Disclosure for Service Providers
Plain English Translation
Under Quebec Law 25 section 18.3, organizations can share personal information with a service provider without the individual's consent, provided the disclosure is strictly necessary to deliver the service. However, this arrangement must be governed by a written contract. The outsourcing agreement must explicitly state that the vendor will protect the data's confidentiality, use it exclusively for the contracted services, and destroy or return the information once the contract ends.
Technical Implementation
Required Actions (startup)
- Identify all service providers currently handling personal data.
- Sign standard DPAs or vendor agreements that cover the baseline Law 25 requirements for confidentiality, usage limits, and destruction.
Required Actions (scaleup)
- Maintain a centralized vendor inventory mapping data flows to third parties.
- Standardize security and confidentiality clauses across all new procurement and outsourcing agreements.
- Establish a process to verify vendor data destruction when contracts terminate.
Required Actions (enterprise)
- Implement automated vendor security reviews and risk assessments.
- Enforce active verification and audit rights for critical service providers handling sensitive information.
- Integrate vendor compliance tracking into broader lifecycle management systems.
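The vendor inventory, clause standardization, destruction verification and review-cadence actions above all come down to checking each vendor record against the same handful of section 18.3 conditions. The script below is an added example of such a check and is not part of the original page or of any WatchDog Security product; the record fields (`written_contract`, `clauses`, `subcontractors`, `destruction_evidence`, `last_security_review`) and the sample vendors are constructed assumptions, and the one-year review cadence is an assumed policy value rather than anything the statute sets.

```python
"""Vendor inventory gap check against Law 25 section 18.3 obligations.

Added example, not the page's or WatchDog Security's code. The record
layout and the sample vendors below are constructed assumptions.
"""
from datetime import date

# Clauses that section 18.3 requires the written mandate/contract to specify:
# confidentiality measures, use limited to the mandate, no retention after expiry.
REQUIRED_CLAUSES = ("confidentiality", "purpose_limitation", "destruction_or_return")
REVIEW_MAX_AGE_DAYS = 365       # assumed review cadence for vendors holding sensitive data
TODAY = date(2026, 2, 23)       # fixed reference date so the sample run is deterministic


def check_vendor(vendor: dict, today: date) -> list[str]:
    """Return the list of section 18.3 gaps for one vendor record (empty list = no gaps)."""
    gaps = []
    # (1) The mandate must be in writing, (2) with the three required clauses.
    if not vendor.get("written_contract"):
        gaps.append("no written mandate/contract on file")
    else:
        missing = [c for c in REQUIRED_CLAUSES if c not in vendor.get("clauses", ())]
        if missing:
            gaps.append("contract missing clauses: " + ", ".join(missing))
    # Onward transfers: each subcontractor must be bound by the same obligations.
    for sub in vendor.get("subcontractors", ()):
        if not sub.get("bound_by_same_terms"):
            gaps.append(f"subcontractor {sub['name']} not bound by the same terms")
    # Offboarding: an ended mandate with no destruction/return evidence is a gap.
    if vendor.get("status") == "terminated" and not vendor.get("destruction_evidence"):
        gaps.append("contract ended but no destruction/return confirmation recorded")
    # Review cadence (assumed policy) for active vendors receiving sensitive categories.
    if vendor.get("sensitive") and vendor.get("status") == "active":
        last = vendor.get("last_security_review")
        if last is None or (today - last).days > REVIEW_MAX_AGE_DAYS:
            gaps.append("security review missing or older than review cadence")
    return gaps


def audit_inventory(inventory: list[dict], today: date) -> dict[str, list[str]]:
    """Map every vendor name in the inventory to its list of gaps."""
    return {v["name"]: check_vendor(v, today) for v in inventory}


# Constructed sample inventory: one compliant vendor and three with distinct gaps.
SAMPLE_INVENTORY = [
    {"name": "PayrollCo", "written_contract": True, "clauses": REQUIRED_CLAUSES,
     "status": "active", "sensitive": True, "last_security_review": date(2025, 9, 1),
     "subcontractors": [{"name": "CloudHost", "bound_by_same_terms": True}]},
    {"name": "MailBlast", "written_contract": True, "clauses": ("confidentiality",),
     "status": "active", "sensitive": False},
    {"name": "OldCRM", "written_contract": True, "clauses": REQUIRED_CLAUSES,
     "status": "terminated", "destruction_evidence": None},
    {"name": "AnalyticsInc", "written_contract": False, "status": "active",
     "sensitive": True, "last_security_review": None,
     "subcontractors": [{"name": "SubX", "bound_by_same_terms": False}]},
]

if __name__ == "__main__":
    for name, gaps in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(f"{name}: {'OK' if not gaps else '; '.join(gaps)}")
```

Run as-is it reports PayrollCo as clean and lists one or more gaps for each of the other three constructed vendors. In practice the inventory would be loaded from whatever system of record holds the vendor catalog, and the destruction-evidence field would point at the retained confirmation rather than a boolean.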
Section 18.3 requires organizations to establish a written contract when outsourcing the processing of personal information. This agreement must specifically mandate confidentiality, limit data usage strictly to the service provided, and require the destruction or return of the data upon contract termination.
Yes, a formal written contract is explicitly required by Law 25 section 18.3 in order to legally share personal information with a service provider or mandatary without obtaining the individual's direct consent.
The outsourcing agreement must include specific measures the vendor will take to protect the confidentiality of the personal information, a strict limitation that the data is only used for carrying out the mandate, and an obligation to not keep the information after the contract expires.
Law 25 dictates that vendors and service providers can only use the personal information they receive for the exact purpose of performing the contract or mandate. They are legally prohibited from utilizing the data for secondary purposes, such as their own marketing or training models, without authorization.
Yes, the mandatory written agreement must enforce that the service provider does not keep the personal information after the expiry of the mandate or contract, ensuring data is either destroyed or returned to the controlling organization.
Organizations must ensure their vendor contracts restrict onward transfers to subcontractors unless those subcontractors are bound by the same strict confidentiality, purpose limitations, and destruction requirements mandated by section 18.3.
The contract must specify the measures the vendor must take to protect confidentiality. These measures should align with the sensitivity of the data, the context of its use, and generally accepted industry security standards like encryption and access controls.
Yes, an organization can disclose personal information to a service provider without the individual's consent if the disclosure is necessary for carrying out a mandate or contract, provided the mandatory written agreement outlining safeguards is fully executed.
Both PIPEDA and Law 25 require organizations to remain accountable for outsourced data and ensure comparable levels of protection. However, Law 25 section 18.3 is highly prescriptive, explicitly legislating the requirement for a written contract containing specific confidentiality, usage, and destruction clauses.
Organizations should maintain an updated vendor inventory, fully executed data processing agreements or service contracts with the required clauses, and records of vendor security reviews to prove due diligence.
Law 25 §18.3 is easiest to sustain when contracts, vendor records, and review evidence are centralized and consistently applied across procurement. Tools like WatchDog Security's Vendor Risk Management can maintain a vendor catalog, track what personal information is shared, and standardize assessment workflows so contract safeguards and risk tiering stay aligned.
Post-contract destruction obligations often fail due to missing offboarding steps, unclear ownership, and incomplete evidence collection. Tools like WatchDog Security's Compliance Center can help track control tasks and evidence requests, while WatchDog Security's Secure File Sharing can support controlled exchange of destruction confirmations with audit logs.
"A person carrying on an enterprise may, without the consent of the person concerned, communicate personal information to any person or body if the information is necessary for carrying out a mandate or performing a contract of enterprise or for services entrusted to that person or body by the person carrying on an enterprise. In such a case, the person carrying on an enterprise must (1) entrust the mandate or contract in writing; and (2) specify in the mandate or contract the measures the mandatary or the person performing the contract must take to protect the confidentiality of the personal information communicated, to ensure that the information is used only for carrying out the mandate or performing the contract and to ensure that the mandatary or person does not keep the information after the expiry of the mandate or contract."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |