Law 25 compliance

Our commitments for Quebec organisations subject to the Act respecting the protection of personal information in the private sector, as modernised by Law 25.

Last updated 19 May 2026

Hexceos operates from Montréal and France. For our Quebec-based clients, personal information collected or processed through our services falls under Law 25 as well as the Personal Information Protection and Electronic Documents Act (PIPEDA). This page outlines our concrete commitments. It complements our privacy policy and our GDPR charter — the underlying principles are largely aligned across the three frameworks.

1. Canadian data residency

Personal information collected in Quebec and in Canada stays in Canada. Our Quebec point of presence ensures the hosting, processing and backup of Canadian data on Canadian soil — without transfer to the United States or to the European Union, unless explicit and documented consent is obtained.

For clients who accept cross-border processing (in particular toward our sovereign datacentre in France), we first carry out a privacy impact assessment (PIA) covering contractual safeguards, applicable jurisdiction and the absence of extraterritorial US access rights (Cloud Act).

2. Designated Privacy Officer

Hexceos has designated a person in charge of the protection of personal information in accordance with section 3.1 of Law 25. The Privacy Officer oversees the compliance of all our personal information processing activities and serves as the primary point of contact for any question, access request or complaint.

Privacy Officer
Gaëtan Maiuri
Email — [email protected]

3. Rights of the individuals concerned

Law 25 grants individuals extended rights that we commit to honour in short timeframes, free of charge and without unjustified preconditions:

  • Right of access to personal information held by Hexceos or by our clients in the context of our services.
  • Right to rectification in case of inaccurate, incomplete or ambiguous information.
  • Right to withdraw consent at any time, without prejudice to prior processing.
  • Right to data portability in a structured, commonly used technological format (JSON, CSV).
  • Right to de-indexation and to cessation of distribution where the dissemination causes serious harm to reputation or privacy.
  • Right to information about decisions based exclusively on automated processing.

We respond to rights requests within 30 days — in practice often under 10 business days. No fee is charged for a first reasonable request.

4. Privacy breach notification

In the event of a confidentiality incident likely to cause a serious risk of harm to the individuals concerned:

  • Notification to the Commission d'accès à l'information du Québec (CAI) as soon as reasonably possible.
  • Direct and understandable notice to the individuals concerned whose information was affected.
  • Entry in the incident register maintained by Hexceos, available to the CAI upon request.
  • Forensic report made available to the competent authorities and the impacted clients.

For client engagements, the contractual notification deadline between Hexceos and the client is under 24 hours for critical incidents — well below the regulatory obligation.

5. Privacy impact assessments (PIA)

We carry out a PIA before any project that involves:

  • Acquisition or commissioning of a new personal information processing system.
  • Communication of personal information outside Quebec.
  • Processing for profiling, location or identification purposes.
  • Any processing presenting an increased risk to the individuals concerned.

PIAs are documented, archived and reviewed whenever the processing changes significantly. They are made available to clients upon request for the processing that concerns them.

6. Subcontractors and third parties

The full list of our subcontractors with access to Canadian personal information is kept up to date and shared with any client who requests it at [email protected]. Each subcontractor is subject to:

  • A written agreement compliant with sections 18.3 and 22 of Law 25.
  • An initial assessment of their cyber and legal maturity.
  • An annual compliance review.
  • A right to prior notification in case of any subsequent change of subcontractor.

7. Minors

Where our processing involves personal information of a minor under 14 years of age, consent is obtained from the person having parental authority or from the guardian. For minors aged 14 to 17, consent is obtained from the individual or, depending on the nature of the processing, from the person having parental authority.

Hexceos never knowingly solicits personal information from children under 13 in the context of its own commercial activities (forms, newsletters).

8. Retention and destruction

Personal information is retained only for the time necessary to achieve the purposes for which it was collected and to comply with our legal and tax obligations. At the end of this period:

  • Secure deletion of information across all our systems (production, backups, archives).
  • Cryptographic erasure of encrypted disks or physical destruction of media when relevant.
  • Destruction certificate issued to the client upon request.

9. Complaint to the Commission d'accès à l'information

If you believe your rights have not been respected and the response from our Privacy Officer is not satisfactory, you may file a complaint with the Commission d'accès à l'information du Québec:

Commission d'accès à l'information du Québec
575, rue Saint-Amable, bureau 1.10, Québec (QC) G1R 2G4
Phone — 1 888 528-7741
Website — cai.gouv.qc.ca

10. Updates to this page

This page is updated whenever our practices or the applicable Quebec regulation evolve significantly. The last update date is shown at the top of the page. For major changes, we proactively inform our clients by email.

For any question, suggestion or claim, write to [email protected].