Disclosure in Commercial Transactions
Plain English Translation
Section 18.4 of Quebec Law 25 allows organizations to share personal information without consent during commercial transactions, such as mergers and acquisitions (M&A). However, before any data is shared, both parties must sign a strict agreement ensuring the personal information is only used to evaluate the transaction, remains confidential, and is destroyed if the deal falls through. If the commercial transaction concludes successfully, the new owner must notify the affected individuals that their information has been transferred.
Technical Implementation
Required Actions (startup)
- Limit the sharing of personal information in data rooms to only what is strictly necessary.
- Ensure a written NDA including Section 18.4 clauses is signed before providing access to systems or data.
Required Actions (scaleup)
- Implement role-based access control (RBAC) on all due diligence data rooms.
- Establish a formal checklist for M&A data sharing that requires Legal approval before transferring personal information.
Required Actions (enterprise)
- Automate data redaction and de-identification for initial due diligence phases.
- Maintain an audit trail of all personal information disclosed during commercial transactions.
- Automate post-transaction notifications to data subjects using CRM or automated mailing platforms.
Law 25 section 18.4 allows organizations to share personal information without the individual's consent if it is strictly necessary to conclude a commercial transaction, provided a specific written agreement is in place.
No, explicit consent is not required for M&A due diligence as long as the disclosure is necessary for the transaction and the parties sign a mandatory agreement protecting the data as per section 18.4 requirements.
The agreement must explicitly stipulate that the receiving party will use the data only for concluding the transaction, will not communicate it further without consent, will take measures to protect its confidentiality, and will destroy the information if the transaction is not concluded.
It means the receiving party can only process the personal information to evaluate, negotiate, and execute the deal, such as during due diligence. They cannot use the data for their own marketing, analytics, or operational purposes prior to closing.
The receiving party is prohibited from communicating the information further without the individual's consent, unless authorized by the Act. Advisors bound by professional secrecy or acting as service providers under section 18.3 may process it if strict safeguards are extended.
The receiving party must take required measures to protect confidentiality, which typically involves using secure, access-controlled virtual data rooms, encryption, and limiting access to strictly necessary personnel.
The agreement must mandate that the receiving party destroy the personal information immediately if the commercial transaction is abandoned or if the information is no longer necessary for concluding the deal.
Once concluded, the buyer must use the information in accordance with Law 25. Furthermore, within a reasonable time after closing, the buyer must notify the affected individuals that they now hold their personal information due to the transaction.
Organizations should practice data minimization by redacting or anonymizing information wherever possible. Disclosure is only necessary if the deal's evaluation or execution cannot proceed without accessing the specific identifiable data.
Organizations should maintain signed copies of the section 18.4 non-disclosure agreement, audit logs of data room access, evidence of data destruction if the deal fails, and records of the post-closing notification sent to individuals.
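An added example (not part of the original page and not any vendor's tooling): a minimal Python audit that checks one deal's evidence file against the section 18.4 conditions described here. The record layout, clause labels, sample data and the 30-day notification target are assumptions made for illustration; the Act itself says only "a reasonable time".

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical labels for the four undertakings the section 18.4 agreement must contain.
REQUIRED_CLAUSES = {"use_limitation", "no_onward_disclosure", "confidentiality", "destruction"}

@dataclass
class Deal:
    agreement_signed: Optional[date]   # date the written agreement was executed
    agreement_clauses: set             # clause labels found in the signed agreement
    status: str                        # "open", "abandoned" or "closed"
    status_date: Optional[date] = None # date the deal was abandoned or closed
    destruction_attested: Optional[date] = None
    notification_sent: Optional[date] = None

def audit_deal(deal, access_log, today, notify_days=30):
    """Return a list of findings. notify_days is an assumed internal target,
    not a figure from the Act. access_log holds (user, day, record_set) tuples."""
    findings = []
    missing = REQUIRED_CLAUSES - deal.agreement_clauses
    if deal.agreement_signed is None:
        findings.append("no signed agreement on file")
    elif missing:
        findings.append("agreement missing clauses: " + ", ".join(sorted(missing)))
    for user, day, record_set in access_log:
        # The agreement must exist before any personal information is shared.
        if deal.agreement_signed is None or day < deal.agreement_signed:
            findings.append(f"{day} {user} accessed {record_set} before agreement")
        # Access after abandonment means the data was still available, not destroyed.
        if deal.status == "abandoned" and day > deal.status_date:
            findings.append(f"{day} {user} accessed {record_set} after deal abandoned")
    if deal.status == "abandoned" and deal.destruction_attested is None:
        findings.append("deal abandoned, no destruction attestation")
    if (deal.status == "closed" and deal.notification_sent is None
            and today > deal.status_date + timedelta(days=notify_days)):
        findings.append("deal closed, notification to individuals overdue")
    return findings

# Constructed sample data: an abandoned deal with an incomplete agreement.
SAMPLE_DEAL = Deal(date(2026, 3, 10),
                   {"use_limitation", "confidentiality", "destruction"},
                   "abandoned", date(2026, 4, 20))
SAMPLE_LOG = [
    ("buyer.analyst", date(2026, 3, 8), "hr/payroll.csv"),
    ("buyer.counsel", date(2026, 3, 15), "hr/contracts"),
    ("buyer.analyst", date(2026, 4, 25), "crm/customers.csv"),
]

if __name__ == "__main__":
    for finding in audit_deal(SAMPLE_DEAL, SAMPLE_LOG, date(2026, 5, 1)):
        print(finding)
```

An empty result means the evidence on file is internally consistent; it does not by itself show that each disclosure was necessary for the transaction.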
Law 25 §18.4 requires proof that disclosures were necessary, governed by a written agreement, and protected with confidentiality and destruction obligations. Tools like WatchDog Security's Compliance Center can help centralize the control requirements, map them to internal procedures, and track evidence such as executed NDAs, access logs, and destruction attestations in one place.
Risk is reduced by minimizing the data shared, enforcing least-privilege access, and maintaining a defensible audit trail of who accessed what and when. Tools like WatchDog Security's Secure File Sharing can support encrypted sharing, time-bound access, and audit logs that help demonstrate confidentiality safeguards during the evaluation phase.
"Where the communication of personal information is necessary for concluding a commercial transaction to which a person carrying on an enterprise intends to be a party, the person may communicate such information, without the consent of the person concerned, to the other party to the transaction. An agreement must first be entered into with the other party that stipulates, among other things, that the latter undertakes (1) to use the information only for concluding the commercial transaction; (2) not to communicate the information without the consent of the person concerned, unless authorized to do so by this Act; (3) to take the measures required to protect the confidentiality of the information; and (4) to destroy the information if the commercial transaction is not concluded or if using the information is no longer necessary for concluding the commercial transaction. Where the commercial transaction has been concluded and the other party wishes to continue using the information or to communicate it, that party may use or communicate it only in accordance with this Act. Within a reasonable time after the commercial transaction is concluded, that party must notify the person concerned that it now holds personal information concerning him because of the transaction."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |