Compliance data protection

Compliance data protection 

Strategic Plan 2026-2028 

“Large-scale data processing with a significant impact on individuals’ rights and freedoms will remain a priority focus for supervisory action.”“Large-scale data processing with a significant impact on individuals’ rights and freedoms will remain a priority focus for supervisory action.”

The Belgian Data Protection Authority (“BDPA”)’s strategic plan provides insight into where Belgian data privacy enforcement and guidance will sharpen over the next three years. The Belgian Data Protection Authority (“BDPA”)’s strategic plan provides insight into where Belgian data privacy enforcement and guidance will sharpen over the next three years.

Two specific areas are highlighted as priorities for supervision:Two specific areas are highlighted as priorities for supervision:

1. large-scale data processing operations, in both the public and private sector, that may entail a high risk to the rights and freedoms of data subjects, with illustrative examples ranging from health data processing and profiling in regulated sectors to advertising technologies and large public databases. These priorities will be further specified through the annual management plans, indicating that enforcement focus may evolve over time. 1. large-scale data processing operations, in both the public and private sector, that may entail a high risk to the rights and freedoms of data subjects, with illustrative examples ranging from health data processing and profiling in regulated sectors to advertising technologies and large public databases. These priorities will be further specified through the annual management plans, indicating that enforcement focus may evolve over time.

2. protection of minors’ personal data, recognising children as a particularly vulnerable group in a digital environment characterised by continuous data collection and analysis. Alongside enforcement, the authority stresses the importance of awareness-raising and empowerment, aiming to ensure that young people develop the necessary reflexes to protect their personal data as future adults.2. protection of minors’ personal data, recognising children as a particularly vulnerable group in a digital environment characterised by continuous data collection and analysis. Alongside enforcement, the authority stresses the importance of awareness-raising and empowerment, aiming to ensure that young people develop the necessary reflexes to protect their personal data as future adults.

While enforcement remains proportionate, the strategic plan underlines that “societally relevant infractions” will be pursued and may lead to corrective measures or fines where appropriate. While enforcement remains proportionate, the strategic plan underlines that “societally relevant infractions” will be pursued and may lead to corrective measures or fines where appropriate.

The BDPA intends to intensify communication, collaboration and guidance efforts with stakeholders, and align more with European guidance (EDPB). The BDPA intends to intensify communication, collaboration and guidance efforts with stakeholders, and align more with European guidance (EDPB).

The plan also situates data protection enforcement within a broader digital regulatory landscape (AI Act, Data Governance Act, Data Act, etc.), reinforcing that privacy compliance is interlinked with other EU digital rules. We already mentioned before that companies should anticipate cumulative compliance obligations across data, AI, cybersecurity and digital markets. The Strategic Plan includes an annex with a brief overview of relevant legislation:The plan also situates data protection enforcement within a broader digital regulatory landscape (AI Act, Data Governance Act, Data Act, etc.), reinforcing that privacy compliance is interlinked with other EU digital rules. We already mentioned before that companies should anticipate cumulative compliance obligations across data, AI, cybersecurity and digital markets. The Strategic Plan includes an annex with a brief overview of relevant legislation:

• AI Act: Risk-based regulation of AI systems

• Data Act: Fair access to and use of data; impacts data sharing, IoT contracts and cloud switching.

• Data Governance Act: Framework for data altruism, data intermediaries and public-sector data reuse.

• Interoperability Regulation: Promotes cross-border and cross-sector data exchange, especially for public services.

• European Health Data Space (EHDS): New rules for access, secondary use and governance of health data.

• Digital Services Act (DSA): Platform obligations on content moderation, transparency and systemic risk.

• Transparency & Targeted Political Advertising Regulation: Enhanced transparency and restrictions on political ad targeting.

• GDPR Procedural Regulation: Harmonised enforcement rules across EU DPAs (cross-border cases, procedures).

• NIS 2: Expanded cybersecurity obligations, governance and incident reporting for essential & important entities.

• Cyber Resilience Act: Mandatory cybersecurity requirements for products with digital elements.

• ETIAS & EES (Entry/Exit System): Large-scale EU databases impacting data protection, security and travel compliance.