Legal-Updates
Legal-Updates

Data Protection Update in Belgium: Q2 2026

Belgium';s data protection landscape is shifting at pace. The Belgian Data Protection Authority - the Gegevensbeschermingsautoriteit, or GBA - has intensified enforcement, issued new guidance, and aligned its supervisory approach with EU-wide priorities. For international businesses operating in Belgium, the practical stakes are significant: fines, corrective orders, and reputational exposure are all live risks. This guide covers the most material developments in belgium data protection 2026, including regulatory changes, enforcement decisions, cross-border coordination, and the concrete compliance steps organisations should take now.

What has changed in Belgian data protection law recently

The foundational framework remains the General Data Protection Regulation and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, which implements the GDPR in Belgian national law and governs the GBA';s mandate. Recent legislative activity has focused on two areas: the transposition of EU directives that touch on data processing, and targeted amendments to the 2018 Act itself.

The Belgian legislature has moved to align national law with the EU Data Governance Act and the AI Act, both of which carry significant implications for how organisations handle personal data in automated systems. The AI Act, in particular, imposes obligations that intersect directly with GDPR requirements - particularly around transparency, human oversight, and the prohibition of certain high-risk processing activities. Belgian supervisory guidance has begun to address how these instruments interact, signalling that the GBA will treat AI-related data processing as a priority inspection area.

A non-obvious requirement that many foreign operators miss is that the 2018 Act contains specific provisions on processing for journalistic, academic, artistic, and literary purposes, as well as derogations for public-interest research. These national derogations are narrower than many assume, and the GBA has recently clarified their scope in published guidance. Organisations relying on these exemptions should review whether their processing genuinely qualifies.

The Belgian Act also governs the processing of sensitive categories of data by public authorities and certain regulated sectors. Recent amendments have tightened the conditions under which health data may be processed outside the healthcare sector, a change with direct relevance to insurers, HR technology providers, and wellness platforms operating in Belgium.

GBA enforcement trends and recent decisions

The GBA has significantly increased the volume and severity of its enforcement activity. Its decisions are publicly available on the GBA website and provide a reliable guide to current supervisory priorities. Several themes emerge from recent decisions.

Consent management remains the single most litigated area. The GBA has issued corrective orders and fines against organisations whose cookie banners and consent interfaces did not meet the standard of freely given, specific, informed, and unambiguous consent. A common mistake is designing consent flows that make refusal more difficult than acceptance - so-called "dark patterns" - which the GBA treats as a per se violation of Article 7 GDPR. Organisations should audit their consent interfaces against the GBA';s published guidance on cookie compliance, which was updated recently to reflect the European Data Protection Board';s guidelines on deceptive design.

Data subject rights enforcement has also intensified. The GBA has sanctioned several controllers for failing to respond to access requests within the one-month statutory deadline, and for providing incomplete or evasive responses. In practice, founders and compliance officers should consider whether their request-handling workflows are documented, assigned to a responsible person, and tested against realistic scenarios. Many underestimate the operational burden of rights requests when data is spread across multiple processors and legacy systems.

Cross-border cases involving Belgian establishments of multinational groups have drawn particular attention. Where Belgium is the lead supervisory authority under the GDPR';s one-stop-shop mechanism, the GBA has demonstrated willingness to pursue investigations to conclusion and to coordinate with other EU data protection authorities through the consistency mechanism. Conversely, where another authority leads, the GBA has been active as a concerned supervisory authority, raising objections and requesting information.

The GBA';s Litigation Chamber - the body that issues binding decisions and fines - has also addressed processor accountability. Several decisions have found that controllers failed to conduct adequate due diligence on processors, in breach of Article 28 GDPR. The GBA expects controllers to verify that data processing agreements contain all mandatory clauses and that processors can demonstrate compliance, not merely assert it contractually.

If your organisation is facing a GBA inquiry or needs to review its processor agreements, contact info@vlolawfirm.com. We can assist with documents and filings.

Cross-border data transfers and international data flows from Belgium

International data transfers remain a live compliance issue for businesses with Belgian operations. The GDPR';s Chapter V restrictions apply to any transfer of personal data to a third country, and the GBA has made clear it will scrutinise transfer mechanisms as part of broader investigations.

The standard contractual clauses adopted by the European Commission remain the primary transfer tool for most organisations. However, the GBA - in line with the EDPB - expects controllers to conduct a transfer impact assessment before relying on SCCs. This assessment must evaluate the legal framework of the destination country and determine whether supplementary measures are needed to bring the level of protection up to EU standards. A common mistake is treating the execution of SCCs as a complete solution without conducting the underlying assessment.

The EU-US Data Privacy Framework provides a valid adequacy decision for transfers to certified US organisations. Belgian controllers transferring data to US processors or sub-processors should verify that the recipient is currently certified under the framework and that the certification covers the categories of data being transferred. Certification lapses are not uncommon, and a lapsed certification invalidates the adequacy basis for the transfer.

For transfers to other third countries, adequacy decisions exist for a defined list of jurisdictions. Where no adequacy decision applies and SCCs are used, the transfer impact assessment process is mandatory. The GBA has indicated it will treat the absence of a documented TIA as an aggravating factor in enforcement proceedings.

Belgian businesses using cloud services, analytics platforms, or HR systems hosted outside the EEA should map their data flows and document the transfer mechanism for each. Many underestimate the number of third-country transfers embedded in standard SaaS arrangements, particularly where sub-processors are located in non-adequate countries.

AI, automated decision-making, and emerging technology obligations

The intersection of the AI Act and GDPR is the most significant emerging compliance challenge for Belgian organisations. The AI Act classifies certain AI systems as high-risk, including systems used in employment, credit scoring, and access to essential services. Where such systems process personal data, both the AI Act and GDPR apply concurrently, and the obligations are cumulative, not alternative.

Under Article 22 GDPR, individuals have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Belgian supervisory guidance has clarified that this right applies broadly and that human review must be genuine, not merely formal. A non-obvious requirement is that the human reviewer must have the ability and authority to override the automated output - a rubber-stamp process does not satisfy the standard.

Data protection impact assessments are mandatory for high-risk processing activities, including most AI-driven profiling. The GBA has published a list of processing types that presumptively require a DPIA, and this list has been updated to include several AI use cases. Organisations deploying AI systems that process personal data should conduct a DPIA before deployment, not after. In practice, many organisations conduct DPIAs retrospectively following an incident or inquiry, which the GBA treats as a compliance failure in itself.

The AI Act also introduces transparency obligations that parallel GDPR requirements. Where an AI system interacts with individuals - for example, a chatbot or automated customer service tool - disclosure obligations apply under both instruments. Belgian organisations should review their AI deployments against both frameworks and ensure that privacy notices, consent mechanisms, and DPIA documentation are aligned.

Practical scenario: a Belgian fintech company using an AI-based credit scoring model must comply with Article 22 GDPR, conduct a DPIA, ensure that human review is substantive, and - if the model qualifies as high-risk under the AI Act - meet the additional conformity assessment and documentation requirements of that regulation. The compliance burden is substantial and requires coordination between legal, technology, and product teams.

Practical compliance steps for businesses operating in Belgium

For international businesses with Belgian operations, the current regulatory environment requires a structured compliance review. The following areas represent the highest-priority items based on current GBA enforcement patterns and recent legislative developments.

Consent and cookie compliance should be reviewed against the GBA';s current guidance. This means auditing the consent management platform, reviewing the design of consent interfaces for dark patterns, and ensuring that consent records are stored and retrievable. Many organisations implemented cookie banners at GDPR implementation and have not revisited them since. The standard has evolved, and legacy implementations frequently do not comply.

Data processing agreements with all processors should be reviewed to ensure they contain the mandatory clauses required by Article 28 GDPR. The GBA expects controllers to go beyond boilerplate and to verify that processors can actually demonstrate compliance. Due diligence records should be maintained.

Data subject rights procedures should be documented and tested. This means assigning responsibility, setting internal deadlines shorter than the statutory one-month period to allow for review, and ensuring that all relevant data stores - including those held by processors - can be searched in response to a request.

Transfer impact assessments should be conducted for all third-country data flows. This is not a one-time exercise: TIAs should be reviewed when the legal framework of the destination country changes or when the processing arrangement changes materially.

DPIAs should be conducted or updated for any high-risk processing activity, including AI-driven profiling, large-scale processing of sensitive data, and systematic monitoring. The DPIA should be documented and retained, and the GBA should be consulted where the residual risk remains high after mitigation.

Practical scenario: a Belgian subsidiary of a US technology group discovers that its HR platform transfers employee data to a US parent company without a current TIA or updated SCCs. The correct response is to conduct a TIA, execute updated SCCs with the parent, implement any required supplementary measures, and document the entire process. Notifying the GBA proactively, where the risk is material, is advisable and may be treated as a mitigating factor in any subsequent enforcement action.

To structure a compliance review or respond to a GBA inquiry, contact info@vlolawfirm.com. We can help structure the setup correctly the first time.

Frequently asked questions

What are the most common reasons the GBA opens an investigation against a business?

The GBA opens investigations on the basis of complaints from data subjects, referrals from other supervisory authorities, and own-initiative inquiries. Complaints most frequently concern consent violations, failures to respond to access requests, and unlawful processing of sensitive data. Own-initiative inquiries have focused on cookie compliance, AI-driven processing, and cross-border data transfers. Businesses should treat any GBA correspondence as a priority matter, as the authority has shown willingness to escalate from inquiry to formal investigation where responses are inadequate or delayed. Engaging legal counsel at the inquiry stage is advisable, as early cooperation is treated as a mitigating factor.

How long does a GBA enforcement process typically take, and what are the potential consequences?

A GBA investigation can take anywhere from several months to over a year, depending on complexity and whether the case involves cross-border coordination with other EU authorities. Outcomes range from reprimands and corrective orders to fines of up to four percent of global annual turnover or twenty million euros, whichever is higher, under the GDPR';s penalty framework. The GBA also has the power to impose temporary or permanent bans on processing. In practice, many cases are resolved through corrective orders rather than fines, particularly where the controller cooperates and implements remedial measures promptly. However, repeat violations and deliberate non-compliance attract more severe sanctions.

Does a Belgian company need a data protection officer, and what are the practical requirements?

A data protection officer is mandatory under Article 37 GDPR for public authorities, organisations that carry out large-scale systematic monitoring of individuals, and organisations that process special categories of data or criminal conviction data on a large scale. Many Belgian SMEs fall outside these thresholds, but the GBA has indicated that the thresholds should be interpreted in light of the actual risk profile of the processing, not merely its volume. Where a DPO is required, the role must be genuinely independent, adequately resourced, and involved in all data protection matters from the outset. A common mistake is appointing a DPO who lacks the authority or resources to perform the role effectively, which the GBA treats as a compliance failure rather than a mitigating factor.

Conclusion

Belgium';s data protection environment is more demanding than it was even a few years ago. The GBA is a well-resourced, active authority with a clear enforcement agenda. For international businesses, the combination of GDPR obligations, national implementing law, and emerging AI regulation creates a layered compliance challenge that requires ongoing attention, not a one-time review.

VLO Law Firms advises international clients on data protection matters in Belgium. We can assist with GDPR compliance reviews, DPA negotiations, DPIA preparation, transfer impact assessments, and GBA inquiry responses. To request a consultation, contact: info@vlolawfirm.com