Quebec: Overview of Vendor Privacy Contracts

1. Governing Texts

1.1. Legislation

Please note that most of the provisions introduced by Bill 64 will enter into effect over a three-year period from the date of Bill 64's assent, which was 22 September 2021.

1.2. Regulatory authority guidance

The Quebec Commission on Access to Information ('CAI') has not issued any guidance.

1.3. Regulatory authority templates

CAI has not issued any templates.

2. Definitions

Data controller | Data processor: There is no definition of 'data controller' or 'data processor' in the applicable law. However, the Private Sector Act (as amended by Bill 64) applies to 'persons carrying on an enterprise' as defined in Article 1525 of the Quebec Civil Code ('the Civil Code'), whereby the carrying on by one or more persons of an organised economic activity, whether or not it is commercial in nature, consisting of producing, administering, or alienating property, or providing a service, constitutes the operation of an enterprise (Article 1 of the Private Sector Act).

3. Contractual Requirements

3.1. Are there requirements for a contract to be in place between a controller and processor?

Bill 64 states that a person carrying on an enterprise may, without the consent of the person concerned, communicate personal information to any person or body if the information is necessary for carrying out a mandate or performing a contract of enterprise or for services entrusted to that person or body by the person carrying on an enterprise (Article 107 of Bill 64).

In such a case, the person carrying on an enterprise must (Article 107 of Bill 64):

  • entrust the mandate or contract in writing; and
  • specify in the mandate or contract the measures the mandatary or the person performing the contract must take to protect the confidentiality of the personal information communicated, to ensure that the information is used only for carrying out the mandate or performing the contract and to ensure that the mandatary or person does not keep the information after the expiry of the mandate or contract.

3.2. What content should be included?

Bill 64 outlines that where the communication of personal information is necessary for concluding a commercial transaction to which a person carrying on an enterprise intends to be a party, the person may communicate such information, without the consent of the person concerned, to the other party to the transaction (Article 107 of Bill 64).

An agreement must first be entered into with the other party that stipulates, among other things, that the latter undertakes (Article 107 of Bill 64):

  • to use the information only for concluding the commercial transaction;
  • not to communicate the information without the consent of the person concerned, unless authorised to do so by the Private Sector Act;
  • to take the measures required to protect the confidentiality of the information; and
  • to destroy the information if the commercial transaction is not concluded or if using the information is no longer necessary for concluding the commercial transaction.

Moreover, the mandate or contract must stipulate the measures the person performing the contract must take to protect the confidentiality of the personal information communicated, to ensure that the information is used only for carrying out the mandate or performing the contract and to ensure that the mandatary or person does not keep the information after the expiry of the mandate or contract (Article 107 of Bill 64).

4. Data Subject Rights Handling & Assistance

4.1. Are processors required to assist controllers with handling of data subject requests?

Any person holding personal information on behalf of a person carrying on an enterprise may refer to the latter every request for access or rectification received from a person to whom such information relates. This does not limit a person's right to obtain, from a personal information agent, access to, or rectification of, personal information concerning him or her held by that agent (Section 16 of the Quebec Private Sector Act).

For more information see Quebec - Data Subject Rights.

5. Processor Recordkeeping

5.1. Are processors required to keep records of their processing activities?

Not applicable.

6. Security Measures

6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?

Not applicable.

7. Breach Notification

7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?

A person or body carrying out a mandate or performing a contract of enterprise or for services must notify the person in charge of the protection of personal information without delay of any violation or attempted violation by any person of any obligation concerning the confidentiality of the information communicated, and must also allow the person in charge of personal information to conduct any verification relating to confidentiality requirements (Article 107 of Bill 64).

For further information see Quebec - Data Breach Notification.

8. Subprocessor

8.1. Are subprocessors regulated? If so, what obligations are imposed?

Not applicable.

9. Cross-Border Transfers

9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?

Not applicable.

10. Regulatory Assistance

10.1. Are processors required to assist controllers with regulatory investigations?

Not applicable.

11. Processor DPO / Representative

11.1. Are processors required to appoint a DPO / representative?

The Private Sector Act provides that every personal information agent carrying on an enterprise in Québec must be registered with the CAI. Moreover, any person who, on a commercial basis, personally or through a representative, establishes files on other persons and prepares and communicates to third parties credit reports bearing on the character, reputation or solvency of the persons to whom the information contained in such files relates is a personal information agent (Article 70 of the Private Sector Act).

For further information see Quebec - Data Protection Officer Appointment.

12. Supervision & Monitoring

12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?

Please see the section on Contractual Requirements above.


Authored by OneTrust DataGuidance

DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.
