This chapter gathers starting points you can copy and adapt for your SMB. All these templates must be reviewed by a lawyer before publication or signing: they are faithful to Law 25 as it exists at the time of writing this guide, but every business context, every sector and every residual risk requires specific validation.
Hilo Tech does not draft these documents in the lawyer's place — our role is to integrate them technically (publish on your site, send, log) once they are validated.
1. Privacy-policy skeleton
Your privacy policy is the public document that explains, in plain language, what you do with personal information. It must be accessible from every page of your site (typically in the footer).
# Privacy Policy
**Last updated: [YYYY-MM-DD]**
## 1. Introduction
[Company name] respects your privacy and is committed to protecting the personal
information you entrust to us. This policy describes how we collect, use, communicate
and retain that information, in accordance with the Act respecting the protection of
personal information in the private sector (CQLR c. P-39.1).
## 2. Responsible enterprise and privacy officer
[Company name] is responsible for the protection of the personal information it holds.
As required by Law 25, you can reach the person in charge of the protection of personal
information (our privacy officer) at:
- Name: [Person name]
- Email: privacy@[domain]
- Phone: [number]
- Address: [postal address]
## 3. Information we collect
We collect the following categories of information:
- [Identification: first name, last name, email, phone]
- [Contractual: purchase history, invoices, correspondence]
- [Technical: IP address, device type, pages visited]
- [HR (if employees): resume, contact details, reviews, payroll]
- [Sensitive (if applicable): health, biometrics — with express consent]
## 4. Purposes
We use your information to:
- [Provide the requested product/service]
- [Process payments and billing]
- [Communicate with you about your account or orders]
- [Meet our legal obligations (tax, accounting)]
- [With your consent, send you marketing communications]
## 5. Legal basis
Collection and use rest on:
- Your consent (subject to legal exceptions);
- Performance of a contract with you;
- Compliance with legal obligations;
- [Other — to be validated with your lawyer].
## 6. Disclosure to third parties
We may share your information with:
- Our IT vendors (e.g. [host, CRM, payment]) — under contract and for the purposes described;
- Public authorities when required by law;
- [Other third parties, with your prior consent].
## 7. Transfers outside Quebec
[If applicable] Some of our vendors host or access your information outside Quebec.
We have conducted a privacy impact assessment (PIA) that concludes the information
receives adequate protection in those jurisdictions. Countries involved: [list].
## 8. Retention
We retain your information for as long as necessary for the purposes described
and for statutory limitation periods:
- [Customer data: duration of relationship + X years]
- [HR data: duration of employment + X years]
- [Accounting data: 6 years (tax requirement)]
## 9. Your rights
You have the following rights: access, rectification, withdrawal of consent,
de-indexing, portability, information about any automated decision concerning you.
To exercise these rights, write to privacy@[domain]. We will respond within 30 days.
## 10. Cookies
[If website] Our site uses cookies for [purposes]. You can manage your preferences
via the consent banner or your browser settings.
## 11. Security
We implement technical measures (encryption, access controls, logging) and
organizational measures (training, procedures) to protect your information.
No system is foolproof; if a confidentiality incident presents a risk of serious
harm, we will notify you as soon as possible.
## 12. Complaints
If you are dissatisfied with our response, you can file a complaint with the
Commission d'accès à l'information du Québec:
https://www.cai.gouv.qc.ca/
## 13. Changes
We may update this policy. The last-updated date appears at the top. Significant
changes will be communicated to you via a visible notice.
2. Express-consent clause for sensitive information
This clause fits into an intake form or a contract. To be adapted by your lawyer for the context.
EXPRESS CONSENT TO THE COLLECTION OF SENSITIVE INFORMATION
I consent to [Company name] collecting, using and retaining the following sensitive
personal information about me:
[ ] Health information (diagnoses, history, test results)
[ ] Detailed financial information (card number, bank accounts)
[ ] Biometric information (fingerprints, facial recognition)
[ ] Other: _______________________
This consent is given for the following purposes:
_______________________________________________________
This information will be retained for: ________________
I can withdraw this consent at any time by writing to privacy@[domain].
I understand that some services may no longer be available to me after withdrawal.
Signature: _____________________ Date: _____________________
3. Notice to affected persons (incident template)
To send when a confidentiality incident presents a risk of serious harm. Email, letter or combination depending on scale.
SUBJECT: Notice of confidentiality incident concerning your personal information
[Date]
[Person name]
Dear [Name],
We are writing to inform you that a confidentiality incident occurred on
[date or period] and has affected some of your personal information that we hold.
**Nature of the incident**
[Factual, clear description without technical jargon. E.g. "A laptop containing your
file was stolen on X. A police report has been filed."]
**Information affected**
[Precise list: name, address, file number, date of birth, etc.]
**What we have done**
- [Immediate measures taken]
- [Notification to the Commission d'accès à l'information]
- [Ongoing corrective measures]
**What you can do**
- [Change your passwords if credentials are involved]
- [Monitor your credit report (Equifax, TransUnion)]
- [Report any suspicious activity to your financial institutions]
**We are available**
For any question, please contact our privacy officer:
- Email: privacy@[domain]
- Phone: [number]
We are sincerely sorry for this incident and for the inconvenience it may cause you.
[Signature]
[Name and title]
[Company name]
4. Internal incident-management procedure (structure)
Keep in the procedure manual, accessible to all key employees. Short version: 2 pages.
CONFIDENTIALITY INCIDENT MANAGEMENT PROCEDURE
## 1. Definition
A confidentiality incident is any access to, use or communication of personal
information that is not authorized by law, the loss of such information, or any
other breach of its protection.
## 2. Detection and reporting
Any employee who suspects an incident must report it IMMEDIATELY to:
- Privacy officer: [name, email, 24/7 phone]
- In case of absence: [backup name]
- IT team (Hilo Tech): [emergency line]
## 3. Containment (0-2 h)
- Isolate affected systems.
- Revoke compromised access.
- Preserve traces (logs).
- Do NOT attempt to "fix" without preservation.
## 4. Assessment (2-24 h)
- Crisis team meeting: privacy officer, leadership, IT, lawyer.
- Fact gathering: what, when, who, how many people, what sensitivity.
- Risk-of-serious-harm assessment (three factors: sensitivity, consequences,
likelihood of malicious use).
## 5. Decisions (24-72 h)
- Notify the CAI? (Yes if risk of serious harm)
- Notify affected persons? (Same criterion)
- Involve police? (Physical theft, ransomware, threat)
- Cyber insurance to contact?
## 6. Notifications (72 h +)
The hour counts in this procedure are internal targets: Law 25 requires notification
promptly once a risk of serious harm is established, without a fixed statutory clock.
- CAI: online form (cai.gouv.qc.ca).
- Persons: email or letter (template in Annex A).
- Entry in the incident register (every incident is recorded, notified or not).
## 7. Recovery
- Systems restoration.
- Controls strengthening.
- Targeted team training.
## 8. Post-mortem
- Lessons learned, documented.
- Procedure update if needed.
- Report to leadership within 30 days.
5. Incident register (Excel or table structure)
Minimum columns:
- Identification: ID, discovery date, incident date, description.
- Scope: PI categories, number of persons, sensitivity.
- Assessment and notification: risk of serious harm, CAI notification, persons notification.
- Follow-up: measures taken, preventive measures, file owner, status, closing date.
The register must be append-only: nothing is ever deleted, and every addition or update is traceable (who changed what, and when). Law 25 requires every confidentiality incident to be recorded, not only those that are notified, and the entry must be kept for at least five years after the enterprise became aware of the incident. A protected Excel workbook, a dedicated GRC tool or a HaloPSA/ServiceNow table with change history does the job.
6. PIA template (5 pages)
See the Transfers outside Quebec chapter for detail. Condensed structure:
- Processing description — service, vendor, data, volume, duration.
- Purpose — why, alternatives evaluated.
- Sensitivity — ordinary/sensitive, justification.
- Data flow — simple diagram.
- Recipient legal regime — country, law, authority, remedies.
- Technical measures — encryption, MFA, isolation, logs.
- Contractual measures — DPA, added clauses.
- Residual risks — what remains, likelihood, impact.
- Decision — authorized / authorized with conditions / refused.
- Review — date of next review (annual).
Hilo Tech can provide the full Word template to its clients on request — validated with the client's lawyer before reuse.
Terms of use for these templates
- The templates are provided for information. They do not constitute legal advice.
- They reflect Law 25 as in force on April 20, 2026. Any subsequent change in the Act or CAI case law requires an update.
- Each template must be adapted to your sector, size, systems and specific risks.
- Validation by a lawyer is strongly recommended before publication or signing.
To obtain the source files (Word, Excel) or support on the technical integration, email info@hilotech.ca.
Question about this guide?
Pascal and Jérémie can answer directly by email or during a discovery call.