Cross-Border Transfers
Plain English Translation
Quebec Law 25 Section 17 mandates that organizations must conduct a privacy impact assessment (PIA) before transferring personal information outside of Québec. The assessment must confirm that the data will receive adequate protection in the destination jurisdiction. If approved, the organization must establish a written agreement that incorporates the PIA's findings and outlines specific measures to mitigate any identified risks.
Technical Implementation
Required Actions (startup)
- Map all data flows to identify where personal information is stored or processed outside Québec.
- Execute standard written agreements with cloud providers storing data externally.
Required Actions (scaleup)
- Implement a standardized Privacy Impact Assessment (PIA) template for all cross-border transfers.
- Review and update vendor contracts to include specific terms mitigating identified jurisdictional risks.
Required Actions (enterprise)
- Integrate automated data residency checks into the deployment pipeline.
- Conduct continuous audits of cross-border transfers and vendor compliance with established written agreements.
Quebec Law 25 cross-border data transfers require organizations to conduct a privacy impact assessment (PIA) to ensure the data receives adequate protection and to establish a formal written agreement before transferring personal information out of the province.
A Law 25 privacy impact assessment (PIA) is strictly required before communicating personal information to any third party, service provider, or corporate affiliate located outside of Québec.
To perform a Law 25 section 17 adequacy assessment for data transfers, organizations must evaluate the foreign state's legal framework against generally recognized privacy principles to ensure the data remains protected to a level equivalent to Québec standards.
The Law 25 section 17 written agreement must incorporate the findings of the PIA and specifically include the cross-border transfer risk mitigation terms that bind the foreign recipient to strict protection standards. Tools like WatchDog Security's Policy Management can help maintain controlled contract clause templates and track approvals so agreements stay consistent across vendors.
Yes, if a cloud provider stores or processes personal information outside the province, it constitutes a cross-border transfer, triggering the Quebec Law 25 requirements for communicating personal information outside Quebec and requiring a PIA.
The Law 25 PIA factors (sensitivity, purpose, protection measures, and contractual measures) must all be evaluated, alongside the legal framework of the destination state, to determine the overall risk of the transfer.
Yes, provided that the written agreement contains specific Quebec Law 25 cross-border transfer clauses for vendors and cloud providers designed to effectively mitigate the identified risks and ensure adequate protection.
The Person in Charge of the Protection of Personal Information (Privacy Officer) should oversee, review, and approve the assessment and ensure the Law 25 vendor contract requirements for processing personal information outside Quebec are met.
Organizations should review these agreements periodically, especially when there are changes in the foreign legal framework or in vendor processing activities, or as part of a routine audit against a Quebec Law 25 cross-border transfer compliance checklist.
Teams should maintain detailed records of the completed PIAs, the signed written agreements with vendors, and data flow maps that demonstrate how the transfer impact assessment for Law 25 section 17 was carried out. Tools like WatchDog Security's Compliance Center can centralize this evidence and link it to the control for faster audits and recurring reviews.
A repeatable process matters because cross-border transfers often happen through vendor onboarding and cloud design changes. Tools like WatchDog Security's Compliance Center can help teams track required PIAs, map the control to Law 25 §17, and centralize evidence (assessment outcomes, approvals, and supporting artifacts) so reviews are consistent and audit-ready.
Written agreements are only effective when they are consistently created, approved, and reviewed across all vendors that touch personal information. Tools like WatchDog Security's Vendor Risk Management can help maintain a vendor catalog, collect security assessments that inform the §17 adequacy evaluation, and track renewal dates and risk-tiering so contract updates and safeguards are not missed.
"Before communicating personal information outside Québec, a person carrying on an enterprise must conduct a privacy impact assessment. The person must, in particular, take into account (1) the sensitivity of the information; (2) the purposes for which it is to be used; (3) the protection measures, including those that are contractual, that would apply to it; and (4) the legal framework applicable in the State in which the information would be communicated, including the personal information protection principles applicable in that State. The information may be communicated if the assessment establishes that it would receive adequate protection, in particular in light of generally recognized principles regarding the protection of personal information. The communication of the information must be the subject of a written agreement that takes into account, in particular, the results of the assessment and, if applicable, the terms agreed on to mitigate the risks identified in the assessment. The same applies where the person carrying on an enterprise entrusts a person or body outside Québec with the task of collecting, using, communicating or keeping such information on his behalf. This section does not apply to a communication of information under subparagraph 7 of the first paragraph of section 18."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |