Belgium Data Privacy Laws: GDPR Implementation Guide (2026)

Belgium governs data privacy through three instruments: the EU GDPR (Regulation (EU) 2016/679), the Law of 30 July 2018, and Article 22 of the Belgian Constitution. The Belgian Data Protection Authority (APD/GBA) enforces compliance and can impose fines up to 20 million euros or 4% of global annual turnover.
Quick Answer: What Are Belgium's Key Data Privacy Rules?
Belgium's data privacy regime rests on three pillars: the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), which applies directly in all EU member states; the Law of 30 July 2018, Belgium's national implementation act that fills in GDPR's member-state discretions; and Article 22 of the Belgian Constitution, the domestic constitutional right to privacy inserted in 1994. The Belgian Data Protection Authority (APD/GBA), established under the Law of 3 December 2017, enforces compliance. Any organization processing personal data about individuals in Belgium is subject to this framework, whether headquartered in Belgium or abroad. For a broader EU-level view of how GDPR operates across all member states, see our EU data privacy laws overview.
Jurisdiction scope: This article addresses the data protection regime of the Kingdom of Belgium, including EU GDPR as applied in Belgium, the Law of 30 July 2018, APD/GBA enforcement, and the EU AI Act as it applies to Belgian-designated authorities. It does not address Belgian recording consent laws; for those, see Belgium recording laws.

Constitutional Basis: Article 22 and the Right to Private Life
Belgium's right to privacy has domestic constitutional roots that predate the GDPR by decades. Article 22 of the Belgian Constitution guarantees every person the right to respect for private and family life. The Belgian parliament inserted this provision in 1994, giving privacy the status of a fundamental constitutional right enforceable independently of EU law.
Before the GDPR took effect in 2018, Belgium already had Article 22 of the Constitution, a dedicated data protection commission (the predecessor Commission for the Protection of Privacy), and the Law of 8 December 1992 on privacy protection. The arrival of the GDPR layered EU regulatory requirements on top of an already mature constitutional tradition.
Article 8 of the European Convention on Human Rights also has direct effect in Belgium. Belgian courts apply Article 8 ECHR as a floor for privacy protection in cases not directly covered by the GDPR or national legislation.
The practical significance of Article 22 is that it allows Belgian courts to grant privacy protections in contexts the GDPR leaves to national law, and it gives constitutional authority to the legislature when enacting national derogations under GDPR Articles 6(2), 9(4), and 23.

GDPR and the Law of 30 July 2018: The Dual Framework
The GDPR has direct effect in Belgium, meaning it applies without requiring transposition into Belgian statute. It sets the ceiling and the floor for most data protection rules.
The Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data serves three primary functions. First, it implements GDPR provisions that require or permit national-level specification. Second, it transposes EU Directive 2016/680 on data processing by criminal justice authorities. Third, it establishes rules for data processing by intelligence and security services that fall outside the GDPR's scope.
The Belgian framework also includes the Law of 3 December 2017 establishing the Data Protection Authority itself, substantially amended by Acts of September 7, 2023, and December 25, 2023, to strengthen the authority's independence and operational capacity.
Together, these instruments govern any organization processing personal data of individuals in Belgium, whether the organization is based in Belgium or abroad.
Age of Digital Consent Set at 13
Article 7 of the Law of 30 July 2018 sets the age at which a child can independently consent to data processing by information society services at 13 years. The GDPR's Article 8 allows member states to set this threshold anywhere between 13 and 16, and Belgium chose the lowest permitted age. The APD justified this choice on the basis that 13 represents the average age at which children begin browsing the internet independently, and a higher threshold would unnecessarily limit digital opportunities for young people.
This lower threshold applies specifically to direct offers of information society services where processing relies on consent. For other types of data processing involving minors, the child's legal representative must provide consent, though children with sufficient capacity for discernment (often acquired between ages 13 and 16) may also need to give their own consent alongside the representative's.
Special Categories of Data: Additional Safeguards
The Law of 30 July 2018 imposes additional requirements when processing genetic, biometric, and health data. Controllers must maintain an updated list identifying every person who has access to these special categories of data, specifying the categories of data each person can access. They must also ensure all persons with access are bound by confidentiality obligations, whether statutory or contractual. These access lists must be kept available to the APD upon request. This exceeds what the GDPR itself requires and reflects Belgium's emphasis on accountability for sensitive data processing.
Criminal Convictions and Offenses Data
Belgium provides specific legal bases for processing data related to criminal convictions and offenses. The law requires organizations handling this data to maintain access management lists and enforce confidentiality obligations, mirroring the protections applied to special categories of data.
Journalistic and Academic Exemptions
Article 24 of the Law of 30 July 2018 grants exemptions for data processing carried out for journalistic, artistic, or literary purposes. Controllers operating under these exemptions can be relieved from certain data subject rights and obligations, including breach notification requirements and restrictions on international data transfers. These exemptions balance data protection with freedom of expression.
Five-Year Statute of Limitations
Article 105 of the Law of 30 July 2018 establishes a five-year time bar for alleged data protection infringements. The APD must initiate enforcement action within five years of the alleged violation, providing legal certainty to both data subjects and data controllers.

Lawful Bases for Processing Personal Data in Belgium
GDPR Article 6(1) provides six exhaustive lawful bases. Every processing activity in Belgium must rest on one of these; Belgium's national law does not add a seventh basis.
Consent (Art. 6(1)(a)): The data subject has given consent that is freely given, specific, informed, and unambiguous. The APD has repeatedly held that consent is not a valid basis for processing employee personal data in an employment context, because the power imbalance between employer and employee makes freely given consent structurally impossible under Article 4(11) GDPR.
Contract (Art. 6(1)(b)): Processing is necessary for the performance of a contract to which the data subject is party, or to take pre-contractual steps at the data subject's request. The necessity requirement is construed strictly: processing that is merely convenient for contract performance, rather than genuinely necessary, does not qualify.
Legal obligation (Art. 6(1)(c)): Processing is necessary to comply with a legal obligation imposed on the controller. Belgian legislation, including tax law, social security law, and the National Labour Council collective agreements, creates numerous such obligations for organizations operating in Belgium.
Vital interests (Art. 6(1)(d)): Processing is necessary to protect the vital interests of the data subject or another natural person. This basis applies in emergency situations where other bases cannot be relied upon quickly enough.
Public task (Art. 6(1)(e)): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. Belgian public authorities and their processors rely on this basis extensively.
Legitimate interests (Art. 6(1)(f)): Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided those interests are not overridden by the fundamental rights and freedoms of the data subject. The Court of Justice of the EU has confirmed three cumulative conditions: (i) pursuit of a legitimate interest; (ii) necessity of the processing to achieve that interest; (iii) the data subject's fundamental rights must not prevail after a balancing test. The APD's guidance on direct marketing confirms that legitimate interests can support certain marketing activities, but the balancing test must be documented and clear opt-out mechanisms must be provided.
Data Subject Rights in Belgium
GDPR Articles 12 through 22 give individuals a comprehensive set of rights over their personal data. Belgian national law does not restrict these rights beyond the derogations the GDPR itself permits.
Right of access (Art. 15): Data subjects may request confirmation of whether their personal data is processed, and receive a copy. The controller must respond within one month, extendable by two months for complex or numerous requests. The APD has enforced this right actively: excessive delays in responding to access requests are a recurring violation in APD decisions.
Right to rectification (Art. 16): Data subjects may require inaccurate personal data to be corrected and incomplete data to be completed.
Right to erasure / right to be forgotten (Art. 17): Data subjects may request deletion in specified circumstances, including when data is no longer necessary for its original purpose, when consent is withdrawn and no other basis exists, or when data has been unlawfully processed. The APD's most significant fine to date, 600,000 euros against Google Belgium (July 2020), arose from Google's failure to honor a delisting request under this right.
Right to restriction of processing (Art. 18): Data subjects may request that processing be restricted in certain circumstances, such as when the accuracy of data is contested or the processing is unlawful but the data subject prefers restriction over erasure.
Right to data portability (Art. 20): Where processing is based on consent or contract and carried out by automated means, data subjects may receive their personal data in a structured, commonly used, machine-readable format, and transmit it to another controller.
Right to object (Art. 21): Data subjects may object to processing based on legitimate interests or the public task basis, including profiling on those bases. On receipt of an objection, the controller must stop processing unless it can demonstrate compelling legitimate grounds that override the data subject's interests.
Rights related to automated decision-making and profiling (Art. 22 GDPR): Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects on them, with exceptions for contract necessity, legal authorization, and explicit consent.
The APD's 2026-2028 Strategic Plan specifically identifies enforcement of data subject rights as a priority, and the new GDPR Procedural Regulation (EU) 2025/2518 (applying from April 2, 2027) will introduce binding 15-month deadlines for cross-border investigations, strengthening the practical enforceability of these rights in multi-jurisdiction complaints.
The Belgian Data Protection Authority (APD/GBA)
The Belgian Data Protection Authority is known by two names reflecting Belgium's bilingual structure: Autorité de protection des données (APD) in French, and Gegevensbeschermingsautoriteit (GBA) in Dutch. It succeeded the former Commission for the Protection of Privacy on May 25, 2018, the same day the GDPR became enforceable.
The authority is headquartered at Rue de la Presse 35, 1000 Brussels, and operates with approximately 90 full-time employees. It can be contacted at contact@apd-gba.be or +32 2 274 48 00.
Organizational Structure
The APD is organized into five operational bodies plus an Executive Committee:
Executive Committee: Oversees budgets, annual reports, strategic plans, and organizational decisions.
General Affairs Secretariat: Manages human resources, budget, IT infrastructure, legal matters, and communications.
Front Office: Receives complaints from data subjects, conducts mediation between parties, and promotes public awareness of data protection rights.
Knowledge Centre: Issues opinions and recommendations on data processing matters, providing guidance to both public and private sectors.
Inspection Service: Conducts investigations and enforcement activities, with powers to interview individuals, seize computer systems, and demand temporary suspension of processing activities.
Litigation Chamber: Functions as the administrative disputes body, issuing decisions and imposing fines. Effective April 25, 2025, a single judge may decide merits cases, replacing the previous requirement for three-member panels. This structural change may affect the total number of cases the Chamber handles each year.
Enforcement Powers
The APD holds broad enforcement powers under the GDPR. The Inspection Service can conduct on-site investigations, interview witnesses, access premises, and seize relevant evidence. The Litigation Chamber can issue warnings, reprimands, orders to comply, suspension of data processing, and administrative fines. The authority also has the power to impose periodic penalty payments to compel compliance.
One significant limitation: the APD generally cannot impose administrative fines on public sector bodies, except when those bodies offer goods or services on the open market. The Belgian Constitutional Court upheld this exemption, ruling that the distinction was proportionate and justified by the need to ensure continuity of public services. The APD can still issue orders and reprimands against public authorities.
APD Strategic Plan 2026-2028: Systemic Impact Enforcement
The APD published a new strategic plan for 2026-2028 that marks a significant shift in enforcement philosophy. Rather than processing individual complaints reactively, the APD intends to focus on systemic-impact investigations in sectors with the greatest potential for widespread privacy harm.
Priority sectors include healthcare organizations, financial institutions, and entities processing the data of minors. The authority will initiate more proactive inspections rather than waiting for complaints. For minor disputes such as camera footage access requests and routine data deletion demands, the APD is implementing mediation-focused fast-track procedures.
Due to a hiring freeze through 2029, the APD will no longer provide systematic responses to individual inquiries from organizations. It will instead produce public FAQs, checklists, and sector-specific guidance, shifting primary responsibility for legal certainty to organizations and their data protection officers.
Lawful Processing of Special Categories: Health, Biometric, and Genetic Data
The Law of 30 July 2018 imposes additional obligations on controllers processing special categories of data as defined in GDPR Article 9, specifically health data, genetic data, and biometric data used for unique identification.
Beyond the GDPR's requirements, Belgian law mandates that controllers maintain an updated access log identifying every person authorized to access special category data, specifying the categories each person may access. All persons with access must be bound by statutory or contractual confidentiality obligations. These access logs must be made available to the APD upon request.
The APD enforces these requirements in practice. In a December 2024 decision, it fined an employer 45,000 euros for using a fingerprint-based timekeeping system without a proper legal basis for processing biometric data (Decision 114/2024). In a separate December 2024 decision, the APD fined a hospital 200,000 euros for failing to implement adequate security measures that led to a ransomware attack exposing health data of approximately 300,000 individuals.
Data Protection Officer Requirements in Belgium
Belgium follows the GDPR's Article 37 mandatory appointment triggers, with additional national requirements under the Law of 30 July 2018.
Mandatory Appointment Under GDPR Article 37
A DPO must be appointed when:
- The data processing is carried out by a public authority or public body (excluding courts in their judicial capacity)
- The core activities require regular and systematic large-scale monitoring of data subjects
- The core activities involve large-scale processing of special categories of data or criminal convictions data
Additional Belgian Requirements
Beyond the GDPR mandates, Belgian national law requires DPO appointment in two additional scenarios:
- When a private body processes personal data on behalf of a federal public authority, and the processing is likely to result in high risk to the rights and freedoms of individuals
- When processing involves archiving in the public interest, scientific or historical research, or statistical purposes that are likely to create high risk
DPO Independence and Registration
The APD has been particularly active in enforcing DPO independence requirements. The 2020 Proximus decision established that combining the DPO role with functions such as audit, risk, or compliance management creates an impermissible conflict of interest under Article 38(6) GDPR. The DPO must report directly to the highest level of management and cannot receive instructions regarding the exercise of their tasks.
Organizations required to appoint a DPO must register that DPO with the APD. Following the launch of the new APD portal on June 10, 2025, only one DPO may be registered per data controller through the portal. DPOs must verify that their registration is accurate on the new platform.
Data Breach Notification Requirements
Belgium follows the GDPR's standard breach notification framework but has implemented procedural refinements through the APD.
Notification to the Authority
Under GDPR Article 33, data controllers must notify the APD of a personal data breach without undue delay, and no later than 72 hours after becoming aware of it. The only exception is when the breach is unlikely to result in a risk to the rights and freedoms of the affected individuals.
New Notification Portal (June 2025)
The APD launched a new unified data breach notification portal on June 10, 2025. Organizations must create a single company account on the portal, authenticated via Belgium's Federal Authentication Service (FAS) using Belgian eID or itsme. The portal consolidates breach notifications and DPO registration in one platform. Organizations that previously used the older two-part (Part 1 / Part 2) form-based system must now operate through this portal.
The APD permits only one company account per data controller and only one DPO registration per controller. Where an organization had multiple DPO registrations under the old system, only the most recent registration carries over.
Required Information
The notification to the APD must include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and data records affected
- The name and contact details of the DPO or other contact point
- A description of the likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
Notification to Data Subjects
When a breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also communicate the breach to affected data subjects without undue delay, in clear and plain language.
Breach Statistics
The APD received 1,455 breach notifications in 2024, reflecting the volume of incidents reported by organizations operating in Belgium. The authority handles over 3,000 information requests from individuals annually, though response delays have historically reached up to one year due to resource constraints under the pre-strategic-plan model.
International Data Transfers
Belgium follows the GDPR's rules for international data transfers without imposing additional national requirements beyond what the regulation specifies.
Transfers Within the EEA
Personal data can move freely between Belgium and any other EU or EEA member state (Norway, Liechtenstein, Iceland) without additional safeguards, provided the general GDPR principles are respected.
Transfers to Adequate Countries
Transfers to countries that have received an adequacy decision from the European Commission under GDPR Article 45 can proceed without specific authorization. Countries currently deemed adequate include Canada (for processing under PIPEDA), Japan, South Korea, the United Kingdom, and the United States (for transfers to organizations on the EU-US Data Privacy Framework list, established by Commission Implementing Decision (EU) 2023/1795). Organizations relying on the US DPF should monitor legal developments, as adequacy decisions are subject to review and challenge.
Transfers Requiring Safeguards
For transfers to countries without an adequacy decision, organizations must implement appropriate safeguards such as:
- Standard Contractual Clauses (SCCs) adopted by the European Commission
- Binding Corporate Rules (BCRs) approved by the relevant supervisory authority
- Codes of conduct or certification mechanisms
A Transfer Impact Assessment is required when relying on SCCs or BCRs, to ensure the recipient country's legal framework does not undermine the protections provided. Prior approval from the APD is not required when using SCCs or transferring to adequate jurisdictions.
Cookies and Electronic Privacy
Belgium's cookie rules derive from Article 10/2 of the Law of 30 July 2018, which implements the EU ePrivacy Directive (Directive 2002/58/EC). The Electronic Communications Act of 13 June 2005, the Code of Economic Law, and the Royal Decree of 4 April 2003 also contain relevant provisions. The Belgian Institute for Postal Services and Telecommunications (BIPT) has concurrent jurisdiction over electronic communications.
Consent Requirements
Cookies and similar tracking technologies require:
- Clear and comprehensive information to the user about the purposes of data processing and their rights
- The user's informed consent before any non-essential cookies are placed
- The ability for users to withdraw consent free of charge at any time
Strictly necessary cookies, meaning those essential for transmitting a communication or providing a service explicitly requested by the user, are exempt from the consent requirement.
Enforcement Focus
Cookies have been a consistent enforcement priority for the APD. The RTL Belgium case, where daily penalties of 40,000 euros were imposed for non-compliant cookie banners, signals that the authority treats cookie consent violations as serious infractions. Cookie compliance remains one of the APD's priority areas through 2026.
Direct Marketing Rules
The APD published an 80-page recommendation on direct marketing in February 2020. In March 2025, it published draft Recommendation 01/2025 to update the guidance to align with new case law, Litigation Chamber decisions, and EDPB guidelines. As of May 2026, organizations should monitor whether Recommendation 01/2025 was finalized.
Direct marketing communications via email, SMS, or automated calling systems generally require prior opt-in consent under the ePrivacy Directive. Belgium's implementation follows the standard EU approach: business-to-consumer electronic marketing requires consent, with a limited exception for existing customer relationships where the marketing relates to similar products or services.
The GDPR's legitimate interest basis can support certain direct marketing activities, but the APD's guidance emphasizes that organizations must conduct a documented balancing test and provide clear opt-out mechanisms. In Decision 72/2025, the APD found that a B2B data broker's legitimate interest claim for processing an individual's email address was not justified and fined it 8,000 euros for that specific violation.
Employment Data Protection
Belgium takes an unusual approach to workplace data protection by incorporating protections through collective labor agreements (conventions collectives de travail, CCTs) negotiated within the National Labour Council. These agreements have the force of law once adopted through royal decree.
Key collective agreements governing workplace data protection include:
- CCT No. 38: Governs data protection during worker recruitment and selection processes
- CCT No. 68: Regulates CCTV surveillance in the workplace
- CCT No. 81: Addresses electronic communications monitoring by employers, including email and internet usage
- CCT No. 100: Covers data processing related to alcohol and drug prevention policies
The APD's consistent position is that employers cannot rely on employee consent as a lawful basis for processing, given the power imbalance inherent in the employment relationship. Employers typically rely on legal obligation (CCT obligations, social security, tax law) or legitimate interests, with a careful balancing test documented in the processing record.
GDPR Enforcement in Belgium: Notable Fines and Cases
Belgium's enforcement record demonstrates that the APD takes violations seriously across sectors, even if aggregate fine amounts remain moderate compared to larger EU member states such as France or Ireland.
Google Belgium: 600,000 Euros (2020)
The APD imposed its largest single fine on Google Belgium SA in July 2020 for failing to honor a Belgian citizen's right to be forgotten under GDPR Article 17. A public figure requested that Google delist outdated articles about an unfounded harassment complaint. The Litigation Chamber found Google negligent and criticized the lack of transparency in Google's delisting request form for failing to clearly identify the data controller. In addition to the 600,000 euro fine, the APD ordered Google to remove the relevant links from search results across the European Economic Area and revise its delisting request form.
Proximus: DPO Conflict of Interest, 50,000 Euros (2020)
The APD fined telecommunications provider Proximus 50,000 euros for violating Article 38(6) of the GDPR. Proximus had appointed a Data Protection Officer who simultaneously served as director of audit, risk, and compliance. The APD found this dual role created an impermissible conflict of interest. This decision became widely cited across the EU as a reference point for DPO independence requirements.
Proximus: Public Directory Violations, 20,000 Euros (2020)
In a separate case, the APD fined Proximus 20,000 euros for publishing a citizen's personal data in public telephone directories after the individual had withdrawn consent, violating Articles 6, 7, 24, and 5(2) of the GDPR on lawfulness and accountability, and Articles 12 and 13 on transparency.
IAB Europe: Transparency and Consent Framework (2022 to 2026)
This multi-year case illustrates the complexity of data-broker ecosystem enforcement. In February 2022, the APD fined IAB Europe 250,000 euros and ordered it to bring its Transparency and Consent Framework (TCF) into compliance with the GDPR. On May 14, 2025, the Belgian Market Court (sitting as part of the Court of Appeal of Brussels) annulled the February 2022 APD decision, finding the APD had not adequately justified why it considered TC Strings to be personal data and had incorrectly characterized IAB Europe as a joint controller for TCF participants' own advertising processing. On January 9, 2026, the Market Court issued a further ruling annulling the January 2023 APD action-plan approval decision as legally flawed.
Data Broker: 174,640 Euros (Decision 07/2024)
In Decision 07/2024, the APD fined a data broker 174,640 euros for failing to disclose specific information about data sources and recipients. This case reflects the APD's increasing focus on the data brokerage industry under its strategic transparency enforcement priorities.
Biometric Data: Employer Fined 45,000 Euros (Decision 114/2024)
In Decision 114/2024, the APD imposed a 45,000 euro fine on an employer for using a fingerprint-based timekeeping system without a proper legal basis for processing biometric data under Article 9 GDPR.
RTL Belgium: Cookie Violations (2024)
The APD imposed daily penalties of 40,000 euros on RTL Belgium for GDPR violations related to non-compliant cookie banners, following a complaint filed by NOYB. This case reinforces that cookie consent violations carry ongoing financial exposure, not merely one-time fines.
Hospital: 200,000 Euros (December 2024)
In a decision issued December 17, 2024, the APD fined an unnamed Belgian hospital 200,000 euros for failing to implement adequate cybersecurity measures after a 2021 ransomware attack exposed health data of approximately 300,000 individuals. The hospital had experienced a prior ransomware attack in 2019. The APD found it lacked a coherent information security policy, failed to conduct a DPIA, and had not implemented staff training, system log monitoring, or cybersecurity audits. The APD initially proposed a 3,000,000 euro fine, reduced to 200,000 to reflect the hospital's turnover. This case is particularly significant for healthcare controllers in Belgium.
Data Broker: Decision 72/2025 (April 22, 2025)
In Decision 72/2025, the APD fined a B2B data broker 20,000 euros for unlawfully processing a data subject's email address and multiple related violations: 8,000 euros for unlawful processing (Articles 5(1)(a), 5(2), 6(1)); 6,000 euros for failing transparency duties (Articles 5(2), 12(1), 14(1), 14(2), 24(1), 25(1)); and 6,000 euros for failing to respond to an access request (Article 15(1)). The APD held the controller's legitimate interest claim could not justify the processing.
Fining Methodology Reform
Belgium's fine levels have historically been modest compared to EU peers. A Belgian Market Court judgment of June 14, 2023 reduced a 10,000 euro APD fine to a symbolic 1 euro because the APD had insufficiently justified the fine's proportionality. This decision prompted the APD to move toward publicly adopting a five-step fining methodology consistent with EDPB Guidelines 04/2022, which uses higher starting percentages than the APD has historically applied. If that methodology is formally adopted, future Belgian GDPR fines are likely to be substantially higher.
Penalties and Sanctions
Belgium's penalty framework operates on two tracks: administrative fines under the GDPR and criminal sanctions under national law.
Administrative Fines
The GDPR establishes two tiers of administrative fines:
Lower tier (Article 83(4)): Up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher. This applies to violations of controller and processor obligations, certification body obligations, and monitoring body obligations.
Upper tier (Article 83(5-6)): Up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher. This applies to violations of data processing principles, lawfulness of processing, conditions for consent, data subject rights, and international data transfer rules.
The APD follows a five-step fining methodology: (1) identify the infringements; (2) set the starting point for calculation; (3) apply mitigating or aggravating circumstances; (4) check against maximum caps; (5) assess effectiveness, deterrence, and proportionality. The APD has signaled it will align this methodology with EDPB Guidelines 04/2022, which could substantially increase future fine amounts.
Public Sector Exemption
Public authorities and public bodies in Belgium are generally exempt from administrative fines under the GDPR, except when they offer goods or services on the open market in competition with private entities. The Belgian Constitutional Court upheld this exemption as proportionate and justified. The APD can still issue warnings, reprimands, and compliance orders against public sector entities.
Criminal Sanctions
The Law of 30 July 2018 introduces criminal penalties for particularly egregious violations. Individuals convicted of criminal data protection offenses face fines between 800 and 160,000 euros. Courts may also order publication of the judgment as an additional sanction. Criminal proceedings are handled by the ordinary criminal justice system, not the APD.
EU AI Act Overlay: BIPT and APD Roles
The EU AI Act (Regulation (EU) 2024/1689) applies in Belgium as it does across all EU member states. Belgium has taken steps to designate its national oversight architecture, though the process was not complete by the August 2, 2025 deadline.
BIPT as Market Surveillance Authority
Belgium designated the Belgian Institute for Postal Services and Telecommunications (BIPT/IBPT) as its primary market surveillance authority under the EU AI Act, as announced in the 2025-2029 Federal Government Agreement of January 31, 2025. The FOD Economy (Federal Public Service Economy) coordinates overall EU AI Act implementation. The European Commission's official market surveillance registry listed Belgium's designation as still pending as of September 26, 2025, suggesting the formal legal designation was not yet complete at that date.
BIPT's role covers market surveillance to ensure AI systems placed on the Belgian market comply with the EU AI Act's requirements. This includes oversight of high-risk AI systems in sectors outside BIPT's traditional telecommunications domain, making it the central AI enforcement body.
APD Role for AI Systems Processing Personal Data
The APD retains its data protection supervisory function for AI systems that process personal data or engage in automated profiling. Under Article 77 of the EU AI Act, Belgium designated 21 specific bodies to supervise high-risk AI systems where fundamental rights are at stake; the APD is the relevant body where those systems process personal data. This dual-authority structure means AI systems that involve personal data processing must comply with both the GDPR (supervised by the APD) and the EU AI Act's technical and risk-management requirements (supervised by BIPT).
Key Compliance Deadlines for Belgian Organizations
- February 2, 2025: Prohibited AI practices banned (subliminal manipulation, social scoring, certain biometric identification)
- August 2, 2025: GPAI model obligations apply
- August 2, 2026: Full high-risk AI system compliance required
- August 2, 2027: Full EU AI Act application including product safety integration
Sector-Specific Authorities
Beyond BIPT and the APD, sector-specific authorities supervise AI in their respective domains: FAMHP (Federal Agency for Medicines and Health Products) for AI in the pharmaceutical and medical sector, and FSMA (Financial Services and Markets Authority) for AI in financial services. These sector bodies operate alongside BIPT under the broader EU AI Act governance architecture.
Recent Developments (2024-2026)
June 2025 Portal Launch: The APD launched a new unified portal on June 10, 2025, consolidating breach notifications and DPO registration. Organizations must authenticate via Belgium's Federal Authentication Service.
May 14, 2025 IAB Europe Ruling: The Belgian Market Court annulled the APD's February 2022 decision against IAB Europe and its TCF, finding flaws in the APD's analysis of TC Strings as personal data and IAB Europe's controller status.
January 9, 2026 IAB Europe Second Ruling: A further Market Court ruling annulled the APD's approval of IAB Europe's corrective action plan, leaving the regulatory status of the TCF in Belgium in ongoing flux.
GDPR Procedural Regulation (EU) 2025/2518: This new regulation, which entered into force on January 1, 2026 and applies from April 2, 2027, introduces binding 15-month deadlines for cross-border GDPR investigations and new procedural rights for parties. Organizations with cross-border operations should review their internal processes for responding to DPA inquiries.
APD 2026-2028 Strategic Plan: The APD formally shifted from complaint-driven to systemic-impact enforcement. Healthcare, financial services, and children's data are the stated priority sectors.
Fining Methodology Reform: Following the June 2023 Market Court judgment reducing a fine to 1 euro for inadequate proportionality reasoning, the APD has moved toward the EDPB's publicly documented five-step methodology. Future fines are likely to be higher as a result.
Single-Judge Litigation Chamber (April 2025): The Litigation Chamber began operating with a single judge rather than a three-member panel from April 25, 2025, potentially increasing per-case efficiency while reducing the total number of cases the Chamber can handle annually.
Business Compliance Checklist for Belgium
Organizations subject to Belgium's data protection regime should address the following:
- Lawful basis documentation: Identify and document the GDPR Article 6(1) basis for each processing activity. Avoid relying on employee consent for employment-related processing. Conduct and document a three-part legitimate interest assessment (LIA) wherever relying on Article 6(1)(f).
- DPO appointment and registration: Determine whether GDPR Article 37 or Belgian national law mandates a DPO. If required, appoint a DPO free from conflicts of interest and register them with the APD's portal. Only one DPO registration per data controller is permitted under the new portal.
- Special category data: If processing health, genetic, or biometric data, establish the access log required by Belgian national law, bind all authorized persons to confidentiality obligations, and maintain logs for APD inspection.
- Age of consent: For information society services offered to children, implement age-verification or parental consent mechanisms for users under 13. For users 13 to 15, the Law of 30 July 2018 permits processing with the child's consent but Belgian civil law may still require parental involvement depending on the nature of the service.
- Data breach preparedness: Register for the new APD portal using Belgian eID/itsme authentication. Establish internal procedures to identify, assess, and report breaches within 72 hours of becoming aware of them.
- Cookie compliance: Audit cookie banners and consent mechanisms for compliance with the APD's ongoing enforcement focus. Ensure withdrawal of consent is as easy as granting it.
- DPO and workplace monitoring: If monitoring employee communications or using CCTV, ensure compliance with CCTs 68 and 81, and document the legitimate interest basis and necessity of the monitoring.
- EU AI Act readiness: Identify whether any AI systems deployed by the organization qualify as high-risk under the EU AI Act. Ensure prohibited practices (as of February 2, 2025) are not in use. High-risk AI system compliance is required by August 2, 2026. The APD will supervise AI systems processing personal data; BIPT will supervise AI market placement generally.
- Cross-border transfers: Maintain Transfer Impact Assessments for transfers relying on SCCs or BCRs, and monitor the legal status of adequacy decisions, particularly the EU-US Data Privacy Framework.
Disclaimer
This article presents general legal information about Belgium's data protection regime as of May 2026. It is not legal advice. The laws and regulations described were verified against primary sources as of May 19, 2026. Belgium's implementation of the EU AI Act was still evolving at that date. Organizations should consult a lawyer licensed in Belgium or the relevant EU jurisdiction for advice on their specific situation.
Frequently Asked Questions
Does Belgium have its own data privacy law separate from the GDPR?
Yes. While the GDPR applies directly in Belgium as an EU member state, Belgium also enacted the Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data. This national law addresses areas where the GDPR allows member state discretion: the age of digital consent (set at 13 in Belgium), additional safeguards for special categories of data including access logs, criminal sanctions for data protection violations, and the establishment and powers of the Belgian Data Protection Authority. Belgium's constitutional right to privacy under Article 22, inserted in 1994, provides an additional domestic legal foundation independent of EU law.
What is the maximum GDPR fine in Belgium?
Administrative fines under the GDPR can reach 20 million euros or 4% of the organization's total worldwide annual turnover, whichever is higher, for the most serious violations. These include breaches of data processing principles, unlawful processing, and violations of data subject rights. Belgian national law also imposes criminal fines between 800 and 160,000 euros for certain offenses. Belgian public authorities are generally exempt from administrative fines. The APD is moving toward adopting the EDPB's published five-step fining methodology, which is expected to produce higher fines than Belgium's historically moderate penalty levels.
How do I report a data breach to the Belgian Data Protection Authority?
Data controllers must notify the APD within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms. Since June 10, 2025, notifications must be submitted through the APD's new unified portal. Organizations must create a company account authenticated via Belgium's Federal Authentication Service (FAS) using Belgian eID or itsme. Only one company account is permitted per data controller. Notifications must describe the nature of the breach, the categories and approximate number of individuals affected, the DPO's contact details, likely consequences, and remedial measures taken or planned.
At what age can children consent to data processing in Belgium?
Belgium set the age of digital consent at 13 years under Article 7 of the Law of 30 July 2018. This is the lowest threshold the GDPR permits for member states. It applies specifically to information society services offered directly to children where processing relies on consent. For children under 13, the child's legal representative must provide consent. For processing outside information society services, Belgian civil law rules on legal capacity apply, and parental involvement may be required even for children aged 13 and above depending on the nature of the legal act.
Can the Belgian DPA fine government agencies for GDPR violations?
Generally, no. Belgian law exempts public authorities and public bodies from administrative fines under the GDPR, except when those bodies offer goods or services on the open market in competition with private enterprises. The Belgian Constitutional Court upheld this exemption as proportionate and justified. However, the APD can still issue warnings, reprimands, and compliance orders against public sector entities, and criminal sanctions under the Law of 30 July 2018 may apply to individual public officials who commit data protection offenses.
What is the APD/GBA strategic enforcement focus for 2026 to 2028?
The APD's 2026-2028 Strategic Plan shifts from reactive complaint processing to systemic-impact enforcement. The three priority sectors are healthcare organizations, financial institutions, and entities processing the data of minors. The APD will proactively initiate inspections in these sectors rather than waiting for complaints. The authority will no longer provide individual guidance to DPOs, instead publishing sector-specific FAQs and checklists. Due to a hiring freeze through 2029, its approximately 90-person staff will be deployed on high-impact investigations and mediation for routine access and deletion requests.
How does the EU AI Act apply in Belgium?
The EU AI Act (Regulation (EU) 2024/1689) applies directly in Belgium. Belgium designated BIPT (the Belgian Institute for Postal Services and Telecommunications) as its primary market surveillance authority under the AI Act, announced in the January 31, 2025 Federal Government Agreement. The APD retains oversight of AI systems that process personal data. Prohibited AI practices have been banned since February 2, 2025. High-risk AI system compliance is required by August 2, 2026. Organizations deploying AI systems in Belgium should assess whether their systems qualify as high-risk and which authority, BIPT or APD, will be the primary supervisor.
What are Belgium's rules for employee monitoring and workplace privacy?
Belgium regulates workplace privacy primarily through National Labour Council collective agreements (CCTs) rather than standalone statutes. CCT No. 68 governs CCTV surveillance in the workplace. CCT No. 81 regulates employer monitoring of employee email and internet usage. CCT No. 38 governs data processing during recruitment. The APD has consistently held that employee consent cannot serve as the lawful basis for employment-related processing due to the power imbalance inherent in the employment relationship. Employers must rely on legal obligation (including the CCTs themselves, once adopted by royal decree) or a carefully documented legitimate interest.
What happened in the IAB Europe TCF case in Belgium?
The IAB Europe case spans multiple proceedings. The APD fined IAB Europe 250,000 euros in February 2022 and ordered it to bring its Transparency and Consent Framework (TCF) into compliance with the GDPR. On May 14, 2025, the Belgian Market Court annulled the February 2022 decision, finding the APD had not adequately justified treating TC Strings as personal data and had incorrectly concluded IAB Europe was a joint controller for participants' own advertising processing. On January 9, 2026, the Market Court issued a further ruling annulling the APD's January 2023 approval of IAB Europe's corrective action plan. The regulatory status of the TCF under Belgian law remains unsettled.
How does Belgium handle international data transfers?
Belgium follows the GDPR's international transfer framework. Transfers within the EEA proceed freely. Transfers to countries with European Commission adequacy decisions require no additional safeguards; adequate countries include Canada (for PIPEDA-covered processing), Japan, South Korea, the United Kingdom, and the United States (for EU-US Data Privacy Framework participants). Transfers to all other countries require Standard Contractual Clauses, Binding Corporate Rules, or another GDPR Article 46 safeguard, accompanied by a Transfer Impact Assessment to verify the receiving country's legal framework does not undermine the contractual protections.