Source Disclosure on Request
Plain English Translation
Under Quebec Law 25 compliance rules, if an organization collects an individual's personal information from another enterprise (like a data broker, partner, or third-party list), the individual has the right to ask where that information came from. The organization must provide the source upon request, ensuring transparency in indirect data collection.
Technical Implementation
Required Actions (startup)
- Include source tracking columns in basic customer or lead databases.
- Create a standard operating procedure for handling source requests manually.
Required Actions (scaleup)
- Implement data tagging in CRM and marketing automation tools to automatically capture the source enterprise.
- Add a field in the data-subject-request-log to track fulfillment of source inquiries.
Required Actions (enterprise)
- Deploy automated data lineage tracking across data lakes and warehouses.
- Integrate source metadata directly into automated privacy request fulfillment portals.
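A minimal sketch of the startup and scaleup actions above (source tracking columns plus a request-log field for source inquiries), including the inquiry-file exception. This is an added example, not code from WatchDog Security; the table names, column names, outcome labels and sample rows are assumptions constructed for illustration.

```python
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE leads (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL,
    source_enterprise TEXT,  -- legal name of the supplying enterprise; NULL = collected directly
    source_contact TEXT,     -- contact details, disclosed if appropriate
    inquiry_file INTEGER NOT NULL DEFAULT 0  -- 1 = file established for a crime/offence inquiry
);
CREATE TABLE dsr_log (
    id INTEGER PRIMARY KEY, email TEXT NOT NULL,
    request_type TEXT NOT NULL, outcome TEXT NOT NULL, fulfilled_at TEXT NOT NULL
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample rows (hypothetical people and enterprises).
    db.executemany(
        "INSERT INTO leads (email, source_enterprise, source_contact, inquiry_file) VALUES (?,?,?,?)",
        [("a@example.com", "Example Data Broker Inc.", "privacy@broker.example", 0),
         ("b@example.com", None, None, 0),
         ("c@example.com", "Example Partner Ltd.", None, 1)])
    return db

def answer_source_request(db, email):
    """Return (outcome, sources) for a source inquiry and record it in dsr_log."""
    rows = db.execute(
        "SELECT source_enterprise, source_contact, inquiry_file FROM leads WHERE email = ?",
        (email,)).fetchall()
    # Disclose only third-party sources that are not part of an inquiry file.
    sources = sorted({(n, c or "") for n, c, inquiry in rows if n and not inquiry})
    if sources:
        outcome = "disclosed"
    elif any(inquiry for _, _, inquiry in rows):
        outcome = "exempt_inquiry_file"
    else:
        outcome = "no_third_party_source"
    # Log fulfillment so the handling of each request can be shown later.
    db.execute(
        "INSERT INTO dsr_log (email, request_type, outcome, fulfilled_at) VALUES (?,?,?,?)",
        (email, "source_inquiry", outcome, datetime.now(timezone.utc).isoformat()))
    db.commit()
    return outcome, sources
```

Recording the source at ingestion time is what makes the lookup a single query; backfilling origin after the fact is usually not possible.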
Section 7 of the Act respecting the protection of personal information in the private sector requires that if an organization collects personal information from another enterprise, it must inform the individual of that source upon request.
Organizations must disclose the source of the personal information whenever the individual it concerns makes a formal request to know where their data was obtained.
To document and prove consent under GDPR, organizations should use a consent management platform that captures the exact time, date, user identifier, and the specific version of the privacy notice presented. This creates reliable proof-of-consent records for GDPR audits. Tools like WatchDog Security's Compliance Center can help by linking consent logs and notice versions to this control and organizing evidence for faster audit response.
The source is the specific enterprise, vendor, partner, or data broker that provided the personal information to your organization.
To document the source of personal information under Quebec Law 25, organizations should maintain a robust data inventory map and RoPA that includes origin metadata for all records ingested from third parties.
Yes, there is an exception. Source disclosure is not required if the file was established for the purpose of an inquiry to prevent, detect, or repress a crime or statutory offence.
If the data was collected from a vendor or data broker acting as an enterprise, you must identify that specific entity. This is a core part of Law 25 obligations when collecting personal information from another enterprise.
A template response to a Law 25 source disclosure request should clearly state the legal name and contact details (if appropriate) of the enterprise from which the personal information was sourced.
A request for the source of personal information under Quebec's private sector privacy act is often bundled with a general access request. A robust Law 25 data subject request workflow should handle both data extraction and lineage reporting simultaneously.
Failing to disclose the source violates Loi 25 requirements, which can result in regulatory investigations, monetary administrative penalties, and reputational damage for failing to meet transparency obligations.
Auditors typically expect you to show consistent, traceable evidence that consent was captured and can be demonstrated on demand (who consented, when, for what purpose, and what notice was shown). Tools like WatchDog Security's Compliance Center can help by centralizing evidence requests and linking consent-related artifacts (logs, policies, and screenshots of notices) to the control so teams can retrieve proof quickly and consistently.
Withdrawal requests often require coordinated actions across systems (marketing suppression, analytics opt-out, data pipeline filters) and must be provable after the fact. Tools like WatchDog Security's Risk Register can help track withdrawal-related risks and remediation actions, while WatchDog Security's Policy Management can document the process and capture staff attestations that the workflow is followed.
"Any person collecting personal information from another person carrying on an enterprise must, at the request of the person concerned, inform the latter of the source of the information. This section does not apply to a file established for the purposes of an inquiry to prevent, detect or repress a crime or statutory offence."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |