Remind-R Blog
← All articles
Office & IT basics

GDPR at the office: the basic good practices

GDPR applies to every organisation that processes data — starting with its employees'. Purpose, proportionality, transparency and a record of processing: the essentials to know.

Rédaction Remind-R · 08/07/2026 · 2 min
Share: LinkedIn X Facebook WhatsApp Email

The General Data Protection Regulation (GDPR) is not just for large companies: as soon as an organisation processes people's data — customers, suppliers and above all employees — it has obligations. Here are the basic good practices to apply at the office.

Three core principles

According to the Belgian Data Protection Authority, any processing of staff data must respect:

In practice, monitoring the network may aim to prevent abuse or protect confidential company data; geolocation may serve safety or logistics; a camera may protect company property. In every case, the purpose must be defined and communicated. The employer is in principle entitled to process employee data in order to exercise its labour-law rights and obligations, but it may not misuse that authority to the detriment of the employee's privacy.

Inform and document

As the data controller, the employer must communicate certain information, in principle when the contract is signed: the retention period (social documents are, as a rule, kept for five years after the contract ends), the right to withdraw consent, and the right to lodge a complaint with the authority. The employer must also keep a record of processing activities, which replaces the old obligation to declare. This applies to companies with more than 250 employees, but also to smaller ones whenever processing is not occasional: because HR management is ongoing, the authority recommends that every company keep such a record.

Sensitive data and monitoring

Processing sensitive data (health, for example) is in principle prohibited, except where the law provides an exception or with explicit consent. Any monitoring (cameras, email checks, geolocation) must remain proportionate and transparent: employees must be informed in advance.

Security underpins GDPR

Protecting data also means securing it. ENISA notes that SMEs are frequently hit by ransomware, stolen laptops and phishing. Basic habits — restricted access, strong passwords and two-factor authentication, backups and updates — are therefore inseparable from GDPR compliance.

Ask an AI about this article

Sources

  1. Processing employees' personal data — Belgian Data Protection Authority
  2. SMEs Cybersecurity — ENISA – European Union Agency for Cybersecurity
Refreshes the article based on the latest sources (once per day).
Article written with the help of artificial intelligence (in accordance with the EU AI Act). Information provided for guidance only, to be validated by a professional before any decision. Sources are listed above.