Skip to content
GDPR by Law

European Union · updated 2026-06-15

Belgium

Conditional

Belgium's APD reshaped adtech for the whole EU by ruling the IAB's TCF consent framework unlawful as designed. If your revenue touches programmatic advertising, Belgian decisions define your consent-string obligations.

Law:
GDPR + Law of 30 July 2018 + Electronic Communications Act
Regulator:
APD/GBA (Autorité de protection des données / Gegevensbeschermingsautoriteit)

Cookie consent

Opt-in required

Breach deadline

72 hours

DPA with vendors

Required

Max fine

€20,000,000 or 4% of global annual revenue, whichever is higher

What Belgium requires

Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.

  1. Privacy policy

    Art. 13–14 GDPR

    Privacy notice in the language(s) of your Belgian audience — French and/or Dutch for consumer services — naming the APD as complaint authority.

    How to implement Belgium is multilingual by law: match the notice language to how you market. B2B tech commonly ships English plus one national language.

    Required
  2. Cookie consent banner

    Art. 129 ECA

    Opt-in with first-layer rejection and prior blocking. If you monetise with programmatic ads, TCF version compliance is a Belgian-specific concern.

    How to implement Use a CMP running the current IAB TCF version, and verify your vendor list. The APD treats consent strings as personal data you are jointly responsible for.

    Required
  3. Records of processing (ROPA)

    Art. 30 GDPR

    Standard register of processing activities.

    How to implement The APD publishes a ROPA template; keep it in French, Dutch, or English.

    Required
  4. Data protection officer

    Art. 37 GDPR

    GDPR-baseline thresholds; notification to the APD via e-form.

    How to implement Belgian guidance stresses DPO independence — avoid appointing someone who also decides processing purposes (e.g. your CTO), which the APD has fined.

    Conditional
  5. Breach notification process

    Art. 33–34 GDPR

    72-hour notification via the APD's form plus an internal breach register.

    How to implement The form is available in French and Dutch; prepare a bilingual incident template if you operate nationally.

    Required

The details

Cookie consent
Opt-in consent required under the Electronic Communications Act. The APD's IAB Europe decision means consent strings themselves are personal data — publishers relying on TCF must verify their CMP runs a compliant TCF version.
Data Protection Officer
GDPR baseline thresholds; Belgian law adds DPO duties for some federal public bodies. Notify the APD of appointments via its e-form.
Processing agreements
Art. 28 GDPR agreements required with all processors, in French, Dutch, or English as appropriate to the relationship.
Breach notification
Notify the APD via its online breach form within 72 hours; high-risk breaches require individual notification without undue delay.
Enforcement in practice
The APD fined IAB Europe €250,000 in 2022 and ordered the redesign of the Transparency & Consent Framework used across most of European adtech.

Data subject rights

What users can demand from you in Belgium, and the engineering that satisfies each right.

Right to access

Art. 15 GDPR

Copy of personal data and processing details within one month.

Respond in the language of the request where reasonable; track the 30-day deadline.

Right to erasure

Art. 17 GDPR

Deletion when data is no longer necessary or consent withdrawn.

Belgian accounting law requires 7-year retention of books — document the exemption in your retention schedule.

Right to data portability

Art. 20 GDPR

Machine-readable export of user-provided data.

JSON/CSV export for consent- and contract-based data.

Right to rectification

Art. 16 GDPR

Correction of inaccurate personal data.

Self-service edits plus support channel.

Right to restrict processing & to object

Art. 18, 21 GDPR

Freeze during disputes; absolute objection to direct marketing.

Belgium's 'Do Not Call Me' list covers telemarketing; email marketing needs opt-in or existing-customer soft opt-in.

Automated decision-making

Art. 22 GDPR

Protection against solely automated significant decisions.

The IAB decision treats real-time-bidding profiles under this lens — ad-funded products should document human oversight and profiling disclosures.

Tools that cover Belgium

Services we'd shortlist for this jurisdiction. Links may be affiliate links.

  • cookie consent

    Didomi

    TCF-registered CMP — the safest category of banner for Belgian programmatic publishers.

    Visit Didomi →
  • privacy policy

    iubenda

    Generates French and Dutch privacy policies for Belgium's bilingual market.

    Visit iubenda →
  • compliance suite

    OneTrust

    Enterprise consent and vendor management, with TCF version compliance handled automatically.

    Visit OneTrust →

Frequently asked questions

What did the IAB Europe decision change for ordinary websites?

If your ads run through the IAB's TCF (most programmatic setups), the consent string your CMP generates is personal data, and the framework had to be redesigned. Practically: use a TCF-registered CMP on a current framework version and keep your vendor list reviewed.

Which language must my privacy policy be in for Belgium?

Match your marketing: French for Wallonia, Dutch for Flanders, both for national consumer services. The APD publishes in both languages and expects notices intelligible to the actual audience.

Can my CTO be our DPO in Belgium?

Risky — the APD fined a company €50,000 because its DPO also headed compliance/audit/risk, creating a conflict of interest. Appoint someone who doesn't decide processing purposes, or use an external DPO.

Is Belgium stricter than its neighbours?

On adtech, yes — the APD's litigation chamber has been unusually willing to take on industry-wide frameworks. On everyday SaaS compliance it tracks the EU mainstream: banner, policy, ROPA, DPAs, 72-hour breach reporting.

Similar jurisdictions

Free download

Get GDPR updates for Belgium

A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.

No spam. Unsubscribe anytime — we practice what we document.