GDPR & Websites in Belgium: The Complete Compliance Guide (2026)

#Why GDPR applies to every Belgian website

Whether you are an SME with five employees or a sole trader, the moment your site has a contact form you are processing personal data. GDPR applies. There is no SME exemption.

#Penalties: what Article 83 of GDPR says

GDPR fines come in two tiers:

• Up to €10 million or 2% of global annual turnover (whichever is higher) for administrative breaches (records, security, breach notification).
• Up to €20 million or 4% of global annual turnover for breaches of core principles (legal basis, consent, data subject rights, transfers outside the EU).

#The 6 core principles (Article 5)

Article 5 sets the foundation. Every processing activity on your site must comply with:

1. Lawfulness, fairness, transparency — the user knows what you do with their data.
2. Purpose limitation — data collected for X is not reused for Y.
3. Data minimisation — collect only what is necessary.
4. Accuracy — data must be up to date; users must be able to correct it.
5. Storage limitation — you don't keep data forever.
6. Integrity and confidentiality — technical security (HTTPS, strong passwords, restricted access).

#Legal bases: what gives you the right to process?

#Cookies: what the Belgian DPA's Recommendation 01/2023 requires

#What your cookie banner must do

• Ask for prior consent: non-essential cookies are not dropped before user action.
• Refusing must be as easy as accepting: a "Reject all" button at the same visual level as "Accept all". An "Accept" button alone, or a "Reject" buried under three menus, is not valid consent.
• No pre-ticked boxes (CJEU Planet49 ruling, C-673/17).
• Granularity: allow consent per category (analytics, marketing, etc.).
• Continued browsing ≠ consent.
• Withdrawal must be as easy as giving consent.
• Consent storage: 6 to 13 months maximum is the recommended window before re-asking.

#Cookies allowed without consent

• Session cookies, cart, authentication
• Language preference (when actively chosen by the user)
• Anti-fraud security cookies

#Mandatory information on your site

#1. Privacy policy

• Identity and contact details of the controller
• DPO contact details if appointed
• Purposes and legal basis
• Legitimate interests pursued, if relied upon
• Recipients of the data (processors: hosting, CRM, email, etc.)
• Transfers outside the EU and safeguards
• Retention period or criteria
• Data subject rights: access, rectification, erasure, restriction, portability, objection
• Right to withdraw consent at any time
• Right to lodge a complaint with the DPA
• Whether providing data is mandatory or optional
• Existence of automated decision-making (profiling)

#2. Legal notice (mentions légales)

• Name / company name
• Geographic address (registered office, not a P.O. box)
• Email and phone number
• Company number (BCE / VAT)
• Competent commercial register (RPM)
• For regulated professions: order, supervisory authority, applicable rules

#3. T&Cs for e-commerce

#User rights (Articles 15–22)

Every visitor whose data you hold can exercise:

#DPO (Data Protection Officer): who needs one?

1. You are a public authority or body.
2. Your core activities involve regular and systematic monitoring at a large scale.
3. Your core activities involve large-scale processing of sensitive data.

#Records of processing activities (Article 30)

It must include, per processing activity:

• Controller's name and contact details (and DPO if applicable)
• Purposes
• Categories of subjects and data
• Categories of recipients
• Transfers outside the EU
• Retention periods
• Description of security measures

#Processors: a contract (Article 28) is mandatory

• Hosting (OVH, Combell, Vercel…)
• Email platform (Mailchimp, Brevo, ActiveCampaign)
• CRM (HubSpot, Pipedrive)
• Analytics (Google Analytics, Plausible, Matomo)
• E-commerce platform (Shopify, hosted WooCommerce)

#Transfers outside the EU: the sensitive topic

For each tool, check:

• Is the vendor DPF-certified (lookup: dataprivacyframework.gov)?
• Otherwise, are Standard Contractual Clauses (SCCs) signed and supplemented by a Transfer Impact Assessment (TIA)?
• Is EU-region storage available (often in Enterprise plans)?

#Data breach notification (Article 33)

#Compliance checklist: 12 actionable items

For a typical SME / freelancer site, the essentials:

1. ✅ HTTPS active on the entire site (valid SSL)
2. ✅ Privacy policy complete and aligned with Article 13
3. ✅ Legal notice compliant with the CDE
4. ✅ Cookie banner with "Reject all" at the same visual level as "Accept all"
5. ✅ No non-essential cookies before consent
6. ✅ No pre-ticked boxes on forms (newsletter, etc.)
7. ✅ Right to object mentioned on every marketing email (1-click unsubscribe)
8. ✅ Records of processing kept up to date
9. ✅ DPAs signed with each processor
10. ✅ Documented process to respond to data subject requests within 1 month
11. ✅ Documented security measures (strong passwords, MFA, backups, logging)
12. ✅ Breach notification procedure ready (who to contact, in what timeframe)

#Common mistakes flagged by the Belgian DPA

Based on public DPA decisions in recent years, the recurring shortcomings are:

• Non-compliant cookie banner ("Accept" more prominent than "Reject", or no reject button)
• Cookies dropped before consent (notably Google Analytics, Meta Pixel)
• Failure to respond to access requests or responses past the 1-month deadline
• Generic privacy policy copied from another site, missing required mentions
• Newsletter without active opt-in
• No DPA signed with main processors
• Indefinite retention of leads in the CRM

#How much does compliance cost for an SME site?

For a Belgian SME's brochure or e-commerce site, in 2026:

• Initial GDPR audit by a specialist consultant: €800 – €2,500
• Consent Management Platform (CMP): €0 – €100/month (Cookiebot, Axeptio, Didomi, or open-source like Klaro)
• Drafting of legal notices by a lawyer: €400 – €1,200
• External DPO (if required): €150 – €600/month

#FAQ

#My site only has a contact form — am I really concerned?

Yes. The moment a name and email are collected, you process personal data. A privacy policy, legal notice and basic security are mandatory.

#Is Google Analytics banned in Belgium?

#Does my SME need a DPO?

In most cases, no. A DPO is mandatory only for public authorities and companies whose core activities involve large-scale monitoring or sensitive data. Appointing an internal point of contact is still good practice.

#Can I copy the privacy policy of another site?

#How long can I keep leads from a contact form?

#What if I receive a complaint from the Belgian DPA?

The takeaway: GDPR compliance is not a project you "finish". It's an ongoing process of documentation, processor reviews and improvement. But 80% of the value comes from a few weeks of structured work — one of the best investments a Belgian SME can make, both for regulatory risk and customer trust.