BELGIUM: An Introduction to TMT: Data Protection

In 2024, Belgium witnessed several significant developments in the field of data protection law, reflecting both domestic regulatory evolution and broader EU initiatives. They underscore a growing emphasis on transparency, accountability and digital resilience. Below is a high-level overview of some impactful updates and trends shaping the Belgian data protection landscape between 2024 and 2025.

IAB Europe: Belgium Makes Its Mark on the Online Advertising Industry

In 2024, the CJEU delivered a landmark judgment following a request for a preliminary ruling from the Belgian Markets Court in the case between Interactive Advertising Bureau (IAB) Europe and the Belgian Data Protection Authority (DPA). On 14 May 2025, the Markets Court issued its decision, guided by the CJEU’s ruling.

The case revolves around the Transparency and Consent Framework (TCF), a consent management system developed by IAB Europe in the context of targeted advertising. When someone visits a website that has implemented the TCF, they are prompted to accept or reject data processing via a cookie banner. The user’s preferences are stored as a character string (the “TC String”), which is shared with advertising partners to determine whether they can display targeted ads. In 2019, the DPA received a series of complaints regarding the TCF’s General Data Protection Regulation (GDPR) compliance.

In 2022, the DPA concluded that the TCF was not GDPR-compliant. It held that the TC String constitutes personal data, and that IAB Europe should be regarded as a joint controller both for processing related to the collection and distribution of users’ consent, preferences and objections and for the subsequent processing based on information encoded in the TC String (eg, for personalised advertising).

IAB Europe appealed the decision with the Markets Court, which referred two questions to the CJEU:

• does the TC String constitute personal data?; and
• can IAB Europe be considered a (joint) controller for the processing of the TC String alongside its members, even if it does not itself have access to the data processed – and if so, does this joint controllership automatically extend to subsequent processing by third parties?

The CJEU confirmed both points, as follows.

• The TC String – as a structured sequence of characters representing a user’s preferences – may be personal data if the user can be indirectly identified through reasonable means (it is not necessary for a single entity to hold all the elements required to identify the individual).
• IAB Europe can be qualified as a joint controller if it plays a crucial role in determining the purposes and means of the data processing via the TCF. Joint controllership does not necessitate that each party has direct access to the personal data. However, should joint controllership be established, it does not automatically extend to subsequent data processing.

While the Markets Court confirmed several key findings of the DPA, it ultimately annulled the DPA’s 2022 decision on procedural grounds.

Central to the Market Court’s ruling was the affirmation that the TC String constitutes personal data under the GDPR, based on the idea that IAB Europe had access to information reasonably likely to allow the identification of natural persons, directly or indirectly.

The Markets Court also determined that IAB Europe acted as a joint controller for the processing of user preferences through the TC String, as it played a decisive role regarding this personal data: it imposed binding obligations on TCF participants and effectively shaped how data was processed across the ecosystem. The shared purpose – to capture and transmit user preferences in a standardised way – was deemed sufficient in this respect. However, the Markets Court drew a clear line when it came to further processing, considering that IAB Europe was not a joint controller for such processing.

New Direct Marketing Recommendation

Direct marketing remains a key topic, featuring prominently in the DPA’s decisions. In March 2025, the DPA launched a public consultation on its direct marketing recommendation, reflecting recent developments in case law, regulatory decisions and guidance from the European Data Protection Board (EDPB).

The aim was not to introduce a fundamental shift in the DPA’s position regarding direct marketing, but rather to clarify the rights and obligations of the parties involved. A revised definition of direct marketing now covers any “set of activities resulting in direct communication to one or more identified or identifiable individuals, containing promotional content”.

The DPA elaborates on the legal bases available for data processing in the context of direct marketing. Two legal bases may generally be relied upon (under conditions): consent and legitimate interests. With respect to consent, the DPA rejects certain controversial practices – most notably “consent or pay” models – which have been the subject of discussions in recent years. As for legitimate interests, one of the key considerations is whether the data subject can reasonably expect to receive direct marketing from the controller. While this question is relatively straightforward when it comes to existing customers, the situation is more complex for prospects. In all cases, transparency is key, and the balancing test must be properly performed.

The updated recommendation also addresses data retention. The DPA reiterates that retention periods may be assessed by considering the nature of the relationship between the controller and the data subject, as well as the lifecycle of the relevant product or service. However, once consent is withdrawn or an objection is raised, data must be promptly deleted.

The DPA further emphasises that, when a request is ambiguously worded – such that the controller cannot determine its exact scope – or when the data subject has not correctly identified the right they wish to exercise, the controller has to seek clarification and ensure the request is properly understood and addressed.

Finally, the draft recommendation includes two practical annexes that provide guidance on Articles 13.1 and 13.2 of the ePrivacy Directive and their transposition into Belgian law, as well as their interplay with the GDPR, and practical information on telemarketing.

None of Your Business (NOYB) Complaints Rejected

In Decision 112/2024, the DPA dismissed a complaint filed by NOYB on the grounds that the organisation lacked a valid mandate under Article 80(1) of the GDPR to represent the complainant.

The complaint filed by NOYB pursuant to Article 80(1) of the GDPR concerned the alleged unlawful transfer of personal data from a Belgian website to the USA. At the heart of the decision was the issue of whether NOYB held a proper and authentic mandate from the complainant, who was an intern employed by NOYB at the time the complaint was filed.

The investigation revealed that NOYB had filed the complaint as part of a broader “test case” strategy, actively recruiting individuals, including interns and employees, to act as data subjects in co-ordinated complaints. This practice raised concerns regarding the complainants’ autonomy and genuine interest.

The mandate given to NOYB was found to be unclear, insufficiently detailed and ultimately invalid in light of the strict requirements of Article 80(1) of the GDPR (ie, that data subjects must voluntarily and independently empower an organisation to represent them). Furthermore, while Article 80(2) of the GDPR allows organisations to file complaints without a mandate, Belgian law has not implemented this possibility. Consequently, NOYB could not rely on Article 80(2) to justify its autonomous action.

This decision confirms the importance of ensuring that mandates under Article 80(1) of the GDPR reflect a true and autonomous choice of the data subject, rather than serving as vehicles for organisational or political agendas.

It is worth noting that, following this decision, the DPA issued several other rulings in which NOYB’s representative mandate was again assessed. However, in these cases, the DPA did not reject the complaints on the grounds of a fictitious mandate, clarifying that it will intervene only when there is concrete and demonstrable evidence of a fictitious mandate or an abuse of procedural rights.

Revision of the DPA's Composition and Procedural Rules

In June 2024, an amended Organic Law of the DPA came into effect. The DPA also issued new internal procedural rules. Changes were made to the DPA’s internal organisation, composition and functioning.

The DPA has been reorganised around six bodies: the Management Committee, the General Secretariat, the Frontline Service, the Authorisation and Advisory Service (which replaces the Knowledge Centre and has an expanded ethical mandate), the Inspection Service and the Litigation Chamber. Each is headed by a different member of the Management Committee.

One notable change concerns the Frontline Service, which is now empowered to proactively engage in mediation. This will enable the handling of simpler cases without escalation, easing overall workload.

The Litigation Chamber’s procedure has also been adapted to ensure greater legal certainty and efficiency. As of April 2025, it will operate under a single president – a magistrate – marking a shift towards more centralised, and potentially more streamlined, case handling.

Another major innovation is the creation of a pool of external, multidisciplinary experts who will assist the DPA starting May 2025. Their role is to provide complementary technical or ethical expertise on complex matters. However, they will neither represent the DPA nor participate in its deliberations.

Last, the Management Committee has an enhanced steering role: it now co-ordinates the prioritisation of cases, internal policy development and synergies between services. The goal is to establish more coherent and responsive governance, while maintaining a balance between specialisation and cross-functionality.