Act 25 and your condo board: your obligations and how Kohabit protects you
Since September 22, 2023, Act 25 applies to every business and legal entity in Quebec, including your condo association. New obligations on personal information protection are now binding. Here is a clear guide to understand your responsibilities and keep your board safe.
Join early accessData hosted in Canada, compliant by design.
What is Act 25?
Act 25 (officially the Act to modernize legislative provisions as regards the protection of personal information) was adopted in September 2021 and came fully into force on September 22, 2023. It modernizes Quebec's privacy framework, which had been governed by a 1994 law.
Its goal is to give Quebec citizens real control over their personal information and to impose on organizations holding it obligations comparable to the European GDPR.
Act 25 applies to every business and legal entity operating in Quebec, regardless of size. This explicitly includes divided co-ownership condo associations, which are legal entities under the Quebec Civil Code.
Why your condo board is concerned
Many boards believe Act 25 only targets "large companies". This is wrong. A condo association handles personal information on a daily basis under the meaning of the law.
Identification data
Name, address, email, phone, date of birth of every co-owner and registered tenant.
Financial data
Share in milliemes, account balances, payment schedules, arrears, sometimes banking details.
Private-life data
Household composition, pets, vehicles, emergency contacts, maintenance requests revealing the unit's interior.
Written communications
Emails, complaints, nominative votes, noise reports. These exchanges often contain sensitive data.
The 6 key obligations for your board
1. Appoint a Personal Information Protection Officer (PIPO)
By default, the highest authority in the board, usually the president. Their contact info must be published and accessible to co-owners.
2. Maintain a clear and accessible privacy policy
The board must be able to tell any co-owner what data is collected, why, who can access it, where it is stored and for how long. In plain language.
3. Keep a confidentiality incident register
Stolen binder, leaked email, unauthorized access to the co-owner list: each incident must be logged. If it presents a risk of serious harm, the CAI and affected persons must be notified without delay.
4. Conduct a Privacy Impact Assessment (PIA) before any new IT project
Mandatory when adopting or changing a system handling personal information. Adopting Kohabit triggers this obligation, but we provide the compliance file to make it straightforward.
5. Frame any cross-border data transfer
If you use a tool hosted outside Quebec (USA, Europe), a comparative analysis of the foreign legal regime is required. The simplest solution: choose a Canada-hosted tool like Kohabit.
6. Honor the new co-owner rights
Right of access, rectification, portability, dereferencing, cessation of dissemination. The board must respond within 30 days.
Canadian hosting: why it changes everything
A tool hosted in the United States, even by a reputable vendor, exposes your data to the US CLOUD Act. This statute allows US authorities to compel access to your data even if it sits on Canadian servers, as long as the operator is a US company.
US tools (Buildium, Yardi, DoorLoop)
- Data potentially reachable under CLOUD Act
- Comparative analysis required to stay compliant
- Act 25 compliance must be rebuilt per board
- More complex and risky PIA
Kohabit, hosted in Canada
- Data fully stored in Canada
- No comparative analysis needed
- Act 25 compliance file provided by default
- Simplified PIA, ready-to-sign template
How Kohabit makes you compliant
Kohabit was built in Quebec, for Quebec, integrating Act 25 from the very first line of code. Here is how each obligation is covered with no effort on your side.
End-to-end encryption
All data encrypted in transit (TLS 1.3) and at rest. Backups are also encrypted.
Certified Canadian hosting
Data stored in Canadian data centers, exclusively subject to Canadian and Quebec law.
Complete audit log
Every access, modification and document view is logged. You can prove who did what in case of an incident.
Granular permissions
Each user sees only what concerns them. A co-owner does not see others' financial data.
Built-in portability right
Each co-owner can download their personal data in one click, in an open exportable format.
Deletion on request
A co-owner can request account deletion. The process is automated and logged.
Ready-to-use incident registry
Kohabit provides a CAI-compliant incident registry template, integrated in your board's admin.
PIA file included
A compliance file ready to integrate in your Privacy Impact Assessment is provided.
Kohabit vs US tools when it comes to Act 25
Popular US tools (Buildium, Yardi Breeze, DoorLoop, AppFolio) are technically solid, but they were not built for Act 25 nor for Quebec condos. Factual comparison below.
| Act 25 criterion | Kohabit | Buildium / Yardi / DoorLoop |
|---|---|---|
| Hosted in Canada | Yes, guaranteed | No, US operator under CLOUD Act |
| Comparative analysis required | No | Yes, per board |
| Quebec French UI | Yes, primary language | Partial or absent |
| Act 16 maintenance log | Built-in module | Missing |
| Voting weighted by milliemes | Native | No, not built for divided co-ownership |
| Act 25 compliance file | Provided by default | Build your own |
| French support in Quebec | Yes, Montreal-based team | Limited, time zone and language are blockers |
The new co-owner rights
Act 25 grants co-owners (and registered tenants) new rights enforceable against the board, with a 30-day response deadline.
Right of access
Obtain a complete copy of their information held by the board, in an understandable format.
Right to rectification
Require correction of inaccurate, incomplete or outdated information.
Right to portability
Receive their data in a structured, reusable, exportable technological format.
Right to dereferencing
Require that certain information no longer be accessible through public search engines.
Right to cessation of dissemination
Have information withdrawn when its diffusion causes harm (e.g. on an internal site).
Right to prior information
Know, at collection time, what the data will be used for and who will access it.
Sanctions for non-compliance
Act 25 introduces a sanction regime unprecedented in Quebec privacy law. The amounts are deliberately high to produce a deterrent effect.
Administrative sanctions
Up to CA$10 million or 2% of worldwide turnover.
Criminal sanctions
Up to CA$25 million or 4% of worldwide turnover.
Civil remedies
Affected individuals may sue for damages, class actions are possible.
Frequently asked questions
Official sources
Compliant by design, from day one
Skip the comparative analyses, the complex PIAs and the CLOUD Act concerns. Kohabit is built for Act 25 from the start.
Join early accessNo credit card required. Hosted in Canada. Cancel anytime.