A Quebec building inspector handles more personal information than most realize. Requester contact details, exterior and interior photos of the building, vendor names in the Annex F declaration, observations about the state of an identifiable property. Since the full entry into force of Loi 25 (2023–2024), this data is governed by specific obligations — with significant penalties attached.
This guide covers what an inspector needs to understand to stay compliant, with references to the articles that apply.
Loi 25 in one minute
Loi 25 (official name: Act to modernize legislative provisions as regards the protection of personal information) was assented to in 2021. It modernizes two existing laws, including the Act respecting the protection of personal information in the private sector (P-39.1) — the one that applies to inspectors working independently or through a private firm.
Entry into force rolled out in three phases:
- September 22, 2022 — obligation to report confidentiality incidents; designation of a person in charge of personal-information protection
- September 22, 2023 — most of the obligations (consent, transparency, impact assessments for out-of-Quebec transfers, confidentiality policies, retention, the penalty framework)
- September 22, 2024 — right to data portability
The enforcement authority is the Commission d'accès à l'information du Québec (CAI).
What data is covered
The CAI defines personal information as any information that allows a physical person to be identified, directly or indirectly. For an inspector, that includes:
- Name, address, email, phone of the requester and seller
- Interior photos of the building where personal objects or elements are visible
- The address of the inspected building combined with other elements (date, owner)
- The inspection report as a whole, which contains all the above
Photos of generic structural elements (e.g. a foundation wall with no context) are less clearly personal — but a photo of the same home identifiable by its address in the file is personal by extension.
Concrete obligations for an inspector
1. Designate a person in charge
Since September 2022, any business collecting personal information must designate a person in charge of personal-information protection. For a solo inspector, that's usually the inspector themselves. The name and contact details must be accessible on request (website, service contract, or by written request).
2. Obtain valid consent
Consent must be manifest, free, informed, and given for specific purposes. For an inspector, this means the service contract should clearly state:
- The purposes for which information is collected (carrying out the inspection, writing the report, mandatory archiving under BNQ 3009-500 chapter 10)
- The means used to collect it (notes, photos, recordings)
- The third parties who may access it (where applicable)
- The requester's rights of access and rectification
- The possibility that data may be transferred out of Quebec (where applicable)
For interior photos, it's prudent to obtain explicit consent from the owner at the time of inspection, especially if the owner is not the requester.
3. Assess out-of-Quebec transfers
Since September 2023, before communicating personal information outside Quebec, a business must conduct a privacy impact assessment (EFVP). The assessment weighs the sensitivity of the information, the purpose of use, protective measures, and the legal regime of the receiving jurisdiction. The transfer is permitted only if protection is deemed adequate, and must be covered by a written agreement.
For an inspector, the key issue is cloud software. If your reports, photos, and files are stored on U.S. servers, you trigger the EFVP obligation. A platform hosted in Quebec (like Axiom³, in Montreal) simplifies this obligation.
4. Retain only as long as necessary
Personal information must be kept only as long as necessary for its purpose, then destroyed or anonymized. For an inspector, this obligation reads alongside chapter 10 of BNQ 3009-500, which requires keeping the inspection file without specifying a duration. Sector-specific obligations (BNQ, civil-law prescription for hidden-defect claims) provide a legal basis to keep files beyond the strict minimum of Loi 25.
In practice: define an internal retention policy (for example, 10 years after report delivery, covering civil-law prescription), and destroy files beyond that window.
5. Allow access and rectification
The requester has the right, under article 27 of P-39.1, to request communication of their personal information and a copy. Since September 2024, the communication must be provided in a structured, commonly-used technological format when reasonably possible (right to portability).
The requester can also ask for rectification of inaccurate information. For an inspector, that may mean correcting a factual error (misspelled name, incorrect address) — not an inspection finding, which is a professional opinion.
Penalties — why it matters
Loi 25 introduces a penalty framework that has drawn attention from Quebec businesses:
- Administrative monetary penalties (imposed by the CAI): up to $10 million or 2% of worldwide turnover, whichever is higher
- Penal fines (by court): $15,000 to $25 million or 4% of worldwide turnover, whichever is higher
For a solo inspector or small firm, the theoretical maximums are well beyond payment capacity — but the CAI has broad discretion to impose proportionate sanctions. A private right of action for punitive damages (minimum $1,000) also exists.
Loi 25 and Axiom³
Axiom³ was designed around this reality:
- Hosted in Montreal — data stays in Quebec. The EFVP obligation tied to out-of-Quebec transfer doesn't apply to the base architecture.
- At-rest encryption and access controls modeled on SOC 2 Type II principles
- Public privacy policy that describes collection purposes, retention, and user rights
- Client portal for electronic delivery with time-stamped consent — aligned with BNQ 3009-500 article 9.1 and the Act to establish a legal framework for information technology
Try Axiom³ for free — 10 inspections, no credit card.
Common questions
Do I have to declare all my clients to the CAI?
No. Loi 25 does not require maintaining a public registry of clients. It requires protecting their information and applying the rules on collection, retention, consent, and access.
If my inspection software stores photos in the U.S., am I compliant?
Not automatically. You must have conducted an EFVP, informed the requester of the possibility of transfer, and concluded a written agreement with the vendor covering protection. Hosting in Quebec avoids this complexity.
How long do I have to keep an inspection file?
Loi 25 says "only as long as necessary." BNQ 3009-500 chapter 10 requires keeping the file without specifying a duration. In practice, most inspectors keep files 10 years or more to cover civil-law prescription on hidden-defect claims. Consult your insurer and lawyer for the duration adapted to your situation.
Can my client request their complete inspection file?
Yes, under article 27 of P-39.1. You must provide the personal information about them within a reasonable timeline. Technical sections or professional opinions can stay in your usual format, but factual information must be accessible.
Sources & references
- Loi 25 — Official text: CanLII
- Act respecting the protection of personal information in the private sector (P-39.1): LégisQuébec
- CAI — Key Loi 25 changes: cai.gouv.qc.ca
- CAI — Sanctions: cai.gouv.qc.ca
- CAI — EFVP guide: cai.gouv.qc.ca
- BNQ 3009-500 standard (chapter 10, file retention): bnq.qc.ca
Last verified: April 22, 2026. Penalty thresholds and EFVP obligations are those in force at publication; check the CAI's site for current figures.