Consolidated Statutes and Regulations
Consolidated Statutes
Consolidated Regulations
Annual Statutes and Regulations
Annual Statutes
Annual Regulations
Additional information
Québec Official Publisher
What’s new?
Information note
Policy of the Minister of Justice
Laws: Amendments
Laws: Provisions not in force
Laws: Provisions brought into force
Annual Statutes: PDF versions since 1996
Regulations: Amendments
Annual Regulations: PDF versions since 1996
Court Decisions
P-39.1 - Act respecting the protection of personal information in the private sector
Section 3.2
Disposition versions
3.2. Any person carrying on an enterprise must establish and implement governance policies and practices regarding personal information that ensure the protection of such information. Such policies and practices must, in particular, provide a framework for the keeping and destruction of the information, define the roles and responsibilities of the members of its personnel throughout the life cycle of the information and provide a process for dealing with complaints regarding the protection of the information. The policies and practices must also be proportionate to the nature and scope of the enterprise’s activities and be approved by the person in charge of the protection of personal information.
Detailed information about those policies and practices, in particular as concerns the content required under the first paragraph, must be published in simple and clear language on the enterprise’s website or, if the enterprise does not have a website, made available by any other appropriate means.
In force: 2023-09-22
3.2. Any person carrying on an enterprise must establish and implement governance policies and practices regarding personal information that ensure the protection of such information. Such policies and practices must, in particular, provide a framework for the keeping and destruction of the information, define the roles and responsibilities of the members of its personnel throughout the life cycle of the information and provide a process for dealing with complaints regarding the protection of the information. The policies and practices must also be proportionate to the nature and scope of the enterprise’s activities and be approved by the person in charge of the protection of personal information.
Detailed information about those policies and practices, in particular as concerns the content required under the first paragraph, must be published in simple and clear language on the enterprise’s website or, if the enterprise does not have a website, made available by any other appropriate means.
