Designed for licensees and made available for public information, some of the hyperlinks in this guideline are not publicly available.

9. Actions to be taken to comply with Bill 25 (personal information)

9.1 Recap of legislative changes related to privacy protection

As part of your real estate brokerage activities, here are the essential steps you must take to comply with the new privacy obligations introduced by Bill 25.1

September 22, 2022

Appointing a person in charge of the protection of personal information and posting his or her contact information on the agency’s website or the website of the broker acting on his own account.

Managing confidentiality incidents and maintaining a confidentiality incident log

  • Implementing security measures to prevent or limit the consequences of a confidentiality incident, for example:
    • Making an inventory of personal information held and assessing its sensitivity;
    • Managing physical and computer access to personal information held;
    • Training staff members;
    • Establishing internal policies and guidelines to ensure the confidentiality and integrity of personal information;
    • Securely destroying personal information in accordance with the periods prescribed by law;
    • Establishing standardized classification methods.
  • Establishing a response plan and internal guidelines in the event of a security incident.

September 22, 2023

► Establishing privacy policies and practices and publishing detailed information about these policies on the website

  • Making an inventory of personal information held and assessing its sensitivity.
  • Defining the roles of staff members involved in the handling of personal information.

Establishing consent forms for collecting personal information in accordance with the law

  • Obtaining valid consent for all the specific purposes for which personal information is collected.
  • Presenting the consent request separately from the other information provided (for example, on a separate page).
  • Providing the mandatory information required by law on the consent form.

► Providing "cookie" banners on the website, where appropriate.

► Publishing a confidentiality policy on the website.

► Establishing an internal procedure for handling complaints about your personal information management

September 22, 2024

► Ensuring that your computer systems allow personal information to be disclosed to the person concerned in a structured and commonly used technological format.

1 Act to modernize legislative provisions as regards the protection of personal information (LQ 2021, c. 25)

Return to top

9.1 Recap of legislative changes related to privacy protection

Here are the main changes introduced by Bill 25 that may have an impact on real estate brokerage practice.

September 22, 2022

Appointment of a person responsible for protecting personal information within the agency

Obligation to manage and report confidentiality incidents

  • Conduct an assessment of privacy-related factors before disclosing personal information without the consent of the individuals concerned for study, research or statistical production purposes.

September 22, 2023

Obligation to adopt privacy governance rules, including a confidentiality policy.

► Obligation to help the person concerned understand the scope of the consent. 

► Obligation to destroy personal information once the purposes for which it was collected have been achieved, subject to the time periods prescribed by law.2

Prohibition to disclose nominative lists without client consent and addition of a right to refuse the use of personal information for commercial prospection purposes.

Significant increase in penal fines imposed by the Commission d'accès à l'information (CAI) and addition of monetary administrative penalties.

NOTE : An assessment of privacy-related factors essentially consists in i) assessing the project's compliance with privacy legislation; ii) identifying the project's risks to the privacy of the individuals concerned; iii) implementing measures to avoid or reduce these risks.

September 22, 2024

► The individual's right to data portability, which is the right to obtain his or her personal information on a structured and commonly used technological medium.

2 S. 17 of the Regulation respecting records, books and registers, trust accounting and inspection of brokers and agencies (c. C-73.2, r. 4: “17. The licensee must keep the registers and records for at least 6 years following their final closing. These registers and records may then be destroyed unless they constitute evidence in a civil, disciplinary, penal or criminal action. ”

Return to top

Last updated on: August 15, 2023
Numéro d'article: 253300