Data & Privacy · Belgium

Comprehensive law: EU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) as the directly-applicable baseline, implemented nationally by the Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data; supervised by the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit, APD/GBA), established by the Act of 3 December 2017.

As an EU member state, Belgium applies the GDPR directly, supplemented by the national Framework Act of 30 July 2018, which fills GDPR opening clauses, transposes the Law Enforcement Directive (EU) 2016/680, and governs intelligence/security-service processing. The independent Belgian DPA (APD/GBA), created by the Act of 3 December 2017, supervises and enforces the regime with full GDPR investigative and corrective powers. The framework is in force and actively enforced through the DPA's Litigation Chamber.

Comprehensive GDPR-based regime

The GDPR applies directly in Belgium; the Act of 30 July 2018 implements national specifications, transposes Directive (EU) 2016/680 for criminal-justice authorities, and covers intelligence/security service processing. It entered into force on 5 September 2018.

Supervisory authority

The Belgian Data Protection Authority (APD/GBA), based in Brussels, was established by the Act of 3 December 2017 and became operational on 25 May 2018, succeeding the former Privacy Commission. It is an independent body attached to the Federal Chamber of Representatives.

Authority structure and enforcement powers

The DPA comprises five bodies — General Secretariat, Knowledge Centre, First-line Service, Inspection Service, and Litigation Chamber — plus an Executive Committee. The Inspection Service investigates and the Litigation Chamber issues warnings, reprimands, compliance orders, processing bans, and administrative fines.

National specifications in the 2018 Act

The Act sets the age of valid consent for information-society services at 13 (Article 7) and imposes extra safeguards for genetic, biometric, and health data, including maintaining a list of authorised persons and binding them to confidentiality.

Penalties

GDPR fines apply: up to EUR 20 million or 4% of total worldwide annual turnover (whichever is higher) for the most serious infringements such as breaching basic processing principles and consent conditions (Art. 83(5)).

Current enforcement priorities (2025-2028)

2025 priorities included DPOs, cookies, direct marketing/data brokers, transparency, and processing in schools. The DPA's 2026-2028 strategic plan (consulted Nov 2025) targets high-risk large-scale processing and the processing of minors' data. The landmark IAB Europe/TCF adtech case (EUR 250,000 fine) was upheld by the Brussels Market Court in 2025.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.