Belgian data watchdog targets adtech with sweeping enforcement strategy

The Belgian Data Protection Authority published its 2026-2028 strategic framework following public consultation in November 2025, establishing two priority themes for enforcement. The first targets large-scale data processing operations presenting high risks to citizen rights and freedoms. The second focuses exclusively on processing minors' personal data.

These priorities signal intensified scrutiny for advertising technology companies, programmatic platforms, and data brokers operating across European markets. The strategic document identifies advertising technology processing, cross-border data sharing among data brokers, and large-scale profiling systems as examples falling within enforcement scope.

The authority manages oversight of data protection enforcement in Belgium alongside four other specialized directorates handling initial complaints, legislative advisory functions, and general administration. The contentious chamber issues binding decisions including administrative fines for GDPR violations.

Complaint volumes increased 20% from 694 in 2023 to 837 in 2024. Data breach notifications rose from 1,292 to 1,455 during the same period. Inspection cases jumped from 86 to 157 year-over-year. The litigation chamber maintained steady output at 173 decisions in 2024 compared to 171 in 2023.

Budget constraints compound rising caseloads. Belgium's parliamentary accounting commission recently froze recruitment credits for personnel expansion through 2029. The authority employs approximately 90 staff members supported by 18 external specialists from an expert reserve established to supplement internal capabilities.

Prioritization becomes essential under these resource limitations. The strategic plan establishes frameworks for allocating enforcement capacity toward cases with significant societal impact rather than attempting comprehensive investigation of every violation.

The authority restructures complaint handling through expanded mediation conducted by its frontline service. This approach resolves straightforward disputes without formal enforcement proceedings when possible. Cases failing mediation advance to investigation or direct adjudication depending on complexity and impact assessments.

Traditional complaint processing involved sequential review by frontline intake, investigative services, and the litigation chamber for most cases. The reformed workflow enables frontline staff to close matters through settlement or forward cases directly to adjudication when investigation adds minimal value.

Investigation reports will concentrate on factual violation findings rather than legal analysis. This division of responsibility allows investigators to focus on evidence gathering using statutory powers while the litigation chamber handles legal interpretation and sanction determinations.

Information requests receive differentiated treatment under the new framework. The authority acknowledges legal obligations do not require individual responses to every inquiry submitted by citizens and data processors. Resources shift toward comprehensive guidance materials, thematic publications, and targeted sector outreach rather than personalized advice.

The reallocation creates capacity for proactive enforcement less dependent on reactive complaint-driven investigations. Complaint-driven models limit authority initiative in identifying systemic violations or emerging compliance risks requiring regulatory attention before citizen complaints accumulate.

Cross-border cooperation intensifies through bilateral arrangements with other member state authorities and coordinated activities through the European Data Protection Board. Belgium's authority commits staff from all five directorates to EDPB participation rather than limiting engagement to specific units.

The Transparency and Consent Framework faced enforcement from Belgian authorities in 2022, with IAB Europe fined €250,000 for GDPR violations related to consent string processing. Belgian courts subsequently limited IAB Europe's joint controllership responsibilities while maintaining violation findings.

Legislative advisory functions shift toward selective detailed analysis for regulations presenting significant interference with fundamental rights or enabling substantial improvements through technical recommendations. Standardized guidance accompanies other regulatory consultations rather than customized opinions for each submission.

The authority projects receiving expanded responsibilities under European regulatory developments including the AI Act, Data Act, European Health Data Space regulation, and Digital Services Act. National implementation of these frameworks will determine specific Belgian DPA roles beyond baseline GDPR enforcement.

AI Act implementation involves regulatory sandbox development and potential market surveillance responsibilities for high-risk systems. The authority maintains GDPR enforcement authority for AI system development and deployment regardless of market surveillance assignments.

Data Act provisions establish notification requirements and supervision mandates for the Belgian DPA. Data Governance Act national implementation involves collaboration between economic affairs authorities and data protection oversight. NIS 2 directive transposition assigns additional coercive functions related to cybersecurity breaches.

Advisory opinions concentrate on normative texts establishing data processing frameworks rather than individual processing operations. The authority strengthens its consultative relationship with legislators to shape future mandates enabling effective prioritization rather than accepting all assignments regardless of feasibility.

Authorization decisions receive enhanced technical expertise allocation. The cybersecurity domain particularly requires rapid turnaround as public authorities cannot proceed with processing operations pending approval or rejection determinations.

Data breach notification handling implements stronger prioritization filters. New case management systems enable automated processing for low-impact incidents while concentrating analytical resources on breaches presenting significant societal consequences.

Codes of conduct receive strict utility assessments before Belgian DPA investment. Industry frameworks must demonstrate concrete compliance improvements beyond restating GDPR requirements. The authority may proactively engage sectors where codes would address specific processing challenges.

European Data Protection Board guideline development receives preference over national-only positions. Belgian DPA enhances EDPB participation to influence shared standards applicable across member states rather than maintaining isolated national interpretations.

Cookie consent mechanisms have drawn repeated Belgian enforcement against media companies. Mediahuis faced corrective orders in September 2024 for consent interface violations including inadequate reject options and misleading design elements. Similar proceedings advanced against DPG Media in February 2025 following noyb complaints about cookie practices.

Cooperation protocols establish formal relationships with Belgium's competition authority regarding Digital Markets Act enforcement and accreditation bodies for certification schemes. Digital Services Act and Data Act implementation will formalize collaboration with telecommunications regulators.

Federal data protection supervisor coordination continues through existing mechanisms. Regional authority cooperation remains contingent on GDPR compliance by regional entities and legislative framework completion by competent regional lawmakers.

Stakeholder engagement expands through sustained relationships with industry sectors, civil society organizations, and data protection officers. The authority considers DPOs priority audiences given their organizational influence over compliance practices.

The shift toward large-scale processing enforcement affects hospital health data systems, banking and insurance profiling operations, reservation platforms, general practitioner record systems, tax databases, advertising technology infrastructures, and data broker networks according to strategic document examples.

Minor data processing receives dedicated attention reflecting vulnerability concerns in digital environments. Young people experience continuous data collection, sharing, and analysis often without comprehension of implications. The authority frames current protection efforts as empowerment enabling future generations to develop appropriate data protection reflexes.

Balanced protection acknowledges data protection rights require weighing against other fundamental rights and legitimate economic or social interests. The authority rejects absolutist interpretations while maintaining that protection prevents discrimination, exclusion, identity fraud, and psychological or physical harm.

Transparent operations involve public disclosure of priorities, positions, and resource utilization. The strategic plan itself demonstrates commitment to external accountability regarding objective setting and implementation approaches.

Independent authority values remain paramount. The constitution and GDPR prohibit external influence or instruction acceptance during mission execution and power exercise. No Belgian DPA decisions reflect political pressure or industry lobbying according to organizational values.

Proactive orientation involves continuous analysis, anticipation, and strategic planning regarding technological and regulatory developments. Enhanced prioritization creates capacity for forward-looking enforcement rather than purely reactive complaint processing.

Expertise positioning establishes the authority as Belgium's data protection knowledge center serving citizens, data protection officers, organizations, media, policymakers, and legislators through diverse communication channels.

Efficiency maximizes limited resource impact through clear prioritization, targeted work approaches, transparent structures, defined processes, and logical role distributions across the five directorates.

Evaluation occurs at plan conclusion in late 2028 with potential orientation updates based on implementation experience and changed circumstances.

Timeline

• January 2022: Telecom company receives €100,000 fine for 14-month delay responding to data access request
• February 2022: TCF deemed non-compliant with GDPR Article 6, IAB Europe fined €250,000
• September 2024: Mediahuis faces strict measures for cookie consent violations on news websites
• February 2025: DPG Media case proceeds on cookie practice complaints
• November 2025: Public consultation conducted on strategic plan
• December 17, 2025: Brussels court overturns data fine in direct marketing ruling, clarifying legitimate interest requirements
• December 23, 2025: Belgian DPA publishes 2026-2028 strategic plan

Summary

Who: Belgium's Data Protection Authority, employing approximately 90 staff across five directorates (Frontline Service, Inspection Service, Litigation Chamber, Authorization and Advisory Service, General Secretariat) supported by 18 external experts, operating under a management committee directing strategic policy and coordinating cross-directorate activities.

What: A strategic framework establishing prioritization and collaboration as fundamental principles for 2026-2028, targeting large-scale data processing presenting high risks to rights and freedoms plus minors' personal data processing, while restructuring complaint handling through expanded mediation, selective investigation, differentiated information responses, and enhanced cross-border cooperation amid recruitment freezes limiting personnel expansion.

When: Published December 23, 2025, following November 2025 public consultation, covering implementation period from 2026 through 2028, with evaluation and potential updates scheduled for late 2028, operating under recruitment constraints extending through 2029 per parliamentary accounting commission decision.

Where: Belgium, exercising jurisdiction over data controllers and processors operating within Belgian territory or targeting Belgian data subjects, participating in European Data Protection Board activities affecting cross-border enforcement coordination, and establishing cooperation protocols with Belgian competition authorities, accreditation bodies, telecommunications regulators, and fellow federal and regional supervisory bodies.

Why: Rising caseloads including 837 complaints in 2024 (up 20% from 2023), 1,455 data breach notifications, 157 inspection cases, and 173 litigation decisions combined with frozen recruitment budgets necessitate strategic prioritization enabling maximum societal impact from limited resources while adapting to expanding responsibilities under AI Act, Data Act, European Health Data Space, Digital Services Act implementation requiring sustainable enforcement approaches balancing reactive complaint processing against proactive risk-based supervision.