Data & Privacy · Belgium
Data protection & privacy laws in Belgium (2026)
Belgium shaded by its data & privacy status
As an EU member state, Belgium applies the GDPR directly, supplemented by the national Framework Act of 30 July 2018, which fills GDPR opening clauses, transposes the Law Enforcement Directive (EU) 2016/680, and governs intelligence/security-service processing. The independent Belgian DPA (APD/GBA), created by the Act of 3 December 2017, supervises and enforces the regime with full GDPR investigative and corrective powers. The framework is in force and actively enforced through the DPA's Litigation Chamber.
Key points
The GDPR applies directly in Belgium; the Act of 30 July 2018 implements national specifications, transposes Directive (EU) 2016/680 for criminal-justice authorities, and covers intelligence/security service processing. It entered into force on 5 September 2018.
The Belgian Data Protection Authority (APD/GBA), based in Brussels, was established by the Act of 3 December 2017 and became operational on 25 May 2018, succeeding the former Privacy Commission. It is an independent body attached to the Federal Chamber of Representatives.
The DPA comprises five bodies — General Secretariat, Knowledge Centre, First-line Service, Inspection Service, and Litigation Chamber — plus an Executive Committee. The Inspection Service investigates and the Litigation Chamber issues warnings, reprimands, compliance orders, processing bans, and administrative fines.
The Act sets the age of valid consent for information-society services at 13 (Article 7) and imposes extra safeguards for genetic, biometric, and health data, including maintaining a list of authorised persons and binding them to confidentiality.
GDPR fines apply: up to EUR 20 million or 4% of total worldwide annual turnover (whichever is higher) for the most serious infringements such as breaching basic processing principles and consent conditions (Art. 83(5)).
2025 priorities included DPOs, cookies, direct marketing/data brokers, transparency, and processing in schools. The DPA's 2026-2028 strategic plan (consulted Nov 2025) targets high-risk large-scale processing and the processing of minors' data. The landmark IAB Europe/TCF adtech case (EUR 250,000 fine) was upheld by the Brussels Market Court in 2025.
Timeline - major decisions & events
Following a November 2025 public consultation, the DPA published its 2026–2028 strategic framework prioritising large-scale high-risk processing (adtech, data brokers, profiling) and the protection of minors' data. It signals where proactive audits will focus.
Chambers Global Practice Guides ↗The authority introduced a new online portal in June 2025 with a mandatory two-stage process: an initial notification within the GDPR 72-hour window and a detailed follow-up within 21 calendar days. It standardises how controllers report breaches in Belgium.
DLA Piper Data Protection Laws of the World ↗The Market Court annulled the DPA's 2022 decision on procedural grounds but confirmed the substantive findings — that the TC String is personal data and that IAB Europe is a joint controller for TCF processing. The ruling cements GDPR exposure for the online-advertising consent framework.
Belgian Data Protection Authority (APD/GBA) ↗The Court of Justice of the EU held that a TC String can constitute personal data and that IAB Europe acts as a joint controller for TCF processing. The preliminary ruling, prompted by the Belgian DPA case, reshaped adtech consent practices across the EU.
Hunton (reporting CJEU C-604/22) ↗In Decision 21/2022, agreed with 27 other EU authorities, the Litigation Chamber found IAB Europe was a controller lacking a valid legal basis, DPO, DPIA and processing register for its Transparency & Consent Framework, and ordered a compliance action plan. It was a landmark adtech enforcement case.
European Data Protection Board / Belgian DPA ↗The Litigation Chamber fined Google Belgium for failing to respect a citizen's right to be forgotten and for an opaque delisting request form — the DPA's largest fine at the time. It established the authority's willingness to act against major tech platforms.
European Data Protection Board / Belgian DPA ↗Belgium's framework law implementing GDPR open clauses (derogations and additional requirements) took effect, repealing the 1992 privacy law and ending the coexistence of the old regime with the directly applicable GDPR.
Jones Day ↗On the day GDPR became enforceable, the new Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit) succeeded the former Commission for the Protection of Privacy as Belgium's supervisory authority.
Belgian Data Protection Authority (APD/GBA) ↗Belgium's foundational data-protection statute (implementing the European data-protection regime of the era) governed personal-data processing for nearly 26 years until it was repealed by the 2018 Act. It established the original privacy-protection framework and the Privacy Commission.
Digital Evidence and Electronic Signature Law Review (translation) ↗Belgium - other topics
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →