GDPR website check Belgium: scan your site free

Steven | TrustYourWebsite · 12 June 2026 · Last updated: June 2026

This free GDPR website check for Belgian businesses tests in 60 seconds whether your site meets the rules enforced by the Belgian Data Protection Authority (GBA/APD). The GBA/APD explicitly named SMEs as an enforcement priority in its 2020-2025 strategic plan, yet many Belgian businesses still do not know whether their website complies with the GDPR.

Start the free GDPR website check, or read on to see what our scanner actually tests.


What the scanner checks

Most websites have a cookie banner. But if a visitor clicks "Reject", do the trackers really stop? Our scanner simulates a real visitor clicking "Reject" and then checks whether Google Analytics, Facebook Pixel and other scripts are still loading.

The legal basis was renewed in 2022. Cookie consent sits in Article 10/2 of the Act of 30 July 2018 (the "Kaderwet"), inserted by the Act of 21 December 2021 and in force since 10 January 2022. The old cookie provision in the Act of 13 June 2005 (Article 129 WEC) was repealed at the same time, and supervision lies with the GBA/APD. The consent requirement covers every tracking technique – cookies, pixels, fingerprinting, local storage – with only two exceptions: pure transmission and what is strictly necessary for the service the visitor requested.

What the GBA/APD concretely expects is set out in its Cookie Checklist of October 2023 (NL / FR):

  • A "reject all" button on the first layer of the banner, as prominent as "accept all" – a "manage settings" button is not enough
  • No cookie walls and no consent inferred from scrolling, browser settings or pre-ticked boxes
  • Withdrawal in one click, with real effect on the trackers
  • A consent cookie lifetime of around 6 months is considered "in principle reasonable"
  • Even first-party analytics require consent in Belgium – there is no exemption like the French CNIL one for anonymised statistics
  • Keep dated, versioned copies of your banner and cookie policy as evidence of what the visitor saw

Our guide to Belgian cookie banner requirements walks through each point with examples.

Do scripts already load before the visitor has clicked anything in the cookie banner? This is one of the most common GDPR violations. Our scanner records every script that loads before the cookie banner is visible.
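Both tracker checks described above (scripts that keep loading after "Reject", and scripts that load before any choice) come down to comparing request timestamps against the consent event. The sketch below is an added example, not TrustYourWebsite's scanner code; the trace format, the tracker host list and the sample data are assumptions constructed for illustration.

```javascript
// Added example. Trace format, host list and sample data are assumptions.
// Tracker host suffixes: a short illustrative list, not an exhaustive one.
const TRACKER_HOSTS = [
  "google-analytics.com",
  "googletagmanager.com",
  "connect.facebook.net",
  "facebook.com",
];

function isTracker(url) {
  const host = new URL(url).hostname;
  // Match the host itself or any subdomain, never a look-alike suffix.
  return TRACKER_HOSTS.some((t) => host === t || host.endsWith("." + t));
}

// trace.requests: [{ t: ms since navigation, url }]
// trace.events:   [{ t, type: "banner_visible" | "accept" | "reject" }]
function auditTrace(trace) {
  const choice = trace.events.find(
    (e) => e.type === "accept" || e.type === "reject"
  );
  const findings = [];
  for (const req of trace.requests) {
    if (!isTracker(req.url)) continue;
    if (!choice || req.t < choice.t) {
      findings.push({ url: req.url, issue: "loaded-before-choice" });
    } else if (choice.type === "reject") {
      findings.push({ url: req.url, issue: "loaded-after-reject" });
    }
  }
  return findings;
}

// Constructed sample: one visitor who clicks "Reject" at 2500 ms.
const SAMPLE_TRACE = {
  events: [
    { t: 900, type: "banner_visible" },
    { t: 2500, type: "reject" },
  ],
  requests: [
    { t: 120, url: "https://shop.example/assets/app.js" },
    { t: 340, url: "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE" },
    { t: 2900, url: "https://www.facebook.com/tr?id=0000&ev=PageView" },
    { t: 3100, url: "https://cdn.example/fonts/a.woff2" },
    { t: 3200, url: "https://notgoogle-analytics.com.example/x.js" },
  ],
};

console.log(auditTrace(SAMPLE_TRACE));
```

A trace with no choice event at all reports every tracker request as loaded before the choice, which matches the case where the banner is simply ignored.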

Privacy policy present and findable

Is there a privacy policy? Can it be reached from every page? Our scanner looks for a footer link and checks that the page exists. This point weighs more than ever in 2026: on 19 March 2026 the EDPB launched its coordinated enforcement action CEF 2026 on transparency and information obligations (Articles 12-14 GDPR), with 25 European supervisory authorities taking part. A missing or unfindable privacy policy is exactly what that campaign targets.

Company number (Belgium-specific)

The Code of Economic Law (Article III.74 WER/CDE) requires Belgian businesses to display their company number on their website. Visitors can look up the 10-digit KBO/BCE number publicly via kbopub.economie.fgov.be. Our scanner searches your pages for the number automatically.
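One way to search page text for the company number and discard look-alike digit strings, as an added example rather than the scanner's own code. It assumes the mod-97 check-digit rule and the leading 0 or 1 of enterprise numbers, neither of which is stated on this page; the function names and sample text are constructed.

```javascript
// Added example. Function names and the sample text are constructed.
// Assumptions (not from the page): an enterprise number starts with 0 or 1,
// and its last two digits equal 97 minus (first eight digits mod 97).

// Optional "BE" prefix, then 4+3+3 digits with optional dot/space separators.
const KBO_PATTERN = /\b(?:BE\s?)?([01]\d{3})[.\s]?(\d{3})[.\s]?(\d{3})\b/g;

function hasValidCheckDigits(digits) {
  const base = Number(digits.slice(0, 8));
  const check = Number(digits.slice(8));
  return 97 - (base % 97) === check;
}

// Returns every candidate with its normalised 10-digit form and a verdict.
function findCompanyNumbers(text) {
  const results = [];
  for (const m of text.matchAll(KBO_PATTERN)) {
    const digits = m[1] + m[2] + m[3];
    results.push({ raw: m[0], digits, valid: hasValidCheckDigits(digits) });
  }
  return results;
}

// Constructed footer text: one checksum-valid number, one mistyped number,
// and a phone number that happens to be ten digits long.
const SAMPLE_FOOTER = [
  "Example BV - BE 0123.456.749 - RPR Gent",
  "Old letterhead: 0123.456.789",
  "Tel. 0471234567",
].join("\n");

console.log(findCompanyNumbers(SAMPLE_FOOTER));
```

A checksum-valid match only shows the string is well-formed; whether it belongs to the business is confirmed through the public lookup at kbopub.economie.fgov.be.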

SSL security

Does your website load over HTTPS? Is your certificate valid? Are the security headers configured correctly?

Accessibility

Does your website meet the basic requirements of the European Accessibility Act (EAA), in force across the EU since 28 June 2025? Belgium transposed the rules for services through the Act of 5 November 2023. Watch out for a Belgian catch: micro-enterprises (fewer than 10 staff and at most €2 million turnover) are only excluded from scope until 28 June 2030. The penalties follow the WER levels: level 2 via Article XV.99/1 (up to €80,000 or 4% of turnover) and, in cases of bad faith, level 3 via Article XV.101/1 (up to €200,000 or 6%).

Image licences

Are you using stock photos that may not be correctly licensed? Agencies such as CopyTrack and PicRights send demand letters automatically, averaging €800 to €1,500 per image.


How it works

Step 1: Enter your website address in the box below.

Step 2: Our scanner visits your website automatically and runs more than 35 checks.

Step 3: Within 60 seconds you get a score (0-100) and an overview of the issues found.

The free report shows your score and the number of issues per category. For detailed findings with explanations, screenshots and step-by-step instructions, choose the full report (€9 one-time).


The GBA/APD is one of the most active privacy regulators in the Benelux, and its cookie cases form a clear line:

  • 2019 – the first Belgian cookie fine. In Decision 12/2019 (17 December 2019) the publisher of a legal news site received €15,000 for a privacy policy that did not match reality (and existed only in English for a Dutch- and French-speaking audience) plus pre-ticked boxes (decisions of the Litigation Chamber).
  • 2022 – Roularta. In Decision 85/2022 (25 May 2022) Roularta Media Group (knack.be, levif.be) was fined €50,000 for dozens of cookies placed before consent, pre-ticked boxes and consent that was hard to withdraw.
  • 2024 – Mediahuis. In Decision 113/2024 the Litigation Chamber ordered an equally prominent reject button, backed by a penalty payment of €25,000 per day. The Marktenhof annulled that decision on 19 March 2025 (case 2024/AR/1690) – but solely on procedural grounds tied to the admissibility of the complaint. The substantive requirement of an equivalent reject button was not rejected, and the file is back with the GBA/APD.
  • 2025 – DPG Media. With interlocutory Decision 16/2025, a similar cookie banner case against DPG Media is ongoing (decisions of the Litigation Chamber).

And beyond cookies: on 12 May 2026 the Litigation Chamber announced three new fines (Decisions 101 to 103/2026) – including €176,000 for keeping a former employee's mailbox for about a year. Cookie violations themselves are fined under the GDPR regime, where the ceilings reach €20 million or 4% of worldwide turnover for breaches of Articles 5-7 and 12-14. The dark-pattern principles from the EDPB Guidelines 03/2022 remain the benchmark there.

Outside the GDPR, failing to display your company number on your website is punishable under Article XV.77 WER: a criminal fine of €26 to €10,000 that the statutory surcharge factors (opdeciemen, factor 8) can raise to €80,000. The FOD Economie / SPF Économie enforces this.


The five problems we see most often

Our scans of Belgian SME websites keep surfacing the same findings:

  1. No reject button on the first layer. The banner shows "Accept" and "Settings", but rejecting takes three extra clicks – exactly what the GBA/APD checklist forbids.
  2. Trackers loading before the choice. Google Analytics or the Meta Pixel fires on page load, before the banner has even appeared.
  3. An outdated or wrong privacy policy. References to the repealed cookie provision in the Act of 13 June 2005, or to the Dutch AP instead of the Belgian GBA/APD.
  4. No company number in the footer. Often present on the contact page, but not "easily, directly and permanently accessible" as Article XII.6 WER requires.
  5. Withdrawal does not work. There is no permanent cookie settings link, or withdrawing consent does not actually stop the trackers.

After the scan, fix things in this order: first the trackers that load before consent (the most cited breach in the GBA/APD cookie cases), then the equivalent reject button, then the privacy policy and finally the footer details. For a structured walkthrough, follow our step-by-step GDPR website audit for Belgian businesses and the overview of GDPR website obligations for Belgian businesses.


Common questions

What does the free GDPR website check test?

Our scanner tests your cookie banner (including whether rejecting actually works), your privacy policy, tracking scripts, security (SSL, headers), accessibility, image licences and Belgium-specific requirements such as the company number.

Is the scan really free?

Yes. The free scan gives you a score and an overview of the issues found. The full report with detailed findings, screenshots and fix instructions costs €9 as a one-time payment.

How long does the scan take?

The free scan completes in 60 seconds. The full report, which includes a deeper analysis, takes 2-3 minutes.

Which law governs cookies in Belgium?

Cookie consent is governed by Article 10/2 of the Act of 30 July 2018 (the "Kaderwet"), inserted by the Act of 21 December 2021 and in force since 10 January 2022. The GBA/APD supervises it and published a Cookie Checklist in October 2023 setting out its concrete expectations, including an equally prominent reject button on the first layer of the banner.


Scan your website now

Enter your website address and start the free check →

No account needed. No credit card. Results within 60 seconds.


This is technical analysis, not legal advice. Consult a qualified lawyer for specific legal guidance.
