European Union · updated 2026-06-15
Belgium
Belgium's APD reshaped adtech for the whole EU by ruling the IAB's TCF consent framework unlawful as designed. If your revenue touches programmatic advertising, Belgian decisions define your consent-string obligations.
- Law:
- GDPR + Law of 30 July 2018 + Electronic Communications Act
Cookie consent
Opt-in required
Breach deadline
72 hours
DPA with vendors
Required
Max fine
€20,000,000 or 4% of global annual revenue, whichever is higher
What Belgium requires
Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.
-
Privacy policy
Art. 13–14 GDPRPrivacy notice in the language(s) of your Belgian audience — French and/or Dutch for consumer services — naming the APD as complaint authority.
How to implement Belgium is multilingual by law: match the notice language to how you market. B2B tech commonly ships English plus one national language.
Required -
Cookie consent banner
Art. 129 ECAOpt-in with first-layer rejection and prior blocking. If you monetise with programmatic ads, TCF version compliance is a Belgian-specific concern.
How to implement Use a CMP running the current IAB TCF version, and verify your vendor list. The APD treats consent strings as personal data you are jointly responsible for.
Required -
Records of processing (ROPA)
Art. 30 GDPRStandard register of processing activities.
How to implement The APD publishes a ROPA template; keep it in French, Dutch, or English.
Required -
Data protection officer
Art. 37 GDPRGDPR-baseline thresholds; notification to the APD via e-form.
How to implement Belgian guidance stresses DPO independence — avoid appointing someone who also decides processing purposes (e.g. your CTO), which the APD has fined.
Conditional -
Breach notification process
Art. 33–34 GDPR72-hour notification via the APD's form plus an internal breach register.
How to implement The form is available in French and Dutch; prepare a bilingual incident template if you operate nationally.
Required
The details
- Cookie consent
- Opt-in consent required under the Electronic Communications Act. The APD's IAB Europe decision means consent strings themselves are personal data — publishers relying on TCF must verify their CMP runs a compliant TCF version.
- Data Protection Officer
- GDPR baseline thresholds; Belgian law adds DPO duties for some federal public bodies. Notify the APD of appointments via its e-form.
- Processing agreements
- Art. 28 GDPR agreements required with all processors, in French, Dutch, or English as appropriate to the relationship.
- Breach notification
- Notify the APD via its online breach form within 72 hours; high-risk breaches require individual notification without undue delay.
- Enforcement in practice
- The APD fined IAB Europe €250,000 in 2022 and ordered the redesign of the Transparency & Consent Framework used across most of European adtech.
Data subject rights
What users can demand from you in Belgium, and the engineering that satisfies each right.
Right to access
Art. 15 GDPRCopy of personal data and processing details within one month.
Respond in the language of the request where reasonable; track the 30-day deadline.
Right to erasure
Art. 17 GDPRDeletion when data is no longer necessary or consent withdrawn.
Belgian accounting law requires 7-year retention of books — document the exemption in your retention schedule.
Right to data portability
Art. 20 GDPRMachine-readable export of user-provided data.
JSON/CSV export for consent- and contract-based data.
Right to rectification
Art. 16 GDPRCorrection of inaccurate personal data.
Self-service edits plus support channel.
Right to restrict processing & to object
Art. 18, 21 GDPRFreeze during disputes; absolute objection to direct marketing.
Belgium's 'Do Not Call Me' list covers telemarketing; email marketing needs opt-in or existing-customer soft opt-in.
Automated decision-making
Art. 22 GDPRProtection against solely automated significant decisions.
The IAB decision treats real-time-bidding profiles under this lens — ad-funded products should document human oversight and profiling disclosures.
Tools that cover Belgium
Services we'd shortlist for this jurisdiction. Links may be affiliate links.
-
cookie consent
Didomi
TCF-registered CMP — the safest category of banner for Belgian programmatic publishers.
Visit Didomi → -
privacy policy
iubenda
Generates French and Dutch privacy policies for Belgium's bilingual market.
Visit iubenda → -
compliance suite
OneTrust
Enterprise consent and vendor management, with TCF version compliance handled automatically.
Visit OneTrust →
Frequently asked questions
What did the IAB Europe decision change for ordinary websites?
If your ads run through the IAB's TCF (most programmatic setups), the consent string your CMP generates is personal data, and the framework had to be redesigned. Practically: use a TCF-registered CMP on a current framework version and keep your vendor list reviewed.
Which language must my privacy policy be in for Belgium?
Match your marketing: French for Wallonia, Dutch for Flanders, both for national consumer services. The APD publishes in both languages and expects notices intelligible to the actual audience.
Can my CTO be our DPO in Belgium?
Risky — the APD fined a company €50,000 because its DPO also headed compliance/audit/risk, creating a conflict of interest. Appoint someone who doesn't decide processing purposes, or use an external DPO.
Is Belgium stricter than its neighbours?
On adtech, yes — the APD's litigation chamber has been unusually willing to take on industry-wide frameworks. On everyday SaaS compliance it tracks the EU mainstream: banner, policy, ROPA, DPAs, 72-hour breach reporting.
Similar jurisdictions
Free download
Get GDPR updates for Belgium
A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.
No spam. Unsubscribe anytime — we practice what we document.