A European client, a cross-border matter, a foreign-based processor: any one of these can expose a Quebec firm to GDPR — even if it practises only in Quebec.
The General Data Protection Regulation (GDPR) is a European regulation. A Quebec firm may be subject to it whenever its activity touches the European Union.
Common exposure scenarios
- Clients residing in the EU or UK.
- Matters involving European parties, assets or jurisdictional decisions.
- Marketing or data collection via a website accessible to European residents.
- European processors handling the firm's information.
If any of these apply, a GDPR analysis is required — not a simple claim of exclusion.
Coexistence with Bill 25
Bill 25 applies to personal information held in Quebec. GDPR may apply in parallel for the same individuals when extraterritorial criteria are met.
« GDPR extraterritoriality means the firm's location alone does not exclude it. »
Both frameworks require transparency, purpose limitation and security — but mechanisms differ.
Relevant GDPR obligations for a firm
- Legal basis for processing (consent, contract, legal obligation, legitimate interest).
- Right of access, rectification, erasure and portability.
- Breach notification within 72 hours to the competent authority.
- Processor agreements (European Commission standard clauses).
Each GDPR obligation must be documented — not just known to the responsible partner.
Preliminary assessment
Before assuming GDPR does not apply, identify your clients, cross-border matters and digital tools. The CAI reminds that transferring information outside Quebec must also comply with Bill 25 — both analyses complement each other.
Ignoring one framework leaves a blind spot in your compliance.