
The Amended Quebec Privacy Act

Operationalize Quebec Privacy Act Compliance with the most comprehensive PrivacyOps platform.


The Act Respecting the Protection of Personal Information in the Private Sector, CQLR P-39.1 (Quebec Private Privacy Act) regulates the collection, use, and disclosure of personal information by private organizations.

The Amended Quebec Privacy Act is part of the reforms introduced in Bill 64, An Act to modernize legislative provisions regarding the protection of personal information. The amendment was enacted on September 22, 2021, and is set to take full effect by 2024. In the meantime, some of its provisions, such as Privacy Impact Assessment, privacy by default, and extra-provincial data transfer, will roll out by 2023.

The Amended Quebec Privacy Act applies to private-sector organizations collecting, using, or disclosing the personal information of a consumer (data subject) within the province. The amendment authorizes the Commission de l'accès à l'information ("Commission") to enforce the amendments. The Act applies to personal information kept by an organization or received by it through a third-party agency.

The Solution

Securiti enables organizations to ensure seamless compliance with the Amended Quebec Privacy Act with its AI-driven data discovery, DSR automation, universal consent management, autonomous documented accountability, data breach management, and vendor risk assessment.


Securiti supports enterprises in their journey towards compliance with the Amended Quebec Privacy Act through automation, enhanced data visibility, and identity linking.

See how our comprehensive PrivacyOps platform helps you comply with various sections of the Amended Quebec Privacy Act.


 


Customize a data subject rights request portal for seamless customer care

Create personalized web forms according to your brand style guide with the DSR request format and accept verified data subject rights requests. Automate the initiation of fulfillment workflows when verified requests are received.

Assess Amended Quebec Privacy Act readiness

Division: 1.1; Sections: 9.1, 10, 11, 23

With the help of our multi-regulation, collaborative, readiness, and personal information impact assessment system, you can gauge your organization's posture against Amended Quebec Privacy Act requirements, identify the gaps, and address the risks. Seamlessly expand assessment capabilities across your vendor ecosystem to maintain compliance.


Automate subject data request handling

Sections: 16, 27, 29, 30, 31, 32, 33

Data subjects have the right to be informed of the use of their personal information and access their data held by an organization. For this purpose, organizations must simplify the initiation of verified DSR requests. Automating the delivery and generation of secure data access reports will significantly reduce the risk of compliance violations and reduce the workforce required to comply with all the requests.

Secure fulfillment of data access requests

Sections: 27, 32, 33

Disclosure of information to the data subject within a limited time frame of receiving a verifiable data request is a must for any organization looking to comply. This will be free of charge and delivered through a secure, centralized portal.


Automate the processing of rectification requests

Sections: 27, 32, 37, 40.1

With the help of automated data subject verification workflows across all appearances of a data subject's personal information, you can seamlessly fulfill all data rectification requests.

Automate erasure/destroy/anonymize requests

Sections: 28, 35

Fulfill data subjects' erasure/destroy/anonymize requests swiftly through automated and flexible workflows.


Automate de-indexation and restriction of processing requests

Section: 28.1

Build a framework for handling de-indexation and restriction of processing requests based on business requirements, with the help of collaborative workflows.

Meet cookie compliance

Sections: 8(4), 8.3, 11, 12, 13, 14, 15, 18

Automatically scan the web properties within your organization, categorizing tags and cookies. Also, build customizable cookie banners, collect consent, and provide a preference center.


Monitor and track consent

Sections: 8(4), 8.3, 11, 12, 13, 14, 15, 18

Track consent revocation of data subjects to prevent the transfer or processing of PI without their consent. Seamlessly demonstrate consent compliance to regulators and data subjects.

Automate data breach response notifications

Sections: 3.5-3.8

Automate compliance actions and breach notifications to concerned stakeholders about security incidents by leveraging a knowledge database on security incident diagnosis and response.


Manage vendor risk

Section: 18.3

Keep track of privacy and security readiness for all your service providers and processors from a single interface. Collaborate instantly with vendors, automate data requests and deletions, and manage all vendor contracts and compliance documents.

Map data flows (cross border data transfers) and generate RoPA reports

Section: 17

Instantly trace, manage, and monitor data flows on a single interface. Get comprehensive visibility by generating reports of all data points, cross-border data transfers, vendor contracts, and compliance records.


Automate DPIAs and risk assessments

Sections: 3.3, 17

Automate the data protection impact assessment process by identifying the risks early on and mitigating them to ensure data security and compliance with the Amended Quebec Privacy Act.

Privacy policy and notice management

Sections: 3.2, 8, 8.2, 12.1

Dynamically update privacy policies and notices to comply with the Amended Quebec Privacy Act. Automate how you publish your privacy notices with the help of pre-built templates to make the process faster. Also, enable centralized management by tracking and monitoring privacy notices to maintain compliance.


Key Rights Under Amended Quebec Privacy Act

Here are some critical data subject rights that are guaranteed under the various statutes of the amended Quebec Privacy Act:

Right to be Informed: Data subjects shall have the right to be informed about the purpose of collecting their personal information, processing, retention period, cross-border data transfers, and the contact information of the person protecting the personal information of the data subject.

Right to Access: Data subjects shall have the right to request access from a business to the personal information collected, used, and disclosed.

Right to Rectification and Deletion: If a data subject believes the personal information to be equivocal, inaccurate, or incomplete, they may require the information to be rectified. The data controller must also provide a copy of the rectified information to the data subject and attest to the deletion of information (as the case may be).

Right to Deindexation and Re-indexation: The Amended Quebec Privacy Act provides individuals with the right to require cessation of dissemination or de-indexing if the dissemination contravenes the law or court order, where certain conditions are met. It also provides individuals with the right to require re-indexation in the same circumstances where a person may require cessation of dissemination or de-indexing of hyperlinks.

Right to Data Portability: Data subjects shall have the right to request that an organization transfer their personal information in a structured and commonly used technological format.

Facts related to Amended Quebec Privacy Act

1. Provisions associated with consent will likely take effect by September 2023. Under the Amended Quebec Privacy Act, consent should be taken at the time of collecting personal information. Moreover, organizations must inform data subjects about the purpose of collecting the information, the means of collection, and the associated data subjects' rights.

2. Express consent must be taken before using sensitive data.

3. Organizations must conduct a Privacy Impact Assessment (PIA) when upgrading and adding new technologies to their infrastructure or when transferring personal information outside Quebec.

4. By September 2023, organizations will be required to publish privacy notices and policies on their websites, detailing how they govern the collection, use, or disclosure of personal information and the process by which consumers can file complaints or exercise their rights.

5. The law doesn't define any exact breach notification period. Still, it does outline some other requirements, such as that an organization must keep a register or a log containing all the breaches.

6. By September 2022, organizations will be required to designate a Data Privacy Officer (DPO) and publish their name, title, and contact information on the company's website.

7. If an organization fails to comply with the Amended Quebec Privacy Act, CAI may fine the organization up to 25 million or 4% of its revenue.
