Belgium';s data protection landscape has shifted considerably in recent months, with the Belgian Data Protection Authority - the Gegevensbeschermingsautoriteit, or GBA - stepping up enforcement and issuing a series of consequential decisions. Businesses operating in Belgium or processing the personal data of Belgian residents face a more demanding compliance environment than at any point since the General Data Protection Regulation came into force. This guide covers the most significant legislative and regulatory developments in belgium data protection 2026, the enforcement trends shaping GBA practice, key decisions affecting consent and cookie management, and the practical steps organisations should take to stay compliant.
The GBA operates under the GDPR as directly applicable EU law, supplemented by the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data. That Act has been subject to incremental amendment, and the most recent modifications clarify the GBA';s investigative powers, extend its capacity to conduct sector-specific audits, and tighten the rules on transfers of personal data to third countries. Organisations that previously relied on informal compliance practices should treat these amendments as a signal that the GBA now has both the legal tools and the institutional appetite to pursue complex investigations.
The Belgian legislature has also transposed the NIS2 Directive - the Network and Information Security Directive - into national law, creating an overlap between cybersecurity obligations and data protection requirements. Entities classified as essential or important under NIS2 must now implement security measures that align with both the NIS2 framework and Article 32 of the GDPR, which requires appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In practice, this means that a single cybersecurity incident can trigger parallel obligations: notification to the Centre for Cybersecurity Belgium and, where personal data is affected, notification to the GBA within 72 hours under Article 33 of the GDPR.
A non-obvious requirement that has caught several organisations off guard is the interaction between the NIS2 transposition and the existing ePrivacy rules under the Belgian Electronic Communications Act. Businesses providing electronic communications services must now reconcile three overlapping regimes, and the GBA has indicated it will coordinate with the Belgian Institute for Postal Services and Telecommunications on joint investigations where both frameworks apply.
The GBA has issued a number of significant decisions in recent months that repay careful reading. In the advertising and media sector, the authority confirmed its position that consent obtained through so-called "consent or pay" models - where users must either accept tracking or pay a subscription fee - must meet the GDPR';s standard of freely given consent. The GBA aligned its reasoning with guidance from the European Data Protection Board, finding that where the fee is set at a level that makes refusal economically unrealistic for most users, consent cannot be considered free. Businesses running subscription-based alternatives to cookie consent should audit their pricing structures and the genuine accessibility of the paid option.
In the human resources sector, the GBA examined the lawfulness of employee monitoring, including the use of productivity-tracking software and location data from company vehicles. The authority reiterated that employers cannot rely on legitimate interests alone where the monitoring is systematic and intrusive. A data protection impact assessment under Article 35 of the GDPR is mandatory where the processing is likely to result in a high risk to the rights and freedoms of natural persons, and the GBA has made clear that blanket employee monitoring almost always meets that threshold. Employers who have not conducted a DPIA for their monitoring tools should treat this as an urgent compliance gap.
The GBA also issued a decision concerning a Belgian public authority that had retained personal data far beyond the periods specified in its own retention policy. The authority found a violation of the storage limitation principle under Article 5(1)(e) of the GDPR and imposed a corrective measure requiring the public body to implement automated deletion workflows. While public bodies face different sanction structures than private companies, the decision signals that the GBA will scrutinise retention practices across all sectors.
In practice, founders and compliance officers should consider that GBA investigations increasingly originate from data subject complaints rather than proactive audits. A single well-documented complaint can open a full investigation. Maintaining a robust record of processing activities under Article 30 of the GDPR is therefore not merely a formal obligation - it is the first line of defence when the GBA comes knocking.
If your organisation is navigating a GBA inquiry or reviewing its processing records, contact info@vlolawfirm.com. We can help structure the setup correctly the first time.
Cookie enforcement remains one of the most active areas of GBA practice. The authority has continued to apply the IAB Europe Transparency and Consent Framework decisions, and Belgian publishers and advertisers are expected to have implemented the remediation measures required by earlier GBA and Belgian Market Court rulings. Organisations that have not yet completed this remediation are at material risk of follow-on enforcement.
The GBA';s current position on cookie walls - where access to a website is conditional on accepting non-essential cookies - is that such walls are presumptively invalid unless a genuine, equivalent alternative is offered free of charge. This position goes further than the minimum required by the ePrivacy Directive as implemented in Belgium, and it reflects the GBA';s interpretation of the GDPR';s freely given consent standard. Website operators should review their cookie banners, consent management platforms, and the logic governing what happens when a user declines all non-essential cookies.
A common mistake is treating cookie compliance as a one-time technical implementation rather than an ongoing governance obligation. The GBA expects organisations to re-obtain consent when the purposes of processing change, when new cookies are introduced, or when the consent management platform is updated in a way that affects the information provided to users. Consent records must be maintained and must be capable of demonstrating that valid consent was obtained at a specific point in time for a specific set of purposes.
Practical scenarios illustrate the stakes. Consider a Belgian e-commerce operator that integrated a new analytics tool mid-year without updating its cookie notice or re-requesting consent. Under the GBA';s current approach, this would constitute a violation of Articles 6 and 7 of the GDPR, potentially triggering both a formal reprimand and a fine. Contrast this with a media company that implemented a consent management platform with granular purpose-based controls, maintained detailed consent logs, and conducted a quarterly review of its cookie inventory - this organisation is well-positioned to demonstrate compliance even if a complaint is filed.
Belgium is a significant hub for multinational operations, and many businesses established in Belgium act as data controllers or processors for personal data that flows to entities outside the European Economic Area. The current transfer landscape is shaped by the EU-US Data Privacy Framework, the standard contractual clauses adopted by the European Commission, and the GBA';s own guidance on transfer impact assessments.
The GBA has signalled that it will scrutinise transfers to third countries where the legal framework does not provide essentially equivalent protection to that guaranteed within the EEA. Organisations relying on standard contractual clauses must conduct and document a transfer impact assessment - a TIA - that evaluates the laws and practices of the destination country. Many underestimate the depth of analysis required: a TIA is not a checkbox exercise but a substantive legal assessment that should be reviewed whenever the destination country';s legal framework changes.
For businesses using US-based cloud providers, the EU-US Data Privacy Framework provides a current adequacy basis for transfers to certified US organisations. However, the framework has faced legal challenges before, and organisations should maintain standard contractual clauses as a fallback mechanism. The GBA has encouraged this belt-and-suspenders approach in its published guidance.
A non-obvious requirement for Belgian companies acting as processors for non-EEA controllers is that the processor';s obligations under Article 28 of the GDPR apply regardless of where the controller is established. Belgian processors must ensure their sub-processing arrangements, security measures, and audit rights provisions comply with GDPR standards even when the controller is based in a jurisdiction with different data protection norms.
Three sectors deserve particular attention in the current period. Health data processing in Belgium is subject to both the GDPR';s special category rules under Article 9 and sector-specific legislation, including the Act on the Rights of the Patient and the framework governing the eHealth platform. The GBA has issued guidance clarifying that secondary use of health data for research purposes requires either explicit consent or a specific legal basis under Belgian law, and that pseudonymisation alone does not remove data from the special category regime.
The intersection of artificial intelligence and data protection is an emerging enforcement priority. The EU AI Act is now in phased application, and Belgian organisations deploying AI systems that process personal data must consider both the AI Act';s requirements and their GDPR obligations simultaneously. High-risk AI systems as defined by the AI Act will typically require a DPIA under the GDPR, and the GBA has indicated it will work with the Belgian AI regulatory authority on coordinated oversight. Organisations developing or deploying AI tools for recruitment, credit scoring, or customer profiling should treat this intersection as a current compliance priority rather than a future concern.
In financial services, the Digital Operational Resilience Act - DORA - has entered into application, creating new obligations for financial entities and their ICT service providers. Where DORA-related incidents involve personal data, the GDPR';s breach notification obligations apply in parallel. Belgian financial institutions should ensure their incident response procedures address both frameworks and that their data protection officers are integrated into the DORA governance structure.
A practical scenario: a Belgian fintech company using an AI-based credit scoring model must assess whether the model constitutes a high-risk AI system under the AI Act, conduct a DPIA under Article 35 of the GDPR, ensure that data subjects receive meaningful information about automated decision-making under Article 22, and maintain records sufficient to demonstrate compliance to both the GBA and the financial supervisor. This is a genuinely complex multi-framework obligation that requires coordinated legal and technical input.
Given the developments described above, organisations processing personal data in Belgium should focus on several concrete actions in the near term.
First, review and update records of processing activities. The GBA has made clear that Article 30 records must be accurate, current, and sufficiently detailed to support a meaningful assessment of compliance. Records that were created at the time of GDPR implementation and never updated are a liability.
Second, audit consent mechanisms. This applies to cookie consent, marketing consent, and any other processing that relies on consent as its legal basis. Consent must be granular, freely given, informed, and revocable, and the organisation must be able to demonstrate that these conditions were met at the time consent was obtained.
Third, assess data transfers. Any transfer of personal data outside the EEA should be supported by a documented legal basis and, where standard contractual clauses are used, a completed transfer impact assessment. The GBA expects this documentation to be available on request.
Fourth, conduct or update DPIAs for high-risk processing activities. The GBA';s recent decisions confirm that employee monitoring, AI-based decision-making, large-scale processing of special category data, and systematic tracking of individuals all require DPIAs. Existing DPIAs should be reviewed whenever the underlying processing changes materially.
Fifth, ensure data breach response procedures are fit for purpose. The 72-hour notification deadline under Article 33 of the GDPR is strict, and the GBA has penalised organisations that failed to notify within the required period. Incident response plans should be tested and the data protection officer should have a clear escalation path.
Many underestimate the importance of training. The GBA';s decisions frequently reference failures by staff who were unaware of their obligations. Annual data protection training for all staff who handle personal data is a baseline expectation, not an optional enhancement.
What are the most common reasons the GBA opens an investigation against a business?
The majority of GBA investigations are triggered by complaints from data subjects, typically concerning unlawful marketing communications, inadequate responses to access or erasure requests, or non-compliant cookie practices. The GBA also conducts sector-specific audits and may open an own-initiative investigation following a media report or a data breach notification. Organisations that maintain thorough documentation of their processing activities and respond promptly to data subject requests are significantly better positioned when an investigation begins. The GBA';s published decisions show that cooperation and remediation during an investigation can influence the outcome, though they do not eliminate the risk of a formal finding.
How long does a GBA investigation typically take, and what sanctions are possible?
GBA investigations vary considerably in duration. A straightforward complaint about a marketing email may be resolved within a few months, while a complex investigation involving multiple processing activities or cross-border elements can take considerably longer. The GBA has the power to issue warnings, reprimands, orders to bring processing into compliance, temporary or permanent bans on processing, and administrative fines. Fines for the most serious violations can reach up to four percent of total worldwide annual turnover or a fixed ceiling, whichever is higher. In practice, the GBA has imposed fines across a wide range, and the severity tends to reflect the nature of the violation, the organisation';s cooperation, and whether the violation was intentional or negligent.
Does a small or medium-sized Belgian business need a data protection officer?
The obligation to appoint a data protection officer under Article 37 of the GDPR applies to public authorities, organisations whose core activities require large-scale, regular and systematic monitoring of data subjects, and organisations whose core activities involve large-scale processing of special category data or data relating to criminal convictions. Many SMEs do not meet these thresholds and are not legally required to appoint a DPO. However, the GBA has encouraged smaller organisations to designate a responsible person for data protection matters even where a formal DPO is not required. In practice, having a named internal contact who understands the organisation';s processing activities and can respond to data subject requests and regulatory inquiries is a sound risk management measure regardless of legal obligation.
Belgium';s data protection environment is more demanding than it was even a short time ago. The GBA is better resourced, more willing to pursue complex investigations, and increasingly coordinated with other EU supervisory authorities. Organisations that treat compliance as a periodic exercise rather than an ongoing governance function face real enforcement risk. The priorities are clear: accurate records, valid consent, documented transfers, current DPIAs, and tested breach response procedures.
VLO Law Firms advises international clients on data protection matters in Belgium. We can assist with GDPR compliance reviews, DPA investigations, consent mechanism audits, transfer impact assessments, and data protection officer support. To request a consultation, contact: info@vlolawfirm.com