GDPR Compliance Checklist for Belgian Businesses (2026)

Steven | TrustYourWebsite · 2 May 2026

Running a business website in Belgium means navigating EU-wide GDPR and Belgium-specific rules enforced by the GBA (Gegevensbeschermingsautoriteit / Autorité de protection des données)—one of Europe's more active data protection regulators.

This checklist covers everything you need to do to stay compliant: cookies, privacy policy, legal notices, contact forms, and data processor agreements.

Why Belgian Rules Matter

The GBA doesn't just enforce GDPR—Belgium layers specific local requirements on top. The GBA has fined companies large and small for cookie consent failures, missing privacy policies, and inadequate data handling. In 2022–2024, it took action against multiple businesses for consent violations and insufficient privacy notices.

If your website collects data from anyone in Belgium, or you're a Belgian business serving anyone online, the GBA's rules apply.

Part 1: Cookies

What needs a banner

Under Belgian law (implementing the ePrivacy Directive), you need explicit prior consent for any tracking cookie. This includes:

  • Google Analytics
  • Facebook Pixel, Google Ads Pixel, TikTok Pixel
  • Hotjar or session recording tools
  • Retargeting or advertising cookies
  • Any third-party tracking script

Functional cookies (shopping cart, session, basic security) do not need a banner—just mention them in your privacy policy.

What your banner must do

The GBA has made clear what a compliant banner looks like:

  • No pre-ticked boxes: Consent options must start unticked
  • Reject as easy as accept: The "reject all" button must be as prominent and easy to click as "accept all"
  • Granular consent: Let users choose which types of cookies to accept
  • Prior consent: Tracking scripts must not load before the user makes a choice
  • Respect the choice: Don't ask again immediately if they've declined

The GBA has fined companies for burying the reject button, using dark patterns, or pre-ticking non-essential cookies. See the full cookie banner requirements for Belgium for what the GBA audits.

Cookie banner checklist

  • Banner appears before any tracking script loads
  • Visitors can reject without accepting
  • Reject button is as easy to find as accept
  • Each cookie type (analytics, ads, marketing) is listed separately
  • Visitors can change their choice later
  • Google Analytics and Facebook Pixel do NOT fire on page load—only after consent

Part 2: Privacy Policy

Your privacy policy is a legal document the GBA audits. It must be clear, specific, and in the language of your audience—if you market to French- or Dutch-speaking Belgians, they need the policy in that language.

What your privacy policy must cover

  • Your identity: Business name and contact details (include KBO number)
  • What data you collect: Be specific—email, IP address, browsing behaviour, phone number
  • Why you collect it: Legal basis (contract, consent, legitimate interest, legal obligation)
  • Who you share it with: Google (Analytics), Facebook (Pixel), payment processors, email providers
  • How long you keep it: "2 years for analytics," "5 years for invoices"—be precise
  • People's rights: Right to access, correct, delete, and export their data
  • How to exercise rights: An email address or form for access or deletion requests
  • The regulator: Mention the GBA as the Belgian supervisory authority and that people can complain to them

Privacy policy checklist

  • Written in plain language (not legal jargon)
  • Explains what data you collect and why
  • Lists every third party you share data with
  • Explains people's rights to access, correct, and delete their data
  • Explains how people can contact you about privacy
  • Dated and shows when it was last updated
  • Translated into French and/or Dutch if you market to French- or Dutch-speaking Belgians

Part 3: Legal Notices

Belgium requires specific legal information displayed on your website, beyond what GDPR requires.

What must be displayed

  • KBO number: Your Belgian business registration number—required by Belgian commercial law (WER Boek XII)
  • Business name and registered address
  • Email and phone contact details
  • VAT number (if applicable)
  • For e-commerce: Return and cancellation policy (standard 14-day right in Belgium)

Where to put it

Create a "Legal" or "Mentions Légales / Wettelijke Vermeldingen" page and link to it in your footer. The GBA expects it to be one click away from any page.

Legal notices checklist

  • KBO number displayed on the website
  • Business name and registered address shown
  • Clear contact email and phone number
  • For e-commerce: return/cancellation policy displayed
  • Legal page linked from the footer on every page
  • Translated into French or Dutch depending on your audience

Part 4: Contact Forms and Data Collection

Every form on your site that collects data is a GDPR touchpoint.

For contact forms

  • Explain before the form what you'll do with the data
  • Include a checkbox confirming they've read your privacy policy
  • State how long you'll keep their data

For newsletter/lead capture forms

  • Get explicit consent before adding anyone to a mailing list
  • Explain what emails they'll receive and how often
  • Make unsubscribe easy (one-click link in every email)
  • Keep records of consent—when, how, what they agreed to

For webshop checkout

  • Collect only what you need for the order
  • Don't pre-tick "email me marketing offers"
  • Show your privacy policy and terms before payment
  • Confirm payment data is encrypted (HTTPS)

Forms checklist

  • Every form explains what you'll do with the data
  • Explicit consent obtained for any mailing list
  • Marketing opt-in boxes are unticked by default
  • Confirmation emails explain data use
  • Email or link provided for data deletion requests
  • Payment is sent over HTTPS

Part 5: Data Processor Agreements

If you use tools like Google Analytics, Mailchimp, Shopify, or any cloud service that processes customer data, you need written agreements in place.

What you need

Data Processing Agreements (DPAs) are contracts with your tools confirming they'll only process your customers' data on your behalf and for nothing else. Most major tools offer DPAs as standard documents.

Tools that need DPAs:

  • Google Analytics
  • Google Workspace (Gmail, Drive)
  • Mailchimp or other email services
  • Shopify
  • Stripe or PayPal
  • Dropbox or OneDrive

Tools that usually don't:

  • Twitter/X, LinkedIn (if you're just using them as channels)
  • YouTube (if you're just embedding videos)

DPA checklist

  • DPA signed with Google Analytics
  • DPAs signed with Mailchimp, Shopify, or any tool processing customer data
  • These agreements stored somewhere findable
  • You know who your data processor is for each tool

Your Action Plan for This Week

Monday: List every tracking script, every form, and every tool that touches customer data.

Tuesday: Check your cookie banner. Does it block tracking until consent? If you don't have one but use tracking, install Cookiebot, Termly, OneTrust, or Iubenda.

Wednesday: Read your privacy policy. Does it cover all sections above? If not, rewrite it (budget €200–500 for a professional).

Thursday: Check your legal notices page. Does it show your KBO number and business address? If not, create one and link it from your footer.

Friday: Review contact forms for missing data disclosures and pre-ticked boxes. Collect DPAs from Google, Mailchimp, and Shopify.

Next week: Test in an incognito browser. Does Google Analytics fire before you click accept on the cookie banner? It shouldn't.
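A static first pass for the prior-consent rule in the banner section and the incognito test above, as an added example that is not from the original article: it scans a page's HTML for known tracker scripts that a browser would execute on load. The host list, the `data-category` attribute and the sample page are assumptions constructed for illustration.

```javascript
// Added example: flag tracker scripts that would run before any consent choice.
// Host list and sample page are constructed for illustration.
const TRACKER_HOSTS = [
  "googletagmanager.com", // gtag.js / Google Tag Manager
  "google-analytics.com", // Google Analytics
  "connect.facebook.net", // Facebook Pixel
  "static.hotjar.com",    // Hotjar
  "analytics.tiktok.com", // TikTok Pixel
];
// Approximates the JavaScript MIME types browsers run; errs toward flagging.
const JS_MIME = /^(text|application)\/(x-)?(java|ecma|j|live)script(1\.[0-5])?$/;

function attr(tagAttrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tagAttrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// A missing type, "module", or a JS MIME type executes; other types (text/plain) are inert.
function isExecutable(type) {
  return type === "" || type === "module" || JS_MIME.test(type);
}

function findPreConsentTrackers(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const type = (attr(attrs, "type") || "").trim().toLowerCase();
    if (!isExecutable(type)) continue; // held back until a consent tool re-types it
    const src = attr(attrs, "src") || "";
    const haystack = (src + " " + body).toLowerCase();
    for (const host of TRACKER_HOSTS) {
      if (haystack.includes(host)) findings.push({ host, where: src ? "external" : "inline" });
    }
  }
  return findings;
}

// Constructed sample: one tracker loads immediately, one is held back as text/plain.
const SAMPLE_PAGE = `
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script type="text/plain" data-category="marketing"
        src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>document.title = "shop";</script>
</head><body></body></html>`;

console.log(findPreConsentTrackers(SAMPLE_PAGE));
```

This only sees scripts present in the served HTML; trackers injected later by a tag manager still need the browser test described above.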

What the GBA Enforces

The GBA has fined companies for: missing cookie banners, no privacy policy, collecting emails without consent, buried reject buttons, pre-ticked non-essential cookies, and sharing data with unlisted third parties.

Fines for small businesses start at €5,000–€20,000. But the real cost is the investigation—the GBA can freeze your forms and audit your systems, requiring documented proof of every fix.

The good news: if you follow this checklist, you'll be compliant. A good cookie banner costs €15–30/month. A clear privacy policy costs one afternoon. And transparent, well-structured compliance pages actually build trust with Belgian customers.




This is technical analysis, not legal advice.
