Bill 25 — Compliance
Practical guide for a syndicate's compliance with Quebec's Bill 25 on personal information protection.
What is Bill 25?#
Bill 25 (PL-64 adopted in September 2021, phased rollout 2022-2024) modernizes Quebec's framework for personal information protection. It applies to every business or organization in Quebec that collects, holds, or uses personal information — including your condo syndicate.
Fines can reach $25M or 4% of worldwide revenue (whichever is higher). For a syndicate, this is a serious risk — but obligations are proportional to size and data sensitivity.
Obligations for a syndicate#
1. Appoint a Privacy Officer (DPO)#
Since September 2022, every organization must appoint a person responsible for personal information protection.
- Who? The board president by default, or a designated director
- Publication: the DPO's name and contact must be published publicly (website or official documents)
In Syndic+: Settings → Syndicate → Bill 25 Compliance → Privacy Officer.
2. Policies and procedures#
The syndicate must document:
- Privacy policy — collect, use, retain, delete
- Governance policy — who can access what
- Incident procedure — what to do in case of a breach
Syndic+ provides bilingual ready-to-use templates in Documents → Templates → Bill 25.
3. Privacy Impact Assessment (PIA)#
For any new project involving personal information (e.g. new integration, new portal form), the syndicate must assess risks before deploying.
Syndic+ offers a guided PIA form in Compliance → PIA → New assessment.
4. Incident notification (September 2022)#
If a "confidentiality incident" occurs — leak, theft, loss, unauthorized access — and presents a risk of "serious injury":
Detection
The DPO documents the incident in a register (mandatory since Sept 2022).
Risk assessment
Factors: data sensitivity, number of people affected, recoverability, likely malicious use.
CAI notification
If serious risk: notify Quebec's Commission d'accès à l'information as soon as possible (72-hour best practice).
Notify affected people
Notify each affected person, unless it would hinder an ongoing investigation.
Corrective measures
Document measures taken to prevent recurrence.
Syndic+ includes an incident workflow that auto-generates required documents (Compliance → Incidents).
5. Rights of individuals (September 2023)#
Each co-owner has the right to:
- Access their data
- Rectify inaccurate data
- Be informed about automated use with legal effect (Syndic+ uses none)
- Portability (from Sept 2024) — obtain their data in a structured format
From Settings → Privacy in the portal, each co-owner can:
- Download their data (JSON)
- Request a correction
- Request deletion (subject to legal retention obligations)
Common cases for a syndicate#
Publishing minutes on the portal#
Problem: minutes contain names, addresses, and votes of co-owners. Solution: enable the "Redacted minutes for portal" option that anonymizes names. Full minutes remain available to administrators.
Sharing a co-owner list with a vendor#
Problem: sharing an Excel list with a cleaner or contractor isn't necessary. Solution: share only the minimum required (e.g. unit number and phone, not names). Use filtered CSV export.
Surveillance cameras#
Problem: filming common areas means collecting images. Solution: display visible pictograms, retain recordings less than 72h by default, limit access to board admins.
Self-assessment#
Syndic+ includes a Bill 25 compliance checklist (Compliance → Self-assessment) that verifies:
- DPO appointed and contact published
- Privacy policy published
- Incident register in place
- 2FA enabled for admins
- Co-owner portal with access rights
- Processing agreement signed with Syndic+ (automatic at signup)
Real-time score displayed.
Resources#
- Commission d'accès à l'information — supervisory authority
- CAI cheat sheet — private-sector obligations
- RGCQ guide — Bill 25 adaptation for condos