Right of Access to Personal Information
Plain English Translation
Under section 27 of Quebec's private-sector privacy act as amended by Law 25, an organization that holds personal information about a person must, on request, confirm that the information exists, communicate it, and provide a copy. For computerized information the applicant may ask for a written and intelligible transcript. For computerized information that the organization collected from the applicant (as opposed to data it created or inferred), the applicant may also ask for it in a structured, commonly used technological format; this is the portability right. A defined access request process lets individuals exercise these rights and keeps the organization inside its statutory response deadline.
Technical Implementation
Required Actions (startup)
- Establish a dedicated privacy email address to receive access requests.
- Manually extract the requester's data from the primary database and any other store that holds it (support tickets, analytics, backups in scope), and provide it in CSV or JSON format.
- Log all requests in a simple data subject request log.
Required Actions (scaleup)
- Implement a user-facing portal allowing individuals to download their own data.
- Standardize the export format across all systems so every export satisfies the structured, commonly used technological format requirement.
- Document standard operating procedures for verifying the identity of the requester.
Required Actions (enterprise)
- Deploy automated privacy rights management software to orchestrate data discovery and extraction across all structured and unstructured data stores.
- Implement secure, time-limited download links with multi-factor authentication for data delivery.
- Conduct regular audits of the access request process to confirm that the 30-day statutory deadline and internal SLAs are met, and record every case in which the serious-practical-difficulties exception was invoked and why.
Under section 27, an individual can ask an organization to confirm whether it holds personal information about them, to communicate that information, and to provide a copy of it. This is what gives the individual transparency and control over their data.
Before releasing anything, the organization must verify that the applicant is the person concerned or someone authorized to act for them. Practical means include requiring a login to the existing account (with MFA where available), matching details only the account holder would know, or checking identity documents over a secure channel. Personal information sent to an unverified requester is itself a confidentiality incident, so the verification step is a control, not a formality.
The organization must disclose the personal information it holds about the individual. The portability format applies only to computerized information collected from the applicant; information the organization created or inferred (scores, segments, internal identifiers) still belongs in the transcript but does not have to be delivered in the structured format.
Computerized information collected from the applicant must, at their request, be delivered in a structured, commonly used technological format, unless doing so raises serious practical difficulties.
The Act does not list acceptable formats. In practice CSV, JSON, or XML satisfy the structured, commonly used requirement: they are machine-readable, widely supported, and can be imported into another service. A PDF or a screenshot is readable but not structured, so it can serve as the transcript but not as the portability export.
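One way to keep the transcript and the portability export consistent is to tag every stored field with its provenance at ingestion time and derive both deliverables from the tags. The example below is added here and is not code from the original page or from WatchDog Security; the field names, the three provenance tags, and the sample record are constructed. It fails closed: a field with no recognized tag blocks both outputs rather than leaking an inference into the export or silently dropping collected data.

```python
"""Build the two section 27 deliverables from a provenance-tagged record:
the full written transcript (everything held) and the portability export
(only information the applicant supplied), as JSON or CSV.
Added example; field names, tags and sample values are assumptions."""
import csv
import io
import json

COLLECTED, CREATED, INFERRED = "collected", "created", "inferred"
KNOWN_TAGS = {COLLECTED, CREATED, INFERRED}

# Constructed sample record: name -> (origin recorded at ingestion, value).
SAMPLE_RECORD = {
    "email": (COLLECTED, "alice@example.com"),
    "postal_code": (COLLECTED, "H2X 1Y4"),
    "newsletter_opt_in": (COLLECTED, True),
    "internal_customer_id": (CREATED, "C-00042"),   # created by the organization
    "churn_risk_score": (INFERRED, 0.73),           # inferred from behaviour
}


def _check_tags(record):
    # Fail closed: an untagged field could leak an inference into the export
    # or drop collected data, so refuse to build either deliverable.
    bad = [name for name, (origin, _) in record.items() if origin not in KNOWN_TAGS]
    if bad:
        raise ValueError(f"fields without a known provenance tag: {bad}")


def written_transcript(record):
    """Plain-text transcript of everything held, each line labelled with its origin."""
    _check_tags(record)
    return "\n".join(f"{name}: {value} [{origin}]"
                     for name, (origin, value) in sorted(record.items()))


def portability_fields(record):
    """Only the fields the applicant supplied, in a stable (sorted) order."""
    _check_tags(record)
    return {name: value for name, (origin, value) in sorted(record.items())
            if origin == COLLECTED}


def export_json(record):
    return json.dumps(portability_fields(record), indent=2, ensure_ascii=False)


def export_csv(record):
    fields = portability_fields(record)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(fields))
    writer.writeheader()
    writer.writerow(fields)
    return buf.getvalue()


if __name__ == "__main__":
    print(written_transcript(SAMPLE_RECORD))
    print(export_json(SAMPLE_RECORD))
    print(export_csv(SAMPLE_RECORD))
```

The transcript keeps the origin label on every line so the individual can see which items the organization produced itself; the export omits those items entirely rather than blanking them, so a downstream importer never sees the field names.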
The person in charge of the protection of personal information must reply in writing, promptly and no later than 30 days after the date the request is received. The clock starts at receipt, not at the end of identity verification, so verification has to be fast.
Access must generally be free of charge. A reasonable fee may be charged for transcribing, reproducing, or transmitting the information, provided the applicant is told the approximate amount in advance.
An organization may refuse access where disclosure would reveal personal information about a third party and could seriously harm that person, or where it would hinder a legal inquiry. Separately, the structured-format obligation (not access itself) can be declined where providing that format raises serious practical difficulties; the written transcript must still be provided, and the reason for declining should be recorded.
Organizations should maintain a data subject request log recording the receipt date, the identity verification steps taken, the data sources queried, any exemption relied on, and the final response and its date. The log is what makes the process auditable.
Exports should be delivered over an encrypted channel: a secure portal or an authenticated, time-limited download is preferable, and at minimum an encrypted file with the password sent over a separate channel. A plain email attachment is not acceptable. Secure delivery prevents the fulfillment step itself from becoming a confidentiality incident, and the delivery record should show that the data reached the verified requester and no one else.
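The time-limited download links listed under the enterprise actions, and the delivery requirement just described, can be implemented without a vendor product using an HMAC-signed URL that binds together the request, the verified recipient, and an expiry, and a release gate that also checks the authenticated user and single use. The example below is added here and is not code from the original page or from WatchDog Security; the URL layout, the parameter names, the module-level signing key, and the in-memory audit log are assumptions (in production the key comes from a secrets manager and the log and redeemed set are persisted).

```python
"""Time-limited, tamper-evident download links for delivering an access-request
export, with a release gate and audit trail.
Added example; URL layout, parameter names and key handling are assumptions."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a module constant only so the example runs stand-alone.
SIGNING_KEY = b"replace-me-with-a-random-32-byte-key"

# Constructed in-memory audit log and single-use registry.
AUDIT_LOG = []
_REDEEMED = set()


def _mac(key, request_id, recipient, exp):
    # Bind the request, the verified recipient and the expiry into one tag,
    # so none of the three can be swapped without invalidating the link.
    msg = f"{request_id}|{recipient}|{exp}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_download_link(base_url, request_id, recipient, ttl_seconds,
                       key=SIGNING_KEY, now=None):
    now = time.time() if now is None else now
    exp = int(now + ttl_seconds)
    query = urlencode({"req": request_id, "to": recipient, "exp": exp,
                       "sig": _mac(key, request_id, recipient, exp)})
    return f"{base_url}?{query}"


def verify_download_link(url, key=SIGNING_KEY, now=None):
    """Return (request_id, recipient, "ok") or (None, None, reason)."""
    now = time.time() if now is None else now
    params = parse_qs(urlsplit(url).query)
    try:
        request_id = params["req"][0]
        recipient = params["to"][0]
        exp = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return None, None, "malformed"
    # Check the MAC before the expiry so a forged 'exp' is reported as tampering.
    if not hmac.compare_digest(sig, _mac(key, request_id, recipient, exp)):
        return None, None, "bad signature"
    if now > exp:
        return None, None, "expired"
    return request_id, recipient, "ok"


def redeem_download(url, authenticated_user, key=SIGNING_KEY, now=None):
    """Gate the file release: valid link, link bound to the user who has just
    passed login plus MFA, and not used before. Every outcome is logged."""
    request_id, recipient, status = verify_download_link(url, key, now)
    if status != "ok":
        outcome = status
    elif recipient != authenticated_user:
        outcome = "recipient mismatch"
    elif (request_id, recipient) in _REDEEMED:
        outcome = "already redeemed"
    else:
        _REDEEMED.add((request_id, recipient))
        outcome = "released"
    AUDIT_LOG.append({"ts": int(time.time() if now is None else now),
                      "request_id": request_id, "user": authenticated_user,
                      "outcome": outcome})
    return outcome


if __name__ == "__main__":
    link = make_download_link("https://portal.example/export", "DSR-17",
                              "alice@example.com", ttl_seconds=24 * 3600)
    print(link)
    print(redeem_download(link, "alice@example.com"))
    print(redeem_download(link, "alice@example.com"))  # second use is refused
```

The link alone never releases the file: the handler still requires the requester to authenticate (the page's MFA step) and compares that identity with the recipient baked into the signature, so a forwarded or leaked link is useless to anyone else, and the audit entries give the evidence of who received what and when.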
A consistent access-request workflow requires tracking intake, identity verification, data sources searched, and response deadlines. Tools like WatchDog Security's Compliance Center can centralize evidence and task assignments so teams can demonstrate a repeatable, auditable process for §27 requests.
Delivering exports often involves transmitting sensitive data and proving it was shared securely to the right person. Tools like WatchDog Security's Secure File Sharing can help by providing encrypted delivery, requester verification, and audit logs that support secure fulfillment and auditability.
"Every person carrying on an enterprise who holds personal information on another person must, at the request of the person concerned, confirm the existence of the personal information, communicate it to the person and allow him to obtain a copy of it. At the applicant’s request, computerized personal information must be communicated in the form of a written and intelligible transcript. Unless doing so raises serious practical difficulties, computerized personal information collected from the applicant, and not created or inferred using personal information concerning him, must, at his request, be communicated to him in a structured, commonly used technological format."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |