Belgium';s data protection landscape shifted noticeably in the final quarter, with the Belgian Data Protection Authority - known in Dutch as the Gegevensbeschermingsautoriteit and in French as the Autorité de protection des données, referred to throughout as the APD - issuing a series of enforcement decisions, guidance documents, and procedural updates that carry direct implications for businesses operating in or targeting Belgian residents. For international companies with Belgian operations, the period brought both new compliance obligations and clarified expectations around existing rules. This guide covers the key regulatory developments, notable enforcement actions, practical compliance implications, and what businesses should prioritise in the months ahead.
The APD continued to refine its enforcement posture during the quarter, building on the General Data Protection Regulation framework while applying distinctly Belgian procedural and substantive interpretations. Several developments stand out as particularly consequential for compliance teams.
The APD';s Litigation Chamber issued a series of decisions addressing the lawfulness of processing personal data for direct marketing purposes. The decisions reinforced that legitimate interest as a legal basis requires a genuine, documented balancing test - one that weighs the controller';s interest against the data subject';s reasonable expectations. Controllers that rely on boilerplate legitimate interest assessments without tailoring them to specific processing activities face a heightened risk of adverse findings. In practice, this means marketing teams and their legal advisers need to revisit standard consent and legitimate interest frameworks, particularly where profiling or behavioural targeting is involved.
The APD also published updated guidance on the use of cookies and similar tracking technologies. The guidance aligns with the European Data Protection Board';s position but adds Belgian-specific nuances, particularly around the requirement for granular consent options. Websites targeting Belgian users must now ensure that consent banners offer genuine choice at the category level - bundled consent for all non-essential cookies remains non-compliant. The APD signalled that it will increase proactive monitoring of consent management platforms in the coming period.
A further development concerned the interaction between the GDPR and Belgium';s Act of 30 July 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data, which serves as the national implementing legislation. The APD clarified how certain derogations available under that Act - for example, in the context of employment data and health data - apply in practice, reducing some of the ambiguity that had persisted since the Act';s entry into force.
Enforcement activity during the quarter was notable both for its volume and for the sectors targeted. The APD';s Litigation Chamber issued decisions covering financial services, e-commerce, healthcare, and public sector entities, reflecting the authority';s broad jurisdictional reach and its willingness to pursue cases across industries.
One cluster of decisions addressed data subject rights, specifically the right of access under Article 15 of the GDPR. The APD found that several controllers had failed to respond to access requests within the mandatory one-month period, or had provided incomplete responses that omitted required information such as the categories of data processed, the recipients of that data, and the envisaged retention periods. The decisions resulted in corrective orders and, in some cases, administrative fines. Controllers should treat these decisions as a clear signal that access request handling is under active scrutiny.
A second enforcement theme concerned data breach notification. The GDPR requires controllers to notify the APD of qualifying personal data breaches within 72 hours of becoming aware of them. Several decisions found that controllers had either failed to notify at all or had notified significantly outside the 72-hour window without adequate justification. The APD reiterated that the clock starts when the controller has reasonable grounds to believe a breach has occurred - not when an internal investigation is formally concluded. This distinction is critical for incident response planning.
The APD also pursued cases involving unlawful data transfers to third countries. Following the Court of Justice of the European Union';s Schrems II ruling and subsequent guidance, the APD examined whether controllers relying on Standard Contractual Clauses had conducted the required transfer impact assessments. Decisions found that several controllers had adopted SCCs without performing any substantive assessment of the legal framework in the destination country, rendering the transfer mechanism ineffective. Businesses with data flows to non-EEA countries should treat this as a priority remediation area.
Fines issued during the quarter ranged from modest corrective amounts for procedural failings to more substantial penalties for systemic non-compliance. The APD has consistently applied a proportionality analysis, but repeat infringers and those who failed to cooperate with the authority';s investigations faced the upper end of the scale.
One of the most practically significant areas of APD activity during the quarter concerned the intersection of data protection law and artificial intelligence. The APD published a position paper addressing the use of AI systems that involve the processing of personal data, with particular attention to automated decision-making and profiling under Article 22 of the GDPR.
The position paper clarified that Article 22 applies not only to decisions that are fully automated but also to those where a human nominally reviews an automated output without exercising genuine independent judgment. This so-called "rubber-stamping" scenario - where a human approver simply confirms an algorithmic recommendation without meaningful scrutiny - does not satisfy the requirement for meaningful human involvement. For businesses using AI-driven credit scoring, recruitment screening, or customer segmentation, this clarification has immediate operational implications.
The APD also addressed the obligation to provide meaningful information about the logic involved in automated decisions, as required by Articles 13, 14, and 22 of the GDPR. The position paper indicated that generic descriptions of algorithmic processes are insufficient. Controllers must be able to explain, in terms understandable to the data subject, how the system reaches its outputs and what factors carry the most weight. This places new demands on technical teams to document model logic in a way that can be translated into plain-language privacy notices.
In practice, founders and compliance officers should consider conducting an audit of any AI or machine learning tools currently in use that touch personal data. The audit should assess whether the tool falls within Article 22';s scope, whether appropriate safeguards are in place, and whether privacy notices accurately describe the processing. Many organisations underestimate the breadth of Article 22';s application, assuming it covers only fully automated systems with no human involvement.
If your organisation is deploying AI tools that process personal data of Belgian residents and you are uncertain about your compliance posture, contact info@vlolawfirm.com. We can help structure the setup correctly the first time.
Employment data processing remains one of the most complex areas of Belgian data protection law, given the interaction between the GDPR, the Act of 30 July 2018, and sector-specific collective labour agreements - known in Belgium as CAOs or CCTs. The quarter brought renewed APD attention to workplace monitoring practices, particularly in the context of remote work arrangements.
Belgian law imposes specific procedural requirements before an employer can monitor employees'; electronic communications or track their activity on company systems. Collective Agreement No. 81, concluded within the National Labour Council, sets out the conditions under which employers may monitor networked data, including requirements for prior information, proportionality, and purpose limitation. The APD';s recent decisions confirmed that these requirements apply equally to monitoring conducted through cloud-based productivity tools, video conferencing platforms, and remote desktop software - not only to traditional email or internet monitoring.
A common mistake among foreign employers entering the Belgian market is to apply their home-country monitoring policies without adapting them to Belgian procedural requirements. An employer established in a jurisdiction with more permissive monitoring rules may find that its standard acceptable-use policy and monitoring consent framework are non-compliant in Belgium. The APD has shown willingness to act on employee complaints in this area, and the consequences can include both administrative fines and orders to cease the monitoring activity.
The quarter also saw guidance on the processing of health data in the employment context. Belgian law permits employers to process certain health-related information - for example, in the context of occupational health assessments - but the conditions are strictly defined. Employers must ensure that health data is processed only by or under the supervision of a health professional, that it is not accessible to line managers or HR personnel beyond what is strictly necessary, and that retention periods are clearly defined and enforced.
A practical scenario worth considering: a multinational company with a Belgian subsidiary that uses a centralised HR information system hosted outside the EEA should assess whether the system';s data flows comply with both the transfer rules discussed above and the specific Belgian rules on employment data. The combination of requirements creates a layered compliance obligation that is easy to underestimate.
Drawing together the developments of the quarter, several compliance priorities emerge for businesses with Belgian operations or Belgian-resident customers.
First, data subject rights handling deserves immediate attention. The APD';s enforcement decisions make clear that access request management is a live risk area. Businesses should audit their current processes for receiving, logging, and responding to access, erasure, and portability requests. Response timelines must be tracked, and the substantive content of responses must be complete. Where requests are complex or voluminous, the one-month extension mechanism is available but must be invoked correctly and communicated to the data subject within the initial one-month period.
Second, consent management for digital services requires review. The APD';s updated cookie guidance and its broader approach to consent as a legal basis mean that many existing consent management platforms will need reconfiguration. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, consent bundled with terms of service, and consent obtained through dark patterns all remain non-compliant. The APD has signalled proactive enforcement in this area.
Third, international data transfers need documented transfer impact assessments. Businesses relying on Standard Contractual Clauses for transfers to non-EEA countries must be able to demonstrate that they have assessed the legal framework of the destination country and, where necessary, implemented supplementary measures. This is not a one-time exercise - it must be reviewed when the destination country';s legal framework changes.
Fourth, AI and automated processing tools require a dedicated compliance review. The APD';s position paper on automated decision-making sets a clear expectation that controllers understand and can explain the logic of their AI systems. Privacy notices, data protection impact assessments, and internal documentation should all reflect the actual processing that occurs.
Fifth, employment monitoring policies must be adapted to Belgian law. Foreign employers in particular should not assume that policies compliant in their home jurisdiction will satisfy Belgian requirements. Collective Agreement No. 81 and the Act of 30 July 2018 create a specific procedural framework that must be followed.
A second practical scenario: a Belgian e-commerce business that recently integrated a third-party personalisation engine should assess whether the engine';s profiling activities require a data protection impact assessment under Article 35 of the GDPR, whether the privacy notice accurately describes the profiling, and whether the legitimate interest assessment supporting the processing has been documented and is defensible. Each of these steps is straightforward in isolation but requires coordination between legal, technical, and marketing teams.
For businesses that need support navigating these priorities, contact info@vlolawfirm.com. We can assist with documents and filings, as well as broader compliance strategy.
What are the most common reasons the APD issues fines against businesses in Belgium?
The APD';s enforcement record shows that fines most frequently arise from failures in three areas: inadequate responses to data subject rights requests, unlawful processing without a valid legal basis, and insufficient security measures leading to data breaches. Procedural failings - such as missing records of processing activities or absent data processing agreements with processors - also attract corrective orders, though these more often result in compliance deadlines rather than immediate fines. Businesses that cooperate fully with APD investigations and demonstrate remediation efforts typically receive more favourable treatment than those that are unresponsive or obstructive. The APD applies a proportionality analysis, so the size of the organisation, the nature of the data, and the number of individuals affected all influence the outcome.
How long does it typically take for the APD to resolve a complaint or investigation?
The APD';s procedural timeline varies depending on the complexity of the case and whether it involves cross-border elements requiring coordination with other European supervisory authorities. Simple complaints involving a single controller and a clear factual record can be resolved within a few months. More complex cases - particularly those involving large-scale processing, multiple jurisdictions, or novel legal questions - can take considerably longer, sometimes extending beyond a year. The APD';s Litigation Chamber follows a formal adversarial procedure that includes written submissions from both parties, and controllers have the right to be heard before a decision is issued. Businesses should not assume that a prolonged investigation means the matter will be dropped; the APD has demonstrated sustained follow-through on complex cases.
Does a Belgian company need a Data Protection Officer, and what are the consequences of not appointing one when required?
Under Article 37 of the GDPR, a Data Protection Officer is mandatory for public authorities, organisations that carry out large-scale systematic monitoring of individuals, and organisations that process special categories of data or data relating to criminal convictions on a large scale. Many Belgian SMEs fall outside these categories and are not required to appoint a DPO, though doing so voluntarily can strengthen a compliance programme. Where a DPO is mandatory, failure to appoint one is itself an infringement of the GDPR and can result in an administrative fine. The DPO must be registered with the APD, must have sufficient expertise in data protection law, and must be given the resources and independence necessary to perform their tasks effectively. Outsourcing the DPO function to an external provider is permitted under the GDPR and is a common arrangement for smaller organisations.
The final quarter brought meaningful regulatory activity from the APD, with enforcement decisions, updated guidance, and a significant position paper on AI all demanding attention from compliance teams. The consistent themes - lawful basis, data subject rights, international transfers, and employment data - reflect the APD';s settled enforcement priorities. Businesses that address these areas proactively are better positioned to avoid enforcement action and to build the kind of documented compliance programme that regulators respond to favourably.
VLO Law Firms advises international clients on data protection matters in Belgium. We can assist with compliance audits, data protection impact assessments, transfer impact assessments, DPO support, and regulatory correspondence with the APD. To request a consultation, contact: info@vlolawfirm.com