GDPR Compliance Checklist for Belgian Businesses (2026)
Steven | TrustYourWebsite · 4 May 2026 · Last updated: May 2026
In February 2022, the APD/GBA (Gegevensbeschermingsautoriteit / Autorité de Protection des Données) ruled that IAB Europe's Transparency and Consent Framework, the consent management system used across thousands of European websites, did not meet GDPR requirements. The Belgian Market Court confirmed that ruling in May 2025 and upheld the sanctions against IAB Europe. In 2024, the same authority imposed a penalty of €25,000 per day per non-compliant press site on Mediahuis for a cookie banner where the Accept button was visually prominent and the Reject option was nearly hidden (Beslissing 113/2024). The Marktenhof annulled that decision on 19 March 2025 (AR/1690) on the basis that the underlying complaint constituted legal abuse. The annulment removes the dwangsom (the periodic penalty payment) but not the substantive view that pre-consent trackers and uneven banner buttons are non-compliant under the GBA's cookie recommendations.
The APD/GBA's current strategic plan explicitly names SMBs as an enforcement priority. Your website likely processes more personal data than you realise. The 35 checkpoints below follow the same structure the APD/GBA applies when reviewing business websites, starting with legal identification obligations specific to Belgium and working through cookies, privacy policy, forms, processors and security.
Domain 1: Legal identification (5 points)
Belgian law imposes specific identification requirements on top of GDPR that are typically checked at the same inspection visit.
☐ 1. KBO/BCE number displayed on the website
Under Book III of the Code of Economic Law (Wetboek van Economisch Recht / Code de droit économique), all Belgian businesses must display their enterprise number (KBO/BCE number) visibly on their website. The number has 10 digits in the format 0123.456.789. It should appear in the footer and on any legal notice page.
☐ 2. VAT number listed (for VAT-registered businesses)
VAT-registered businesses list their Belgian VAT number: BE followed by the KBO/BCE number. This appears on invoices and in general terms and conditions for online sellers.
☐ 3. Full company name and registered address
A P.O. box is not sufficient. List the full statutory address and legal form (BV, NV, VZW/ASBL).
☐ 4. Working contact email address
A contact email address is required under the Code of Economic Law and also serves as the channel for exercising GDPR rights (access, correction, deletion). GDPR Article 13(1)(a) requires the identity and contact details of the controller in every privacy policy.
☐ 5. Bilingual consumer information for Brussels-based businesses
Companies established in the Brussels-Capital Region that address the public must provide consumer information in both French and Dutch under Brussels regional language law. This covers legal notices, general terms and conditions and the privacy policy. A French-only or Dutch-only privacy policy on a Brussels-facing website fails this test and triggers a regional law violation independent of GDPR.
Domain 2: Cookie consent (7 points)
Belgian cookie law operates in two layers. The Wet van 13 juni 2005 betreffende de elektronische communicatie governs the placement of cookies and similar technologies. GDPR applies whenever those cookies process personal data. Most cookies do.
☐ 6. Cookie consent banner present when non-functional cookies are used
If your website loads analytics, marketing trackers or social media plugins, a consent banner is required. An informational notice that says "This site uses cookies" with a single OK button is not valid consent. The visitor needs a genuine choice between accepting and refusing.
☐ 7. Reject button as visible as the Accept button
The APD/GBA ruled in Beslissing 113/2024 (Mediahuis, later annulled on appeal by the Marktenhof but indicative of the GBA's reading of the EDPB Guidelines 03/2022 on dark patterns) that a large coloured Accept button paired with a small or hidden Reject option does not constitute valid consent. Both options must be visually equivalent on the first layer of the banner. Equal prominence means equal size and equal visual weight, not a bright green button next to a grey text link.
☐ 8. Tracking scripts blocked before consent is given
Test this yourself: click Reject in your own cookie banner, then open the Network tab in browser developer tools (F12). If requests to google-analytics.com or facebook.com appear, your banner is not blocking scripts effectively. This is the technical failure the APD/GBA identified in the IAB Europe TCF decision: the consent interface concealed that processing was already under way before the user clicked.
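One way to automate the Network-tab check above: export the session as a HAR file (DevTools Network tab, "Save all as HAR") after reloading with DevTools already open, then flag every request to a tracking host that started before the consent click. This is an added example, not code from the original article; the host list (which also includes the Google Fonts hosts), the consent timestamp and the sample HAR entries are assumptions constructed for it.

```javascript
// Added example: audit a HAR export for tracker requests that fired before consent.
// Hosts are an assumption for this example; extend the list to match your own tag setup.
const TRACKER_HOSTS = [
  "google-analytics.com", "googletagmanager.com", "doubleclick.net",
  "facebook.com", "facebook.net",
  "fonts.googleapis.com", "fonts.gstatic.com",   // Google Fonts served from Google's CDN
];

// Match the exact host or any subdomain (www.google-analytics.com, connect.facebook.net),
// but not look-alikes such as notfacebook.com.
function isTrackerHost(hostname, list = TRACKER_HOSTS) {
  const h = hostname.toLowerCase();
  return list.some(d => h === d || h.endsWith("." + d));
}

// Return tracker requests that started before `consentAt` (ms since epoch).
// Pass Infinity when the visitor clicked Reject: then every tracker request is a finding.
function preConsentTrackers(har, consentAt) {
  const findings = [];
  for (const entry of har.log.entries) {
    let url;
    try { url = new URL(entry.request.url); } catch { continue; }   // skip malformed URLs
    const started = Date.parse(entry.startedDateTime);
    if (isTrackerHost(url.hostname) && started < consentAt) {
      findings.push({ host: url.hostname, url: entry.request.url, at: entry.startedDateTime });
    }
  }
  return findings;
}

// Constructed sample HAR: the page itself, then two trackers before and one after consent.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: "2026-05-04T10:00:00.000Z", request: { url: "https://www.example.be/" } },
  { startedDateTime: "2026-05-04T10:00:00.250Z", request: { url: "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER" } },
  { startedDateTime: "2026-05-04T10:00:00.300Z", request: { url: "https://connect.facebook.net/en_US/fbevents.js" } },
  { startedDateTime: "2026-05-04T10:00:09.000Z", request: { url: "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER&en=page_view" } },
] } };

// Visitor clicked Reject: all three tracker requests are findings.
const findingsAfterReject = preConsentTrackers(SAMPLE_HAR, Infinity);
// Visitor clicked Accept at 10:00:05: only the two earlier requests are findings.
const findingsAfterAccept = preConsentTrackers(SAMPLE_HAR, Date.parse("2026-05-04T10:00:05.000Z"));

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify({ findingsAfterReject, findingsAfterAccept }, null, 2));
}
```

Load a real export with `JSON.parse(fs.readFileSync("site.har", "utf8"))` in place of `SAMPLE_HAR`; any finding means the banner is not blocking scripts.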
☐ 9. No pre-checked boxes for non-essential categories
Analytics and marketing categories must be unchecked by default in any preference panel. The user must actively opt in. Non-essential processing must not begin until the user makes a deliberate choice. That obligation sits with you.
☐ 10. Consent stored across visits
The banner should not reappear on every visit if the user has already made a choice. Consent must be stored for a reasonable period and recalled on subsequent visits.
☐ 11. Link to manage preferences on every page
A "Manage cookie preferences" link (or equivalent) in the footer lets users withdraw or change their consent at any time. GDPR Article 7(3) requires that withdrawing consent be as easy as giving it.
☐ 12. No cookie wall blocking site access
A wall that denies access to the website unless the user accepts marketing cookies is in most cases invalid. The APD/GBA has confirmed this position in published guidance: access to a service cannot generally be made conditional on consent to non-essential processing.
Domain 3: Privacy policy (7 points)
GDPR Articles 13 and 14, as supplemented by the Wet van 30 juli 2018 betreffende de bescherming van persoonsgegevens (Belgium's national GDPR implementation act), set what a privacy policy must contain.
☐ 13. Privacy policy accessible from every page
A link in the footer on every page satisfies this. The policy must load as a dedicated page, not a pop-up.
☐ 14. Controller identity including KBO/BCE number
Your company name, registered address and KBO/BCE number must appear in the policy. If you have a Data Protection Officer (DPO), their contact details are listed separately.
☐ 15. Purpose and legal basis per processing activity
One general statement does not satisfy Article 13(1)(c). For each activity (contact form, newsletter, analytics, order processing) state the purpose and the legal basis: consent, contract, legitimate interest or legal obligation. You cannot pick one basis for everything.
☐ 16. Specific retention periods
"As long as necessary" is too vague for the APD/GBA. State concrete timeframes per category. Note the Belgian-specific requirement: the Code of Companies and Associations (Wetboek van Vennootschappen en Verenigingen) mandates 10-year retention for accounting records. Customer data linked to invoices or orders falls under this rule as far as the accounting records are concerned, a longer period than the 7 years cited in many other EU countries.
☐ 17. Processors named specifically
Every external service handling personal data on your behalf must be named in the policy: your hosting provider, analytics platform, email service and payment processor. "Third parties" without names does not satisfy Article 13(1)(e).
☐ 18. Data subject rights with a contact channel
List all rights (access, rectification, erasure, restriction, portability and the right to object) and explain concretely how to exercise them. A working email address for rights requests is sufficient. Also include the right to lodge a complaint with the APD/GBA and a link to their complaints page.
☐ 19. International transfers disclosed
If you use US-based services (Google, Meta, Stripe, Mailchimp), personal data is transferred to the United States. Check whether your provider is certified under the EU-US Data Privacy Framework and document this transfer and its legal basis in your privacy policy.
Domain 4: Forms and data collection (6 points)
☐ 20. Privacy policy link near every form's submit button
Each form collecting personal data should carry a link to the privacy policy near the submit button. This satisfies the GDPR requirement to inform people at the point of collection.
☐ 21. Newsletter consent separate from other declarations
Newsletter subscription consent cannot be bundled with acceptance of general terms and conditions or any other declaration. Each distinct purpose requires a separate checkbox or consent action.
☐ 22. No pre-checked marketing boxes
Pre-ticked consent boxes are invalid under both GDPR and the Wet van 13 juni 2005. The EU Court of Justice confirmed this in Planet49 (C-673/17): any consent collected through a pre-checked box is legally void.
☐ 23. Consent records maintained
You must be able to demonstrate when and how a user gave consent. Most email platforms (Mailchimp, Brevo) record this automatically. For forms you manage directly, log the timestamp, source page and the wording of the consent presented.
☐ 24. Working unsubscribe link in every marketing email
Every commercial email must contain a working unsubscribe link. Under Belgian commercial law, removal must take effect within 10 working days.
☐ 25. Data minimisation applied to form fields
GDPR Article 5(1)(c) prohibits collecting more data than necessary for the stated purpose. A contact form does not need date of birth, gender or home address if those fields serve no function in handling the enquiry. Remove any field you cannot justify.
Domain 5: Processors and data agreements (4 points)
☐ 26. Data Processing Agreements in place
GDPR Article 28 requires a written Data Processing Agreement (DPA) with every third party that handles personal data on your behalf. Hosting providers, email platforms, analytics services and payment processors all require one. Most reputable providers (Google, Mailchimp, Stripe) offer a DPA in their account settings or legal pages. Keep evidence of acceptance.
☐ 27. Current processor inventory maintained
A simple spreadsheet listing each tool, its purpose, the data it processes and where its servers are located lets you answer APD/GBA questions without delay and speeds up incident response.
☐ 28. Google Fonts hosted locally
Loading Google Fonts from Google's CDN sends each visitor's IP address to Google on every page load, without prior consent. Download the font files and host them on your own server. A German court awarded 100 euros in damages per visitor for this exact issue in 2022 (LG München I, Az. 3 O 17493/20).
☐ 29. Google Maps and YouTube loaded only after consent
Directly embedded Google Maps iframes and YouTube videos set tracking cookies as soon as the page loads. Replace direct embeds with a static placeholder image that loads the actual integration only after the user clicks.
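A consent-aware click-to-load pattern for the embeds described in checkpoint 29 that also recalls a stored choice across visits, as checkpoint 10 requires. This is an added example, not code from the original article or from any consent management platform; the cookie name `tyw_consent`, its JSON layout, the 180-day validity and the allowlisted embed hosts are assumptions.

```javascript
// Added example: placeholders such as
//   <div data-embed-src="https://www.youtube-nocookie.com/embed/VIDEO_ID" data-embed-title="Demo">
// are only replaced by the real iframe after a click, or when marketing consent is already stored.
const CONSENT_COOKIE = "tyw_consent";                         // assumed cookie name
const ALLOWED_EMBED_HOSTS = ["www.youtube-nocookie.com", "www.youtube.com", "www.google.com"];

// Parse the stored choice, e.g. {"v":1,"marketing":false,"ts":"2026-05-04T10:00:00Z"}.
// A missing, malformed, future-dated or expired record counts as "no consent" (banner shows again).
function readConsent(cookieHeader, now = Date.now(), maxAgeDays = 180) {
  const pair = cookieHeader.split(";").map(s => s.trim()).find(s => s.startsWith(CONSENT_COOKIE + "="));
  if (!pair) return null;
  let c;
  try { c = JSON.parse(decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1))); } catch { return null; }
  if (!c || typeof c !== "object") return null;
  const age = now - Date.parse(c.ts);
  if (!(age >= 0 && age <= maxAgeDays * 864e5)) return null;
  return c;
}

// Only https iframes to allowlisted hosts may be created from a data attribute.
function embedAllowed(src) {
  let u;
  try { u = new URL(src); } catch { return false; }
  return u.protocol === "https:" && ALLOWED_EMBED_HOSTS.includes(u.hostname);
}

// "iframe" when the visitor clicked the placeholder or already consented to marketing,
// "placeholder" otherwise, "blocked" for a source outside the allowlist.
function embedDecision(src, consent, clicked) {
  if (!embedAllowed(src)) return "blocked";
  if (clicked || (consent && consent.marketing === true)) return "iframe";
  return "placeholder";
}

// Browser wiring; skipped where no DOM exists so the functions above stay testable on their own.
if (typeof document !== "undefined") {
  const consent = readConsent(document.cookie);
  document.querySelectorAll("[data-embed-src]").forEach(el => {
    const activate = () => {
      const iframe = document.createElement("iframe");
      iframe.src = el.dataset.embedSrc;                       // already validated by embedDecision
      iframe.title = el.dataset.embedTitle || "Embedded content";
      iframe.setAttribute("allowfullscreen", "");
      el.replaceWith(iframe);
    };
    const decision = embedDecision(el.dataset.embedSrc, consent, false);
    if (decision === "iframe") activate();
    else if (decision === "placeholder") el.addEventListener("click", activate, { once: true });
    else el.textContent = "Embed not loaded: source is not on the allowlist";
  });
}
```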
Domain 6: Security and technical measures (6 points)
GDPR Article 32 requires "appropriate technical and organisational measures" to protect personal data. A data breach caused by neglected basics is a compliance failure, not solely an IT problem.
☐ 30. HTTPS on every page
No exceptions. Every page must load over HTTPS, including checkout, admin login and any page with a form. Check that the site redirects automatically from HTTP to HTTPS and that no mixed-content warnings appear.
☐ 31. CMS and plugins updated regularly
Outdated WordPress or Joomla installations with known security vulnerabilities are a common entry point for breaches involving SMB websites. Enable automatic updates for non-critical components and review pending updates weekly.
☐ 32. Data breach notification procedure ready
Under GDPR Article 33, breaches that pose a risk to individuals must be reported to the APD/GBA within 72 hours of becoming aware of them. Know who in your organisation handles this, where the APD/GBA breach notification form is and what information you will need to provide.
☐ 33. Record of Processing Activities (ROPA) maintained
Article 30 requires businesses whose processing is not occasional to maintain a ROPA. For most active commercial websites running analytics, contact forms and newsletters continuously, the occasional-processing exemption does not apply. A simple spreadsheet with columns for activity, purpose, data categories, recipients, legal basis and retention period is sufficient.
☐ 34. Strong passwords and two-factor authentication on admin accounts
Your CMS admin account gives access to all personal data the system contains. Use unique, strong passwords and enable two-factor authentication on every admin account. Do not share login credentials between staff members.
☐ 35. Regular backups verified
Automated backups run on a schedule and are tested periodically. A backup that has never been tested for restoration offers unreliable protection.
What the APD/GBA has sanctioned in Belgium
APD/GBA vs IAB Europe (February 2022): The APD/GBA ruled that the TCF framework used by thousands of advertising-supported websites did not provide a valid legal basis for processing personal data. IAB Europe was identified as a joint data controller. The Belgian Market Court confirmed the violations and upheld the sanctions in May 2025. The case established that consent management systems must technically prevent processing before consent is given, not merely display a consent interface.
APD/GBA vs Mediahuis (Beslissing 113/2024): A penalty of €25,000 per day per non-compliant press site for a dark pattern in a cookie banner across four news websites (De Standaard, Gazet van Antwerpen, Het Belang van Limburg, Het Nieuwsblad). The Accept button was large and brightly coloured. The Reject option was barely visible. The decision was annulled by the Marktenhof on 19 March 2025 (AR/1690) on procedural grounds, but the GBA's analysis of the underlying design is still indicative of how the regulator reads dark-pattern cases.
APD/GBA vs RTL Belgium (Beslissing 131/2024): The GBA reprimanded RTL Belgium for failing to include a "Reject all" button on the first layer of its cookie banner, and for using deceptive colours that made the Accept button stand out. The Contentious Chamber found that all consent buttons must carry equal visual weight. RTL Belgium was ordered to bring its banner into compliance.
APD/GBA cookie consent enforcement: The GBA publishes its decisions on gegevensbeschermingsautoriteit.be. Cookie banner design, pre-ticked boxes and missing Reject buttons are recurring grounds for findings across sectors.
For a step-by-step technical audit of your website covering each of these domains, see our GDPR website audit for Belgian businesses.
This article is technical analysis, not legal advice. Consult a lawyer or GDPR specialist for advice tailored to your situation.
Sources
- APD/GBA (gegevensbeschermingsautoriteit.be)
- APD/GBA published decisions
- APD/GBA vs Mediahuis: Beslissing 113/2024
- Belgian Market Court ruling on IAB Europe TCF (May 2025)
- GDPR Regulation 2016/679 (EUR-Lex)
- Wet van 30 juli 2018 (ejustice.just.fgov.be)
- Wet van 13 juni 2005 (ejustice.just.fgov.be)
- APD/GBA: report a data breach