Scope of Application

Updated: 2026-02-23

Plain English Translation

Quebec Law 25 applies to any organization that collects, holds, uses, or communicates personal information in the course of carrying on an enterprise. The scope of application covers data stored in any format, whether physical or digital, and applies even if the data is managed by a third party. Organizations must clearly map their data flows to ensure alignment with Quebec privacy law requirements.

Executive Takeaway

Organizations must determine if their operations fall under the scope of Quebec Law 25 by mapping all personal information collected, held, used, or communicated.

Impact: High
Complexity: Low

Why This Matters

  • Failing to understand the Loi 25 scope of application for enterprises can result in significant compliance gaps and regulatory penalties.
  • Accurate scope determination ensures that security measures and privacy controls are appropriately applied to the personal information covered under Law 25.

What “Good” Looks Like

  • Conducting a comprehensive data mapping exercise to identify all formats and processing activities covered by the Act, and using tools like WatchDog Security's Asset Inventory to keep the underlying system/SaaS inventory current.
  • Documenting processing activities to ensure all data collected, held, used, and communicated falls within a governed compliance program, and using tools like WatchDog Security's Compliance Center to centralize scope evidence and ownership.

Quebec Law 25 applies to the collection, holding, use, or communication of personal information in the course of carrying on an enterprise. The scope of the Act respecting the protection of personal information in the private sector covers data in any format, whether kept directly or through a third person.

Any person or organization carrying on an enterprise that processes personal information must comply with Loi 25 requirements. This includes businesses, associations, and partnerships operating within or targeting Quebec.

Yes, if an out-of-province company is carrying on an enterprise that involves collecting, holding, using, or communicating the personal information of individuals in Quebec, it must generally comply with Quebec privacy law requirements.

Under Quebec Law 25, "carrying on an enterprise" refers to the carrying on of an economic activity, whether or not it is commercial in nature, organized and directed to the production or delivery of goods or services.

Personal information covered under Law 25 includes any data that relates to a natural person and allows them to be identified. Law 25 applies regardless of format, meaning it covers written, graphic, taped, filmed, computerized, and paper records.

Divisions II and III of the Act do not apply to personal information concerning the performance of duties within an enterprise, such as a person's name, title, duties, work address, work email, and work phone. However, other sensitive employee data falls within the scope of application of Loi 25.

Yes, Law 25 applies to nonprofits and associations if they carry on an enterprise. The Act also explicitly applies to personal information held by professional orders, political parties, independent Members, and independent candidates.

Yes, the Act explicitly states that it does not apply to journalistic, historical, or genealogical material collected, held, used, or communicated for the legitimate information of the public.

The data processing activities in scope under Loi 25 include the complete lifecycle of data. This covers initial collection, holding or storage, internal use, and disclosure to third parties.

CISOs and compliance teams must map their data inventory to understand to whom Quebec Law 25 applies within their supply chain. They must evaluate all data collected, held, used, or communicated to ensure comprehensive adherence to Quebec privacy law requirements. Tools like WatchDog Security's Asset Inventory can help keep the system and SaaS inventory accurate, and WatchDog Security's Compliance Center can help link scope conclusions to evidence and periodic review workflows so the assessment stays current.

Scope tends to drift as teams add new SaaS tools, data stores, and processors, which can quietly expand where personal information is collected, held, used, or communicated. Tools like WatchDog Security's Asset Inventory can help maintain an up-to-date system and SaaS inventory, while WatchDog Security's Compliance Center can tie those assets to control ownership and evidence workflows so scope reviews stay aligned to real-world changes.

Third-party processing can create scope gaps when contracts, sub-processors, or data transfer paths are not consistently documented alongside internal data maps. Tools like WatchDog Security's Vendor Risk Management can help catalog vendors, track assessments and risk-tiering, and maintain processor details that support end-to-end data flow mapping and repeatable scope reassessments.

LAW25 § 1

"The object of this Act is to establish, for the exercise of the rights conferred by articles 35 to 40 of the Civil Code concerning the protection of personal information, particular rules with respect to personal information relating to other persons which a person collects, holds, uses or communicates to third persons in the course of carrying on an enterprise within the meaning of article 1525 of the Civil Code. The Act applies to such information, whether the enterprise keeps the information itself or through the agency of a third person, whatever the nature of its medium and whatever the form in which it is accessible, whether written, graphic, taped, filmed, computerized, or other."

Version | Date | Author | Description
1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication