Bill 25 Compliance
Use Syndic+ to comply with Bill 25 on personal information protection.
Overview#
Bill 25 (An Act to modernize legislative provisions as regards the protection of personal information), phased in from 2022 to 2024, imposes new obligations on organizations that collect personal information — including condo syndicates.
The 7 key obligations for a syndicate#
1. Appoint a Privacy Officer (DPO)#
Who? By default, the person with the highest authority (board chair). The role may be delegated by resolution.
In Syndic+: configure the DPO from Settings → Syndicate → Bill 25 Compliance.
2. Publish a privacy policy#
Must be publicly accessible and explain:
- What information is collected
- Why
- Who it's shared with
- How to exercise one's rights
In Syndic+: ready-made template available at /privacy-policy, customizable.
3. Keep a confidentiality incident registry#
Every incident (loss, theft, unauthorized access) must be recorded with:
- Date and nature
- Information involved
- Number of persons affected
- Corrective actions
Incidents posing serious risk must be reported to the CAI (Commission d'accès à l'information) and to the affected individuals.
In Syndic+: Privacy Incidents module accessible from Compliance → Bill 25.
4. Obtain express consent#
For sensitive information (health, detailed financial data), free, informed, specific, and manifest consent is required.
In Syndic+: Consents module to record and timestamp each consent.
5. Honor the right to portability (since 2024)#
Co-owners can request a structured copy of their data (JSON or CSV).
In Syndic+: Download my data button in the portal.
6. Honor the right to erasure#
Co-owners can request the deletion of their information, subject to exceptions (legal retention requirements).
In Syndic+: Erasure Requests module with validation workflow.
7. Privacy impact assessment (PIA)#
Before rolling out a new system containing personal information, a privacy impact assessment is required.
In Syndic+: downloadable PIA template.
Bill 25 Dashboard#
From Compliance → Bill 25, a dashboard shows:
| Check | Status |
|---|---|
| DPO appointed | ✅ / ❌ |
| Public policy published | ✅ / ❌ |
| Active incident registry | ✅ (0 incidents) / ⚠️ (1 open) |
| 2FA required for admins | ✅ / ⚠️ |
| At-rest encryption enabled | ✅ (Supabase AES-256) |
| Sub-processors listed | ✅ up to date |
Penalties#
Bill 25's administrative penalties are very significant:
| Offence | Max fine |
|---|---|
| Natural person | $100,000 |
| Organization | $25M or 4% of worldwide revenue |
| Willful negligence | Doubled |
While the CAI prioritizes guidance over sanctions, any mismanaged incident can trigger an investigation. Keep your registry up to date and react quickly to any suspected incident.
Sub-processors#
Syndic+ is a sub-processor under Bill 25. We contractually commit to:
- Process data only per your instructions
- Maintain appropriate security measures
- Notify you immediately of any incident
- Delete or return data at contract end
Our sub-processors (Supabase, Stripe, Vercel, etc.) are listed in the public privacy policy.
Going deeper#
For full legal treatment, see the detailed Bill 25 guide.