The Belgian Data Protection Authority (GBA/APD) has published its new strategic plan for 2026–2028. Normally the DPA works with six-year plans, but because of the fast-moving environment it works in, the DPA decided not to lock itself into a rigid long-term commitment. Instead, the DPA focuses on a few key points in a much shorter document, which will be reevaluated in 2028.
In this blog post, we set out the most important points which might affect your company, and/or you as a data subject!
Proactive enforcement
Besides operational excellence, the DPA mentions the growing EU digital rulebook as the primary driver behind its planned changes.
The DPA notes that most, if not all, of its enforcement is based on complaints (837) and breach notifications (1455) in 2024. As such, the DPA is explicit in its aim to be less reliant on complaints and to initiate more inspections whilst focusing on cases with real societal impact.
For companies active in the focus points of the DPA, this means there is a higher chance of the DPA initiating an inspection into their practices if the DPA suspects something is going wrong.
We noticed that some companies take a ‘prioritise visible GDPR compliance first’ approach, which resulted in a low risk of complaints. Whilst compliance is not something which can be achieved instantly, the DPA’s more proactive stance might impact the prioritisation of companies.
Fast tracking compliance
The DPA notes that even minor disputes undergo a very heavy procedural chain, often taking at least 6 months to be handled. This slows down small disputes and saps resources from bigger disputes and thus the DPA wants to streamline small disputes.
How? In two ways.
- By focusing on mediation for small disputes such as camera disputes, access requests, etc. The idea is that a three-party mediation session to remove data is much more efficient than a full-scale inquiry for the same outcome for the data subject. However, companies not (constructively) engaging in the mediation can expect a fast-track into enforcement.
- When a full-scale inquiry is disproportionate to the (obvious) GDPR breach, the Inspection Service will push for compliance during its inspection.
This will lead to more resources for cases with a larger impact and faster enforcement for minor cases. Businesses can expect a more direct approach to get their practices in line with the GDPR, without intervention from the Inspection Service (unless the breach is very impactful).
Responding to information requests
Another drain on their resources is the requests for information by individuals. In 2024, the DPA handled over 3000 requests, often with delays going up to a year. This model collapses under its own weight and the DPA will rework it going forward:
- Individual requests will not be answered systematically
- Similar requests will be bundled into public FAQs, checklists and guidance documents.
- Reference to their website or other official guidance (like EDPB) will be made
While nobody is helped by an answer provided after a year, not following up on individual requests does raise the threshold for people with specific or even general questions. The DPA will focus on its core task of enforcing the GDPR, and companies are expected to be more self-reliant. On the other hand, companies will have to wait for standardised guidance instead of being able to ask questions. This places the responsibility for legal certainty on the decision makers, supported by the Data Protection Officer and/or an external expert.
Focus points
The Belgian DPA is ambitious and wants to lead on two fronts: large-scale processing and children’s data. The DPA recognises these two themes as having a high impact in the coming years and thus wants to take the lead in the EU.
Large-scale processing
The DPA will focus on large-scale processing with a potentially high risk, in both the public and the private sector, such as (but not limited to):
- Health data in hospitals
- Profiling in banking and insurance
- Registration at restaurants or general practitioners, databases of the tax administration
- AdTech and data brokers
The DPA states that it will further clarify what this focus point means in their yearly plan.
Children’s data
This is a political and strategic choice. Children are framed as a vulnerable group in the digital economy.
Focus areas include:
- social media platforms used by minors,
- profiling and personalisation,
- dark patterns in consent,
- parental oversharing (“sharenting”),
- third-party data flows from kids’ apps and platforms.
Companies with activities in either of these two areas should be aware that the DPA will take a more proactive approach with heightened scrutiny, yet they can also expect more guidance.
Other topics
The DPA also highlights a few other topics:
AI Act Enforcement
They do not expect to become the AI Act market surveillance authority but they do expect to play a role where personal data is at stake.
Hiring freeze
The DPA, which currently has around 90 FTEs, will implement a hiring freeze until 2029 as its funds will not increase. This forces the DPA to work more efficiently and streamline processes, as we are seeing in its strategic plan.
Cooperation
The DPA recognises the need to cooperate with, and participate in, authorities and institutions at local, national and international level, such as the Flemish Supervisory Authority, the EDPB, other regulators such as the Telecom regulator, etc.
Advice on new legislation
The DPA often repeats its advice on new legislation and will thus reduce the amount of concrete advice on normative texts and refer to general guidance instead. For legislation with a high impact, tailored advice will still be provided.
Impact and conclusion
The DPA is aiming for more operational excellence whilst prioritising high-impact work. It expects an increase in workload and recognises that its current way of working slows it down. Additionally, it wants to focus more resources on high-impact cases whilst also increasing its effectiveness in smaller, clear-cut cases by focusing on mediation.
In general, we foresee:
- More guidance, especially on large-scale processing and the processing of minors’ data.
- Fewer full investigations but more mediation
- This could result in no fines, but a forced remediation
- Less direct contact with the DPA and thus more self-reliance
- More complexity for the enforcement of the Digital Law Package, specifically the AI Act when it comes to personal data
How can you prepare for this renewed DPA?
- Expand on data governance structures so you can more easily adapt to mediation agreements, since these will be reached much faster than the time it takes to reach a full decision.
- Build further on self-reliance, since asking questions directly will be largely ineffective.
- Expect a more proactive approach: superficial GDPR compliance to avoid complaints will no longer suffice to avoid investigations.
- For companies operating in large-scale processing such as AdTech, data brokers, insurance, etc., or with minors’ data, expect heightened scrutiny and a much more active DPA. This continues the trend of the Belgian DPA, so ensure you have your ducks in a row.