Direct Collection from Data Subject
Plain English Translation
Under Quebec Law 25's personal information collection requirements, organizations must collect personal information directly from the individual it concerns. Under Loi 25, consent is required to collect personal information from third parties unless a specific legal exception applies, such as when indirect collection is necessary to ensure data accuracy, or when the individual cannot be reached in due time and the collection is in their interest.
Technical Implementation
Required Actions (startup)
- Update privacy policies to state that data is collected directly from the individual.
- Implement explicit consent checkboxes if utilizing lead generation partners or third-party data enrichment tools.
Required Actions (scaleup)
Required Actions (enterprise)
- Implement automated privacy-by-design checks in data ingestion pipelines to flag data lacking direct collection provenance.
- Establish an authorized disclosure log and API gateways that validate third-party consent dynamically before ingesting external records.
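An ingestion-time provenance check of the kind the enterprise actions describe, written as an added example for this page; it is not WatchDog Security's code, and the provenance field names, record ids and consent record id are assumptions. It accepts a record only when its metadata documents one of the section 6 grounds (direct collection, consent, statutory authorization, or a serious and legitimate reason paired with condition (1) or (2)) and holds everything else for review:

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Provenance:
    """Collection metadata attached to each inbound record (field names are assumptions)."""
    source: str                                  # "direct" or "third_party"
    consent_record_id: Optional[str] = None      # entry in the consent management record
    legal_authority: Optional[str] = None        # citation of the law authorizing collection
    serious_legitimate_reason: Optional[str] = None
    in_persons_interest: bool = False            # s. 6(1): collected in the person's interest
    unreachable_in_due_time: bool = False        # s. 6(1): cannot be collected from them in due time
    needed_for_accuracy: bool = False            # s. 6(2): necessary to ensure accuracy

def section6_ground(p: Provenance) -> Optional[str]:
    """Return the section 6 ground that permits ingestion, or None if none is documented."""
    if p.source == "direct":
        return "collected directly from the person concerned"
    if p.source != "third_party":
        return None                              # unknown provenance is never accepted
    if p.consent_record_id:
        return f"consent to third-party collection (consent record {p.consent_record_id})"
    if p.legal_authority:
        return f"collection authorized by law ({p.legal_authority})"
    if p.serious_legitimate_reason:
        if p.in_persons_interest and p.unreachable_in_due_time:
            return "serious and legitimate reason, s. 6(1): in the person's interest, unreachable in due time"
        if p.needed_for_accuracy:
            return "serious and legitimate reason, s. 6(2): necessary to ensure accuracy"
    return None                                  # a reason alone, without (1) or (2), is not enough

def triage(records):
    """Split a batch into records to ingest and records to hold for review, each with its reason."""
    accepted, flagged = {}, {}
    for rec in records:
        ground = section6_ground(rec["provenance"])
        (accepted if ground else flagged)[rec["id"]] = ground or "no documented section 6 ground"
    return accepted, flagged

# Constructed sample batch; the ids and consent record id are made up for this example.
SAMPLE_BATCH = [
    {"id": "r1", "provenance": Provenance(source="direct")},
    {"id": "r2", "provenance": Provenance(source="third_party", consent_record_id="CM-0042")},
    {"id": "r3", "provenance": Provenance(source="third_party",
                                          serious_legitimate_reason="address verification",
                                          needed_for_accuracy=True)},
    {"id": "r4", "provenance": Provenance(source="third_party",
                                          serious_legitimate_reason="marketing enrichment")},
    {"id": "r5", "provenance": Provenance(source="third_party")},   # purchased list, no consent
]
```

Running `triage(SAMPLE_BATCH)` ingests r1 to r3 and flags r4 (a reason with neither condition) and r5 (no ground at all), which is the failure mode the enterprise action is meant to catch.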
Quebec Law 25 section 6 direct collection from the person concerned requires that organizations gather personal data strictly from the individual it relates to. This principle ensures transparency and gives individuals control over their personal information.
An organization can collect personal information from a third party if the individual gives explicit consent for this indirect collection. It is also permitted if authorized by law, or if there is a serious and legitimate reason such as ensuring data accuracy.
While consent is the general rule, there are exceptions. Organizations do not need consent if another law authorizes the collection, if it is in the individual's interest and they cannot be reached in due time, or to ensure data accuracy.
To obtain valid consent to collect personal information from third parties in Quebec, the consent must be clear, free, informed, and given for specific purposes. It must explicitly authorize the organization to source the data externally.
Yes, the exceptions to the direct collection requirement under Quebec private sector privacy law include situations where third-party collection is legally mandated, necessary to verify accuracy, or done for a serious and legitimate reason in the individual's interest when they cannot be reached in due time.
Organizations must maintain a consent management record that logs when, how, and for what purpose consent was obtained. Tracking this is crucial to prove lawful collection and consent under Loi 25 during an audit.
Yes, the Loi 25 requirement for consent to collect personal information from third parties applies across the board. Purchasing lead lists from partners or sourcing background checks for employees requires valid consent or a qualifying legal exception.
To fully address how to document lawful basis in RoPA and privacy notice, organizations must maintain an up-to-date Record of Processing Activities (RoPA) that maps every specific data process to its exact lawful basis, alongside documented LIAs where applicable. Tools like WatchDog Security's Compliance Center can help maintain this mapping as structured evidence and highlight gaps during periodic reviews.
CISOs should enforce data inventory maps, maintain a consent audit trail, and implement vendor security reviews for data brokers. These are the core controls for third-party sourcing of personal information in Quebec that ensure compliance.
Common risks include buying marketing lists without verifying consent, failing to update public privacy policies regarding indirect collection, and lacking a mechanism to document the legal basis for third-party sourcing.
Article 6 compliance often fails when lawful basis decisions live in emails or spreadsheets and drift from actual processing. Tools like WatchDog Security's Compliance Center can centralize lawful-basis mappings as control evidence, flag missing documentation (e.g., no LIA when using legitimate interests), and support ongoing reviews through structured workflows.
LIAs require consistent documentation of purpose, necessity, and balancing tests, plus a clear approval trail for audit readiness. Tools like WatchDog Security's Risk Register can track each LIA as a risk decision with owners, review dates, and linked mitigations, while WatchDog Security's Policy Management can manage the underlying templates and capture approvals and attestations.
"Any person collecting personal information relating to another person may collect such information only from the person concerned, unless the latter consents to collection from third persons. However, he may, without the consent of the person concerned, collect such information from a third person if the law so authorizes. He may also do so if he has a serious and legitimate reason and either of the following conditions is fulfilled: (1) the information is collected in the interest of the person concerned and cannot be collected from him in due time; (2) collection from a third person is necessary to ensure the accuracy of the information."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |