Your Personal Information Governance Program Includes Your Subcontractors

Quebec’s privacy laws now require businesses and organizations operating in Quebec—or collecting personal information in Quebec—to establish a governance program for the personal information they hold.

Have you considered including in this program your relationships with the subcontractors to whom you entrust personal information? If not, your organization may be exposed. The program cannot be considered complete without a thorough analysis of the contracts with the subcontractors selected to receive and process that personal information.

Verifying the Subcontractor’s Privacy Posture Before Signing

Before entering into a contract with a subcontractor that involves the disclosure, access or use of personal information held by your organization, the organization must conduct due diligence and ensure that the subcontractor provides guarantees regarding the confidentiality, security and protection of that personal information.

The subcontractors should already, among other things:

  • Have implemented their own privacy governance program, demonstrating that privacy is central to their operations;
  • Show that employees have been trained and know how to act to maintain the confidentiality of personal information, and that they have signed a confidentiality agreement or a code of ethics or conduct that includes relevant clauses;
  • Demonstrate that they are trustworthy, have experienced few or no confidentiality incidents in the past, and have put in place measures to prevent such incidents and to manage them appropriately if they occur;
  • Prove that the cybersecurity measures in place to protect personal information are appropriate and meet your requirements.

Remember that, upon signing the contract, you must also specify that the subcontractor may use the personal information only for the purposes of the contract, and that your organization's Privacy Officer has the right to verify, at any time, the subcontractor's compliance with the contractual clauses.

General Clauses

The contract should include detailed clauses that clearly define roles and responsibilities, such as:

  • The tasks the subcontractor must perform;
  • Who will have access to personal information and for what purpose;
  • What the subcontractor must do with the personal information once the work is completed—whether to return or securely destroy it;
  • Whether the subcontractor may use another subcontractor and under what conditions (e.g., only with your approval).

Privacy Incidents Clauses

For privacy incidents involving the subcontractor, you must also specify:

  • The measures the subcontractor must take if a privacy incident occurs on their premises or within their systems, whether or not they are at fault;
  • The timeframe within which they must notify you;
  • Their role and responsibility in managing the incident;
  • The possibility of terminating the contract and the timeframe for doing so if trust has been compromised.

Each organization must include clauses required by its industry, regulatory obligations, contractual commitments or internal policies.

Transfers Outside Quebec

If personal information must be transmitted outside Quebec, whether because the subcontractor is located in another province or country or because the data is hosted on infrastructure outside Quebec, a Privacy Impact Assessment, commonly referred to as a PIA, must be conducted. This assessment considers the sensitivity of the personal information being transferred, the purposes for which it will be used, the protection measures set out in the contract, and the legal framework of the destination. The transfer should proceed only once the assessment confirms that the level of privacy risk is acceptable.

Conclusion

To meet your legal obligations and protect the personal information you hold, many factors must be considered, and specific clauses must be included in your contracts with subcontractors.

Our Privacy and Cybersecurity team can assist you with:

  • Establishing questions to ask potential subcontractors;
  • Clarifying your process for reviewing existing contracts;
  • Reviewing your process for awarding new subcontracts;
  • Drafting the required privacy-related clauses in your contracts with subcontractors;
  • Conducting PIAs;
  • Determining the strategic technological positioning to adopt and implementing the related controls.