Privacy policy

The "General Data Protection Regulation" (GDPR), is a set of rules designed to provide better protection for the personal data of European citizens. It covers personal data protection in the broadest sense, regardless of the nature of the data (private, professional, public) or their format.

The GDPR does not only apply to processing itself, but to everything that an entity processing personal data must do to ensure compliance with the structural rules and what it must do to demonstrate this compliance (duty of accountability).

Ensuring the privacy of your personal data is a priority when you access or use the be.brussels portal.

Your personal data are processed with the utmost care via the be.brussels portal, in a bid to ensure the highest level of protection in accordance with the GDPR and the national law applicable in this matter. 

The purpose of this privacy policy is to inform you about:

• the personal data processed on the be.brussels portal and the reasons for such processing;
• how your personal data are processed on the be.brussels portal; and
• your rights as a data subject and how to exercise them.

However, it should be noted that this privacy policy is not an exhaustive document, as it is virtually impossible to address all aspects of privacy protection in a rapidly changing society. This privacy policy should therefore be seen as an evolutionary tool. Consequently, this privacy policy is subject to change.

"Personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical identity, physiological identity, etc.

Personal data that are likely to be processed when you use the be.brussels portal are:

1. data of internet users who visit the be.brussels portal: these are personal data processed by the be.brussels portal when you visit the portal but do not enter any data.
   • IP address
2. internet user data provided when they fill in a contact form on the be.brussels portal: this concerns the processing of personal data that you yourself provide when filling in a form on the be.brussels portal. 
   
   In order to use the form, only your e-mail address is required. However, you can include personal data in the contact form sent to the data controllers (as identified in the point below). In this case, the types of data processed will depend on what you decide to include in the contact form. As far as possible, we recommend you avoid including sensitive data on contact forms (such as your banking details, information about your health or disability or information about other people).
3. personal data included in content posted on the be.brussels portal by administrations: this refers to personal data that the administrations include in the content they post online via the be.brussels portal.
   
   In this case, the categories of personal data may vary depending on what the data controller posts. The data processed are likely to include at least identification data (e.g. first and last name) and contact data (e.g. email address).
   
   With regard to the personal data collected through cookies, please consult our Cookie Policy.

The "data controller" is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of your personal data. The data controller is responsible for compliance with the GDPR requirements and guaranteeing that you can exercise your rights.

The identity of the data controller(s) depends on the data flow concerned. There are three separate flows to be taken into account when using the be.brussels portal.

1. Data from internet users who visit the be.brussels portal: these are personal data processed by the be.brussels portal when you visit the portal but do not enter any data (for example, your IP address).
   
   In this case, the data controller is the BRIC (Paradigm), whose data are listed below under point 4.2).
2. Internet user data provided when they fill in a contact form on the be.brussels portal: this concerns the processing of personal data that you yourself provide when filling in a form on the be.brussels portal.
   
   In this case, the data controller is the administration to which the form is sent. The following administrations are likely to be considered as data controllers for this type of processing.

3. Personal data included in content posted on the be.brussels portal by administrations: this refers to personal data that the administrations include in the content they post online via the be.brussels portal.
   
   In this case, the data controller is the administration that posted the content online. Depending on the circumstances of the case, this may be one of the administrations identified above in point 4.2).

The various data controllers referred to in point 4 (the "Data Controllers") collect and process your data in order to carry out their legal duties in the following regional areas: 

• land use planning (planning, urban development, urban regeneration, land policy, protection of monuments and sites);
• housing;
• the environment, water policy and nature conservation;
• the economy (economic expansion, foreign trade);
• employment policy;
• transport;
• public works;
• the energy policy;
• local and subordinate authorities (municipalities, intermunicipal bodies, religious organisations);
• foreign relations;
• scientific research;
• culture;
• education; and
• sport.

Data controllers can only collect and process your personal data if such processing is based on one of the legal grounds determined by the GDPR. In this case, the processing of your personal data when you use the be.brussels portal is based on the necessity of the processing for the data controllers for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controllers (Art. 6.1.e) GDPR). This task must be defined in Belgian or European legislation. 
Controllers can also process your personal data in order to defend their rights in the event of investigations or disputes. In this case, the processing is based on the legitimate interest of the data controllers to defend their rights (Art. 6.1.f) GDPR).

Finally, the BRIC (Paradigm) can also process data collected during your visit to the be.brussels portal, such as your IP address, in order to obtain statistics on visits, improve the user experience on the website and facilitate access to information for users. In this case, the processing is based on the legitimate interest of the BRIC (Paradigm) in improving the services offered to citizens via the brussels.be portal (Art. 6.1.f) GDPR).

The data controllers can share your personal data with the following third parties:

• certain processors,  such as suppliers of management software and hosting services, providers of e-mailing solutions, etc.;     
• suppliers, such as accountants, translation agencies, consultants; and
• other public authorities, in response to legal requests.

Personal data will be shared for the purposes of improving the portal and processing citizens' requests made through it.
When they share personal data, data controllers ensure optimal protection in accordance with the requirements of the GDPR.

The data controllers do not transfer any of your personal data outside the European Union.

The data controllers only process your data insofar as this is necessary to fulfil the purposes identified in point 5, after which they will be deleted or made anonymous.
More specifically, the data of internet users processed in the context of a simple visit to the be.brussels portal will be subject to a maximum retention period of one year from the date of collection. 

Data processed in the context of a request submitted via a form completed on the be.brussels portal will be retained for the period necessary for processing the request, plus an additional 5 years. 
If further processing is carried out on your personal data, the retention periods applicable to that processing by the data controllers will apply.

Data controllers are required to take technical and organisational measures to ensure the security of processed data (e.g. password protection, firewalls, antivirus software, intrusion and anomaly detection and access controls for employees and members). 

They must also ensure that their staff receive the most appropriate training to enable them to ensure information security. They must also ensure that the appropriate measures are taken by any processor(s) they use, as soon as the processing contract is concluded. 

Consequently, they must be attentive to:

• pseudonymisation and encryption of data;
• their ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• the ability to restore availability and access to data in a timely manner in the event of a physical or technical incident;
• implementation of a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the security of the processing.

As a data subject, you have certain rights which can be exercised with the data controllers responsible for processing your personal data. However, please note that these rights may be subject to conditions and that exercising them may conflict with the rights of others. 
In order to facilitate the exercise of your rights, you can send your request to the Data Protection Officers of the various data controllers. Their contact details are given in point 4.

A summary of your rights appears below. 

You have the right to be informed, free of charge, about how the data controllers process your personal data. The data controllers must inform you proactively and free of charge that they are processing your personal data.

You can access all information concerning:

• the purposes of the processing;
• the data categories processed;
• the recipients or categories of recipients to which your personal data have been or will be disclosed;
• the retention period of the data, where possible;
• exercising your rights under the GDPR;
• your right to lodge a complaint with a data protection authority;
• the source of your data when data controllers have not collected this data directly from you.

You have the right to receive a copy of the data processed. If you request multiple copies, data controllers may charge a reasonable fee.

You can correct inaccurate data about yourself or add data relevant to the purpose of the processing.

Depending on the case, data controllers will distinguish between justified and unjustified requests for rectification.

• Objective data (national register/Crossroads Bank of Social Security): data whose accuracy is certified by these databases (=authentic sources). In this case, the request should be made directly to the data controllers responsible for the authentic sources.
• Subjective data (impression/description): data controllers can refuse to modify this data and the data subject can request the addition of their own statement to the data.
• Inaccurate data (e.g. mobile phone number, e-mail address, etc.): In this case, the data controller will change the inaccurate data and, if applicable, inform other recipients of any corrections made.

You can request that your personal data be erased. 

The right to erasure is not absolute and data controllers may not be able to comply with a request for erasure. This is particularly the case when:

• data controllers need the personal data whose erasure has been requested to comply with a legal obligation;
• data controllers need personal data whose erasure has been requested in order to establish, exercise or defend legal claims.

You can request that the processing of your personal data be limited.

This right can be exercised, for example:

• in the event of a request for rectification, for a period enabling the data controller to verify the accuracy of the personal data; or
• when the personal data is no longer necessary to achieve the purposes originally intended or when the processing of the personal data was unlawful, but you do not want the data to be deleted because it may be important to you (in particular in relation to exercising or defending legal rights).

The data controllers must immediately take the necessary steps to ensure that your data no longer appears in internal searches, and will inform you when the restriction is lifted. 

You have the right to object, at any time, on grounds relating to your particular situation, to the processing of your personal data when such data is processed based on a public interest mission or in the legitimate interest of the data controller.

The right to object is not absolute and the data controllers can reject a request to exercise this right if they demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or if the processing is necessary for the establishment, exercise or defence of legal claims. The data controller who responds positively to a request to exercise the right to object ceases the processing of the personal data that is the subject of the request. 

Do you have a question or suggestion about this privacy policy? Please let us know by contacting us at privacy@paradigm.bussels or by post to the Data Protection Officer, CIRB (Paradigm), Avenue des Arts, 21, 1000 Brussels. We will read your message carefully and respond as soon as possible. 

If you believe that the data controllers are not complying with the applicable data protection laws or that your rights have been violated in the processing of your personal data, you have the right to lodge a complaint with the Belgian Data Protection Authority, the DPA (by post: Data Protection Authority, Rue de la Presse 35, 1000 Brussels/or by email: contact@apd-gba.be).

This privacy policy can be changed at any time, in particular to take account of any changes in legislation or regulations and the development of services.

We encourage you to consult this privacy policy regularly to find out how the data controllers protect your data.

Date of last modification: 25/09/2023
Version of this confidentiality policy: V 1.0