
A reminder about GDPR


28 January was Data Protection Day. It is an opportunity to look back on GDPR, the European Data Protection Regulation. The regulation has been in force for more than 4 years and has become part of our daily life. But do you really know what it covers?

GDPR stands for General Data Protection Regulation. This European regulation entered into force on 25 May 2018 and applies identically in all European Union Member States. One of its main goals is to give citizens more rights over how their data is used.

On this Data Protection Day, it is worth remembering that GDPR gives you control over your personal data. Feel free to use this prerogative.

What is personal data?

Personal data is any information that directly or indirectly identifies a natural person. Direct identification covers, for example, a surname, a first name or a named email address. Indirect identification covers, for example, a telephone number, a bank account or credit card number, an IP address, a licence plate, a photo, etc.

GDPR covers all processing related to this data. This means collecting, recording, distributing, making available, consulting, sorting, and even deleting and destroying data. It is also important to remember that we are not just talking about IT processes. All types of media are concerned, including paper.

The principle of lawfulness

As a reminder, the data controller is responsible for determining a legal basis before any processing operation. In practice, when a single data processing operation has several purposes, a legal basis must be defined for each of these purposes. Moreover, it is not possible to "accumulate" legal bases for the same purpose; only one must be selected.

Lastly, the chosen legal basis is part of the information that must be brought to the attention of the data subjects because it has an impact on the exercise of their rights.

The six legal bases for processing personal data

  • The execution of the contract

Processing is considered lawful when it is necessary for the performance of a contract or the preparation of a contract with the data subject. For example, for the establishment of remuneration or the provision of pay slips.

  • The legal obligation

Processing is considered lawful when it is carried out in accordance with the legal texts to which the data controller is subject. One example is the Ordinance on the transparency of the remuneration and benefits of Brussels public officials.

  • The execution of a public interest mission

Processing is lawful when it is carried out in connection with a public interest mission or in the exercise of public authority. This is the case, in particular, for the processing of income data by the tax authorities.

  • Vital interest

Processing is considered lawful if it is necessary for safeguarding the vital interests of the data subject or of a third party, for example data processing for humanitarian purposes.

  • Legitimate interest

Processing is lawful if it is necessary for the pursuit of legitimate interests by the data controller. These objectives must not prejudice the interests, rights and freedoms of the data subject. This is the case with a visitors' register, for example.

  • Consent

Organisations that collect and process personal data must inform citizens and obtain their consent. Specifically, GDPR refers to "prior, informed and unambiguous consent". For example, an employee's consent is required for the use of his/her photograph in an internal social network.

What can I do as a citizen?

Under GDPR, any citizen can exercise various rights over their personal data, such as the right of access and copy, the right of rectification, the right of erasure, etc.

Few citizens assert these rights, or those arising from the e-Privacy Directive (the Directive of 12 July 2002 on the protection of privacy in the electronic communications sector). How often do you click "Accept all cookies" when you visit a website? Do you really read the new terms and conditions sent by YouTube, Facebook or Apple before clicking "Accept"? Does the store really need to know your address, profession and age to activate a loyalty card?

You can withdraw your consent to the use of your data at any time, or request that it be corrected or deleted. However, many cookie banners do not allow you to withdraw consent in practice. This is partly for technical reasons, but also because the user is almost anonymous. Furthermore, the e-Privacy Directive does not require it, except for mailshots.

The role of the DPO

DPO stands for "Data Protection Officer". Their role and missions are defined by Article 39 of the GDPR. The DPO's mission includes making staff aware of all the regulations. This article is an example.

They also ensure the GDPR compliance of the institution in which they work and coordinate "best practices". At the initiative of the BRIC, the DPOs and Information Security Advisors of the regional institutions regularly meet during the "DPO/ISA* Knowledge Center" sessions to share their experiences and pool their knowledge.

The DPO is also the reference person for any employee who has questions about the processing and protection of personal data. You can contact him/her by email at the following address: dpo@cirb.brussels.

Multidisciplinary team

Regardless of their size, public services are obliged to appoint a Data Protection Officer.

The BRIC has therefore introduced specific services to assist administrations in this work, because this function can be shared between several entities.

As of 2023, more than 35 institutions are using the BRIC for this service.

To learn more about GDPR:
