The Amended Quebec Privacy Act
Operationalize Quebec Privacy Act Compliance with the most comprehensive PrivacyOps platform.
Download the book today!
The Act Respecting the Protection of Personal Information in the Private Sector, CQLR P-39.1 (Quebec Private Privacy Act) regulates the collection, use, and disclosure of personal information by private organizations.
The Amended Quebec Privacy Act is part of the reforms introduced in Bill 64, An Act to modernize legislative provisions regarding the protection of personal information. The amendment was enacted on September 22, 2021, and is set to take effect, in full, by 2024. In the meantime, the amendment will roll out some parts of provisions set under the law, such as Privacy Impact Assessment, privacy by default, and extra-provincial data transfer by 2023.
The Amended Quebec Privacy Act applies to private sectors collecting, using, or disclosing the personal information of a consumer (data subject) within the province. The amendment authorizes Commission de l'accès à l'information ("Commission") to enforce the amendments. The Amended Quebec Privacy Act applies to personal information kept by an organization or received by them through a third-party agency.
The Solution
Securiti enables organizations to ensure seamless compliance with the Amended Quebec Privacy Act with its AI-driven data discovery, DSR automation, universal consent management, autonomous documented accountability, data breach management, and vendor risk assessment.
Securiti supports enterprises in their journey towards compliance with the Amended Quebec Privacy Act through automation, enhanced data visibility, and identity linking
See how our comprehensive PrivacyOps platform helps you comply with various sections of the Amended Quebec Privacy Act.
Customize a data subject rights request portal for seamless customer care
Create personalized web forms according to your brand style guide with the DSR request format and accept verified data subject rights requests. Automate the initiation of fulfillment workflows when verified requests are received.
Assess Amended Quebec Privacy Act readiness
Division: 1.1 ; Sections: 9.1, 10,11, 23
With the help of our multi-regulation, collaborative, readiness, and personal information impact assessment system, you can gauge your organization's posture against Amended Quebec Privacy Act requirements, identify the gaps, and address the risks. Seamlessly expand assessment capabilities across your vendor ecosystem to maintain compliance.
Automate subject data request handling
Sections: 16, 27, 29 , 30, 31, 32, 33
Data subjects have the right to be informed of the use of their personal information and access their data held by an organization. For this purpose, organizations must simplify the initiation of verified DSR requests. Automating the delivery and generation of secure data access reports will significantly reduce the risk of compliance violations and reduce the workforce required to comply with all the requests.
Secure fulfillment of data access requests
Sections: 27, 32, 33
Disclosure of information to the data subject within a limited time frame of receiving a verifiable data request is a must for any organization looking to comply. This will be free of charge and delivered through a secure, centralized portal.
Automate the processing of rectification requests
Sections: 27, 32, 37, 40.1
With the help of automated data subject verification workflows across all appearances of a data subject's personal information, you can seamlessly fulfill all data rectification requests.
Automate erasure/destroy/anonymize requests
Sections: 28, 35
Fulfill data subjects' erasure/destroy/anonymize requests swiftly through automated and flexible workflows.
Automate de-indexation, and restriction of processing requests
Section: 28.1
Build a framework for de-indexation, and restriction of processing handling based on business requirements, with the help of collaborative workflows.
Meet cookie compliance
Sections: 8(4), 8.3, 11, 12, 13, 14, 15, 18
Automatically scan the web properties within your organization, categorizing tags and cookies. Also, build customizable cookie banners, collect consent, and provide a preference center.
Monitor and track consent
Sections: 8(4), 8.3, 11, 12, 13, 14, 15, 18
Track consent revocation of data subjects to prevent the transfer or processing of PI without their consent. Seamlessly demonstrate consent compliance to regulators and data subjects.
Automate data breach response notifications
Sections: 3.5-3.8
Automates compliance actions and breach notifications to concerned stakeholders about security incidents by leveraging a knowledge database on security incident diagnosis and response.
Manage vendor risk
Section: 18.3
Keep track of privacy and security readiness for all your service providers and processors from a single interface. Collaborate instantly with vendors, automate data requests and deletions, and manage all vendor contracts and compliance documents.
Map data flows (cross border data transfers) and generate RoPA reports
Section: 17
Instantly trace, manage, and monitor data flows on a single interface. Get comprehensive visibility by generating reports of all data points, cross-border data transfers, vendor contracts, and compliance records.
Automate DPIAs and risk assessments
Sections: 3.3,17
Automate the data protection impact assessment process by identifying the risks early on and mitigating them to ensure data security and compliance with the Amended Quebec Privacy Act.
Privacy policy and notice management
Sections: 3.2, 8, 8.2,12.1
Dynamically update privacy policies and notices to comply with the Amended Quebec Privacy Act. Automate how you publish your privacy notices with the help of pre-built templates to make the process faster. Also, enable centralized management by tracking and monitoring privacy notices to maintain compliance.
Key Rights Under Amended Quebec Privacy Act
Here are some critical data subject rights that are guaranteed under the various statutes of the amended Quebec Privacy Act:
Right to be Informed : Data subjects shall have the right to be informed about the purpose of collecting their personal information, processing, retention period, cross-border data transfers, and the contact information of the person protecting the personal information of the data subject.
Right to Access : Data subjects shall have the right to request a business to access the personal information collected, used, and disclosed.
Right to Rectification and Deletion : If a data subject believes the personal information to be equivocal, inaccurate, or incomplete, they may require the information to be rectified. The data controller must also provide a copy of the rectified information to the data subject and attest to the deletion of information (as the case may be).
Right to Deindexation and Re-indexation : The Amended Quebec Privacy Act provides individuals with the right to require cessation of dissemination or de-indexing if the dissemination contravenes the law or court order, where certain conditions are met. It also provides individuals with the right to require re-indexation in the same circumstances where a person may require cessation of dissemination or de-indexing of hyperlinks.
Right to Data Portability : Data subjects shall request an organization transfer their personal information in a structured and commonly-used technological format.
Facts related to Amended Quebec Privacy Act
Provisions associated with consent will likely take effect by September 2023. Under the Amended Quebec Privacy Act, consent should be taken at the time of collecting personal information. Moreover, organizations must inform data subjects about the purpose of collecting the information, means of collection, and the associate data subjects' rights.
Express consent must be taken before using sensitive data.
Organizations must conduct Privacy Impact Assessment (PIA) when upgrading and adding new technologies to their infrastructure or when transferring personal information outside Quebec.
By September 2023, organizations will be required to publish privacy notices and policies on their websites, detailing how they govern the collection, use, or disclosure of personal information and the process detailing how consumers can file complaints or exercise their rights.
The law doesn't define any exact breach notification period. Still, it does outline some other requirements, such as an organization must keep a register or a log containing all the breaches.
By September 2022, organizations will be required to designate a Data Privacy Officer (DPO) and publish their name, title, and contact information on the company's website.
If an organization fails to comply with the Amended Quebec Privacy Act, CAI may fine the organization up to 25 million or 4% of its revenue.
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.
Copyright © 2023 Securiti · Sitemap · XML Sitemap
Newsletter
Resources
Get in touch
[email protected]
3031 Tisch Way Suite 110 Plaza West, San Jose,
CA 95128
