
Response Time for Data Subject Requests

Updated: 2026-02-23

Plain English Translation

Under Quebec Law 25 section 32, organizations must respond in writing to any request for access or rectification of personal information within 30 days of receiving it. The person in charge of the protection of personal information is responsible for ensuring prompt replies. Failing to meet the 30-day deadline for a request is legally treated as a refusal to grant the request, which gives the individual the right to escalate the matter to the regulatory authority.

Executive Takeaway

Organizations must implement efficient processes to guarantee written responses to personal data access and rectification requests within a strict 30-day window.

Impact: High
Complexity: Medium

Why This Matters

  • Failing to meet the 30-day statutory deadline constitutes a deemed refusal under the law, opening the door for regulatory complaints and potential investigations by the Commission d'accès à l'information.
  • Prompt and compliant responses build consumer trust, enhance brand reputation, and demonstrate operational maturity in privacy governance.

What “Good” Looks Like

  • A centralized data subject request ticketing system is in place, automating deadline tracking, assigning tasks to the privacy team, and issuing alerts well before the 30-day mark; tools like WatchDog Security's Compliance Center can support SLA evidence capture and gap detection for this workflow.
  • Standardized response templates exist for granting, partially granting, or legally denying access and rectification requests, ensuring all written communications meet statutory requirements; tools like WatchDog Security's Policy Management can help manage template version control and track internal acceptance of the SOPs that govern their use.

Under Quebec Law 25 section 32, organizations must reply to a request for access or rectification promptly and no later than 30 days after the date the request is received.

Yes, the law explicitly imposes a written response requirement for Law 25 access requests and rectification requests. The person in charge of the protection of personal information must provide this written reply.

The 30-day clock begins on the exact date the organization receives the written request from the data subject or their authorized legal representative.

Unlike some other privacy frameworks (like the GDPR), Quebec Law 25 section 32 does not explicitly provide a broad mechanism for businesses to unilaterally extend the 30-day deadline for private sector access or rectification requests.

According to the legislation, failure to respond within 30 days of receipt is legally deemed to be a refusal to grant the request. A deemed refusal for a late response permits the individual to escalate the matter and seek recourse with the Commission d'accès à l'information.

A written response must confirm the existence of the personal information and provide a copy or transcript. If the organization refuses the request, the response must state the legal reasons for the refusal, cite the specific provision of law, and inform the applicant of their available remedies and time limits.

If granted, the organization should provide a copy of the modified information or an attestation of deletion. A response letter template for refusing a rectification request must outline the reasons, cite the legal basis, and explain the individual's right to recourse.

To appropriately track data subject requests for Law 25 compliance, organizations should maintain a data subject request log. This log must capture the date of receipt, the steps taken to verify identity, the actions performed to retrieve or correct data, and the date the final written response was sent.

Yes, organizations can refuse access if disclosing the data would reveal personal information about a third party, hinder an internal security inquiry, or affect judicial proceedings. Rectification can be refused if the organization can prove the existing information is accurate and lawful.

Best practices include deploying a ticketing system with automated SLA timers, configuring internal escalation alerts at the 15-day and 25-day marks, and ensuring cross-functional workflows assign clear data retrieval tasks while the privacy officer handles the formal compliance response.

Meeting the 30-day statutory deadline requires consistent intake, clear ownership, and reliable SLA tracking across teams and systems. Tools like WatchDog Security's Compliance Center can help centralize evidence of request handling (intake timestamps, assignments, and response artifacts) and highlight gaps in workflow coverage so teams can prove the deadline was monitored and met.

An audit-ready request log needs complete, consistent records (receipt date, identity verification, retrieval/correction steps, and the date the written response was sent). Tools like WatchDog Security's Secure File Sharing can support controlled distribution of response packages with access controls and audit logs, while WatchDog Security's Policy Management can track acknowledgment of SOPs that define how requests are processed.

LAW25 § 32

"The person in charge of the protection of personal information must reply in writing to the request for access or rectification, promptly and not later than 30 days after the date the request is received. Failure to respond within 30 days of the receipt of a request is deemed to be a refusal to grant the request."

Version | Date | Author | Description
1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication