
Quebec privacy impact assessment (Law 25)

A privacy impact assessment template for Quebec employers handling personal information under Law 25 (formerly Bill 64). Covers purpose, sensitivity, retention, transfers, and risk mitigations.

Live document · Reviewed for Quebec

Privacy Impact Assessment — Quebec Law 25

Assessment date:

1. Privacy officer


2. Project

Project:

3. Categories of personal information

4. Purposes of processing

5. Legal basis

6. Data flow

Page 1 of 3

7. Retention

8. Transfers outside Quebec

Under section 17 of the Act respecting the protection of personal information in the private sector, an assessment of privacy-related factors is required before communicating personal information outside Quebec. The communication may proceed only if the assessment shows that the information would receive adequate protection.

9. Risks identified

10. Mitigations & safeguards

11. Consultations

12. Law 25 compliance checks

Checklist (0 / 10 complete)

Page 2 of 3

Privacy officer
Name
Date

Made with WalnutsHR Paper · Reviewed for Quebec · April 2026

Page 3 of 3


About this template

Quebec's Law 25 (the Act to modernize legislative provisions as regards the protection of personal information, formerly Bill 64) gave Quebec the strongest private-sector privacy regime in Canada. Privacy impact assessments are now mandatory before launching any project that processes personal information of Quebec residents, and especially before communicating that information outside Quebec.

When to use it

  • You're launching a new HR system, payroll system, or third-party tool that handles employee personal information.
  • You're transferring personal information outside Quebec — to a US-based SaaS, a cloud region, or a service provider.
  • You're updating an existing process and the change materially affects how personal information is collected, used, or stored.

What to include

  • Identification of the privacy officer and contact info.
  • Project description and the specific personal information involved.
  • Stated purposes for collection and processing.
  • Legal basis (consent, contract, statutory obligation).
  • Data flow — who collects, stores, transmits, and accesses.
  • Retention schedule with destruction or anonymization at end of life.
  • Transfers outside Quebec, with the section 17 assessment.
  • Risk identification and mitigations (technical and organizational).
  • Consultations with internal counsel, the privacy officer, and (where applicable) the CAI.

Frequently asked questions

Do I need a PIA for every system that touches employee data?

The statutory trigger is "acquisition, development, or overhaul of any information system project or electronic service delivery project" involving personal information. In practice, anything more than incidental — payroll, HRIS, performance, employee monitoring tools — should have a PIA. Trivial uses (e.g., a basic contact list maintained internally) probably don't trigger formal PIA requirements but documenting the analysis briefly is best practice.

What about transfers to the US (e.g. payroll provider in the US)?

Section 17 requires a privacy-related impact assessment before the transfer. The assessment must conclude that the destination jurisdiction provides adequate protection for the information. Standard Contractual Clauses or equivalent contractual safeguards are usually necessary; some Quebec lawyers recommend keeping data in Canada where feasible.

Do we have to notify the CAI of a breach?

Yes — for any "confidentiality incident" presenting a risk of serious injury (a defined term under Law 25). The notification must go to the CAI and the affected persons, with documented timing. A confidentiality incident register is required regardless of whether a single incident triggers notification.

Legal disclaimer. Law 25 carries fines up to $25M or 4% of worldwide turnover for serious violations — the highest in Canada. The Commission d'accès à l'information (CAI) issues binding rulings and has audit powers. PIAs and the broader Law 25 program should be reviewed by Quebec privacy counsel; this template is a starting structure, not a substitute for that review.
