GDPR Website Audit for Belgian Businesses: Step-by-Step

Steven | TrustYourWebsite · 4 May 2026 · Last updated: May 2026

The APD/GBA (Gegevensbeschermingsautoriteit / Autorité de Protection des Données) investigates concrete technical findings, not policy declarations. Its landmark ruling on the IAB Europe Transparency and Consent Framework in 2022 demonstrated this: inspectors verified whether the consent mechanism worked correctly in technical terms, not whether a privacy policy existed somewhere on the server. In 2024, the APD/GBA imposed a €25,000 daily penalty on Mediahuis because the technical operation of the cookie banner did not match what was presented to the user (Beslissing 113/2024).

A proper GDPR website audit examines what happens technically behind your website, not what your privacy policy claims. This step-by-step guide works through that technical layer systematically.


What you need for the audit

  • Access to your website's front end and CMS admin panel
  • A list of all plugins, analytics tools and external services
  • A browser with developer tools (Chrome, Firefox or Edge)
  • A spreadsheet to record findings

Always work in a private or incognito browser window. This shows you exactly what a new visitor sees, without previous cookies or consent choices influencing the result.

Step 1: Cookie banner and cookies

This is where most violations are found. The Wet van 13 juni 2005 betreffende de elektronische communicatie governs the placement of cookies and similar technologies. GDPR applies whenever a cookie processes personal data.

Test the banner's basic operation

Visit your homepage in an incognito window and work through these checks.

Does a banner appear? If your website uses Google Analytics, a Facebook Pixel or comparable tools, a consent banner is required.

Does the banner offer a clear reject option? A banner with only an OK button or "I understand" is not valid consent. The user needs a genuine choice.

Is the reject button as prominent as the accept button? Same size and same visual weight as accept. The APD/GBA cited visual imbalance explicitly in the Mediahuis decision as an invalid dark pattern. Accept and reject must be equally easy to use on the first layer.

How many clicks does it take to reject? If accepting costs one click, rejecting should not require four clicks through a settings menu.

Open developer tools (F12), go to the Network tab and reload the page without touching the cookie banner.

Filter for "analytics", "facebook" or "hotjar". If you see requests to google-analytics.com, facebook.com/tr or similar tracking domains before you have clicked anything, your banner is not actually blocking the scripts. This is the technical failure the APD/GBA marked as invalid in the IAB Europe TCF case: the consent interface concealed that processing was already under way before the click.

In developer tools, go to Application > Cookies (Chrome) or Storage > Cookies (Firefox). Note each cookie's name, domain, purpose and retention period. Categorise each cookie.

  • Strictly necessary (session, shopping cart, language preference): no consent required
  • Analytics (_ga, _gid): consent required
  • Marketing (_fbp, _gads): consent required
  • Functional (live chat, embedded video): consent typically required

Compare the list with your cookie policy page. Cookies present on your site but not listed in the policy mean the policy is incomplete. The APD/GBA checks this during investigations.
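The two checks above (requests fired before any click, and the cookie inventory compared with the policy page) can be run over the data you copy out of developer tools. This is an added example, not code from the article: the snapshot shape, the tracker host list, the cookie prefix rules and the sample values are all constructed for illustration.

```javascript
// Added example, not code from the article: evaluate a snapshot taken from an
// incognito page load BEFORE touching the cookie banner. Snapshot shape,
// host list and sample values are constructed for illustration.
const TRACKING_HOSTS = ['google-analytics.com', 'googletagmanager.com',
  'doubleclick.net', 'facebook.net', 'facebook.com', 'hotjar.com'];
// Cookie-name prefixes mapped to the categories used in the article.
const COOKIE_RULES = [
  { prefix: '_ga', category: 'analytics' }, { prefix: '_gid', category: 'analytics' },
  { prefix: '_fbp', category: 'marketing' }, { prefix: '_gads', category: 'marketing' },
];
const hostMatches = (host, base) => host === base || host.endsWith('.' + base);

function categoriseCookie(name) {
  const rule = COOKIE_RULES.find((r) => name.startsWith(r.prefix));
  // Unknown names need manual review; never assume they are strictly necessary.
  return rule ? rule.category : 'unclassified';
}

// snapshot: { requests: [url], cookies: [{ name, domain }] }; policy: names on the cookie policy page
function auditPreConsent(snapshot, policy) {
  const findings = [];
  for (const url of snapshot.requests) {
    const { hostname, pathname } = new URL(url);
    const tracker = TRACKING_HOSTS.find((h) => hostMatches(hostname, h));
    // facebook.com/tr is the Pixel endpoint; a plain link to facebook.com is not tracking
    const isPixel = pathname === '/tr' || pathname.startsWith('/tr/');
    if (!tracker || (tracker === 'facebook.com' && !isPixel)) continue;
    findings.push({ type: 'request_before_consent', url });
  }
  const documented = new Set(policy);
  for (const { name } of snapshot.cookies) {
    const category = categoriseCookie(name);
    if (category === 'analytics' || category === 'marketing') {
      findings.push({ type: 'cookie_before_consent', name, category });
    }
    if (!documented.has(name)) findings.push({ type: 'cookie_not_in_policy', name });
  }
  return findings;
}

// Constructed sample: GA and the Pixel fire before any click, and _fbp is not in the policy.
const sampleSnapshot = {
  requests: ['https://example.be/',
    'https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER',
    'https://www.facebook.com/tr?id=PLACEHOLDER&ev=PageView',
    'https://www.facebook.com/examplepage'],
  cookies: [{ name: 'PHPSESSID', domain: 'example.be' },
    { name: '_ga', domain: '.example.be' }, { name: '_fbp', domain: '.example.be' }],
};
const samplePolicy = ['PHPSESSID', '_ga'];
console.log(auditPreConsent(sampleSnapshot, samplePolicy));
```

Every `request_before_consent` or `cookie_before_consent` finding means the banner is not blocking that script; every `cookie_not_in_policy` finding is a line missing from the cookie policy page.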

Step 2: Privacy policy

Open your privacy policy and put a spreadsheet next to it. Mark each element as present, missing or too vague.

GDPR Articles 13 and 14, as supplemented by the Wet van 30 juli 2018 (Belgium's national GDPR implementation act), set the minimum requirements. Check each point.

Controller identity: company name, full address and KBO/BCE number. If you have a DPO, their contact details too.

Purpose and legal basis per processing activity: not one general statement for everything. Each activity (contact form, newsletter, analytics, orders) needs its own stated purpose and legal basis: consent, contract, legal obligation or legitimate interest.

Categories of personal data: be specific. List name, email address, IP address, payment details and browsing behaviour.

Recipients: name your hosting provider, analytics tool, email platform and payment processor.

Retention periods: "as long as necessary" is too vague for the APD/GBA. Give concrete timeframes per category. Note the Belgian requirement: the Code of Companies and Associations (Wetboek van Vennootschappen en Verenigingen) mandates 10-year retention for accounting documents. Where customer data is linked to invoices or orders, that 10-year period applies to the accounting dimension of those records, longer than the 7-year period cited in many other EU countries.

Data subject rights: access, rectification, erasure, restriction, portability and the right to object. Explain how to exercise each right and within what timeframe you will respond (30 days).

Right to lodge a complaint with the APD/GBA: include a working link to the APD/GBA's complaints page.

International transfers: if you use US-based services (Google, Mailchimp, Stripe), data transfers to the United States are taking place. Check whether those services are certified under the EU-US Data Privacy Framework.

Brussels bilingual obligation

If your website serves visitors in the Brussels-Capital Region, your privacy policy must be available in both French and Dutch under Brussels regional language law. This is a regional legal obligation, not part of GDPR itself, but both obligations are checked at the same inspection visit.

Step 3: Forms

Review every form on your website. These are the most common issues, by form type.

Contact forms

Is there a link to the privacy policy near the form's submit button, directly above or below? Are you only collecting what you need for handling the enquiry? A contact form does not need date of birth or phone number. Where does the submission go: the CMS database, your inbox or an external service? Each destination must be covered in your privacy policy.

Newsletter signups

Is consent for the newsletter separate from other declarations? Is the checkbox unchecked by default? The EU Court of Justice settled this in Planet49 (C-673/17): pre-checked boxes do not constitute valid consent. Do you use double opt-in? This is the recommended approach in Belgium for legally sound consent evidence.

Order process

Are marketing checkboxes separate from the mandatory acceptance of general terms and conditions? Is payment data retained? If so, is it held in PCI DSS-compliant infrastructure?

Step 4: External services and processor agreements

List all external services that see personal data from your visitors.

  • Hosting provider
  • Email platform (Mailchimp, Brevo, ActiveCampaign)
  • Analytics (Google Analytics, Matomo, Plausible)
  • Payment processor (Mollie, Stripe, Adyen)
  • Live chat or helpdesk
  • CDN or security proxy (Cloudflare)
  • Marketing automation
  • CRM

For each service: do you have a Data Processing Agreement (DPA) in place? The major SaaS providers offer these as standard in their account settings or acceptance process. Keep evidence of acceptance.

Google Fonts: loading Google Fonts from Google's servers sends each visitor's IP address to Google on every page load, without consent. Host the font files locally on your own server.

Google Maps and YouTube: directly embedded Maps iframes and YouTube videos load tracking cookies as soon as the page appears. Replace direct embeds with a static image and a "Click to load the map" button that loads the actual integration only after the user clicks.

Step 5: Security headers and HTTPS

GDPR Article 32 requires "appropriate technical and organisational measures" to protect personal data. Several basics are the minimum expected.

  • HTTPS everywhere: visit your site via http:// and check that it automatically redirects to https://. Mixed content (an HTTPS page loading HTTP resources) counts as a failure.
  • Valid TLS certificate: use SSL Labs for a thorough check.
  • HSTS header: forces browsers to always use HTTPS.
  • Content-Security-Policy: protects against XSS attacks.
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin

In developer tools, open the Network tab, select the first request (the HTML document itself) and look at its Response Headers section. This shows which headers are active.
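The header check can be scripted once you have copied the Response Headers panel into a name/value map. This is an added example, not code from the article: the header map shape, the thresholds and both sample header sets are constructed for illustration.

```javascript
// Added example, not code from the article: grade a response-header map copied
// from the first request's Response Headers panel against the Article 32 basics
// listed above. Thresholds and sample headers are constructed for illustration.
const REQUIRED = {
  'strict-transport-security': 'HSTS header missing: browsers can still be downgraded to HTTP',
  'content-security-policy': 'Content-Security-Policy missing: no XSS mitigation',
  'x-content-type-options': 'X-Content-Type-Options missing',
  'referrer-policy': 'Referrer-Policy missing',
};
// These two policies send the full URL (query strings may carry personal data) to third parties.
const LEAKY_REFERRER = ['unsafe-url', 'no-referrer-when-downgrade'];
const ONE_YEAR = 31536000; // the usual baseline for HSTS max-age and the preload-list minimum

function auditHeaders(finalUrl, headers) {
  // Header names are case-insensitive; normalise them before checking.
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
  const findings = [];
  if (!finalUrl.startsWith('https://')) findings.push('final URL is not HTTPS: redirect missing');
  for (const [name, message] of Object.entries(REQUIRED)) if (!(name in h)) findings.push(message);
  if (h['strict-transport-security']) {
    const m = /max-age=(\d+)/i.exec(h['strict-transport-security']);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < ONE_YEAR) findings.push(`HSTS max-age too short (${maxAge}s, expect at least ${ONE_YEAR})`);
  }
  if (h['x-content-type-options'] && h['x-content-type-options'].toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options is not "nosniff"');
  }
  if (h['referrer-policy'] && LEAKY_REFERRER.includes(h['referrer-policy'].toLowerCase())) {
    findings.push(`Referrer-Policy "${h['referrer-policy']}" leaks full URLs to third parties`);
  }
  const csp = h['content-security-policy'];
  if (csp && /script-src[^;]*'unsafe-inline'/i.test(csp)) {
    findings.push("CSP allows 'unsafe-inline' scripts: XSS protection is largely void");
  }
  return findings;
}

// Constructed samples: a weak configuration beside the corrected one.
const weakSample = { url: 'https://example.be/', headers: { Server: 'nginx',
  'Strict-Transport-Security': 'max-age=300', 'Referrer-Policy': 'unsafe-url' } };
const hardenedSample = { url: 'https://example.be/', headers: {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'",
  'X-Content-Type-Options': 'nosniff', 'Referrer-Policy': 'strict-origin-when-cross-origin' } };
console.log(auditHeaders(weakSample.url, weakSample.headers));
```

An empty result means the basics from the list above are in place; it does not cover TLS configuration, which still needs a check such as SSL Labs.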

Data breaches at SMBs typically come through two routes: an outdated plugin (especially in WordPress) or a stolen password. Update your CMS and plugins monthly and enable two-factor authentication on all admin accounts.

Step 6: Retention periods

Beyond GDPR, specific legal retention periods apply in Belgium.

  • Accounting records: 10 years (Code of Companies and Associations / Wetboek van Vennootschappen en Verenigingen)
  • Customer data without an accounting dimension: for the duration of the relationship plus a reasonable follow-up period (typically 2 years)
  • Newsletter subscribers: until unsubscribe, then delete or anonymise
  • Contact form submissions: until handled plus any follow-up period (3–12 months depending on the type of enquiry)
  • Log files with IP addresses: typically 6–12 months

Do your systems have an automated deletion routine? Many businesses have a written policy but no technical execution. The APD/GBA has treated this as an aggravating circumstance in several investigations.

Step 7: Data breach procedure

A data breach that poses a risk to individuals must be reported to the APD/GBA within 72 hours of becoming aware of it. Do you have a response plan?

Test yourself: suppose tomorrow morning a hacker publishes your customer database. Do you know who to call, how to file a notification with the APD/GBA (notification form on gegevensbeschermingsautoriteit.be) and how to inform the affected individuals? If not, write a basic one-page plan today.

Preparing the audit report

After working through the steps above, you have a spreadsheet of findings. Categorise them.

  • Fix immediately (this week): scripts loading before consent, missing privacy policy, pre-checked consent boxes
  • Plan for this month: incomplete policy, missing processor agreements, security headers, retention period implementation
  • Strategic: supplier review, CMS update, bilingual policy for Brussels-facing websites

Keep the audit report. If a complaint or APD/GBA investigation arises, a documented audit history is your strongest argument: it shows you take privacy seriously and act on findings.

For a 35-point compliance checklist covering all the items above, see our GDPR compliance checklist for Belgian businesses.


This article is technical analysis, not legal advice. Consult a lawyer or GDPR specialist for advice tailored to your situation.

