Last reviewed: January 2025

☒         omnibus – all personal data

☒         sector-specific — e.g., financial institutions, governmental bodies

Telecoms and electronic communications data, CCTV systems, consumer credit, national registry number, processing by tax and law enforcement authorities, cookies, direct marketing, education, adtech, employee personal data, financial data, whistleblowing, private investigations

☒         constitutional

Last reviewed: January 2025

Please note that this Chapter focuses solely on specific local laws and regulations. Please refer to the EU Chapter of the Global Data & Cyber Handbook for detailed information regarding EU-wide data privacy and other data-related legislation that are also applicable in Belgium, such as the GDPR, EU AI Act, etc.

• Constitution: available in French here and in Dutch here
• Criminal Code: available in French here and in Dutch here
• Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data: available in French here and in Dutch here
• Act of 3 December 2017 on the creation of the Belgian Data Protection Authority: available in French here and in Dutch here
• Act of 8 August 1983 organizing a National Registry for natural persons: available in French here and in Dutch here
• Belgian Economic Law Code of 28 February 2013: available in French here and in Dutch here
• Belgian Act of 3 August 2012 laying down various provisions as regards the processing of personal data carried out by the Federal Public Service Finance within the framework of its missions (as amended by the Act of 5 September 2018): available in French here and in Dutch here
• Belgian Act of 21 March 2007 regarding the installation of surveillance camera, as amended by the Act of 21 March 2018: available in French here and in Dutch here
• Act of 5 September 2018 establishing the information security committee and amending various acts regarding the implementation of Regulation (EU) 2016/679: available in French here and in Dutch here
• Act of 13 June 2005 on Electronic Communications (as amended): available in French here and in Dutch here
• Act of 13 December 2006 containing various health provisions, as amended by the Act of 5 September 2018: available in French here and in Dutch here
• Act of 9 May 2019 modifying the Act of 2 October 2017 regulating private and particular security concerning the processing of personal data: available in French here and in Dutch here
• Act of 18 May 2024 regulating private investigations (“Private Investigation Act”): available in French here and in Dutch here;
• Flemish Decree of 8 June 2018 adjusting decrees to the Regulation (UE) 2016/679 (GDPR): available in French here and in Dutch here
• Decree of 25 January 2019 of the Flemish Government adjusting the decrees of the Flemish Government to Regulation (UE) 2016/679 (GDPR): available in French here and in Dutch here
• Decree of 23 November 2018 of the Flemish Government relating to data protection officers referred to under Article 9 of the Decree of 18 July 2018 relating to the electronic exchange of administrative data: available in French here; available in Dutch here
• Royal Decree of 3 February 2019 on the implementation of the Act of 25 December 2016 on the processing of passenger data, including the obligations for bus carriers: available in French here and in Dutch here
• Royal Decree of 3 February 2019 on the implementation of the Act of 25 December 2016 on the processing of passenger data, including the obligations for HST ("High Speed Train") carriers and HST ticket machines: available in French here and in Dutch here
• Royal Decree of 6 December 2018 determining the places where the controller can direct his surveillance cameras towards the perimeter directly surrounding the site, keep the images of the surveillance cameras for three months and give real-time access to the images to the police services: available in French here and in Dutch here
• Royal Decree of 8 May 2018 on declarations of installation and use of surveillance cameras and on the register of activities for the processing of images from surveillance cameras: available in French here and in Dutch here
• Royal decree of 4 April 2003 regulating advertising by electronic mail: available in French here and in Dutch here

Last reviewed: January 2025

Please note that this Chapter focuses solely on specific local laws and regulations. Please refer to the EU Chapter of the Global Data & Cyber Handbook for detailed information regarding EU-wide cybersecurity and other data-related legislation, also applicable in Belgium such as the Cybersecurity Act, DORA, the NIS 2 Directive, etc.

• Belgian Criminal Code, as amended by the Act of 28 November 2000 on Cybercrime and the Act of 15 May 2006 on Cybercrime, in particular Article 210bis on computer-related forgery, Articles 259bis and 314bis on interception of electronic communications, Article 504quater on computer-related fraud, Article 550bis on illegal access (hacking), and Article 550ter on computer sabotage: available in French here and in Dutch here
• Act of 1 July 2011 on the security and protection of critical infrastructures ("Critical Infrastructures Act"): available in French here and in Dutch here, implementing the Critical Infrastructures Directive (Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection available here)
• Act of 11 December 1998 on classification, security clearances, security certificates and security advice ("Classification Act"): available in French here and in Dutch here
• Belgian Act of 11 March 2018 on the statute and supervision of payment institutions and electronic money institutions, access to the business of payment service providers and to the activity of issuing electronic money, and access to payment systems ("PSD2 Act"): available in French here and in Dutch here; implementing the Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market available here ("PSD2 Directive")
• Act of 20 July 2022 on cybersecurity certification of information and communication technologies and designating a national cybersecurity certification authority: available in French here and in Dutch here
• Act of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security ("Belgian NIS 2 Act"): available in French here and in Dutch here
• Royal Decree of 9 June 2024 executing the Act of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security ("NIS 2 Royal Decree"): available in French here and in Dutch hereRoyal Decree of 25 May 2024 seeking to transpose some provisions of Directive 2022/2556 of the European Parliament and of the Council of 14 December 2022 amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience for the financial sector: available in French here and in Dutch here

Last review date: January 2025

Please note that this Chapter focuses solely on specific local laws and regulations. Please refer to the EU Chapter of the Global Data & Cyber Handbook for detailed information regarding EU-wide legislation relating to non-personal data, also applicable in Belgium such as the Regulation on the free flow of personal data, the Data Governance Act, Data Act, etc.

• Act of 15 May 2024 implementing Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending (EU) regulation 2018/1724 : available in French here and in Dutch here
• Royal Decree of 1 October 2024 implementing the Act of 15 May 2024 implementing Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending (EU) regulation 2018/1724: available in French here and in Dutch here
• Belgian Economic Law Code of 28 February 2013: available in French here and in Dutch here
• Act of 14 March 2023 relating to the institution and organisation of the Health Data Agency: available in French here and in Dutch here
• lemish Decree of 23 June 2023 amending the Decree of 18 July 2008 on the electronic exchange of administrative data, the Decree of 13 July 2012 on the creation and organisation of a Flemish service integrator, the Governance Decree of 7 December 2018 and the Decree of 2 December 2022 authorising the creation of the external autonomous agency under private law Flemish Public Data Service ("Vlaams Datanutsbedrijf") in the form of a public limited company, in order to strengthen the framework for the digital exchange of data: available in French here and in Dutch here
• Act of 21 April 2024 implementing Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a single market for digital services and amending Directive 2000/31/EC, amending Books XII and XV of the Code of Economic Law and amending the Law of 17 January 2003 on the status of the regulator of the Belgian postal and telecommunications sectors: available in French here and in Dutch here

Last reviewed: January 2025

Yes.

Directive (EU) 2022/2557 of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (“CER”) is expected to be implemented into Belgian law in the course of 2025. According to the latest information at our disposal, the draft implementing Act is in the process of being transmitted to the Belgian Parliament for discussion and vote.