An international company sets up its European hub in Brussels, appoints a local entity as the primary point of contact for customer data, and assumes that a single privacy policy translated into Dutch and French will satisfy Belgian regulators. Within months, the Gegevensbeschermingsautoriteit (the Belgian Data Protection Authority, or GBA; Autorité de protection des données in French) opens an investigation. The policy addressed consent in general terms but failed to reflect Belgium's specific enforcement priorities, and the company had no appointed representative with genuine decision-making authority on the ground.
Data protection in Belgium is governed by the EU General Data Protection Regulation (GDPR), which applies directly as EU law, supplemented by Belgian implementing legislation that exercises certain GDPR opening clauses for the domestic context. Organisations acting as a data controller or data processor in Belgium must identify a lawful basis for each processing activity, respond to data subject requests within strict deadlines, and notify the GBA of qualifying breaches within 72 hours of becoming aware of them. Non-compliance carries administrative fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher.
This page sets out the legal instruments, procedural requirements, common pitfalls, cross-border considerations, and a self-assessment checklist for international businesses managing data protection obligations in Belgium.
The Belgian data protection environment
Belgium occupies a structurally important position in European data governance. As the seat of the European Commission, the European Parliament, and a dense concentration of multinational headquarters, Belgium generates a disproportionate volume of cross-border data flows. Regulatory scrutiny from the GBA reflects this reality.
The applicable body of law has two tiers. At EU level, the GDPR applies directly and uniformly. At national level, Belgian data protection legislation (principally the Framework Act of 30 July 2018) exercises specific GDPR opening clauses, covering areas such as the processing of special categories of data, the age threshold for children's consent to online services (set at 13 in Belgium, below the GDPR default of 16), and restrictions on automated decision-making in certain employment and public sector contexts. Organisations that approach Belgium as a straightforward GDPR-only environment routinely miss these national overlays.
The GBA is the competent supervisory authority for Belgium. It operates through several distinct bodies, including an inspection service that investigates, a litigation chamber (Geschillenkamer) that issues binding decisions and fines, and a knowledge centre that publishes guidance and opinions. The litigation chamber has established a consistent pattern of enforcement focused on transparency failures, unlawful consent mechanisms, and deficient data transfer safeguards. Its decisions carry precedential weight within Belgium and attract attention from other EU supervisory authorities.
One non-obvious feature of the Belgian system is the GBA's willingness to initiate own-motion investigations – meaning that a complaint from a data subject is not always the trigger. Controllers operating in Belgium without visible, functioning compliance programmes have faced proactive scrutiny, particularly in sectors such as digital advertising, financial services, and health technology.
Belgian corporate legislation also intersects with data protection obligations. The appointment of a Data Protection Officer (DPO), where mandatory, must be reflected in internal governance documents. Where a company's Belgian entity is part of a wider group, the allocation of controller and processor responsibilities across the group requires careful drafting in intra-group data processing agreements, a step that is frequently underestimated during M&A integration.
Core legal instruments and procedural requirements
GDPR compliance in Belgium rests on a set of interlocking instruments. Each has specific conditions, timelines, and documentary requirements that differ in material ways from what many non-EU companies expect.
Lawful basis documentation. Every processing activity requires an identified lawful basis under Article 6 GDPR. In a commercial context, the most commonly invoked bases are consent, contract performance, legitimate interests, and legal obligation. The GBA has consistently scrutinised organisations that rely on legitimate interests without conducting a structured balancing test. In practice, the authority expects a documented legitimate interests assessment to exist before processing begins, not to be produced retrospectively. Relying solely on generic consent tick-boxes without granular purpose specification has generated a significant share of Belgian enforcement actions.
Records of processing activities (ROPA). Controllers and processors are required to maintain a ROPA unless they fall within the narrow exemption for organisations with fewer than 250 employees whose processing is occasional, unlikely to result in a risk to individuals, and does not involve special categories of data. Belgian practitioners note that the GBA treats the absence of a current, accurate ROPA as an aggravating factor in fine calculations. The ROPA must identify each processing activity, its purpose, data categories, recipient categories, and retention periods. Organisations that copy a template ROPA without aligning it to actual data flows expose themselves to material regulatory risk.
Data subject rights management. Belgian data protection law preserves all GDPR data subject rights: access, rectification, erasure, restriction, portability, and objection. The standard response deadline is one calendar month from receipt of a valid request, extendable by two further months where the request is complex or where the controller has received numerous requests. A common mistake is treating internal handling time as falling outside the deadline: the clock starts from receipt, not from the date the request is forwarded internally. Where an extension is invoked, the data subject must be informed of it, and of the reasons for it, within the initial month; failing to do so is itself a breach even if the extension would otherwise have been legitimate.
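The deadline arithmetic above is easy to get wrong in practice, so the following added example (not code from the original page) models it: the clock runs from receipt, the extension notice must land inside the first month, and the deadline is computed in calendar months. Two conventions are assumptions, not statements from the page: a period expressed in months ends on the same calendar day of the target month, clamped to that month's last day when the day does not exist (31 January becomes 29 February 2024), and the extended deadline is three months from receipt. Weekend and public-holiday shifts are not modelled.

```python
"""Data subject request (DSR) deadline calculator.

Added example, not part of the original page. Assumed conventions (see lead-in):
month periods clamp to the last valid day of the target month; the extended
deadline is receipt + 3 months. Weekends and public holidays are not modelled.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date


def add_months(d: date, months: int) -> date:
    """Shift `d` by `months`, clamping to the last valid day of the target month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass(frozen=True)
class DsrTimeline:
    received: date
    initial_deadline: date        # one month from receipt
    extended_deadline: date       # assumed: three months from receipt
    extension_notice_by: date     # latest day to tell the data subject about an extension


def dsr_timeline(received: date) -> DsrTimeline:
    """Compute the response clock from the date the request was *received*.

    The internal forwarding date plays no role: the clock starts at receipt.
    """
    initial = add_months(received, 1)
    return DsrTimeline(
        received=received,
        initial_deadline=initial,
        extended_deadline=add_months(received, 3),
        extension_notice_by=initial,
    )


def assess_response(received: date, responded_on: date,
                    extension_notified_on: date | None = None) -> list[str]:
    """Return findings for one request; an empty list means on time under the model."""
    t = dsr_timeline(received)
    findings: list[str] = []
    if extension_notified_on is None:
        if responded_on > t.initial_deadline:
            findings.append(
                f"late: responded {responded_on}, deadline was {t.initial_deadline}")
        return findings
    if extension_notified_on > t.extension_notice_by:
        findings.append(
            f"extension notified {extension_notified_on}, after the initial month "
            f"ended on {t.extension_notice_by}")
    if responded_on > t.extended_deadline:
        findings.append(
            f"late: responded {responded_on}, extended deadline was {t.extended_deadline}")
    return findings


def forwarding_mistake_demo() -> tuple[date, date, list[str]]:
    """Constructed scenario: request received 31 Jan 2024, forwarded to the privacy
    team on 5 Feb. A team that counts from the forwarding date believes it has until
    5 March; the real deadline is 29 February, so a 4 March response is late."""
    received = date(2024, 1, 31)
    forwarded = date(2024, 2, 5)
    wrongly_assumed = add_months(forwarded, 1)
    real = dsr_timeline(received).initial_deadline
    return wrongly_assumed, real, assess_response(received, date(2024, 3, 4))


if __name__ == "__main__":
    assumed, real, findings = forwarding_mistake_demo()
    print(f"team assumed {assumed}, actual deadline {real}")
    for f in findings:
        print(" -", f)
```

Feeding the receipt date rather than the ticket-creation date into whatever case-management tool is used is the operational point; the clamping rule is what keeps a request received on the 31st from producing an invalid date.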
Breach notification. Personal data breaches must be notified to the GBA within 72 hours of the controller becoming aware, unless the breach is unlikely to result in a risk to individuals. This timeline is tight. Organisations without a pre-drafted breach response protocol consistently miss the deadline. Where a breach is also likely to result in high risk to individuals, direct communication to affected data subjects is additionally required without undue delay. Processors must notify their controller without undue delay – a contractual obligation that should be reflected explicitly in data processing agreements.
Data processing agreements (DPAs). Where a controller engages a third party to process personal data on its behalf, a written data processing agreement is mandatory under Article 28 GDPR. The agreement must specify the subject matter, duration, nature, and purpose of processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. Belgian practitioners have observed that many international groups operate with DPAs that meet the formal checklist but fail on substance, for example by permitting the processor to determine processing purposes. A processor that determines purposes is, in law, a controller, with separate compliance obligations of its own.
For international businesses managing AI and automated systems in Belgium, data protection requirements intersect directly with the EU AI Act compliance obligations – particularly around high-risk AI systems that process personal data at scale.
To receive an expert assessment of your data protection compliance position in Belgium, contact us at info@ferrazwhitmore.com.
Pitfalls that surface in cross-border operations
International businesses tend to encounter data protection problems in Belgium not at the moment of set-up but months or years later, when a regulatory investigation, a data subject complaint, or a due diligence exercise exposes gaps that accumulated silently.
Consent mechanism failures. The GBA has repeatedly found that consent obtained through pre-ticked boxes, bundled consent clauses, or consent obtained as a condition of service does not meet the GDPR standard of a freely given, specific, informed, and unambiguous indication of agreement. For digital advertising businesses in particular, the authority has examined consent management platforms in detail and found that dark patterns (design choices that nudge users toward accepting all tracking) do not produce valid consent. The commercial cost of rebuilding a consent architecture after an enforcement order can substantially exceed the cost of designing it correctly from the outset.
Data transfer compliance. Belgium, as an EU member state, applies the GDPR restrictions on transfers of personal data to third countries. Transfers to countries without an EU adequacy decision require appropriate safeguards – most commonly standard contractual clauses (SCCs). However, Belgian enforcement experience shows that executing SCCs is not sufficient on its own. Controllers must conduct a transfer impact assessment (TIA) to verify that the legal system in the destination country does not undermine the protection offered by the SCCs. Organisations that relied on SCCs alone, without TIAs, have faced enforcement action. The Schrems II decision of the Court of Justice of the EU shifted this from a theoretical to a practical compliance requirement.
DPO appointment and positioning. A DPO is mandatory for public authorities, for controllers or processors whose core activities involve large-scale regular and systematic monitoring of individuals, and for those whose core activities involve large-scale processing of special categories of data. Where the appointment is mandatory, Belgian corporate practice requires that the DPO has genuine independence, adequate resources, and direct access to senior management. A DPO who is subordinate to the IT department, lacks a defined budget, or cannot escalate concerns to board level does not meet the standard. The GBA has treated inadequate DPO positioning as a standalone violation, separate from any underlying data protection breach.
Intra-group transfers and role allocation. In multinational groups, the assumption that an intra-group transfer is inherently lower-risk is incorrect under Belgian law. An intra-group transfer is a transfer. It requires the same lawful basis and, if crossing to a non-EEA country, the same transfer safeguards as any external transfer. Groups that centralise data processing in a single entity, whether in Switzerland, the US, or India, without putting appropriate intra-group agreements in place expose both the Belgian entity and the central entity to parallel regulatory risk.
Retention and deletion. Many organisations define retention periods in their privacy notices but do not enforce them operationally. Belgian enforcement has highlighted the gap between stated policy and actual practice. Where a controller's ROPA records a two-year retention period for customer data but the database still holds records from seven years ago, the GBA treats the discrepancy as evidence of systemic non-compliance rather than an administrative error.
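The policy-versus-practice gap described above is something an engineer can measure rather than assert. The following added example (not code from the original page) compares the retention periods a ROPA states with the ages of the records actually held and groups the over-retained records by processing activity. The ROPA entries, records and reference date are constructed for illustration; the data model (an activity identifier, a retention period in days, records tagged with the activity they belong to, and an optional date from which retention is counted, such as the end of a contract) is an assumption about how a controller might expose the data, not something the page prescribes.

```python
"""Retention audit: ROPA retention periods versus the ages of records actually held.

Added example, not part of the original page. All data below is constructed;
the schema (activity id, retention_days, per-record activity tag and optional
retention-start event) is an assumed model, not one the page prescribes.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

UNREGISTERED = "UNREGISTERED_ACTIVITY"  # records for activities missing from the ROPA


@dataclass(frozen=True)
class RopaEntry:
    activity: str
    purpose: str
    retention_days: int


@dataclass(frozen=True)
class Record:
    record_id: str
    activity: str
    created: date
    # Event from which retention is counted (e.g. end of contract). None -> count from `created`.
    retention_start: date | None = None


@dataclass(frozen=True)
class Finding:
    record_id: str
    activity: str
    overdue_days: int  # 0 for unregistered activities, where no period is defined


def audit_retention(ropa: list[RopaEntry], records: list[Record],
                    as_of: date) -> dict[str, list[Finding]]:
    """Return over-retained records grouped by activity.

    A record whose activity has no ROPA entry is reported under UNREGISTERED:
    processing that is not in the register is a finding in its own right,
    independent of how old the record is.
    """
    limits = {e.activity: timedelta(days=e.retention_days) for e in ropa}
    findings: dict[str, list[Finding]] = {}
    for r in records:
        if r.activity not in limits:
            findings.setdefault(UNREGISTERED, []).append(Finding(r.record_id, r.activity, 0))
            continue
        expiry = (r.retention_start or r.created) + limits[r.activity]
        if as_of > expiry:
            findings.setdefault(r.activity, []).append(
                Finding(r.record_id, r.activity, (as_of - expiry).days))
    return findings


def sample_audit() -> dict[str, list[Finding]]:
    """Constructed scenario mirroring the page: a two-year CRM retention period
    alongside a record created seven years before the audit date."""
    ropa = [
        RopaEntry("customer_crm", "customer account management", retention_days=730),
        RopaEntry("marketing_consent", "newsletter and promotions", retention_days=365),
    ]
    records = [
        Record("c1", "customer_crm", date(2017, 3, 1)),                      # seven years old
        Record("c2", "customer_crm", date(2023, 1, 1)),                      # within period
        Record("c3", "customer_crm", date(2019, 5, 5), retention_start=date(2023, 1, 1)),
        Record("m1", "marketing_consent", date(2022, 6, 1)),                 # expired June 2023
        Record("x1", "legacy_export", date(2021, 9, 9)),                     # not in the ROPA
    ]
    return audit_retention(ropa, records, as_of=date(2024, 3, 1))


if __name__ == "__main__":
    for activity, items in sample_audit().items():
        print(activity)
        for f in items:
            print(f"  {f.record_id}: {f.overdue_days} days past retention")
```

Run against a real export, the output is the evidence that either confirms the ROPA or shows exactly which activities need a deletion job; the c3 record illustrates why the retention start date, not the creation date, is what the ROPA period should be applied to.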
For clients with operations across both Belgium and Portugal, our analysis of data protection requirements in Portugal outlines how the Portuguese supervisory authority's enforcement priorities compare and where group-level compliance programmes require jurisdiction-specific adaptation.
Cross-border strategy and EU-level considerations
Belgium's position within the EU single market creates both complexity and opportunity for international businesses managing data protection across multiple jurisdictions.
One-stop-shop mechanism. Where a multinational group has its main establishment in Belgium, meaning the place of central administration or the establishment where decisions about the purposes and means of processing are taken for the EU as a whole, the GBA acts as its lead supervisory authority under the GDPR's one-stop-shop mechanism. This concentrates enforcement risk and compliance engagement with a single authority. The GBA then cooperates with the other concerned supervisory authorities under the GDPR cooperation procedure before issuing binding decisions, with disputes between authorities resolved through the EDPB's consistency mechanism. For groups assessing where to locate their EU data hub, Belgium's regulatory track record and the GBA's active enforcement posture are material factors in the analysis.
Cross-border data flows: Portugal and the Atlantic dimension. For businesses operating between Belgium and Portugal (a common structure for Iberian-based companies with EU headquarters), both jurisdictions are EEA member states. This means that transfers between them require a lawful basis but no additional transfer safeguard. The operative risk lies in ensuring that the controller–processor relationship and the applicable lawful basis are consistently documented on both sides. Where Portuguese entities act as sub-processors for Belgian controllers, the sub-processing chain must be authorised in the head DPA and governed by a compliant sub-processing agreement.
Interaction with the EU AI Act. For businesses deploying AI systems that process personal data in Belgium, the EU AI Act and the GDPR interact at several points. High-risk AI systems require conformity assessments that include evaluation of data governance practices. GDPR data minimisation and purpose limitation principles constrain the training data practices of AI developers. Belgian data protection law's implementing measures add a further layer for certain automated decisions. Businesses treating these two regimes as separate compliance exercises risk creating inconsistencies that expose them to both data protection enforcement and AI Act penalties.
Enforcement cooperation. The Belgian GBA participates actively in the European Data Protection Board (EDPB), the body that coordinates consistency across EU supervisory authorities. EDPB guidelines and opinions are not legally binding but are followed by the GBA in practice. Where the EDPB issues guidance on a specific processing practice – cookie consent, children's data, or health data, for example – the GBA will typically align its enforcement approach within a short period. Monitoring EDPB output is therefore as important as monitoring GBA decisions for businesses operating in Belgium.
A practical guide to the company formation process in Belgium, including corporate governance obligations that intersect with data protection appointments, is available in our guide to company formation in Belgium.
For a tailored strategy on data protection compliance and cross-border data transfers in Belgium, reach out to info@ferrazwhitmore.com.
Self-assessment checklist for Belgium
This checklist reflects the conditions under which a structured data protection compliance programme in Belgium is both required and commercially prudent.
Scope conditions – this service applies if:
- Your organisation collects, processes, or stores personal data of individuals located in Belgium, whether through an EU establishment or, if established outside the EU, by offering goods or services to those individuals or monitoring their behaviour.
- Your Belgian entity acts as a data controller, a data processor, or both, in relation to any personal data processing activity.
- Your group operates a cross-border data transfer arrangement involving Belgium as an origin or destination jurisdiction.
- Your organisation is subject to mandatory DPO appointment criteria under EU data protection law.
- Your business deploys automated decision-making or profiling technologies that affect individuals in Belgium.
Before initiating or reviewing compliance, verify:
- Your ROPA is current, accurate, and reflects actual data flows – not a template.
- Every processing activity has a documented lawful basis, including a written legitimate interests assessment where that basis is relied upon.
- All third-party processors are covered by written DPAs that meet the substantive requirements of EU data protection law.
- Data transfers to non-EEA countries are covered by SCCs supplemented by TIAs specific to each destination country.
- Your consent management platform has been reviewed for dark pattern compliance against current GBA guidance.
- Your breach response protocol has been tested and assigns clear roles, escalation paths, and a 72-hour tracking mechanism.
- Your DPO, if appointed, has documented independence, a defined mandate, and direct reporting access to senior management.
When to escalate to a different strategy:
If the GBA has opened a preliminary inquiry or issued a request for information, the matter shifts from compliance management to regulatory defence. The litigation chamber's procedures are adversarial. Early legal intervention, before the initial response is filed, materially affects the outcome. If a supervisory authority in another EU member state is already investigating the same processing activity, Belgium's GBA may be drawn in as a concerned authority. Coordinated legal representation across jurisdictions is then required.
Frequently asked questions
- How long does the GBA typically take to resolve a complaint?
- The GBA's litigation chamber handles complaints in distinct phases. An initial admissibility review is followed by a substantive investigation phase, which can extend from several months to over a year for complex matters. Where the complaint involves cross-border processing and multiple supervisory authorities, the one-stop-shop coordination process extends timelines further. Organisations under investigation should treat the process as a sustained engagement, not a short-form resolution.
- Is a Belgian data processing agreement different from a standard GDPR template?
- A common misconception is that any GDPR-compliant DPA template satisfies Belgian requirements without adaptation. The mandatory content under EU data protection law is uniform across member states. However, Belgian implementing legislation introduces specific provisions for certain sectors – including health data processing and employment contexts – that must be reflected in agreements covering those activities. In addition, the GBA's litigation chamber has interpreted certain DPA provisions strictly. Practitioners advise that DPAs used in Belgium are reviewed against current GBA guidance and recent enforcement decisions, not just against the GDPR text.
- Does a company based outside the EU need a representative in Belgium?
- Engaging a lawyer in Belgium with cross-border GDPR experience is particularly important for non-EU businesses that process personal data of individuals in Belgium without having an establishment in the EU. Article 27 GDPR requires such organisations to designate, in writing, a representative established in one of the EU member states where they offer goods or services to, or monitor the behaviour of, individuals in the EU. The representative must be authorised to deal with supervisory authorities and data subjects on the controller's behalf. Appointing a representative in Belgium may be appropriate where the relevant processing activities are concentrated there. The representative does not shield the controller from liability but is the GBA's primary point of contact.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients on data protection, AI regulation, and technology law across 46 jurisdictions. Our data protection practice assists international businesses operating in Belgium with GDPR compliance programmes, GBA regulatory defence, cross-border data transfer structuring, DPO advisory, and consent mechanism review. As a law firm in Belgium and across the EU, we combine Portuguese civil law expertise with English common law tradition to deliver compliance solutions that operate consistently across multiple legal systems. The firm's data protection team has advised clients before the EDPB consistency mechanism and on cross-border enforcement matters involving several EU supervisory authorities simultaneously. We work with international entrepreneurs, institutional investors, and in-house legal teams who need a law firm in Belgium with genuine cross-border capability. To discuss your data protection position in Belgium, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.