I was at a specialty coffee shop in Brussels this morning.
I ordered a Flat White.
The barista smiled and picked up a Sharpie. "Can I get your name for the cup?"
I froze.
"You are about to write my Personally Identifiable Information (PII) on a disposable paper substrate."
"This constitutes 'Processing' under Article 4(2) of the GDPR."
"Did I sign a Data Processing Agreement?"
She sighed. "Sir, it's just so I can call you when it's ready."
"That is not a valid legal basis," I countered.
"I demand to speak to your Data Protection Officer (DPO) immediately."
She said they didn't have one. She said they are just a "small business."
I immediately dialed the Belgian Data Protection Authority.
20 minutes later, the shop was cordoned off.
The espresso machine was seized as evidence of an unregulated data intake system.
People say I need caffeine to function.
Incorrect.
I need Compliance to function.
