Privacy Officer Designation (RPRP) Under Quebec Law

Art. 3.1, 3.2, LPRPSP

What the law requires

If you run a business in Quebec, you're already the Privacy Officer by default. The law designates you automatically.

Your concrete obligations:

  • Publish a way to contact you for privacy questions (website or other accessible means)
  • If you delegate this function to someone else, do it in writing

No mandatory training. No registration with the CAI.

Privacy Officer responsibilities:

  • Ensure compliance with the law throughout the organization
  • Approve personal information governance policies
  • Process access and rectification requests
  • Manage privacy incidents
  • Train staff on best practices

Legal reference

"Any person carrying on an enterprise is responsible for protecting the personal information held by the person."

"Within the enterprise, the person exercising the highest authority shall see to ensuring that this Act is implemented and complied with. That person shall exercise the function of person in charge of the protection of personal information; he may delegate all or part of that function in writing to any person."

"The title and contact information of the person in charge of the protection of personal information must be published on the enterprise's website or, if the enterprise does not have a website, be made available by any other appropriate means."

— Art. 3.1, Act respecting the protection of personal information in the private sector

What you must do

Designating your Privacy Officer is one of the first steps in your compliance journey. Here's how to proceed:

  1. Decide who will be RPRP. If you're the sole owner or CEO, you are RPRP by default. You can keep this responsibility or delegate it.
  2. If you delegate, do it in writing. The law requires written delegation. This document must identify the delegate and specify the scope of their responsibilities.
  3. Publish contact information on your website. The public must be able to reach your RPRP. Add at minimum:
    • The title: "Person Responsible for the Protection of Personal Information"
    • A means of contact: dedicated email or contact form

Concrete example: Marie owns an online store. She adds in her website footer: "For any questions about your personal information: privacy@mystore.ca". That's sufficient.

Example with delegation: Jean runs a firm with 15 employees. He writes a memo delegating the function to his operations director, Sophie Martin. On the firm's website: "Person Responsible for the Protection of Personal Information: Sophie Martin, smartin@firm.ca".

Common mistakes

  • Not publishing contact information at all. Even if you are RPRP by default, you must publish a way to reach you for questions about personal information.
  • Delegating verbally. Delegation must be done in writing. An email or memo is sufficient, but there must be a written record.
  • Publishing a generic email without mentioning the role. "info@company.ca" is not sufficient. You must indicate that this contact is for personal information protection questions.
  • Burying the information. Contact information must be "easily accessible". A link in the footer or in the privacy policy is appropriate.

Frequently asked questions

Who can be designated as Privacy Officer (RPRP)?

Any person with the necessary authority to exercise this function. By default, it's the person with the highest authority in the company (owner, CEO, president). You can also delegate to an employee, an external consultant, or even share the function among several people.

Can the Privacy Officer be external to the company?

Yes. The law allows delegating the function to a consultant or external service provider. However, the company remains responsible for compliance with the law — the external RPRP acts on its behalf.

Do I need to publish the full name of the Privacy Officer?

No. The law requires publishing the title and contact information to reach the RPRP. The name is not mandatory. You can simply indicate 'Person Responsible for the Protection of Personal Information' with an email or contact form.

Where must I publish the Privacy Officer's contact information?

On your website, in an easily accessible location. Most businesses add this information in their privacy policy, on the 'Contact Us' page, or in the website footer. If you don't have a website, use another appropriate means: in-store signage, client documentation, or service contracts.

What happens if I don't designate a Privacy Officer?

By default, the law treats the person with the highest authority in the company as holding this function. However, failing to publish contact information constitutes a breach of the law.

Do I need to notify the CAI of my designation?

No. Unlike some jurisdictions, Quebec does not require registration of the RPRP with the Commission d'accès à l'information (CAI). Publishing on your website is sufficient.

Next step

Once your Privacy Officer is designated and their contact information is published, move on to inventorying your processing activities. You must document what personal information you collect, why, and where it's stored.
