Belgium Data Privacy Laws: GDPR Implementation Guide (2026)

Overview of Belgium's Data Privacy Framework
Belgium operates within the European Union's data protection ecosystem, meaning the GDPR serves as the primary regulation governing how personal data is collected, processed, stored, and transferred. The GDPR has direct effect across all EU member states, so it applies in Belgium without needing separate transposition into national law.

However, the GDPR leaves certain matters open for member states to define through national legislation. Belgium addressed these through the Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, which entered into force on September 5, 2018. This law replaced the older Law of 8 December 1992 on privacy protection.
The Belgian framework also includes the Law of 3 December 2017 establishing the Data Protection Authority itself, which has been substantially amended by Acts of September 7, 2023, and December 25, 2023, to strengthen the authority's independence and operational capacity.
Together, these instruments create a comprehensive data protection regime that applies to any organization processing personal data of individuals in Belgium, whether the organization is based in Belgium or abroad.
The Law of 30 July 2018: Belgium's National Data Protection Act
The Law of 30 July 2018 serves three primary functions. First, it implements GDPR provisions that require or permit national-level specification. Second, it transposes EU Directive 2016/680 on data processing by criminal justice authorities. Third, it establishes rules for data processing by intelligence and security services that fall outside the GDPR's scope.
Several provisions in this law stand out as distinctly Belgian.
Age of Digital Consent Set at 13
Article 7 of the Law of 30 July 2018 sets the age at which a child can independently consent to data processing by information society services at 13 years old. The GDPR's Article 8 allows member states to set this threshold anywhere between 13 and 16, and Belgium chose the lowest permitted age.
The APD justified this choice by noting that 13 represents the average age at which children begin browsing the internet independently, and a higher threshold would unnecessarily limit digital opportunities for young people.
This lower threshold applies specifically to direct offers of information society services where processing is based on consent. For other types of data processing involving minors, the child's legal representative must provide consent, though children with sufficient "capacity for discernment" (often assessed as being acquired between ages 13 and 16) may also need to give their own consent alongside the representative's.
Special Categories of Data: Additional Safeguards
The Law of 30 July 2018 imposes additional requirements when processing genetic, biometric, and health data. Controllers must maintain an updated list identifying every person who has access to these special categories of data, specifying the categories of data they can access. They must also ensure all persons with access are bound by confidentiality obligations, whether statutory or contractual.
These access lists must be kept available for the DPA upon request. This goes beyond what the GDPR itself requires and reflects Belgium's emphasis on accountability for sensitive data processing.
Criminal Convictions and Offenses Data
Belgium provides specific legal bases for processing data related to criminal convictions and offenses. The law requires organizations handling this data to maintain access management lists and enforce confidentiality obligations, mirroring the protections applied to special categories of data.
Journalistic and Academic Exemptions
Article 24 of the Data Protection Act grants exemptions for data processing carried out for journalistic, artistic, or literary purposes. Controllers operating under these exemptions can be relieved from certain data subject rights and obligations, including breach notification requirements and restrictions on international data transfers. These exemptions balance data protection with freedom of expression.
Five-Year Statute of Limitations
Article 105 of the Law establishes a five-year time bar for alleged data protection infringements. This means the DPA must initiate enforcement action within five years of the alleged violation, providing legal certainty to both data subjects and data controllers.
The Belgian Data Protection Authority (APD/GBA)
The Belgian Data Protection Authority is known by two names reflecting Belgium's bilingual structure: Autorité de protection des données (APD) in French, and Gegevensbeschermingsautoriteit (GBA) in Dutch. It succeeded the former Commission for the Protection of Privacy on May 25, 2018, the same day the GDPR became enforceable.
The authority is headquartered at Rue de la Presse 35, 1000 Brussels, and operates with approximately 90 full-time employees. It can be contacted at contact@apd-gba.be or +32 2 274 48 00.
Organizational Structure
The APD is organized into five operational bodies plus an Executive Committee:
- Executive Committee (headed by Cédrine Morlière): Oversees budgets, annual reports, strategic plans, and organizational decisions.
- General Affairs Secretariat (David Stevens): Manages human resources, budget, IT infrastructure, legal matters, and communications.
- Front Office (Charlotte Dereppe): Receives complaints from data subjects, conducts mediation between parties, and promotes public awareness of data protection rights.
- Knowledge Centre (Cédrine Morlière): Issues opinions and recommendations on data processing matters, providing guidance to both public and private sectors.
- Inspection Service (Peter Van den Eynde): Conducts investigations and enforcement activities, with powers to interview individuals, seize computer systems, and demand temporary suspension of processing activities.
- Litigation Chamber (Hielke Hijmans): Functions as the administrative disputes body, issuing decisions and imposing fines. Starting April 25, 2025, a single judge may decide merits cases, replacing the previous requirement for three-member panels. This structural change may affect the number of cases the Chamber handles each year.
Enforcement Powers
The APD holds broad enforcement powers under the GDPR. The Inspection Service can conduct on-site investigations, interview witnesses, access premises, and seize relevant evidence. The Litigation Chamber can issue warnings, reprimands, orders to comply, suspension of data processing, and administrative fines.
The authority also has the power to impose periodic penalty payments to compel compliance, and has published policy guidance on how these payments are calculated.
One significant limitation: the APD generally cannot impose administrative fines on public sector bodies, except when those bodies offer goods or services on the open market. The Belgian Constitutional Court upheld this exemption, ruling that the distinction was proportionate and justified by the need to ensure continuity of public services.
GDPR Enforcement in Belgium: Notable Fines and Cases
Belgium's enforcement record demonstrates that the APD takes violations seriously, even if its fine amounts tend to be moderate compared to larger EU member states like France or Ireland.
Google Belgium: 600,000 Euros (2020)
The APD's largest fine to date was imposed on Google Belgium SA in July 2020 for failing to respect a Belgian citizen's right to be forgotten under GDPR Article 17. A public figure requested that Google delist outdated articles about an unfounded harassment complaint. Google refused.
The Litigation Chamber found Google negligent in its handling of the delisting request and criticized the lack of transparency in Google's request form, which failed to clearly identify the data controller. In addition to the 600,000 euro fine, the APD ordered Google to remove the relevant links from search results across the European Economic Area and revise its delisting request form.
Proximus: DPO Conflict of Interest, 50,000 Euros (2020)
In a case that drew attention across Europe, the APD fined telecommunications provider Proximus 50,000 euros for violating Article 38(6) of the GDPR. The violation arose because Proximus had appointed a Data Protection Officer who simultaneously served as director of audit, risk, and compliance. The APD found this dual role created an impermissible conflict of interest.
This decision became widely cited as a reference point for DPO independence requirements across the EU.
Proximus: Public Directory Violations, 20,000 Euros (2020)
In a separate case, the APD fined Proximus 20,000 euros for publishing a citizen's personal data in public telephone directories after the individual had withdrawn consent. Proximus violated Articles 6, 7, 24, and 5.2 of the GDPR by failing to honor the consent withdrawal, and Articles 12 and 13 by not providing transparent information about data processing.
Data Broker Fine: 174,640 Euros (2024)
In Decision 07/2024, the APD fined a data broker 174,640 euros for failing to disclose specific information about data sources and recipients, reflecting the authority's increasing focus on the data brokerage industry.
Biometric Data: Employer Fined 45,000 Euros (2024)
In Decision 114/2024, the APD imposed a 45,000 euro fine on an employer for using a fingerprint-based timekeeping system without a proper legal basis for processing biometric data. The case underscored that biometric data is a special category requiring explicit consent or another specific legal basis.
RTL Belgium: Cookie Violations (2024)
The APD imposed a daily penalty of 40,000 euros on RTL Belgium for GDPR violations related to non-compliant cookie banners, following a complaint filed by the privacy advocacy organization NOYB.
IAB Europe: Transparency and Consent Framework
In a high-profile case, the APD ordered IAB Europe to bring its Transparency and Consent Framework (TCF) into compliance with the GDPR, alongside a 250,000 euro fine. However, on January 9, 2026, IAB Europe announced it had won its appeal against the APD's corrective measures before the Court of Appeal of Brussels.
Data Breach Notification Requirements
Belgium follows the GDPR's standard breach notification framework but has implemented its own procedural refinements through the APD.
Notification to the Authority
Under GDPR Article 33, data controllers must notify the APD of a personal data breach without undue delay, and no later than 72 hours after becoming aware of it. The only exception is when the breach is unlikely to result in a risk to the rights and freedoms of the affected individuals.
Belgium has implemented a two-part notification process through the APD's online portal:
- Part 1 (within 72 hours): Controllers must submit the initial and most critical information about the breach. Completing this part generates an official case reference number starting with "DBN," confirming the notification has been recorded.
- Part 2 (within 21 calendar days): Controllers must complete the second, more detailed portion of the notification form within 21 days of the initial submission.
This two-stage approach recognizes that organizations rarely have complete information within the first 72 hours and provides a structured timeline for gathering additional details.
Required Information
The notification to the APD must include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and data records affected
- The name and contact details of the Data Protection Officer or other contact point
- A description of the likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
Notification to Data Subjects
When a breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also communicate the breach to the affected data subjects without undue delay, in clear and plain language.
Breach Statistics
The APD received 1,455 breach notifications in 2024, reflecting the volume of incidents reported by organizations operating in Belgium. The authority handles over 3,000 information requests from individuals annually, though response delays have reached up to one year due to resource constraints.
Penalties and Sanctions
Belgium's penalty framework operates on two tracks: administrative fines under the GDPR and criminal sanctions under national law.
Administrative Fines
The GDPR establishes two tiers of administrative fines:
- Lower tier (Article 83(4)): Up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher. This applies to violations of controller and processor obligations, certification body obligations, and monitoring body obligations.
- Upper tier (Article 83(5-6)): Up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher. This applies to violations of data processing principles, lawfulness of processing, conditions for consent, data subject rights, and international data transfer rules.
The APD follows the EDPB Guidelines 04/2022 on the calculation of administrative fines when determining penalty amounts.
Public Sector Exemption
Public authorities and public bodies in Belgium are generally exempt from administrative fines under the GDPR, except when they offer goods or services on the open market in competition with private entities. The Belgian Constitutional Court reviewed this exemption and ruled it proportionate and justified.
Criminal Sanctions
The Law of 30 July 2018 introduces criminal penalties for certain violations. Individuals found guilty of criminal data protection offenses face fines between 800 and 160,000 euros. Courts may also order the publication of the judgment as an additional sanction.
Criminal sanctions apply to particularly egregious violations and are prosecuted through the regular criminal justice system rather than the APD.
Data Protection Officer Requirements in Belgium
Belgium follows the GDPR's Article 37 requirements for DPO appointment, with some additional national provisions.
Mandatory Appointment Under GDPR
A DPO must be appointed when:
- The data processing is carried out by a public authority or public body (excluding courts in their judicial capacity)
- The core activities require regular and systematic large-scale monitoring of data subjects
- The core activities involve large-scale processing of special categories of data or criminal convictions data
Additional Belgian Requirements
Beyond the GDPR mandates, Belgian national law requires DPO appointment in two additional scenarios:
- When a private body processes personal data on behalf of a federal public authority, and the processing is likely to result in high risk to individuals' rights and freedoms
- When processing involves archiving in the public interest, scientific or historical research, or statistical purposes that are likely to create high risk
DPO Independence
The APD has been particularly active in enforcing DPO independence requirements. The Proximus decision demonstrated that combining the DPO role with functions like audit, risk, or compliance management creates an impermissible conflict of interest. The DPO must report directly to the highest level of management and cannot receive instructions regarding the exercise of their tasks.
International Data Transfers
Belgium follows the GDPR's rules for international data transfers without imposing additional national requirements beyond what the regulation specifies.
Transfers Within the EEA
Personal data can move freely between Belgium and any other EU or EEA member state (Norway, Liechtenstein, Iceland) without additional safeguards, provided the general GDPR principles are respected.
Transfers to Adequate Countries
Transfers to countries that have received an adequacy decision from the European Commission can proceed without specific authorization. Countries currently deemed adequate include Canada (for processing under PIPEDA), Japan, South Korea, the United Kingdom, and the United States (for transfers to organizations on the Data Privacy Framework list).
Transfers Requiring Safeguards
For transfers to countries without an adequacy decision, organizations must implement appropriate safeguards such as:
- Standard Contractual Clauses (SCCs) adopted by the European Commission
- Binding Corporate Rules (BCRs) approved by the relevant supervisory authority
- Codes of conduct or certification mechanisms
A Transfer Impact Assessment is required when relying on SCCs or BCRs to ensure the recipient country's legal framework does not undermine the protections provided. Prior approval from the APD is not required when using SCCs or transferring to adequate jurisdictions.
Cookies and Electronic Privacy
Belgium's cookie rules derive from Article 10/2 of the Data Protection Act, which implements the EU ePrivacy Directive (Directive 2002/58/EC). The Electronic Communications Act of 13 June 2005, the Code of Economic Law, and the Royal Decree of 4 April 2003 also contain relevant provisions.
Consent Requirements
Cookies and similar tracking technologies require:
- Clear and comprehensive information provided to the user about the purposes of data processing and their rights
- The user's informed consent before any non-essential cookies are placed
- The ability for users to withdraw consent free of charge at any time
Strictly necessary cookies, meaning those essential for transmitting a communication or providing a service explicitly requested by the user, are exempt from the consent requirement.
Enforcement Focus
Cookies have been a consistent enforcement priority for the APD. The RTL Belgium case, where daily penalties of 40,000 euros were imposed for non-compliant cookie banners, signals that the authority treats cookie consent violations as serious infractions. Cookie compliance remains one of the APD's priority areas through 2026.
Direct Marketing Rules
The APD published an extensive 80-page recommendation on direct marketing in February 2020, updated in March 2025 with draft Recommendation 01/2025 to align with new case law, Litigation Chamber decisions, and EDPB guidelines.
Key Principles
Direct marketing communications via email, SMS, or automated calling systems generally require prior opt-in consent under the ePrivacy Directive. Belgium's implementation follows the standard EU approach: business-to-consumer electronic marketing requires consent, with a limited exception for existing customer relationships where the marketing relates to similar products or services.
The GDPR's legitimate interest basis can support certain direct marketing activities, but the APD's guidance emphasizes that organizations must conduct a balancing test and provide clear opt-out mechanisms.
Data Brokers Under Scrutiny
The APD has identified data brokers as a priority enforcement target, particularly regarding the transparency of data sourcing and the validity of consent chains. The 174,640 euro fine in Decision 07/2024 reflects this focus.
Employment Data Protection
Belgium takes an unusual approach to workplace data protection by incorporating protections through collective labor agreements (conventions collectives de travail, or CCTs) rather than statutory provisions.
Key collective agreements governing workplace data protection include:
- CCT No. 38: Governs data protection during worker recruitment and selection processes
- CCT No. 68: Regulates CCTV surveillance in the workplace
- CCT No. 81: Addresses electronic communications monitoring by employers, including email and internet usage
- CCT No. 100: Covers data processing related to alcohol and drug prevention policies
These agreements are negotiated within the National Labour Council and have the force of law once adopted through royal decree.
APD Strategic Plan 2026-2028: What's Changing
The Belgian Data Protection Authority published its new strategic plan for 2026-2028, marking a significant shift in enforcement philosophy.
From Reactive to Proactive Enforcement
Historically, the APD's enforcement has been primarily complaint-driven, processing 837 complaints and 1,455 breach notifications in 2024 alone. The new plan explicitly aims to reduce reliance on complaints and initiate more inspections focused on cases with real societal impact.
Fast-Track Procedures
The APD is implementing mediation-focused approaches for minor disputes, such as camera footage access requests and routine data deletion demands. During inspections, the authority will issue direct compliance demands rather than opening lengthy formal proceedings. Resources will be redirected toward high-impact cases.
Priority Enforcement Areas
Large-scale processing is a primary target, covering healthcare data in hospitals, insurance profiling, tax administration databases, advertising technology (AdTech), and data brokers across both public and private sectors.
Children's data protection has been designated a strategic priority, targeting social media platforms used by minors, profiling and personalization mechanisms, dark patterns in consent collection, parental oversharing practices, and third-party data flows from apps serving children.
Reduced Individual Support
Due to resource constraints (approximately 90 staff members with a hiring freeze through 2029), the APD will no longer provide systematic responses to individual inquiries. Instead, it will create public FAQs, checklists, and guidance documents, shifting responsibility for legal certainty to organizations and their data protection officers.
Litigation Chamber Reform
Effective April 25, 2025, the Litigation Chamber can operate with a single judge rather than the previous three-member collegial body. While this may increase efficiency per case, it could reduce the total number of cases the Chamber handles annually.