Vendors and suppliers: essential clauses for Law 25 compliance

Your CRM is "compliant" according to the vendor's marketing page, but it is your name that will appear on the complaint if data leaks. Hosting provider, agency, cloud platform: you delegate processing, not accountability. The contract is your proof of due diligence.

Law 25 obligation: before entrusting personal information to a third party, you must ensure it offers sufficient safeguards, and document that assessment.

Due diligence before signing

Do not sign based on a "GDPR ready" badge alone. Ask concrete questions: where data is hosted, who the downstream subcontractors are, what security measures apply, and whether there is an incident history. For a high-risk project, a PIA (EFVP) includes this analysis: it is not reserved for multinationals.

Key clauses in contracts

Here is the list I review systematically with SMBs. Adapt the wording to your lawyer's legal vocabulary:

Risk for your organization

If a vendor is the source of a breach, the CAI and affected individuals will contact you first: the organization responsible for processing. A negligent vendor can lead to sanctions, lost B2B bids, and weeks of remediation. Prioritize contracts covering customers and HR before peripheral tools (internal surveys, whiteboards).

In brief

Start with your web host, CRM, and payroll tool. A clause copied from a European template does not automatically cover Law 25. Have it reviewed by someone who knows Quebec.

Useful references

This text is informational and does not constitute legal advice. For a decision binding your organization, consult the CAI and a legal professional.

Check your website

Several Law 25 obligations show up on your public site (policy, cookies, privacy officer contact). Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program.