Law 25 Guide

Individual rights

The six rights every Quebec individual can exercise — access, rectification, de-indexing, portability, withdrawal of consent and information about automated decisions. Deadlines, motivated refusals, remedies.

Updated April 20, 2026. 6 min read. Written by Pascal Dupuis. Tags: rights, access, rectification, portability, s. 27-32, CAI

Law 25 enshrines six individual rights that every enterprise must be able to honour within 30 days (s. 32 PPIPSA). This chapter explains each right, the response procedure, and what to prepare before you receive a first request.

The six rights

Right                                       Source          In force since
Access                                      s. 27           always (before Law 25)
Rectification                               s. 28, 53       always
Withdrawal of consent                       s. 8.3          Sept. 2023
De-indexing / cessation of dissemination    s. 28.1         Sept. 2023
Information about automated decisions       s. 12.1         Sept. 2023
Portability                                 s. 27 para. 2   Sept. 2024

1. Right of access (s. 27)

Every person has the right to obtain confirmation that the enterprise holds personal information about them, a copy of that information and information about its source, use and communication.

What must be provided

  • The raw content of the information (customer file, invoices, emails, CRM fields, access logs where they concern the person).
  • The categories of third parties to whom the information has been communicated.
  • The retention periods applied.
  • The purpose for which each piece of information is held.

What can be refused

  • Information covered by professional secrecy (lawyer–client, doctor–patient).
  • Information that would reveal personal information about another person (absent that third party's consent).
  • Information protected by an ongoing criminal or disciplinary investigation.

Any refusal must be in writing and motivated (s. 34), with mention of the right to apply to the CAI (s. 40).

2. Right of rectification (s. 28)

The person can ask for correction of information that is inaccurate, incomplete or equivocal. The enterprise must:

  • Correct the information.
  • Communicate the correction to the third parties to whom the erroneous information was transmitted in the last 6 months, on request.
  • Refuse only if the rectification is manifestly unfounded (e.g. the information is correct).

Special case: observations

Some information consists of professional observations (performance review, case note, medical diagnosis). The person cannot demand a change to their content, but can require an annotation expressing disagreement.

3. Right to withdraw consent (s. 8.3)

See the Consent chapter for detail. In brief:

  • Withdrawal at any time, with prospective effect.
  • Simple and free withdrawal mechanism (link, form, dedicated email).
  • Consequences of withdrawal communicated (e.g. "your account can no longer be used").

4. Right to de-indexing / cessation of dissemination (s. 28.1)

Since September 2023, a person can require:

  • Cessation of dissemination of personal information (e.g. remove a blog article naming them).
  • De-indexing of their information (removal of a search result), or its re-indexing under the search terms they specify.

Conditions:

  • Dissemination causes serious harm to the person.
  • That harm is manifestly greater than the public interest in the information.
  • Less restrictive means would not suffice.

In practice for an SMB

This right chiefly concerns:

  • Forums, review sites, photo galleries, former-employee lists, blog articles.
  • Internal search engines that index customer content.
  • Public directories and catalogues.

If your website still displays the name of a former employee, a churned customer or a person mentioned in an old press release, you have the obligation to assess any de-indexing request against the test above.

5. Right to information about automated decisions (s. 12.1)

Since September 2023, when a decision that produces a legal effect or significantly affects the person is made exclusively by automated processing, the enterprise must:

  • Inform the person that such a decision has been made automatically.
  • On request, provide the personal information used, the main reasons and the factors that led to the decision.
  • Offer the person the opportunity to correct the information used.

Typical examples:

  • Automated decision to grant or deny credit.
  • Automated scoring of a candidate by an AI-powered ATS.
  • Automated fraud detection that blocks an account.

A mere AI recommendation followed by a human decision is not a "decision based exclusively on automated processing." But watch out for processes where the human decision amounts to rubber-stamping the machine's result — the CAI may treat those as de facto automated decisions.

6. Right to portability (s. 27 para. 2 — in force since September 22, 2024)

The person has the right to obtain their computerized personal information in a structured and commonly used technological format, or to request its direct transmission to another data controller.

What it covers

  • Information the person has provided (e.g. name, profile, order history).
  • Information generated by their use of the service (e.g. preferences, carts, messages).
  • Not covered: observations, analyses, scoring produced by the enterprise.

Acceptable formats

  • JSON, CSV, XML, Excel.
  • PDF only if it is the sole original format.

The CAI has imposed no mandatory standard; the test is whether the format is "commonly used", meaning reusable by a comparable service provider.

The response procedure (s. 32)

The deadline: 30 days

  • The clock starts at receipt of the request (not at its routing to the internal privacy officer).
  • An extension can be granted for complex requests, provided the person is notified before the 30 days expire.

The steps

  1. Receipt: the request can arrive by email, letter, phone or form. Timestamp it immediately.
  2. Identification: verify the requester is who they claim to be (no impersonation). Proof level proportionate to data sensitivity.
  3. Search: exhaustive, including archives, backups, contact databases, third-party systems.
  4. Analysis: what portion is accessible, what portion must be redacted (third-party secrecy, investigation secrecy).
  5. Response: in writing, motivated, in the language of the request. If the response is a partial or total refusal, it must mention the right of recourse.
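As an added example (not part of this guide or of Hilo Tech's tooling), the following Python sketches a request register that applies the 30-day clock and the extension rule from the procedure above, plus a portability export that keeps only the provided and usage-generated fields described in section 6. Field names, data categories and dates are constructed; treating a validly notified extension as excusing a response after day 30 is a simplifying assumption.

```python
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RESPONSE_DAYS = 30  # s. 32 PPIPSA: respond within 30 days of receipt


def _d(iso: Optional[str]) -> Optional[date]:
    """Parse an ISO date string ('2024-10-01') or return None."""
    return date.fromisoformat(iso) if iso else None


@dataclass
class Request:
    """One register entry: date received, nature, extension, response, decision (ISO dates)."""
    received: str                              # clock starts at receipt, not at routing to the officer
    nature: str                                # "access", "rectification", "portability", ...
    extension_notified: Optional[str] = None   # date the person was told the deadline is extended
    responded: Optional[str] = None
    decision: str = ""                         # "granted", "partial refusal", "refused"

    def deadline(self) -> str:
        return (_d(self.received) + timedelta(days=RESPONSE_DAYS)).isoformat()

    def extension_valid(self) -> bool:
        # An extension only counts if the person was notified before the 30 days expired.
        ext = _d(self.extension_notified)
        return ext is not None and ext <= _d(self.deadline())

    def status(self, today: str) -> str:
        deadline, now = _d(self.deadline()), _d(today)
        if self.responded:
            # Assumption: a validly notified extension excuses a response after day 30.
            on_time = _d(self.responded) <= deadline or self.extension_valid()
            return "closed on time" if on_time else "closed late"
        if now <= deadline:
            return f"open ({(deadline - now).days} days left)"
        return "open, extended" if self.extension_valid() else "OVERDUE"


# Portability (s. 27 para. 2): data the person provided or that their use generated is
# exportable; observations, analyses and scoring produced by the enterprise are not.
PORTABLE = {"provided", "generated"}


def portability_export(record: dict, categories: dict) -> str:
    """JSON export (a commonly used format) of the portable fields only."""
    portable = {k: v for k, v in record.items() if categories.get(k) in PORTABLE}
    return json.dumps(portable, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample entry, not a real request.
    r = Request("2024-10-01", "access", extension_notified="2024-10-25")
    print(r.deadline(), r.status("2024-11-05"))
```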

The CAI recourse (s. 40)

If the person is dissatisfied (refusal, silence, incomplete response), they can file a complaint with the CAI. The Commission can investigate, order correction and impose an administrative sanction.

Our role on the IT side

At Hilo Tech, we configure the tools that allow the client's privacy officer to find information quickly across Microsoft 365, SharePoint, OneDrive, CRMs, backups and third-party systems. We do not draft the response or decide what is redacted — that's the privacy officer's role, validated by the lawyer.

Quick checklist

  • A dedicated email (e.g. privacy@) receives requests and an employee checks the mailbox at least once a day.
  • We have a response template for access requests, validated by our lawyer.
  • A register of requests is maintained (date received, nature, response time, decision).
  • We know where to look — inventory of systems containing personal information.
  • We have a proportionate identity-verification process.
  • An extension plan is ready for complex requests.
  • The refusal template explicitly mentions the right of recourse to the CAI.

Common mistakes

  • Responding past 30 days without written extension. — Outright breach, ground for complaint.
  • Demanding too much identity proof. — Asking for a certified cheque to prove identity when the person has an active account is disproportionate. The CAI has sanctioned similar cases.
  • Forgetting backups. — An employee removed from the CRM may still live in a 7-year Veeam backup. Access must include that data, even if that is inconvenient.
  • Charging for access requests. — In principle free. Fees are permitted only for transcription, reproduction or transmission (s. 33), and must be moderate.

Open questions

  • What level of identity proof for which data category?
  • Can we refuse an abusive request (very many, repetitive, manifestly vexatious)?
  • What clauses should we include in vendor contracts (Microsoft, SaaS) to ensure they return data we need for access requests within our deadline?
  • How do we handle requests that come through a representative (lawyer, family member, guardian)?