Legal Protection

Personal Data Protection: Business Obligations in Belgium

5 March 2026 · 10 min read

The Legal Framework in Belgium

The General Data Protection Regulation (GDPR), in force since May 25, 2018, is directly applicable in Belgium. It is supplemented by the Belgian Act of July 30, 2018, on the protection of natural persons with regard to the processing of personal data. The Data Protection Authority (DPA) is the Belgian supervisory body.

Fundamental GDPR Principles

  • Lawfulness, fairness, and transparency: data must be processed lawfully and transparently
  • Purpose limitation: collection for specified and legitimate purposes
  • Data minimization: collect only what is necessary
  • Accuracy: keep data up to date
  • Storage limitation: do not retain beyond what is necessary
  • Integrity and confidentiality: ensure data security

Key Business Obligations

1. Record of Processing Activities

Any company with more than 250 employees must maintain a record of processing activities. Smaller companies are exempt only where their processing is occasional, poses no risk to data subjects and involves no sensitive data, so in practice this obligation applies to virtually all companies that regularly process personal data. The record must contain:

  • The purposes of processing
  • Categories of data and data subjects
  • Recipients of the data
  • Transfers outside the EU
  • Retention periods
  • Security measures

2. Data Protection Impact Assessment (DPIA)

A DPIA is mandatory when processing is likely to result in a high risk to the rights and freedoms of individuals:

  • Large-scale profiling
  • Systematic monitoring of a publicly accessible area
  • Large-scale processing of sensitive data

3. Appointment of a DPO

A Data Protection Officer (DPO) must be appointed when:

  • Processing is carried out by a public authority or body
  • Core activities involve regular and systematic monitoring on a large scale
  • Core activities involve large-scale processing of sensitive data

4. Informing Data Subjects

Companies must inform data subjects in a clear and transparent manner about:

  • The identity of the data controller
  • The purposes and legal basis of processing
  • Data subject rights (access, rectification, erasure, portability, objection)
  • Retention period
  • Any transfers outside the EU

5. Breach Notification

In case of a personal data breach, the company must:

  • Notify the DPA within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals
  • Inform data subjects if the risk is high
  • Document any breach in an internal register

DPA Sanctions

The Belgian Data Protection Authority can impose significant sanctions:

  • Administrative fines: up to €20 million or 4% of annual worldwide turnover, whichever is higher
  • Warnings and reprimands
  • Orders for compliance
  • Temporary or permanent ban on processing

In 2025, the DPA imposed several significant fines on Belgian companies, particularly in the direct marketing and video surveillance sectors.

Best Practices

  • Conduct regular GDPR compliance audits
  • Train staff on data protection
  • Implement procedures for managing data subject rights
  • Secure data through encryption and access control
  • Document all decisions related to data protection

Conclusion

Want to bring your company into GDPR compliance? LegalBelgique conducts your compliance audit, drafts your privacy policies, and guides you through implementing the necessary measures. Protect your data and your clients' data.
