
Law 25 for service SMBs: the practical guide

Privacy officer, incident register, consent, access requests: what Law 25 actually requires from a 5-to-50-employee business.

June 5, 2026 · 6 min read


Law 25 doesn't only target banks and web giants. A plumbing company keeping the names, addresses, phone numbers and service histories of 800 clients is processing personal information — and the obligations apply.

Here's the essential version, without jargon.

The 5 obligations that concern you

  1. Designate a privacy officer. By default, it's the most senior executive. Their name and email must be published (your website is enough).
  2. Keep an incident register. Any confidentiality incident — an email sent to the wrong client, a stolen laptop — must be logged. If the incident presents a "risk of serious injury," you must notify the Commission d'accès à l'information (CAI) and the affected individuals.
  3. Obtain clear consent. GPS tracking of your technicians, marketing newsletters and recordings all call for specific, free and informed consent that you can prove.
  4. Answer access and deletion requests. A client can request their data or its destruction. You have 30 days to respond.
  5. Know where your data is. If personal information leaves Quebec (a US server, for example), you must conduct a privacy impact assessment (PIA).

What this changes when choosing your tools

Every piece of software you use is a "processor" under Law 25. Three questions to ask each one: where is the data, do you have a data processing agreement (DPA), and can you export and delete on request?

MainteQC hosts primary data in Canada, provides a DPA, logs consents, and has full export and right-to-erasure built in. Our subprocessor list is public — exactly the transparency Law 25 expects from you toward your own clients.

This post is a plain-language summary, not legal advice: for your specific situation, consult an advisor.
