A typical Quebec SME relies on 30 to 50 outside vendors that touch its personal information: payroll firm, bookkeeper, marketing agency, cloud host, CRM platform, technical support provider, translator, printer, HR tools. Each of these vendors triggers a specific contractual obligation under Law 25.
Section 18.3 of the Act respecting the protection of personal information in the private sector (Law 25) requires a written contract with six mandatory elements any time an organization entrusts a mandate or service contract to a third party that involves personal information. The Commission d'accès à l'information (CAI) treats those clauses as a minimum. Their absence from a contract seriously undermines an organization's position during a complaint or an incident.
This guide walks through what section 18.3 requires, how its clauses interact with section 17 on cross-border transfers, and how to set up a vendor review program.
What Section 18.3 Says
Section 18.3 applies any time you communicate personal information to a person or body to whom you entrust a mandate or a service contract. It targets the controller-processor relationship specifically. This obligation is distinct from the rule covering communications to a third party in general.
The section requires six mandatory elements in the contract:
- The contract must be written. Verbal or implied agreements are not enough.
- The contract must describe the protection measures the vendor has in place to ensure the confidentiality and security of the personal information.
- Use is limited to the purpose of the mandate. The vendor may use the information only to perform the mandate or service contract.
- No communication to a third party without your authorization, unless required by law.
- Prompt notification of any confidentiality incident or any attempted unauthorized access.
- Verification rights for your organization to confirm that the vendor is meeting its commitments.
When the vendor carries on activities in whole or in part outside Quebec, the contract must also indicate the jurisdiction where the personal information will be stored, used, or communicated.
How Section 18.3 Interacts with Section 17
The two sections cover different situations, and a single transfer can trigger both at once.
Section 17 governs cross-border transfers, regardless of the type of relationship. It requires a privacy impact assessment (PIA) and adequate protection.
Section 18.3 governs communications to a vendor, regardless of location. It requires a written contract with six specific elements.
When your vendor is located outside Quebec (the common case being a US-based SaaS provider), both sections apply at the same time. You must:
- Run a PIA (section 17)
- Verify that adequate protection exists in the destination jurisdiction (section 17)
- Sign a written contract with the six mandatory elements (section 18.3)
- Document the data processing jurisdiction (section 18.3)
For major vendors (Microsoft, Google, AWS, HubSpot, Salesforce), a standardized data processing addendum (DPA) generally covers all six elements. The addendum still needs to be signed.
The Six Mandatory Clauses in Detail
1. Detailed Protection Measures
A generic statement like "we comply with all applicable laws" is not enough. The contract (or its appendix) must concretely describe:
- Access controls and authentication
- Encryption (in transit and at rest where appropriate)
- Backup and disaster recovery measures
- Physical security of facilities
- Logging and monitoring
- Patch and vulnerability management
The depth of detail should match the sensitivity of the information being handled. A payroll vendor that processes social insurance numbers warrants a higher level of scrutiny than a marketing email service.
2. Limited to the Purpose of the Mandate
The vendor may use the personal information only to perform the mandate. Any other use, including profiling, analytics for the vendor's own purposes, direct marketing, or resale, is prohibited without your explicit authorization.
Many SaaS tools analyze customer data to improve their own models. This practice falls directly within the scope of this prohibition. The contract must rule it out clearly or specify the conditions under which it is allowed.
3. No Sub-Communication Without Authorization
The vendor may not pass the information on to its own subcontractors without your prior approval. When such authorization is granted, the vendor must impose contractual obligations on the subcontractors that are at least as protective as its own (confidentiality, security, incident notification).
In practice, ask your SaaS vendors for the list of their own subcontractors (sub-processors). Most publish it on a dedicated page. Verify that the list is current and that you are notified of any changes.
4. Prompt Incident Notification
The vendor must notify you promptly of:
- Any confidentiality incident (breach, loss, unauthorized use or disclosure)
- Any detected attempt at unauthorized access
This notification must be fast enough to let you meet your own obligations under Law 25, including assessing the risk of serious injury and, where applicable, notifying the CAI and affected individuals.
The contract should set a concrete deadline (24 to 72 hours is common) and the notification channel.
5. Verification Rights
Your organization must be able to verify that the vendor is meeting its commitments. This can take several forms:
- Documentary evidence (internal policies, certifications, audit reports such as SOC 2 Type II or ISO 27001)
- On-site or remote audits or inspections
- Periodic security questionnaires
For an SME, demanding a physical audit of a large SaaS vendor is rarely realistic. An annual review of the vendor's certifications and audit reports is usually sufficient.
6. Indication of Jurisdiction (If Outside Quebec)
When the vendor processes data in whole or in part outside Quebec, the contract must identify the jurisdictions involved. This obligation combines with section 17's requirement for cross-border transfers.
For SaaS vendors, this information often lives in the public documentation (Trust Center or Data Residency page). It still needs to appear in your contract or its addendum.
Which Vendors Are Covered
Section 18.3 applies to every vendor with access to your personal information. Here are the most common categories for a Quebec SME:
| Vendor type | Examples |
|---|---|
| Cloud hosting | Microsoft 365, Google Workspace, AWS, Azure |
| CRM and marketing | HubSpot, Salesforce, Mailchimp, Klaviyo |
| Payment and billing | Stripe, Square, Moneris, QuickBooks |
| HR and payroll | ADP, Nethris, BambooHR, Folks |
| Communications | Slack, Zoom, Microsoft Teams |
| Productivity tools | Notion, Asana, Monday, Trello |
| Technical support | IT subcontractors, managed service providers |
| Professional services | Accounting, legal, marketing, translation firms |
| Other | Printers, secure document destruction, archival services |
For an organization of 50 employees, a complete inventory often runs past 40 vendors.
Setting Up a Vendor Review Program
For an SME just discovering section 18.3, here is a realistic five-step approach.
- Complete inventory. List every vendor with access to personal information. A spreadsheet or a dedicated module in your compliance tool is enough.
- Triage by criticality. Rank vendors by the volume and sensitivity of the information they handle. Start with the most critical.
- Existing contract review. For each vendor, check whether a written contract with the six elements is in place. For major SaaS vendors, look up and sign the data processing addendum (DPA).
- Targeted renegotiation. For vendors without a compliant contract, ask for an addendum. Most serious B2B vendors already have a template. Others should accept one that you propose.
- Procurement procedure. Build the section 18.3 check into your procurement process. No new vendor should be engaged without a compliant contract.
For an organization with 20 to 100 employees, this initial process usually takes between 30 and 80 hours, depending on the number of vendors and how cooperative they are.
How Observantia Supports This Work
Observantia centralizes the vendor register, keeps contracts and addenda in one file, and flags contracts that need renewal or updating. The dashboard helps the privacy officer see at a glance which vendors are in compliance with section 18.3 and which have missing elements. Start your 14-day free trial.
Related articles
- Personal Information Outside Quebec: What Section 17 of Law 25 Requires
- Privacy Incident Registry: What Law 25 Actually Requires
- Law 25 Compliance Assessment: Where to Start?
This content is provided for informational purposes only and does not constitute legal advice. For questions specific to your situation, consult a qualified legal professional.