GDPR Compliance Checklist for Belgian Businesses (2026)

Steven | TrustYourWebsite · 2 May 2026 · Last updated: May 2026

This GDPR checklist for Belgian businesses covers six areas the GBA (Gegevensbeschermingsautoriteit / Autorité de protection des données) audits in practice. Each section is short. Each section ends with a tick-box list you can run through this week.

The six areas: cookie consent, privacy policy, legal notices, contact forms, data processor agreements and a five-day action plan.

Want a free deterministic check first? Scan your website for free and you will see which of these six items already pass.

Checklist at a Glance

Area            | Requirement                                          | Belgian source          | Status
Cookies         | Prior, granular consent with equal accept and reject | ePrivacy Directive      |
Privacy policy  | Plain-language notice naming the GBA as supervisor   | GDPR Art. 13 (EUR-Lex)  |
Legal notices   | KBO number, registered address, contact details      | WER Boek XII            |
Contact forms   | Purpose statement plus unticked consent box          | GDPR Art. 7 (EUR-Lex)   |
DPAs            | Written agreement with every processor               | GDPR Art. 28 (EUR-Lex)  |
Action plan     | Five-day rollout you can do yourself                 | This page               |

Why Belgian Rules Matter

The GBA enforces GDPR plus Belgian add-ons. The regulator has fined companies large and small for cookie consent failures, missing privacy policies and weak data handling.

The most cited Belgian case is the decision against IAB Europe (Decision 21/2022 of 2 February 2022), in which the GBA ruled that the Transparency and Consent Framework used by most ad-tech cookie banners did not meet GDPR. IAB Europe appealed to the Brussels Market Court, which referred questions to the Court of Justice of the EU (Case C-604/22, judgment of 7 March 2024), so check the current status before citing the decision. You can read the published GBA decisions in the APD-GBA decisions register.

If your website collects personal data from people in Belgium, or you run a Belgian business that sells online, GDPR applies and the GBA is the supervisory authority you answer to.

Part 1: Cookie Consent

What needs a banner

Under Belgian law (which implements the ePrivacy Directive), you need prior, informed consent before placing or reading any cookie or similar tracker that is not strictly necessary for the service the visitor asked for. Consent must be a positive action by the visitor; continued browsing or a closed banner does not count. This includes:

  • Google Analytics
  • Facebook Pixel, Google Ads Pixel, TikTok Pixel
  • Hotjar or session recording tools
  • Retargeting or advertising cookies
  • Any third-party tracking script

Strictly necessary cookies (shopping cart, login session, CSRF or other basic security) do not need consent. List them in your privacy policy or cookie list with their purpose and lifetime. Note that "functional" is not a free pass: only cookies strictly necessary for what the visitor requested are exempt, so preference or embedded-media cookies still need consent.

What your banner must do

The GBA has been explicit about what a compliant banner looks like:

  • No pre-ticked boxes. Every non-essential category must start unticked; the visitor ticks it.
  • Reject as easy as accept. The "reject all" button must be as prominent and easy to click as "accept all".
  • Granular consent. Let users choose which types of cookies to accept.
  • Prior consent. Tracking scripts must not load before the user makes a choice.
  • Respect the choice. Do not ask again immediately if they have declined.

The GBA has fined companies for burying the reject button, using dark patterns or pre-ticking non-essential cookies. The IAB Europe decision linked above is the leading example. See the full cookie banner requirements for Belgium for what the GBA audits.

Cookie banner checklist

  • Banner appears before any tracking script loads
  • Visitors can reject without accepting
  • Reject button is as easy to find as accept
  • Each cookie type (analytics, ads, marketing) is listed separately
  • Visitors can change their choice later
  • Google Analytics and Facebook Pixel do NOT fire on page load. They run only after consent.
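The "prior consent" and "respect the choice" items above are the ones most often broken in practice, usually because the tracking snippet sits in the page head and runs regardless of the banner. As an added example (not code from the original page or from any of the consent tools it names), the following consent gate stores the visitor's decision and loads a tracking script only once its category has been explicitly accepted. The storage key "consent.v1", the categories "analytics" and "marketing", the element ids and the script URLs are all assumptions for illustration.

```javascript
// Added example, not code from the original page: a minimal consent gate that
// loads tracking scripts only after the visitor opts in to their category.
// Assumptions (hypothetical): the decision is stored as JSON under "consent.v1"
// and the gated categories are "analytics" and "marketing".

const CONSENT_KEY = "consent.v1";
const CATEGORIES = ["analytics", "marketing"];

// storage and loadScript are injected so the same logic runs in a browser
// (localStorage plus a <script> injector) and in Node for offline testing.
function createConsentGate({ storage, loadScript, now = () => new Date() }) {
  const registered = []; // gated scripts waiting for, or already past, a decision

  // The stored decision, or null when the visitor has not chosen yet.
  // A missing, corrupt or unexpected record counts as "no choice", never as consent.
  function read() {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      if (rec && rec.version === 1 && rec.choices && typeof rec.choices === "object") {
        return rec;
      }
    } catch (e) {
      // corrupt record: fall through and treat as no decision
    }
    return null;
  }

  function hasChoice() {
    return read() !== null;
  }

  // True only for an explicit opt-in to that category.
  function allows(category) {
    const rec = read();
    return rec !== null && rec.choices[category] === true;
  }

  // Persist the visitor's decision. Every category defaults to false, so an
  // unticked box means "no", and the timestamp is your record of when they decided.
  function record(choices) {
    const normalized = {};
    for (const c of CATEGORIES) normalized[c] = choices[c] === true;
    const rec = { version: 1, choices: normalized, decidedAt: now().toISOString() };
    storage.setItem(CONSENT_KEY, JSON.stringify(rec));
    registered.forEach((entry) => entry.tryLoad());
    return rec;
  }

  // Register a script under a category. It never loads before a decision and
  // loads at most once. Withdrawing consent cannot unload a script that already
  // ran in this page; the withdrawal takes effect on the next page load.
  function gate(category, src) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    const entry = {
      loaded: false,
      tryLoad() {
        if (!entry.loaded && allows(category)) {
          entry.loaded = true;
          loadScript(src);
        }
      },
    };
    registered.push(entry);
    entry.tryLoad(); // honour a decision saved on an earlier visit
    return () => entry.loaded;
  }

  return { read, hasChoice, allows, record, gate };
}

// Browser wiring, skipped outside a browser. The button and checkbox ids are
// assumed; the script URLs are placeholders for your real tag URLs.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const consent = createConsentGate({
    storage: window.localStorage,
    loadScript(src) {
      const s = document.createElement("script");
      s.src = src;
      s.async = true;
      document.head.appendChild(s);
    },
  });
  consent.gate("analytics", "https://example.com/analytics-tag.js");
  consent.gate("marketing", "https://example.com/ads-pixel.js");
  const el = (id) => document.getElementById(id);
  // "Reject all" is one click, exactly like "Accept all", and records an explicit "no".
  el("accept-all").onclick = () => consent.record({ analytics: true, marketing: true });
  el("reject-all").onclick = () => consent.record({});
  el("save-choices").onclick = () =>
    consent.record({ analytics: el("cb-analytics").checked, marketing: el("cb-marketing").checked });
  if (consent.hasChoice()) el("cookie-banner").hidden = true; // do not nag after a decision
}
```

Two design points carry the compliance weight. First, the absence of a record, and any record that does not parse, is treated as "no decision", so a corrupted or tampered value can never turn into consent. Second, `record()` writes every category explicitly, so a rejected category is stored as `false` with a timestamp, which gives you the consent log the GBA asks for when it audits.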

Part 2: Privacy Policy

Your privacy policy is a legal document the GBA audits. It must be clear, specific and in the language of your audience. If you market to French- or Dutch-speaking Belgians, they need the policy in that language.

What your privacy policy must cover

  • Your identity. Business name and contact details (include KBO number).
  • What data you collect. Be specific. Email, IP address, browsing behaviour, phone number.
  • Why you collect it. Legal basis (contract, consent, legitimate interest or legal obligation).
  • Who you share it with. Google (Analytics), Facebook (Pixel), payment processors, email providers.
  • How long you keep it. "2 years for analytics" or "5 years for invoices". Be precise.
  • People's rights. Right to access, correct, delete and export their data, to object to or restrict processing, and to withdraw consent at any time.
  • How to exercise rights. An email address or form for access or deletion requests.
  • The regulator. Mention the GBA as the Belgian supervisory authority and the right to complain to them.

Privacy policy checklist

  • Written in plain language (not legal jargon)
  • Explains what data you collect and why
  • Lists every third party you share data with
  • Explains people's rights to access, correct or delete their data
  • Explains how people can contact you about privacy
  • Dated and shows when it was last updated
  • Translated into French or Dutch if you market to Belgian speakers

Part 3: Legal Notices

Belgium requires specific legal information on your website, beyond what GDPR requires.

What must be displayed

  • KBO number. Your Belgian business registration number, required by Belgian commercial law (WER Boek XII).
  • Business name and registered address.
  • Email and phone contact details.
  • VAT number (if applicable).
  • For e-commerce. Return and cancellation policy (standard 14-day right in Belgium).

Where to put it

Create a "Legal" or "Mentions Légales / Wettelijke Vermeldingen" page and link to it in your footer. The law requires this information to be easily, directly and permanently accessible; a footer link on every page is the simplest way to meet that.

Legal notices checklist

  • KBO number displayed on the website
  • Business name and registered address shown
  • Clear contact email and phone number
  • For e-commerce: return or cancellation policy displayed
  • Legal page linked from the footer on every page
  • Translated into French or Dutch depending on your audience

Part 4: Contact Forms and Data Collection

Every form on your site that collects data is a GDPR touchpoint.

For contact forms

  • Explain before the form what you will do with the data.
  • Include a checkbox confirming they have read your privacy policy.
  • State how long you will keep their data.

For newsletter and lead capture forms

  • Get explicit consent before adding anyone to a mailing list.
  • Explain what emails they will receive and how often.
  • Make unsubscribe easy. A one-click link in every email.
  • Keep records of consent. When, how and what they agreed to.

For webshop checkout

  • Collect only what you need for the order.
  • Do not pre-tick "email me marketing offers".
  • Show your privacy policy and terms before payment.
  • Confirm payment data is encrypted (HTTPS).

Forms checklist

  • Every form explains what you will do with the data
  • Explicit consent obtained for any mailing list
  • Marketing opt-in boxes are unticked by default
  • Confirmation emails explain data use
  • Email or link provided for data deletion requests
  • Payment is sent over HTTPS

Part 5: Data Processor Agreements

If you use tools like Google Analytics, Mailchimp, Shopify or any cloud service that processes customer data, you need written agreements in place. GDPR Article 28 requires this.

What you need

Data Processing Agreements (DPAs) are contracts with your processors, the tools that handle personal data on your behalf. Under Article 28(3) they must commit the processor to process data only on your documented instructions, keep it confidential, secure it, tell you before adding sub-processors, help you answer data subject requests, delete or return the data when the service ends, and allow audits. Most major tools offer DPAs as standard documents you accept online; you do not draft them yourself.

Tools that need DPAs:

  • Google Analytics
  • Google Workspace (Gmail, Drive)
  • Mailchimp or other email services
  • Shopify
  • Stripe or PayPal
  • Dropbox or OneDrive

Tools that usually do not (they act as independent controllers, not your processors):

  • Twitter/X or LinkedIn (if you are just using them as channels)
  • YouTube (if you are just embedding videos)

No DPA does not mean no obligation: an embedded video or social widget still loads third-party scripts and cookies on your page, so it belongs in your cookie banner and in the third-party list in your privacy policy.

DPA checklist

  • DPA (Google's data processing terms) accepted for Google Analytics
  • DPAs signed with Mailchimp, Shopify or any tool processing customer data
  • These agreements stored somewhere findable
  • You know who your data processor is for each tool

Your Action Plan for This Week

Monday. List every tracking script, every form and every tool that touches customer data.

Tuesday. Check your cookie banner. Does it block tracking until consent? If you do not have one but use tracking, install Cookiebot, Termly, OneTrust or Iubenda.

Wednesday. Read your privacy policy. Does it cover all sections above? If not, rewrite it (budget €200 to €500 for a professional).

Thursday. Check your legal notices page. Does it show your KBO number and business address? If not, create one and link it from your footer.

Friday. Review contact forms for missing data disclosures and pre-ticked boxes. Collect DPA agreements from Google, Mailchimp and Shopify.

Next week. Test in a fresh incognito window with the browser's developer tools open on the Network tab. Filter on googletagmanager, google-analytics, facebook and any other tracker host you use. Before you click anything on the banner there should be no requests to those hosts; if Google Analytics fires on page load, the banner is decorative and the gating is broken.
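The network-tab test is the one that counts, but you can catch the most common failure (a tracking snippet hard-coded in the page head) before you open a browser. As an added example (not code from the original page or from any scanning tool it mentions), the script below reads a page's HTML and reports every script tag that references a known tracker host or contains a tracker initialisation call, unless the tag has been neutralised with type="text/plain", the convention consent managers use. The tracker host list, the inline-call patterns and the sample HTML are assumptions constructed for the example; this is a heuristic first pass, since scripts injected later by JavaScript never appear in the HTML.

```javascript
// Added example, not code from the original page: a static first pass over a
// page's HTML for tracking scripts that would fire on load, i.e. before consent.
// Assumption: a consent manager neutralises a tag by setting type="text/plain";
// anything else with a tracker src or a tracker init call is reported.
// Heuristic only: the browser's network tab in a fresh incognito session
// remains the real test.

const TRACKER_HOSTS = [
  /googletagmanager\.com/i,
  /google-analytics\.com/i,
  /connect\.facebook\.net/i,
  /static\.hotjar\.com/i,
  /analytics\.tiktok\.com/i,
];
const TRACKER_CALLS = [
  /\bgtag\s*\(\s*['"]config['"]/, // gtag('config', 'G-...')
  /\bfbq\s*\(\s*['"]init['"]/,    // fbq('init', '...')
  /\bttq\.load\s*\(/,             // TikTok pixel
];

// Value of an attribute inside a tag's attribute string, or null if absent.
// Matches name="v", name='v' and bare name=v; the leading boundary avoids
// confusing data-type with type.
function attr(attrs, name) {
  const re = new RegExp("(?:^|\\s)" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = re.exec(attrs);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// 1-based line number of a character offset, for a readable report.
function lineOf(text, index) {
  return text.slice(0, index).split("\n").length;
}

// One entry per <script> that references a tracker and is not gated.
function findPreConsentTrackers(html) {
  const hits = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const src = attr(attrs, "src");
    const type = (attr(attrs, "type") || "").trim().toLowerCase();
    const gated = type === "text/plain";
    let reason = null;
    if (src && TRACKER_HOSTS.some((re) => re.test(src))) {
      reason = "external tracker: " + src;
    } else if (!src && TRACKER_CALLS.some((re) => re.test(body))) {
      reason = "inline tracker initialisation";
    }
    if (reason && !gated) hits.push({ line: lineOf(html, m.index), reason });
  }
  return hits;
}

// Human-readable summary; an empty list means nothing obviously fires before consent.
function formatReport(hits) {
  if (hits.length === 0) return "OK: no ungated tracker tags found in the HTML";
  return hits.map((h) => "line " + h.line + ": " + h.reason).join("\n");
}

// Constructed sample page (not a real site): Google Analytics loaded unconditionally,
// an inline gtag config, a correctly gated Facebook Pixel tag and a harmless first-party script.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-XXXXXXX');
</script>
<script type="text/plain" data-category="marketing" src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="/js/cart.js"></script>
</head><body></body></html>`;

// Run directly to see the report for the sample; to scan your own page, save
// its HTML with the browser or curl and pass that string to findPreConsentTrackers.
if (typeof require !== "undefined" && require.main === module) {
  console.log(formatReport(findPreConsentTrackers(SAMPLE_HTML)));
}
```

On the sample, lines 3 and 4 are reported (the external gtag.js tag and the inline `gtag('config', ...)` call) while the text/plain Facebook tag and the first-party cart script pass. A clean report is not a pass on its own; it only tells you the static HTML is not the culprit, and the next step is still the incognito network-tab check.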

What the GBA Enforces

The GBA has fined companies for missing cookie banners, no privacy policy, collecting emails without consent, buried reject buttons, pre-ticked non-essential cookies and sharing data with unlisted third parties. The published cases are in the APD-GBA decisions register.

Fines for small businesses in published GBA decisions have ranged from €5,000 to €20,000, but the amount depends on the violation and the GBA's assessment of the circumstances. The real cost is the investigation: the GBA can order you to suspend a processing operation and audit your systems, and you will need documented proof of every fix.

The good news. If you work through this checklist, you will have covered the items the GBA checks most often. A good cookie banner costs €15 to €30 per month. A clear privacy policy costs one afternoon. Well-structured compliance pages build trust with Belgian customers.




This is technical analysis, not legal advice.
