Compliance
The compliance hub gathers your Law 25 obligations into distinct pages, each with its own route. Every page carries a clear notice: this is a guide, not legal advice. Agreely gives you the tools to keep and demonstrate your compliance; it does not stand in for the judgment of a legal advisor.
Guide, not legal advice
Every section of this hub is an implementation tool. The content you enter, and how you apply it, are your responsibility. Agreely gives no legal advice and certifies no compliance.
Privacy officer, article 3.1
Declare the person responsible for the protection of personal information: their name, their title, and at least one way to reach them, either an email or a phone number. This is the person Law 25 charges with overseeing the protection of personal information within the company.
Policies
Publish and version your policies:
- the personal-information governance policy, article 3.2;
- the privacy policy, article 8.2.
Each policy carries a bilingual title and body. On publication, a policy is versioned and immutable: a published version is never edited, a new one is published instead. The history stays a faithful record of what was in force on each date.
Retention and destruction
Define your retention rules. Each rule carries:
- a label;
- a period expressed in months;
- a trigger, by default the purpose being achieved;
- an action, by default destruction;
- notes.
The rules govern how long personal information lives and when it is destroyed, in step with the purposes for which it was collected.
Cross-border transfers and privacy impact assessments, article 17
Record communications of personal information outside Quebec and the privacy impact assessments that go with them. An assessment carries a title, the sensitivity of the information, the purpose of the communication, the protection measures, the legal regime of the destination, and a conclusion.
Confidentiality incident register, articles 3.5 to 3.8
Keep the confidentiality incident register. Each entry records:
- the date the incident was discovered and the date it occurred;
- a description;
- the categories of information involved;
- the number of persons affected;
- a risk assessment, with a serious-risk-of-injury flag;
- the measures taken;
- whether the Commission d'accès à l'information was notified, and whether the affected persons were;
- the incident status.
The register supports the obligation to keep, and where required demonstrate, the handling of confidentiality incidents.
Rights requests
Handle requests from data subjects in a workflow: received → in progress → responded or refused. Each request carries the article 32 30-day clock, and an overdue count highlights the ones past their deadline.
The request types covered are:
- access, article 27;
- rectification, article 28;
- de-indexing, article 28.1.
Requests and their handling export in JSON or CSV.
Erasure obligations, article 23
When a citizen exercises erasure, your company receives an actionable erasure obligation: destroy or anonymize the underlying data you still hold in your own systems. You attest a disposition from among:
- destroyed;
- anonymized;
- retained under a legal period.
You attach a note to the attestation.
Attesting is not proof of compliance
Agreely proves the consent ended and signals the obligation to act. You, the company, attest that you acted. That attestation is your statement, not cryptographic proof that the data was in fact destroyed or anonymized in your systems. And an erasure obligation is not a confidentiality incident and is not handled as one.
Compliance guide
The compliance guide is a static, article-by-article map of how Agreely helps address each relevant Law 25 article. It carries the same notice as the rest of the hub: it is a guide, not legal advice.
Next
- Customers: the customer dossier and the article 27 portability export.
- Team and billing: roles, seats, and API keys.