Quebec's privacy law is stricter than PIPEDA. Vimy covers both.

Law 25 modernized Quebec's privacy framework with mandatory breach reporting, privacy impact assessments, data governance requirements, and transparency obligations. Vimy maps all key obligations and auto-collects evidence from your security operations.

All obligations mapped · Breach notification tracking · 100% Canadian infrastructure

[Image: Vimy Law 25 compliance dashboard]
Why It Matters

If you operate in Quebec, Law 25 applies to you.

Quebec's Act Respecting the Protection of Personal Information in the Private Sector — commonly called Law 25 — was fully enacted on September 22, 2024. It applies to any organization that collects, holds, uses, or discloses personal information of Quebec residents, regardless of where the organization is headquartered.

Law 25 goes further than PIPEDA in several critical areas: mandatory privacy impact assessments, data inventory requirements, a designated privacy officer, and administrative monetary penalties up to $25 million or 4% of worldwide turnover — whichever is greater.

This isn't a future concern. It's fully in force today.

Law 25 rollout

September 2022 — Phase 1: Incident reporting & privacy officer
Designate a privacy officer. Report confidentiality incidents to the CAI (Commission d'accès à l'information).

September 2023 — Phase 2: PIAs, consent & de-identification
Privacy impact assessments. Privacy policies. Consent requirements. De-identification obligations.

September 2024 — Phase 3: Portability, automated decisions & full enforcement
Data portability. Automated decision-making transparency. Full enforcement now active.
Key Obligations

What Law 25 requires — and how Vimy helps.

Eight of Law 25's core obligations — and how Vimy evidences compliance with each one from live security operations.

Confidentiality Incident Reporting
Report breaches involving personal information to the CAI and notify affected individuals when there's a risk of serious injury.
How Vimy helps: Every security incident creates a TRO with full timeline, affected data scope, and containment actions — ready for CAI reporting.

Privacy Impact Assessments (PIAs)
Conduct PIAs before any new project involving personal information, any acquisition of information systems, or any major change to data handling practices.
How Vimy helps: Compliance dashboard tracks PIA requirements. Policy management templates cover PIA documentation with version control.

Privacy Officer Designation
Designate a person responsible for the protection of personal information and publish their title and contact information.
How Vimy helps: People management tracks the designated privacy officer, their responsibilities, and contact details published to the Trust Center.

Data Inventory
Maintain an inventory of personal information held, including categories, purposes, retention periods, and access controls.
How Vimy helps: Vimy's compliance section tracks data categories, retention policies, and access controls across your connected infrastructure.

Consent & Transparency
Obtain clear, informed consent for collection. Provide privacy policies in plain language. Inform individuals of automated decision-making.
How Vimy helps: Policy management templates cover consent documentation and privacy policies. Trust Center publishes your data handling practices publicly.

De-identification & Anonymization
When personal information is no longer needed for its stated purpose, it must be destroyed or de-identified.
How Vimy helps: Data retention policies enforce automatic deletion after the retention period expires. Deletion is verifiable and produces an auditable record.

Data Portability
Individuals can request their personal information in a structured, commonly used technological format.
How Vimy helps: Data export functionality in Settings provides tenant data in portable formats on request, with a logged audit trail of each export.

Breach Records
Maintain a register of all confidentiality incidents — not just those that meet the reporting threshold.
How Vimy helps: Every TRO serves as a breach record — maintained automatically, searchable, and available for CAI inspection at any time.
Comparison

Where Law 25 goes further than PIPEDA.

PIPEDA compliance is a foundation — not a ceiling. For organizations operating in Quebec, Law 25 adds requirements that PIPEDA simply doesn't cover.

Requirement                     | PIPEDA                                  | Law 25
Breach reporting                | To OPC — risk of significant harm       | To CAI — risk of serious injury, with diligence
Privacy impact assessments      | Not mandated                            | Mandatory for new projects & system changes
Privacy officer                 | Recommended, not required               | Mandatory, with public contact information
Data inventory                  | Not explicitly required                 | Mandatory — categories, purposes, retention
Penalties                       | Up to $100K per violation               | Up to $25M or 4% worldwide turnover
Data portability                | Not required                            | Required — structured, portable format
Automated decision transparency | Not required                            | Required — individuals must be informed
Consent requirements            | Implied consent accepted in some cases  | Explicit, clear, informed consent required

Vimy maps both PIPEDA and Law 25 simultaneously. Organizations operating across Canada and Quebec evidence both from the same security data — no duplicate work.

Enforcement

Law 25 has real teeth.

$25M: Maximum administrative monetary penalty — or 4% of worldwide turnover, whichever is greater
$10M: Maximum penal fine for individuals who obstruct or mislead the CAI during an investigation
Full force: All three phases enacted as of September 2024 — enforcement is active today

The CAI can investigate complaints, conduct audits, and impose penalties without prior warning. Having evidence of reasonable safeguards isn't optional — it's your primary defense.

Multi-Framework

Law 25 + PIPEDA + SOC 2. One platform.

Quebec businesses often face a triple compliance challenge: Law 25 provincially, PIPEDA federally, and SOC 2 or ISO 27001 from enterprise customers. Three frameworks, significant overlap, and traditionally three separate compliance efforts.

Vimy maps all of them from the same security data. A single incident response action satisfies Law 25 breach reporting, PIPEDA breach records, and SOC 2 incident response controls — simultaneously.

PIPEDA

Federal privacy law — 10 fair information principles. PIPEDA evidence is included in all plans, including Sentinel. Law 25 and PIPEDA overlap significantly.

See PIPEDA coverage →

SOC 2 Type II

Privacy is a Trust Services Criterion. Law 25 evidence feeds directly into SOC 2 privacy controls — one security action, two frameworks evidenced.

See SOC 2 coverage →

ISO 27001

Annex A covers data protection and information security. Law 25 safeguards map directly to ISMS requirements — compliance from one evidence stream.

See ISO 27001 coverage →

Law 25 compliance features are available on Bastion and Citadel plans.

PIPEDA evidence — which covers overlapping requirements — is included in all plans, including Sentinel.

See Plans →
Law 25 FAQ

Common questions about Law 25 with Vimy.

If your organization collects, holds, uses, or discloses personal information of Quebec residents — regardless of where you're headquartered — Law 25 applies. This includes businesses outside Quebec that have customers, employees, or operations in the province.

Yes. Law 25 has requirements that go beyond PIPEDA — mandatory privacy impact assessments, a data inventory obligation, stricter consent rules, data portability, and significantly higher penalties. PIPEDA compliance is a foundation, but it's not sufficient for Law 25.

The Commission d'accès à l'information du Québec is Quebec's privacy regulator — distinct from the federal Office of the Privacy Commissioner (OPC). They receive breach notifications, investigate complaints, conduct audits, and impose administrative monetary penalties under Law 25. PIPEDA matters go to the OPC; Law 25 matters go to the CAI.

Law 25 requires notification to the CAI "with diligence" when a confidentiality incident presents a risk of serious injury. Unlike PIPEDA's "as soon as feasible," Quebec expects prompt action. Vimy's TRO timeline provides the documentation to demonstrate you identified the incident quickly and acted immediately.

Administrative monetary penalties up to $25 million or 4% of worldwide turnover (whichever is greater). Penal fines up to $10 million for individuals who obstruct or mislead the CAI. These are among the highest privacy penalties in Canada — comparable to GDPR in structure.

No. Law 25 compliance features require Bastion or Citadel. Sentinel includes PIPEDA evidence, which covers some overlapping requirements — but the full Law 25 obligation set (PIAs, data inventory, portability, automated decision tracking) requires Bastion. View plan comparison →

Get ahead of Law 25 enforcement.

30-minute demo. We'll show you where your Law 25 obligations are covered and where the gaps are.

All obligations mapped · CAI breach reporting ready · 100% Canadian infrastructure