Belgium
Data protection
1. Local data protection laws and scope
- General Data Protection Regulation n° 2016/679 (GDPR);
- Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (Privacy Act) and implementing decrees;
- Law of 5 September 2018 establishing the Information Security Committee and amending various laws concerning the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
- Law of 21 March 2007 on the use of surveillance cameras as amended by the Law of 21 March 2018 (“Camera Act”);
- Law of 3 December 2017 on the creation of a Data Protection Authority as amended by the Act of 7 September 2023 and the Act of 25 December 2023 (DPA Act);
- Law of 13 June 2005 on electronic communications (on cookies);
- Book VI and Book XII Belgian Economic Code (on direct marketing and cookies);
- Royal Decree of 3 February 2019 on the implementation of the Law of 25 December 2016 on the processing of passenger data, including the obligations for bus carriers;
- Royal Decree of 3 February 2019 on the implementation of the law of 25 December 2016 on the processing of passenger data, including the obligations for HST (High Speed Train) carriers and HST ticket machines;
- Royal Decree of 6 December 2018 determining the places where the controller can direct his surveillance cameras towards the perimeter directly surrounding the site, keep the images of the surveillance cameras for three months and give real-time access to the images to the police services;
- Royal Decree of 8 May 2018 on declarations of installation and use of surveillance cameras and on the register of activities for the processing of images from surveillance cameras;
- Royal Decree of 10 February 2008 determining the manner in which the presence of camera surveillance must be indicated;
- Royal Decree of 4 April 2003 regulating advertising by electronic mail.
To consult these laws, see hyperlinks below.
Law of 3 December 2017:
- http://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=nl&la=N&cn=2017120311&table_name=wet (NL)
- http://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=2017120311&table_name=loi (FR)
- https://www.dataprotectionauthority.be/sites/privacycommission/files/documents/Act_establishing_DPA_30_07_2018.pdf (EN)
Law of 5 September 2018:
- http://www.ejustice.just.fgov.be/eli/wet/2018/09/05/2018203892/justel (NL)
- http://www.ejustice.just.fgov.be/eli/loi/2018/09/05/2018203892/justel (FR)
Privacy Act:
- http://www.ejustice.just.fgov.be/eli/wet/2018/07/30/2018040581/justel (NL)
- http://www.ejustice.just.fgov.be/eli/loi/2018/07/30/2018040581/justel (FR)
The Privacy Act (Articles 2 and 4) applies when the processing is carried out wholly or partly by automatic means, or otherwise forms part of (or is intended to form part of) a filing system, AND either:
- the processing is carried out in the context of the effective and actual activities of a permanent establishment of the controller or processor on Belgian territory, or in a place where Belgian law applies by virtue of private international law; or
- the processing of personal data of data subjects on Belgian territory (or in a place where Belgian law applies by virtue of private international law) is carried out by a controller or processor not established in Belgium or in such a place, and the processing activities are related to:
  - the offering of goods and services to such data subjects; or
  - the monitoring of their behaviour, as far as their behaviour takes place in Belgium or in a place where Belgian law applies by virtue of private international law.
Book VI and Book XII of the Belgian Economic Code apply to all processing/marketing activities on Belgian territory.
2. Data protection authority
Belgian Data Protection Authority (BDPA): https://www.dataprotectionauthority.be
3. Anticipated changes to local laws
There are no anticipated changes to local laws.
4. Sanctions & non-compliance
Administrative sanctions:
The BDPA has investigative and enforcement powers, meaning that it can, among others, conduct investigations and impose administrative fines on companies (as provided for in Article 83 GDPR, and Articles 221-230 Privacy Act).
The BDPA can also propose a settlement, dismiss a complaint, formulate warnings, order compliance with data subject requests to exercise their rights and publish the decision on its website.
Criminal sanctions:
The Privacy Act also provides for criminal sanctions (which can only be imposed by court order): with a maximum criminal fine of EUR 30,000 (to be multiplied by the factor applying to criminal fines i.e. eight at the time of the last update of this document); confiscation of any carriers containing personal data to which the breach relates; court order to erase such personal data; court order to publish all or part of the court decision.
Failure to comply with the obligations in the Belgian Economic Code/Royal Decree of 4 April 2003 may result in a criminal fine of up to EUR 200,000.
Others:
A data subject may (in addition to making a complaint to the BDPA) also make a claim to the courts for compensation for material or non-material damage (which may include distress). There is the potential for class actions to be brought.
5. Registration / notification / authorisation
Data Protection Officers must be registered with the BDPA (Article 63, Privacy Act). For more information, see:
- https://www.gegevensbeschermingsautoriteit.be/professioneel/acties/functionaris-voor-gegevensbescherming (NL)
- https://www.autoriteprotectiondonnees.be/professionnel/actions/delegue-a-la-protection-des-donnees (FR)
As from 25 May 2018, surveillance cameras must be registered with police authorities (instead of the BDPA). For more information, see
6. Main obligations and processing requirements
In a nutshell, the Privacy Act:
- sets the age of children to validly consent to information society services at 13 (Article 7, Privacy Act);
- provides a comprehensive list of the processing activities considered as “processing necessary for reasons of substantial public interest” (Article 8(1), Privacy Act);
- requires that the controller, when processing genetic data, biometric data and data concerning health, lists the categories of persons having access to those personal data (Article 9, Privacy Act);
- specifies a limitative list of cases where the processing of data relating to criminal convictions and offences is authorised (Article 10, Privacy Act);
- enunciates some of the derogations and exemptions to the rights of data subjects as authorised under Article 23, GDPR (Articles 11-17, Privacy Act);
- provides derogations and exemptions for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 24, Privacy Act);
- introduces the possibility to seek an injunction (“action en cessation”; “vordering tot staking”) (under summary proceedings) before the president of the Court of First Instance in case of a violation of the GDPR or the Privacy Act (Article 209, Privacy Act);
- provides administrative fines (except on public sector entities) and criminal sanctions for violations of the GDPR or the Privacy Act (Articles 221-230, Privacy Act).
7. Data subject rights
The Privacy Act provides for some limitations to these rights, e.g. in the context of processing of personal data by state intelligence services (Articles 11-17, Privacy Act).
8. Processing by third parties
There are no derogations from the GDPR.
9. Transfers out of country
There are no derogations from the GDPR.
10. Data Protection Officer
There are no derogations from the GDPR.
11. Security
There are no derogations from the GDPR.
12. Breach notification
There are no derogations from the GDPR.
13. Direct marketing
Whereas the Privacy Act does not contain any additional requirements for direct marketing, the Belgian Code of Economic Law does contain specific rules regarding opt-in requirements for direct marketing.
Direct marketing by electronic message (email, SMS): prior consent is required, unless you can rely on (i) the soft opt-in exemption (existing customers, own similar products or services, and an opt-out offered at the time of collection and afterwards in every marketing communication) or (ii) the B2B exemption (where the phone number or email address is of an impersonal nature).
Direct marketing by regular mail: opt-out regime.
Direct marketing by (manual) call: opt-out regime (you can freely call consumers unless they have subscribed to a do-not-call-me list or otherwise indicated that they do not want you to contact them for marketing purposes).
In January 2020, the BDPA adopted detailed guidelines on direct marketing (https://www.gegevensbeschermingsautoriteit.be/publications/aanbeveling-nr.-01-2020.pdf). Please note that a revised version of the recommendation is currently up for public consultation (https://www.gegevensbeschermingsautoriteit.be/publications/aanbeveling-01-2025-over-de-verwerking-van-persoonsgegevens-bij-direct-marketing.pdf).
14. Cookies and adtech
Based on article 10/2 of the Privacy Act, the use and storage of cookies requires prior informed, freely given, specific and unambiguous consent, unless cookies are used for the sole purpose of carrying out a transmission of a communication over an electronic communications network or if strictly necessary to provide a service explicitly requested by the user. Data subjects should be allowed to withdraw consent at any time, free of charge, and without prejudice.
The BDPA published guidelines on the compliant use of cookies in its ‘Cookie Checklist’ (https://www.gegevensbeschermingsautoriteit.be/publications/cookie-checklist.pdf).
The BDPA has already issued several enforcement decisions concerning the non-compliant use of cookies.
15. Risk scale
Moderate.
16. Useful links
Template record of processing activities:
- https://www.gegevensbeschermingsautoriteit.be/professioneel/avg/register-van-verwerkingsactiviteiten/hoe-stel-ik-mijn-register-op (NL)
- https://www.autoriteprotectiondonnees.be/professionnel/rgpd-/registre-des-activites-de-traitement/comment-etablir-un-registre- (FR)
Guidance on the need to conduct a Data Protection Impact Assessment (DPIA) and non-exhaustive list of processing operations requiring a DPIA to be carried out:
- https://www.gegevensbeschermingsautoriteit.be/publications/handleiding-gegevensbeschermingseffectbeoordeling.pdf (NL)
- https://www.autoriteprotectiondonnees.be/publications/guide-analyse-d-impact-relative-a-la-protection-des-donnees.pdf (FR)
List of processing operations requiring a DPIA:
- https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-nr.-01-2019-van-16-januari-2019.pdf (NL)
- https://www.autoriteprotectiondonnees.be/publications/decision-n-01-2019-du-16-janvier-2019.pdf (FR)
Form to request a prior consultation on high-risk data processing activities:
Guidelines on the implementation of cookies:
To notify a data breach to the BDPA, you must use the web portal available here:
- https://www.gegevensbeschermingsautoriteit.be/professioneel/acties/datalek-van-persoonsgegevens (NL)
- Notify and manage a data breach | Data Protection Authority (FR)
Internal Rules of Procedure of the Data Protection Authority
Recommendation of 1 December 2021 on the processing of biometric data
Recommendation of 17 January 2020 concerning the processing of personal data for direct marketing purposes:
Please note that a revised version of the recommendation is currently up for public consultation:
Information brochure on the interplay between the GDPR and the AI Act:
Cybersecurity
1. Local cybersecurity laws and scope
- Law of 1 July 2011 on the security and protection of critical infrastructure (Critical Infrastructures Act)
- Law of 11 December 1998 on classification, security clearances, security certificates and security advice (Classification Act)
- Act of 26 April 2024 establishing a framework for the cybersecurity of network and information systems of public importance for public safety (Belgian NIS2 Act)
- Royal Decree of 9 June 2024 implementing the Act of 26 April 2024 establishing a framework for the cybersecurity of network and information systems of public interest for public safety (NIS2 Royal Decree)
- Ministerial Decree of 5 September 2024 delegating powers of the sectoral government for the energy sector within the framework of the Act of 26 April 2024 establishing a framework for the cybersecurity of network and information systems of public interest for public safety
- Ministerial Decree of 18 September 2024 delegating the powers of the sectoral government for the digital infrastructure sector, only with regard to trust service providers, and the digital providers sector within the framework of the Act of 26 April 2024 establishing a framework for the cybersecurity of network and information systems of public interest for public safety
2. Anticipated changes to local laws
There are no anticipated changes to local laws.
3. Application
Critical Infrastructures Act: sets out security obligations for European and national critical infrastructure in the energy, transport, financial and electronic communications sectors.
Classification Act: covers the main processes for evaluating which information should be classified and for determining which individuals may be granted a security access level.
Belgian NIS2 Act: covers a number of obligations imposed on important and essential entities to implement risk management measures to increase the cybersecurity of their network and information systems, thus ensuring continuous service provision. It also includes the obligation to notify significant incidents, measures regarding the involvement of management, supervisory and enforcement powers for regulators and more.
NIS2 Royal Decree: specifies the Belgian NIS2 Act on topics such as (obligatory or voluntary) periodical conformity assessments and the assignment of sectoral authorities.
4. Authority
- Centre for Cybersecurity Belgium (CCB) https://ccb.belgium.be/en;
- The National Crisis Centre (NCCN)
5. Key obligations
- Critical Infrastructures Act
  - Appoint a security officer and establish a security plan
  - Take the necessary measures to comply with the mandatory obligation to report incidents threatening the security of critical infrastructure
- Classification Act
  - Ensure the classified nature of data that may pose a threat to national security or the national interest of Belgium
  - Map security practices to the assigned classification levels
- Belgian NIS2 Act
  - Conduct a NIS2 scope analysis and register as an important or essential entity if required
  - Implement and document the necessary cybersecurity risk management measures, combined with periodical conformity assessments where required
  - Set up the necessary incident notification procedures
6. Sanctions & non-compliance
Administrative sanctions:
- Belgian NIS2 Act
  - Administrative fine up to EUR 7,000,000 or 1.4% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the important entity belongs, whichever is higher.
  - Administrative fine up to EUR 10,000,000 or 2% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the important entity belongs, whichever is higher.
Criminal sanctions:
- Belgian NIS2 Act
  - None
- Critical Infrastructures Act
  - Imprisonment of up to one year
  - Criminal fine of up to EUR 80,000
- Classification Act
  - Imprisonment of up to five years
  - Criminal fine of up to EUR 40,000
Others:
- Belgian NIS2 Act
  Member States must ensure that their authorities have a range of enforcement powers over essential entities to ensure compliance with the Directive. The most significant powers are as follows:
  - Issuing warnings for infringements
  - Adopting binding instructions, including setting deadlines for corrective actions and reporting
  - Ordering entities to inform affected service users or clients about significant cyber threats and possible protective actions
  - Appointing a monitoring officer to oversee compliance for a set period
  - Ordering public disclosure of certain aspects of infringements
  Should an entity fail to act after supervisory measures have been imposed, authorities can:
  - temporarily suspend certifications or authorisations for part or all of the entity’s services or activities; and/or
  - request that courts or relevant bodies temporarily prohibit individuals in top management positions from exercising their managerial functions within the entity.
7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
- CERT.be is the federal cyber emergency team that assists companies with: (i) coordination in the event of cyber incidents; (ii) advice on finding a solution when cyber incidents arise; and (iii) support to prevent such security incidents from occurring.
- CERT.be is part of the CCB.
- The Centre for Cybersecurity Belgium (CCB) is the national CSIRT.
- Sectoral CSIRTs could be designated in the future to support the national CSIRT.
8. National cybersecurity incident management structure
Incident notifications must be made through the CCB notification platform:
The NIS2 incident notification rules concerning notification contents and deadlines do not materially differ from those found in the NIS2 Directive.
9. Other cybersecurity initiatives
N/A
10. Useful links
An overview of the NIS2 legislation’s scope of application, obligations and more (including FAQs and regulatory guidance on the definition of ‘significant incident’) can be found here: