top of page

BELGIUM - Data Protection and GDPR Review

The history of data protection in Belgium reflects the evolution of privacy and data security regulations in Europe. Here's a detailed overview:

1. Early Data Protection Efforts

The development of data protection in Belgium began in the 1980s, in parallel with international concerns about privacy. As computers and digital technologies became widespread, it became necessary to establish legal protections for personal information.

2. The Law of 8 December 1992

Belgium's primary data protection legislation was the Law of 8 December 1992 on the protection of privacy with regard to the processing of personal data. This law laid down principles regarding the processing of personal data, defined the rights of the data subjects, and set up the Commission for the Protection of Privacy (Privacy Commission).

3. Transposing the EU Data Protection Directive

In 1995, the European Union adopted the Data Protection Directive (95/46/EC), requiring member states to implement legislation that would harmonize data protection across the EU. Belgium's Law of 8 December 1992 was subsequently amended to comply with the Directive.

4. The Creation of the Data Protection Authority (DPA)

In 2017, Belgium adopted the Law of 3 December 2017 establishing the Data Protection Authority, replacing the Privacy Commission. This new independent administrative body was designed to better align with the upcoming GDPR, ensuring more robust enforcement of data protection laws in Belgium.

5. Implementation of the GDPR

The General Data Protection Regulation (GDPR) came into effect on May 25, 2018, and had significant implications for data protection in Belgium and across the EU. The GDPR introduced stricter requirements for processing personal data, increased the rights of data subjects, and established hefty penalties for non-compliance.

Belgium's existing data protection laws were adapted to the GDPR, with additional national provisions set out in the Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.

6. Sector-Specific Legislation

In addition to the general data protection laws, Belgium has also enacted various sector-specific regulations. These include laws governing data protection in healthcare, telecommunications, and finance, among others.

7. Ongoing Challenges and Developments

Belgium continues to face challenges in implementing and enforcing data protection laws, particularly in ensuring that businesses and organizations are aware of and comply with their obligations. The Data Protection Authority plays an active role in education, enforcement, and guidance, promoting a culture of data protection and privacy within Belgium.

The history of data protection in Belgium is marked by a series of legislative developments that have evolved in line with technological advancements and international standards. From the early concerns about digital privacy to the implementation of GDPR, Belgium's commitment to data protection reflects a broader European trend towards robust privacy protections. The country continues to adapt its laws and regulations, ensuring that the rights and interests of individuals are safeguarded in an increasingly interconnected digital world.

Belgium, as a member of the European Union (EU), adheres to the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018. This guide provides an overview of data protection in Belgium, focusing on GDPR compliance.

Key GDPR Principles in Belgium

  1. Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully and transparently, with clear communication to the data subjects.

  2. Purpose Limitation: Data should only be collected for specific, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes.

  3. Data Minimization: Only data that is necessary for the intended purpose should be collected and processed.

  4. Accuracy: Personal data must be accurate and up-to-date.

  5. Storage Limitation: Data should not be stored longer than necessary for its intended purpose.

  6. Integrity and Confidentiality: Data must be secured against unauthorized access, loss, or destruction.

Belgian Data Protection Authority (DPA)

The Data Protection Authority in Belgium is responsible for overseeing and enforcing data protection laws. The DPA provides guidance, processes complaints, conducts investigations, and can impose fines for violations.

Rights of Data Subjects

Individuals in Belgium have several rights under the GDPR:

  • Right to Information: Data subjects must be informed about the processing of their data.

  • Right of Access: Individuals can request access to their personal data.

  • Right to Rectification: Data subjects can correct or update inaccurate data.

  • Right to Erasure: Individuals can request the deletion of their data under certain conditions.

  • Right to Restrict Processing: Data subjects can request a limitation on how their data is used.

  • Right to Data Portability: Individuals can request their data be transferred to another service provider.

  • Right to Object: Data subjects can object to the processing of their data in specific situations.

Obligations for Data Controllers and Processors

Entities that control or process personal data must adhere to several obligations under GDPR:

  • Data Protection Impact Assessments (DPIAs): Certain types of processing may require a DPIA to assess potential risks.

  • Data Protection Officer (DPO): Organizations with specific processing activities must appoint a DPO to ensure compliance.

  • Record-Keeping: Data controllers and processors must maintain records of processing activities.

  • Notification of Data Breaches: Breaches must be reported to the DPA and potentially to the affected data subjects, depending on the circumstances.

  • Compliance with International Data Transfers: Special provisions must be followed for transferring data outside the European Economic Area (EEA).

National Specificities in Belgium

Belgium's Law of 30 July 2018 includes specific provisions that supplement the GDPR, including special rules concerning the processing of personal data by judicial authorities and additional conditions for processing genetic, biometric, or health data.


Non-compliance with the GDPR can lead to substantial fines in Belgium. The maximum fine is €20 million or 4% of the company's annual global turnover, whichever is higher.


Compliance with GDPR in Belgium requires a thorough understanding of the regulation's principles, the rights of data subjects, and the obligations of data controllers and processors. Regular consultation with legal experts, continuous monitoring of compliance, and cooperation with the Belgian DPA are essential for organizations to navigate the complex landscape of data protection in Belgium.


bottom of page