Vendors and suppliers: essential clauses for Law 25 compliance
Your CRM is "compliant" according to the vendor's marketing page, but it is your name that will appear on the complaint if data leaks. Hosting provider, agency, cloud platform: you delegate processing, not accountability. The contract is your proof of due diligence.
Law 25 obligation: before entrusting personal information to a third party, you must ensure it offers sufficient safeguards, and document that assessment.
Due diligence before signing
Do not sign based on a "GDPR ready" badge alone. Ask concrete questions: where data is hosted, who the downstream subcontractors are, what security measures apply, and whether there is an incident history. For a high-risk project, a PIA (EFVP) includes this analysis: it is not reserved for multinationals.
Key clauses in contracts
Here is the list I review systematically with SMBs. Adapt the wording to your lawyer's legal vocabulary:
- Purposes and instructions: the vendor processes data only under your written directions; no vague "product improvement" using your customer data.
- Confidentiality: obligation binding all vendor staff and subcontractors.
- Security measures: encryption, access control, backups; level matched to sensitivity (HR data is not the same as a mailing list).
- Downstream subcontracting: prior authorization; same requirements for the subcontractor's subcontractor.
- Location and transfers: where data is stored; notice if region or provider changes.
- Incident notification: short deadline (often 24 to 72 hours) so you can meet your obligations toward the CAI.
- End of contract: secure return or destruction; proof on request.
- Audit: right to verify, or acceptance of a recent SOC 2 report or equivalent.
Risk for your organization
If a vendor is the source of a breach, the CAI and affected individuals will contact you first: the organization responsible for processing. A negligent vendor can lead to sanctions, lost B2B bids, and weeks of remediation. Prioritize contracts covering customers and HR before peripheral tools (internal surveys, whiteboards).
In brief
Start with your web host, CRM, and payroll tool. A clause copied from a European template does not automatically cover Law 25. Have it reviewed by someone who knows Quebec.
Useful references
- CAI, Subcontracting and disclosure to third parties: expectations for Quebec organizations.
- Act P-39.1 (private sector): obligations before entrusting personal information to a third party.
- PIA under Law 25: risk analysis for sensitive projects and vendors.
This text is informational and does not constitute legal advice. For a decision binding your organization, consult the CAI and a legal professional.
Check your website
Several Law 25 obligations show up on your public site (policy, cookies, privacy officer contact). Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program.