produce any documents to complete the record.
2021, c. 25, s. 159.
90.5. A monetary administrative penalty is imposed on the person in default by notification of a notice of claim setting out the amount of the claim, the reasons for it, the time from which it bears interest, the right to apply for a review of the decision, the right to contest the review decision before the Court of Québec and the time limit for bringing such proceedings.
The notice of claim must also include information on the procedure for recovery of the amount owing, in particular with regard to the issue of a recovery certificate under section 90.14 and its effects. The person must also be advised that the facts on which the claim is founded may result in penal proceedings.
The amount owing bears interest at the rate determined under the first paragraph of section 28 of the Tax Administration Act (chapter A-6.002), from the 31st day after notification of the notice.
The notification of a notice of claim interrupts the prescription provided for in the Civil Code with regard to the recovery of the amount owing.
2021, c. 25, s. 159.
90.6. The person in default may apply to the Commission in writing for a review of the decision to impose a monetary administrative penalty, within 30 days after notification of the notice of claim.
A member assigned to the Commission’s oversight division is responsible for reviewing the decision.
2021, c. 25, s. 159.
90.7. The application for review must be dealt with promptly. The review decision is rendered after giving the person in default an opportunity to submit observations and produce any documents to complete the record. The decision may confirm, quash or vary the decision under review.
2021, c. 25, s. 159.
90.8. The review decision must be written in clear and concise terms, with reasons given, must be notified to the applicant and must state the applicant’s right to contest the decision before the Court of Québec and the time limit for bringing such a proceeding.
If the review decision is not rendered within 30 days after the application is received or, if applicable, after the time granted to the applicant to submit observations or produce documents, the interest provided for in the first paragraph of section 90.5 on the amount owing is suspended until the decision is rendered.
2021, c. 25, s. 159.
90.9. A review decision confirming or amending the decision to impose a monetary administrative penalty may be contested before the Court of Québec within 30 days after notification of the contested decision.
The contestation is subject to the rules set out in sections 61 to 69, with the necessary modifications.
2021, c. 25, s. 159.
90.10. The imposition of a monetary administrative penalty is prescribed two years from the date of the failure to comply with the Act.
2021, c. 25, s. 159.
90.11. No monetary administrative penalty may be imposed on a person for a failure to comply with this Act if a statement of offence has already been served on the person for a failure to comply with the same provision on the same day, based on the same facts.
2021, c. 25, s. 159.
90.12. The maximum amount of the monetary administrative penalty is $50,000 in the case of a natural person and, in all other cases, $10,000,000 or, if greater, the amount corresponding to 2% of worldwide turnover for the preceding fiscal year.
2021, c. 25, s. 159.
90.13. The debtor and the Commission may enter into a payment agreement with regard to the amount owing. Such an agreement, or the payment of the amount owing, does not constitute, for the purposes of penal proceedings or any other administrative penalty under this Act, an acknowledgement of the facts giving rise to it.
2021, c. 25, s. 159.
90.14. If the amount owing is not paid in its entirety or the payment agreement is not adhered to, the Commission may issue a recovery certificate upon the expiry of the time for applying for a review of the decision imposing the monetary administrative penalty, upon the expiry of the time for contesting the review decision before the Court of Québec or upon the expiry of 30 days after the final decision of the Court confirming all or part of the decision imposing the penalty or the review decision, as applicable.
However, a recovery certificate may be issued before the expiry of the time referred to in the first paragraph if the Commission is of the opinion that the debtor is attempting to evade payment.
A recovery certificate must state the debtor’s name and address and the amount of the debt.
2021, c. 25, s. 159.
90.15. Once a recovery certificate has been issued, the Minister of Revenue applies, in accordance with section 31 of the Tax Administration Act (chapter A-6.002), any refund owed to a person under a fiscal law to the payment of an amount owed by that person under this Act.
The allocation interrupts the prescription provided for in the Civil Code with regard to the recovery of an amount owing.
2021, c. 25, s. 159.
90.16. Upon the filing of the recovery certificate at the office of the competent court, together with a copy of the final decision stating the amount of the debt, the decision becomes enforceable as if it were a final judgment of that court not subject to appeal, and has all the effects of such a judgment.
2021, c. 25, s. 159.
90.17. The debtor is required to pay a recovery charge in the cases, under the conditions and in the amount determined by regulation.
2021, c. 25, s. 159.
§ 5.  — Penal provisions
91. Anyone who
(1)  collects, uses, communicates, keeps or destroys personal information in contravention of the law,
(2)  fails to report, where required to do so, a confidentiality incident to the Commission or to the persons concerned,
(3)  contravenes the prohibition set out in section 8.4,
(4)  does not take the security measures necessary to ensure the protection of the personal information in accordance with section 10,
(5)  identifies or attempts to identify a natural person using de-identified information without the authorization of the person holding the information or using anonymized information,
(6)  is a personal information agent and contravenes any of sections 70, 70.1, 71, 72, 78, 79 and 79.1,
(7)  impedes the progress of an inquiry or inspection of the Commission or the hearing of an application by the Commission by providing it with false or inaccurate information, by omitting to provide information it requires or otherwise,
(8)  contravenes section 81.1,
(9)  refuses or neglects to comply, within the specified time, with a demand made under section 81.3, or
(10)  fails to comply with an order of the Commission
commits an offence and is liable to a fine of $5,000 to $100,000 in the case of a natural person and, in all other cases, of $15,000 to $25,000,000, or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year.
1993, c. 17, s. 91; 2006, c. 22, s. 144; 2021, c. 25, s. 160.
92. The Commission may, in accordance with article 10 of the Code of Penal Procedure (chapter C-25.1), institute penal proceedings for an offence under this division.
1993, c. 17, s. 92; 2006, c. 22, s. 145; 2021, c. 25, s. 160.
92.1. In the case of a subsequent offence, the fines under this division are doubled.
2006, c. 22, s. 146; 2021, c. 25, s. 160.
92.2. All penal proceedings must be instituted within five years of the commission of the offence.
2021, c. 25, s. 160.
92.3. In determining the penalty, the judge takes into account the following factors, among others:
(1)  the nature, seriousness, repetitiveness and duration of the offence;
(2)  the sensitivity of the personal information concerned by the offence;
(3)  whether the offender acted intentionally or was negligent or reckless;
(4)  the foreseeable character of the offence or the failure to follow recommendations or warnings to prevent it;
(5)  the offender’s attempts to cover up the offence or failure to try to mitigate its consequences;
(6)  whether the offender failed to take reasonable measures to prevent the commission of the offence;
(7)  whether the offender obtained or intended to obtain an increase in revenues or a decrease in expenses by committing the offence or by omitting to take measures to prevent it; and
(8)  the number of persons concerned by the offence and the risk of injury to which they are exposed.
2021, c. 25, s. 160.
93. Where an offence under this Act is committed by a legal person, the administrator, director or representative of the legal person who ordered or authorized the act or omission constituting the offence, or who consented thereto, is a party to the offence and is liable to the prescribed penalty.
1993, c. 17, s. 93.
§ 6.  — Damages
2021, c. 25, s. 161.
93.1. Where the unlawful infringement of a right conferred by this Act or by articles 35 to 40 of the Civil Code causes an injury and the infringement is intentional or results from a gross fault, the court shall award punitive damages of not less than $1,000.
2021, c. 25, s. 161.
DIVISION VIII
MISCELLANEOUS PROVISIONS
94. The provisions of this Act have precedence over those of any subsequent general or special Act which would be contrary thereto, unless the latter Act expressly provides that it applies despite this Act.
However, they do not have the effect of limiting the protection of personal information or access to that information by a person concerned pursuant to another Act, a regulation, an order in council, a collective agreement, an order or a practice established before 1 January 1994.
1993, c. 17, s. 94.
95. The Commission may make agreements with any department, body or person authorized by law to make inquiries in the matter of protection of personal information, in order to coordinate its actions with those of the department, body or person.
1993, c. 17, s. 95.
96. Any association or partnership that carries on an enterprise and holds personal information on its members or on third persons has, in respect of its members and such third persons, the same rights and the same obligations as a person carrying on an enterprise.
1993, c. 17, s. 96.
97. Credit unions and the federation of which they are members and, if applicable, a legal person or partnership controlled by the federation are not considered to be third persons in relation to each other for the purposes of the communication among themselves and the use of personal information relevant to the supply of property or the provision of a service under the Act respecting financial services cooperatives (chapter C-67.3).
Credit unions, the federation of which they are members and the other members of the group are not considered to be third persons in relation to each other for the purposes of the communication among themselves and the use of personal information relevant to financial risk management.
1993, c. 17, s. 97; 1999, c. 40, s. 233; 2000, c. 29, s. 662; 2006, c. 22, s. 147; 2010, c. 40, s. 13; 2018, c. 23, s. 781.
98. The minister designated by the Government is responsible for the administration of this Act.
1993, c. 17, s. 98; 1994, c. 14, s. 32; 1996, c. 21, s. 63; 2005, c. 24, s. 47.
The Minister responsible for Access to Information and the Protection of Personal Information is responsible for the administration of this Act. Order in Council 1541-2021 dated 15 December 2021, (2022) 154 G.O. 2 (French), 177.
DIVISION IX
AMENDING PROVISIONS
ACT RESPECTING ACCESS TO DOCUMENTS HELD BY PUBLIC BODIES AND THE PROTECTION OF PERSONAL INFORMATION
99. (Amendment integrated into c. A-2.1, s. 88.1).
1993, c. 17, s. 99.
100. (Amendment integrated into c. A-2.1, s. 89.1).
1993, c. 17, s. 100.
101. (Amendment integrated into c. A-2.1, s. 94).
1993, c. 17, s. 101.
102. (Amendment integrated into c. A-2.1, s. 104).
1993, c. 17, s. 102.
103. (Amendment integrated into c. A-2.1, s. 118).
1993, c. 17, s. 103.
104. (Amendment integrated into c. A-2.1, s. 122).
1993, c. 17, s. 104.
105. (Amendment integrated into c. A-2.1, s. 130.1).
1993, c. 17, s. 105.
106. (Amendment integrated into c. A-2.1, s. 146.1).
1993, c. 17, s. 106.
107. (Amendment integrated into c. A-2.1, s. 148).
1993, c. 17, s. 107.
108. (Amendment integrated into c. A-2.1, s. 151).
1993, c. 17, s. 108.
109. (Amendment integrated into c. A-2.1, s. 174).
1993, c. 17, s. 109.
SAVINGS AND CREDIT UNIONS ACT
110. (Amendment integrated into c. C-4.1, s. 196).
1993, c. 17, s. 110.
111. (Omitted).
1993, c. 17, s. 111.
112. (Omitted).
1993, c. 17, s. 112.
113. (Omitted).
1993, c. 17, s. 113.
DIVISION X
FINAL PROVISIONS
114. The statement indicating the object of a file on another person held by a person carrying on an enterprise on 1 January 1994 must be entered before 1 January 1995.
1993, c. 17, s. 114.
115. (Omitted).
1993, c. 17, s. 115.
REPEAL SCHEDULE

In accordance with section 9 of the Act respecting the consolidation of the statutes and regulations (chapter R-3), chapter 17 of the statutes of 1993, in force on 1 September 1994, is repealed, except section 115, effective from the coming into force of chapter P-39.1 of the Revised Statutes.