Bill 25 and GDPR: How Codally Ensures International Data Compliance
At Codally, innovation comes with responsibility: protecting the personal data of our users, clients and partners worldwide.
With the entry into force of Bill 25 in Quebec and the General Data Protection Regulation (GDPR) in Europe, we have implemented strict governance to ensure complete international compliance, without compromising the performance of our artificial intelligence solutions.
1. A 'Privacy by Design' and 'Privacy by Default' Approach
From the design phase of our software, privacy is integrated into every technical decision. Our AI solutions are designed to:
- Reduce data collection to the strict minimum (principle of minimization);
- Use anonymization and pseudonymization of AI training data;
- Ensure traceability of processing for every piece of data collected;
- Offer each user control over their data (access, rectification, deletion).
This approach meets both the requirements of Bill 25 and the key articles of the GDPR (notably Articles 5, 6 and 25 on lawfulness, transparency and protection by design).
2. Secure Hosting and Territorial Compliance
All data processed by Codally is hosted on certified servers compliant with local and international standards:
- In Canada: data centers in Montreal and Toronto compliant with Bill 25;
- In Europe: possible hosting in Frankfurt or Paris, respecting GDPR and European Cloud Act requirements.
We use advanced encryption protocols (TLS 1.3, AES-256) and conduct regular security audits to ensure the confidentiality and integrity of information.
3. Transparency and Informed Consent
We make it a point of honor to inform our users:
- Of the purposes of data collection;
- Of the retention period and access rights;
- Of any transfers outside Canadian or European territory, accompanied by necessary guarantees (standard contractual clauses, legal framework).
Users can consult, correct or delete their data at any time via our dedicated portals, in accordance with Bill 25 (Articles 3.1 and 3.2) and GDPR (Articles 12 to 22).
4. Governance and Accountability
Codally has appointed a Personal Information Protection Officer (PIPO) and a Data Protection Officer (DPO) for international projects. Their mission:
- Monitor compliance of all projects in America and Europe;
- Train teams in best practices for data protection;
- Ensure proactive management of incidents and access requests;
- Maintain a complete register of processing activities (in accordance with Article 30 of GDPR).
5. Ethics and Responsible AI
Our commitment goes beyond mere legal compliance. We believe in ethical, inclusive and transparent AI. Each model developed by Codally undergoes internal verification:
- Analysis of potential biases and reduction of discrimination;
- Documentation of algorithmic decisions;
- Human validation of critical cases to ensure responsible use of AI.
✅ Conclusion
Compliance with Bill 25 and GDPR is not just a legal obligation: it is a fundamental value that reflects the trust we place in the relationship with our clients. At Codally, data protection and AI ethics are an integral part of our technological DNA.
