Information - Law 25

Dear customers,

It is worth remembering that September 22, 2024 is fast approaching.

September 22, 2024 is the date of implementation of the last phase of Law 25 (Quebec), the Act to modernize legislative provisions relating to the protection of personal information.

We have been informed that many of you have recently been approached by companies of all kinds offering their services regarding this law, some of them raising fears of a fine of up to $25 million!

While it is true that a company can indeed be fined for non-compliance with this law, it is important to understand the circumstances that can lead to such fines.

We strongly advise you to consult the website of the Commission d'Accès à l'Information at the link given at the end of this notice. From this site, you will see what Law 25 really consists of and what your rights and responsibilities are.

Please note that in reality, this law has been in effect since September 2022 and has been implemented in different phases.

In summary, here is what the phases consist of:

Phase 1 - September 22, 2022

- You must appoint a privacy officer. By default, the president/manager of the company is responsible. He or she can appoint another member of his or her team as the person in charge.

- In addition, it is important to report any privacy incident to the Commission d'Accès à l'Information (CAI), as well as to individuals who may have been impacted by such an incident.

Phase 2 - September 22, 2023

- If you have a website, you must publish a privacy policy so that your visitors can check the data that is collected, its uses, etc. Also, you should implement a cookie manager so your visitors can opt in to or opt out of any unnecessary cookie usage.

- You must implement the Privacy Impact Assessment (PIA). Once again, we strongly advise you to visit the Commission d'Accès à l'Information website for more information on this subject.

- You must also obtain the consent of your customers for the collection of data such as name, phone number, etc.

(Please note that you can obtain consent via signature on copies of your customers' estimates and invoices in our AB Magique software; this section has been visible and accessible for a very long time already.)

- You must also allow the destruction (or anonymization if destruction is impossible) of your customers' sensitive data when said data is no longer needed. By destroying or anonymizing it, you avoid the leakage of sensitive data that could cause harm to your customers.

Phase 3 - September 22, 2024

- You must set up data portability.

The right to portability allows a citizen to request all the personal information that he/she has transmitted to an organization.

We have enabled the portability of this information using a button added to your customers' file. This button has been accessible since update 2024.004 and later of your AB Magique software.

There are several aspects to check to comply with this law. Although we cannot provide you with legal advice on this law, here are some basic computer tips:

- Avoid giving your customers access to your local computer network. If you must allow access to your computers, make sure to give it to your employees and/or trusted professionals only, and do not leave this access unsupervised.

If you offer the Internet to your customers on site, make sure to give them access to a "Guest" network that cannot communicate with the local network of your workstations or servers.

- Protect your computers and user accounts with a password, as well as any folders or files shared on your local network.

- Use an antivirus and a firewall on all computers in your company. Certain exceptions may be put in place for the proper functioning of your computers and software. However, limit these exceptions to the strict minimum.

- Train your employees on the importance of keeping your customers' personal information or sensitive information secure in any form. It may seem trivial, but a simple email from one of your customers can contain sensitive personal information. Forwarding this email or giving access to emails to an unauthorized individual can be a risk to the security of this information!

- Properly inform your customers about the data you collect (using a privacy policy that you could display on your premises, for example). If this data could be shared with third-party providers, notify your customers.

Concerning our software, if your customer refuses to share his or her personal information, you must uncheck the box to this effect in their customer file so that the software does not share sensitive data with these providers. Note that your customers can give or withdraw their consent to the sharing of their personal information at any time.

Ultimately, your compliance with Law 25 does not only concern your shop management software; it concerns all aspects of your business that directly or indirectly use personal and/or sensitive information.

We strongly advise you once again to consult the Commission d'Accès à l'Information website for any information on this subject, or even to seek advice from your legal advisor regarding this law and your obligations.

Commission d'Accès à l'Information website: https://www.cai.gouv.qc.ca/protection-renseignements-personnels/information-entreprises-privees