Cookies help us deliver our site. By using this website, you agree to our use of cookies. Learn more OK
You are here: Home / Our solutions / Infrastructure Solutions / Portlet Fidus / Brussels authorisation system

Brussels authorisation system

Authorisation is required when several parties wish to exchange personal data.
When the personal data supplier does not fall within the territory of Brussels, the competent commission for this supplier grants the authorisations. In practical terms, this means the following:

  • for an institution that falls within the territory of the Flemish Region: the Vlaamse Toezichtcommissie (Flemish Supervisory Commission)
  • for an institution that falls within the territory of the Walloon Region or the Wallonia-Brussels Federation: the Commission de Contrôle Bruxelloise (BSC - Brussels Supervisory Commission), until a Wallonia-Brussels supervisory commission for data exchange has been set up;
  • for a federal institution: the Brussels Supervisory Commission until the federal authority takes further steps in this area.

If a general authorisation has already been granted for the planned exchange, the data requestor must apply to the committee or commission that issued it for permission to be covered by this general authorisation.
In other cases, the authorisation must be requested from the Brussels Supervisory Commission.


To request an authorization from the from the Brussels Supervisory Commission, you must fill in the appropriate request form in French or in Dutch.

Irrespective of the body from which authorisation must be requested, the following essential conditions apply:

  1. a security counsellor must have been appointed, for whom the evaluation questionnaire in French or Dutch, duly completed, has been approved by the competent commission,
  2. the information system must have been made compliant with the basic requirements regarding the security and protection of personal data and the corresponding declaration of conformity in French or Dutch,  duly signed by the data controller (i.e. the person responsible for the day-to-day management of the organisation) must have been submitted to the competent commission,
  3. it must be demonstrated that the use of the personal data referred to in the request fulfils the conditions set by the privacy act.

When the required electronic exchanges involve personal data, it is essential to ensure that the basic principles of the ‘Privacy’ act are observed.
In addition to the authorisation itself, the controller will also have to add this processing to the “record of processing activities” implemented under the GDPR.

Infos & contact

The BRIC offers this service. IRISteam only charges for the work done by IRISteam staff. Like to find out more? Contact us!