Date published: 01/07/2024
Protection of personal information in divided co-ownership
Cohabiting with others in a building in divided co-ownership implies the right to respect for the private life. This right is guaranteed by article 3 of the Civil Code of Québec and the Charter of Human Rights and Freedoms. Its informational dimension is legally protected by the Act respecting the protection of personal information in the private sector (ARPPIPS). With the assent of Bill 64 on September 22, 2022, new rules for the use and dissemination of personal information have subject (and will subject) the world of co-ownership since September 22, 2022, while other rules will come into force in September 2023 and 2024.
Purpose of the Act
The purpose of the ARPPIPS is to establish, for the exercise of the rights conferred by articles 35 to 40 of the Civil Code of Quebec with respect to the protection of personal information, specific rules with respect to personal information about others that a person collects, holds, uses or communicates to third parties in the course of carrying on an enterprise within the meaning of article 1525 of the Civil code of Quebec. In the present case, any syndicate of co-owners must be regarded as an undertaking, in that it provides, inter alia, services and administers the common portions. These new rules complement those set out in the Civil Code on the protection of personal information, by granting natural persons a right of access to personal information concerning them and by making the actors processing this data responsible. The purpose of the ARPPIPS is thus to establish, for the exercise of the rights conferred by articles 35 to 40 of the Civil Code of Quebec, specific rules with respect to personal information about others that a person collects, holds, uses or communicates to third parties in the course of carrying on an enterprise within the meaning of article 1525 of the Civil Code of Quebec. They apply to all persons operating a business holding and processing personal data. This includes syndicates of co-owners, which must be considered as a business, in that they provide, inter alia, services and administer the common portions. The representatives of these enterprises (which includes directors and condo managers of syndicates of co-owners) must therefore be aware of these rules and respect them.
Obtaining and Processing Personal Information
Every syndicate of co-owners must establish a register including an up-to-date list of all co-owners. In that regard, the first paragraph of the article 1070 Civil Code of Quebec states as follows:
" Among the registers of the co-ownership, the syndicate keeps at the disposal of the co-owners a register containing the name and mailing address of each co-owner; the register may also contain other personal information concerning a co-owner or another occupant of the immovable if he expressly consents to it. In addition, the register contains the minutes of the meetings of the co-owners and of the board of directors, the resolutions in writing, the by-laws of the immovable and any amendments to them, and the financial statements. »
The directors and managers therefore have access to the personal information of the co-owners and other occupants of the building. This is the case, especially for the accounting and financial data of the co-owners (e.g. bank account and folio number), the registration number of a lessee's vehicle and images collected by surveillance cameras. This information may not be communicated to third parties. In this regard, article 1068.2 of the Code civil of Quebec recalls that documents or information concerning the immovable and the syndicate that must be communicated by the syndicate to a promising purchaser must not have the effect of affecting anyone's privacy. This rule of confidentiality relating to personal information also emerges from the privacy protection principles recognized in section 5 of the Charter of Human Rights and Freedoms and sections 35 and 36 of the Civil Code of Quebec. In addition, article 37 of the Civil Code of Quebec, which deals with the confidentiality of personal information, provides as follows:
" Every person who establishes a file on another person shall have a serious and legitimate reason for doing so. He may gather only information which is relevant to the stated objective of the file, and may not, without the consent of the person concerned or authorization by law, communicate such information to third persons or use it for purposes that are inconsistent with the purposes for which the file was established. In addition, he may not, when establishing or using the file, otherwise invade the privacy or injure the reputation of the person concerned. »
The confidentiality rule seeks to limit the invasion of privacy. It thus prohibits the obtaining or use by a syndicate of co-owners of personal information (e.g. the social insurance number of a co-owner) for purposes other than the safeguarding of the rights relating to the immovable or co-ownership, as well as all transactions of common interest. In addition, the use of information and documents obtained by the syndicate for purposes other than those of the co-ownership may amount to a breach of good faith codified in articles 6 and 7 of the Civil code of Quebec and engage the personal liability of the directors or manager.
Privacy Policy and Website
Syndicates of co-owners are responsible for the personal information they process in the course of their activities and operations, even when this information is managed or retained by a third party (for example, a co-ownership manager).
Thus, since September 22, 2023, they must adopt rules on the subject and a protocol for the communication of personal information. The policies to be put in place must include a framework for the retention and destruction of information, the roles and responsibilities of its staff (if any) throughout the life cycle of the information, and a process for handling complaints. Such policies should also be created for board members and, where applicable, the condo manager.
The person "with the highest authority" within a company must ensure compliance with and implementation of the PSPA and unless he or she has delegated this function. Thus, since September 22, 2022, syndicates of co-owners must designate, following a resolution of the board of directors, a person responsible for the protection of personal information (responsible person) and publish the title and contact information of the person in charge on the co-ownership's website. To the extent that the co-ownership does not have a site, the contact details must be made accessible by any other appropriate means. It is important that the responsible person so designated by the board of directors be aware of his or her role and responsibilities, and the resolution should describe them.
Privacy Incident
As of September 22, 2022, in the event of a confidentiality incident involving personal information, the head must take reasonable measures to reduce the risk of harm to the individuals concerned, as well as prevent future incidents of the same nature from occurring. It should be recalled that the notion of confidentiality incident is defined by art. 3.6 of ARPPIPS as access to or use, disclosure or loss of personal information. For example, the erroneous transmission of banking information from one co-owner to another co-owner would constitute a confidentiality incident.
After assessing the consequences, the person responsible must notify the Commission d'accès à l'information du Québec and the person concerned if the incident presents a risk of serious harm. This assessment must take into account the sensitivity of the information, the anticipated consequences of its use, and the likelihood that it will be used for harmful purposes. This could be the case if, for example, the compromised information is likely to be used to commit fraud or identity theft. In this regard, the syndicate of co-owners must keep a register of incidents and keep certain information on the incident for a period of 5 years. Moreover, a copy of the register must be sent to the Commission at its request. It has several order-making powers in relation to confidentiality incidents. In particular, it may order any person to apply the measures deemed appropriate in order to protect the rights of the persons concerned.
Disclosure of Personal Information to a Service Provider
As of September 22, 2023, syndicates of co-owners that entrust a mandate involving the processing of personal information to a third party must do so in writing. For example, a syndicate of co-owners that transmits personal information of co-owners to a co-ownership condo manager will be subject to this obligation. The same applies if the syndicate uses the services of an IT service provider to host a database containing information on co-owners.
The contract with the service provider must provide, at a minimum, for the following: (i) the measures to be taken by the service provider to ensure the confidentiality of the personal information communicated, (ii) the provider may use the information only in the exercise of its mandate, (iiI) the provider may not retain the data after the expiry of the contract, (iv) the claimant shall promptly notify the trade union's Privacy Officer of any breach or attempted breach by any person of the obligations relating to the confidentiality of the information disclosed, (v) the union may conduct any verification of such confidentiality.
Data destruction
Syndicates of co-owners have an obligation to destroy personal information when the purposes for which it was collected or used are fulfilled, subject to the retention periods provided for by law. Thus, the financial data of a former co-owner must be destroyed after the sale of his fraction of co-ownership.
Sanctions
The ARPPIPS provides for administrative penal sanctions (which may be imposed by the Commission) and penal provisions applicable for contraventions of the Act, including fines. This is the case, in particular, where there is a failure to report a confidentiality incident to the Commission or to the persons concerned, even though it would have been required to do so. For legal persons (such as syndicates of co-owners), the maximum criminal administrative penalties are $10,000,000 and the maximum criminal fines are $25,000,000..
WHAT YOU SHOULD KNOW ! The policies and practices governing its governance with respect to personal information must be proportionate to the nature and extent of the activities of the syndicate of co-owners and be approved by the person responsible for the protection of personal information.
WHAT TO KEEP IN MIND : The person who collects personal information for the syndicate of co-owners from a co-owner, occupant or tenant must, at the time of collection and thereafter upon request, inform the syndicate of the purposes for which the information is collected, the means by which the information is collected, the rights of access and rectification provided by law, their right to withdraw consent to the disclosure or use of the information collected.
WARNING ! ARPPIPS grants rights to an individual to whom personal information relates, including the right to obtain access to and request correction of his or her personal information.
Back to the factsheets