GDPR Compliance Checklist for Belgian Businesses (2026)

Steven | TrustYourWebsite · 4 May 2026 · Last updated: May 2026

In February 2022, the APD/GBA (Gegevensbeschermingsautoriteit / Autorité de Protection des Données) ruled that IAB Europe's Transparency and Consent Framework, the consent management system used across thousands of European websites, did not meet GDPR requirements. The Brussels Court of Appeal upheld that decision in 2023. In 2024, the same authority imposed a €25,000 daily penalty on Mediahuis for a cookie banner where the Accept button was visually prominent and the Reject option was nearly hidden (Beslissing 113/2024). These are not isolated cases involving only large publishers.

The APD/GBA's current strategic plan explicitly names SMBs as an enforcement priority. Your website likely processes more personal data than you realise. The 35 checkpoints below follow the same structure the APD/GBA applies when reviewing business websites, starting with legal identification obligations specific to Belgium and working through cookies, privacy policy, forms, processors and security.


Domain 1: Legal identification (5 points)

Belgian law imposes specific identification requirements on top of GDPR that are typically checked at the same inspection visit.

☐ 1. KBO/BCE number displayed on the website

Under Book III of the Code of Economic Law (Wetboek van Economisch Recht / Code de droit économique), all Belgian businesses must display their enterprise number (KBO/BCE number) visibly on their website. The number has 10 digits in the format 0123.456.789. It should appear in the footer and on any legal notice page.

☐ 2. VAT number listed (for VAT-registered businesses)

VAT-registered businesses list their Belgian VAT number: BE followed by the KBO/BCE number. This appears on invoices and in general terms and conditions for online sellers.

☐ 3. Full company name and registered address

A P.O. box is not sufficient. List the full statutory address and legal form (BV, NV, VZW/ASBL).

☐ 4. Working contact email address

A contact email address is required under the Code of Economic Law and also serves as the channel for exercising GDPR rights (access, correction, deletion). GDPR Article 13(1)(a) requires the identity and contact details of the controller in every privacy policy.

☐ 5. Bilingual consumer information for Brussels-based businesses

Companies established in the Brussels-Capital Region that address the public must provide consumer information in both French and Dutch under Brussels regional language law. This covers legal notices, general terms and conditions and the privacy policy. A French-only or Dutch-only privacy policy on a Brussels-facing website fails this test and triggers a regional law violation independent of GDPR.

Domain 2: Cookies and consent (7 points)

Belgian cookie law operates in two layers. The Wet van 13 juni 2005 betreffende de elektronische communicatie governs the placement of cookies and similar technologies. GDPR applies whenever those cookies process personal data. Most cookies do.

☐ 6. Consent banner for non-essential cookies

If your website loads analytics, marketing trackers or social media plugins, a consent banner is required. An informational notice that says "This site uses cookies" with a single OK button is not valid consent. The visitor needs a genuine choice between accepting and refusing.

☐ 7. Reject button as visible as the Accept button

The APD/GBA ruled in Beslissing 113/2024 (Mediahuis) that a large coloured Accept button paired with a small or hidden Reject option does not constitute valid consent. Both options must be visually equivalent on the first layer of the banner. Equal prominence means equal size and equal visual weight, not a bright green button next to a grey text link.

☐ 8. Reject actually blocks scripts

Test this yourself: click Reject in your own cookie banner, then open the Network tab in browser developer tools (F12). If requests to google-analytics.com or facebook.com appear, your banner is not blocking scripts effectively. This is the technical failure the APD/GBA identified in the IAB Europe TCF decision: the consent interface concealed that processing was already under way before the user clicked.

☐ 9. No pre-checked boxes for non-essential categories

Analytics and marketing categories must be unchecked by default in any preference panel. The user must actively opt in. The obligation is on your side to ensure non-essential processing does not begin until the user makes a deliberate choice.

☐ 10. Consent choice remembered across visits

The banner should not reappear on every visit if the user has already made a choice. Consent must be stored for a reasonable period and recalled on subsequent visits.

☐ 11. Consent can be withdrawn at any time

A "Manage cookie preferences" link (or equivalent) in the footer lets users withdraw or change their consent at any time. GDPR Article 7(3) requires that withdrawing consent be as easy as giving it.

☐ 12. No cookie wall

A wall that denies access to the website unless the user accepts marketing cookies is in most cases invalid. The APD/GBA has confirmed this position in published guidance: access to a service cannot generally be made conditional on consent to non-essential processing.

Domain 3: Privacy policy (7 points)

GDPR Articles 13 and 14, as supplemented by the Wet van 30 juli 2018 betreffende de bescherming van persoonsgegevens (Belgium's national GDPR implementation act), set what a privacy policy must contain.

☐ 13. Privacy policy accessible from every page

A link in the footer on every page satisfies this. The policy must load as a dedicated page, not a pop-up.

☐ 14. Controller identity including KBO/BCE number

Your company name, registered address and KBO/BCE number must appear in the policy. If you have a Data Protection Officer (DPO), their contact details are listed separately.

☐ 15. Purpose and legal basis per processing activity

One general statement does not satisfy Article 13(1)(c). For each activity (contact form, newsletter, analytics, order processing) state the purpose and the legal basis: consent, contract, legitimate interest or legal obligation. You cannot pick one basis for everything.

☐ 16. Specific retention periods

"As long as necessary" is too vague for the APD/GBA. State concrete timeframes per category. Note the Belgian-specific requirement: the Code of Companies and Associations (Wetboek van Vennootschappen en Verenigingen) mandates 10-year retention for accounting records. Customer data linked to invoices or orders falls under this rule for the accounting dimension, which is longer than the 7-year period cited in many other EU countries.

☐ 17. Processors named specifically

Every external service handling personal data on your behalf must be named in the policy: your hosting provider, analytics platform, email service and payment processor. "Third parties" without names does not satisfy Article 13(1)(e).

☐ 18. Data subject rights with a contact channel

List all rights (access, rectification, erasure, restriction, portability and the right to object) and explain concretely how to exercise them. A working email address for rights requests is sufficient. Also include the right to lodge a complaint with the APD/GBA and a link to their complaints page.

☐ 19. International transfers disclosed

If you use US-based services (Google, Meta, Stripe, Mailchimp), personal data is transferred to the United States. Check whether your provider is certified under the EU-US Data Privacy Framework and document this transfer and its legal basis in your privacy policy.

Domain 4: Forms and data collection (6 points)

☐ 20. Privacy policy link on every form

Each form collecting personal data should carry a link to the privacy policy near the submit button. This satisfies the GDPR requirement to inform people at the point of collection.

☐ 21. Separate consent for newsletter subscription

Newsletter subscription consent cannot be bundled with acceptance of general terms and conditions or any other declaration. Each distinct purpose requires a separate checkbox or consent action.

☐ 22. No pre-checked marketing boxes

Pre-ticked consent boxes are invalid under both GDPR and the Wet van 13 juni 2005. The EU Court of Justice confirmed this in Planet49 (C-673/17): any consent collected through a pre-checked box is legally void.

☐ 23. Proof of consent recorded

You must be able to demonstrate when and how a user gave consent. Most email platforms (Mailchimp, Brevo) record this automatically. For forms you manage directly, log the timestamp, source page and the wording of the consent presented.
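One way to implement the points made above in code, as an added example that is not from the original article: the Reject test (non-essential scripts must stay inert until the visitor opts in), remembering the choice between visits, and the consent record this checkpoint asks for (timestamp, source page, banner wording). The `data-consent` attribute, the storage key and the 180-day validity period are assumptions.

```javascript
// Added example (not from the original article): a consent gate that keeps
// non-essential scripts inert until the visitor opts in, and records the
// evidence (timestamp, source page, banner wording) needed to show consent.
// Attribute name, storage key and the 180-day validity are assumptions.
const NON_ESSENTIAL = ['analytics', 'marketing'];
const STORAGE_KEY = 'consent-record';          // assumed localStorage key
const CONSENT_MAX_AGE_DAYS = 180;              // assumed validity of a choice

// Built when the visitor clicks Accept, Reject or Save. Every non-essential
// category defaults to false, so nothing is ever pre-checked.
function buildConsentRecord(choices, sourcePage, bannerText, now = new Date()) {
  const granted = {};
  for (const c of NON_ESSENTIAL) granted[c] = choices[c] === true;
  return { timestamp: now.toISOString(), sourcePage, bannerText, granted };
}

// A stored choice is honoured while recent (no banner on every visit);
// an expired or malformed record means "ask again".
function isConsentCurrent(record, now = new Date()) {
  if (!record || typeof record.timestamp !== 'string') return false;
  const ageMs = now.getTime() - Date.parse(record.timestamp);
  return ageMs >= 0 && ageMs <= CONSENT_MAX_AGE_DAYS * 86400000;
}

// Essential scripts always run; anything else needs a current, explicit
// opt-in for its own category. No record at all means blocked.
function mayLoad(category, record, now = new Date()) {
  if (category === 'essential') return true;
  return isConsentCurrent(record, now) &&
    !!record.granted && record.granted[category] === true;
}

// Third-party tags are declared inert in the HTML so the browser never runs
// them by itself:  <script type="text/plain" data-consent="analytics" src=...>
// Only permitted ones are cloned into real script tags after consent.
function activateScripts(doc, record) {
  let activated = 0;
  const inert = doc.querySelectorAll('script[type="text/plain"][data-consent]');
  for (const tag of inert) {
    if (!mayLoad(tag.dataset.consent, record)) continue;
    const live = doc.createElement('script');
    if (tag.src) live.src = tag.src; else live.textContent = tag.textContent;
    tag.replaceWith(live);
    activated++;
  }
  return activated;
}

if (typeof document !== 'undefined') {   // browser only; skipped under Node
  const stored = JSON.parse(localStorage.getItem(STORAGE_KEY) || 'null');
  if (isConsentCurrent(stored)) activateScripts(document, stored);
}
```

Repeat the Network-tab check from the Reject test after wiring this in: with no stored record, or a record with every category false, no request to a third-party tracker should appear.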

☐ 24. Working unsubscribe link in every commercial email

Every commercial email must contain a working unsubscribe link. Under Belgian commercial law, removal must take effect within 10 working days.

☐ 25. Data minimisation applied to form fields

GDPR Article 5(1)(c) prohibits collecting more data than necessary for the stated purpose. A contact form does not need date of birth, gender or home address if those fields serve no function in handling the enquiry. Remove any field you cannot justify.

Domain 5: Processors and data agreements (4 points)

☐ 26. Data Processing Agreements in place

GDPR Article 28 requires a written Data Processing Agreement (DPA) with every third party that handles personal data on your behalf. Hosting providers, email platforms, analytics services and payment processors all require one. Most reputable providers (Google, Mailchimp, Stripe) offer a DPA in their account settings or legal pages. Keep evidence of acceptance.

☐ 27. Current processor inventory maintained

A simple spreadsheet listing each tool, its purpose, the data it processes and where its servers are located lets you answer APD/GBA questions without delay and speeds up incident response.

☐ 28. Google Fonts hosted locally

Loading Google Fonts from Google's CDN sends each visitor's IP address to Google on every page load, without prior consent. Download the font files and host them on your own server. A German court awarded 100 euros in damages per visitor for this exact issue in 2022 (LG München I, Az. 3 O 17493/20).

☐ 29. Click-to-load for Maps and YouTube embeds

Directly embedded Google Maps iframes and YouTube videos set tracking cookies as soon as the page loads. Replace direct embeds with a static placeholder image that loads the actual integration only after the user clicks.

Domain 6: Security and technical measures (6 points)

GDPR Article 32 requires "appropriate technical and organisational measures" to protect personal data. A data breach caused by neglected basics is a compliance failure, not solely an IT problem.

☐ 30. HTTPS on every page

No exceptions. Every page must load over HTTPS, including checkout, admin login and any page with a form. Check that the site redirects automatically from HTTP to HTTPS and that no mixed-content warnings appear.

☐ 31. CMS and plugins updated regularly

Outdated WordPress or Joomla installations with known security vulnerabilities are a common entry point for breaches involving SMB websites. Enable automatic updates for non-critical components and review pending updates weekly.

☐ 32. Data breach notification procedure ready

Under GDPR Article 33, breaches that pose a risk to individuals must be reported to the APD/GBA within 72 hours of becoming aware of them. Know who in your organisation handles this, where the APD/GBA breach notification form is and what information you will need to provide.

☐ 33. Record of Processing Activities (ROPA) maintained

Article 30 requires businesses whose processing is not occasional to maintain a ROPA. For most active commercial websites running analytics, contact forms and newsletters continuously, the occasional-processing exemption does not apply. A simple spreadsheet with columns for activity, purpose, data categories, recipients, legal basis and retention period is sufficient.

☐ 34. Strong passwords and two-factor authentication on admin accounts

Your CMS admin account gives access to all personal data the system contains. Use unique, strong passwords and enable two-factor authentication on every admin account. Do not share login credentials between staff members.

☐ 35. Regular backups verified

Automated backups run on a schedule and are tested periodically. A backup that has never been tested for restoration offers unreliable protection.

What the APD/GBA has sanctioned in Belgium

APD/GBA vs IAB Europe (February 2022): The APD/GBA ruled that the TCF framework used by thousands of advertising-supported websites did not provide a valid legal basis for processing personal data. IAB Europe was identified as a joint data controller. The Brussels Court of Appeal upheld the ruling in 2023. The decision established that consent management systems must technically prevent processing before consent is given, not merely display a consent interface.

APD/GBA vs Mediahuis (Beslissing 113/2024): A €25,000 daily penalty for a dark pattern in a cookie banner. The Accept button was large and brightly coloured; the Reject option was barely visible. The decision is published on the APD/GBA's website and is directly applicable to any Belgian website using a similar design.

APD/GBA cookie banner sweep 2023–2024: The APD/GBA systematically reviewed cookie banners across Belgian websites, including SMBs in retail and services. Businesses received formal notices with correction deadlines.

For a step-by-step technical audit of your website covering each of these domains, see our GDPR website audit for Belgian businesses.

This article is technical analysis, not legal advice. Consult a lawyer or GDPR specialist for advice tailored to your situation.
