EU Regulation 2016/679 - Decision Register

SUPERVISORY AUTHORITY PROFILE / BELGIAN APD

Belgian APD GDPR Fines, Enforcement Record & IAB Europe Case

Belgium's data protection authority is the regulator behind the IAB Europe Transparency and Consent Framework decision, the most significant ruling on programmatic-advertising consent architecture in EU history.

Cumulative fines: ~€5M+
Notable fine: €250k (IAB Europe TCF)
CJEU referral: C-604/22 (TCF)
Structure: 5 Directors + President
Active since: 1992 (as APD since 2018)

EDUCATIONAL ONLY

This page is a reference summary of a published regulator decision. It is not legal advice. Consult a qualified data protection lawyer for advice on your specific situation. The UK GDPR is a separate regime from the EU GDPR following Brexit. Always read the source decision in full before relying on any figure or quote.

PROFILE

Mandate and constitution

The Belgian Autorité de Protection des Données / Gegevensbeschermingsautoriteit (APD/GBA) was established in its current form by the Loi du 3 décembre 2017 portant création de l'Autorité de protection des données, replacing the earlier Commission de la Protection de la Vie Privée. The current structure took effect alongside the GDPR application date of 25 May 2018. The APD is designated as the Belgian supervisory authority under Article 51 GDPR for the territory of Belgium and as lead authority under Article 56 for any controller with its main EU establishment in Belgium.

The APD has a notably structured internal architecture, with five distinct services: Frontline (complaint reception and informal resolution), Investigation (formal inquiries), Litigation (sanctioning chamber), Knowledge (guidance and opinions) and Executive Secretariat. Each service is led by a Director. The structure separates investigation from sanctioning to ensure procedural independence, mirroring the institutional separation in the French CNIL and satisfying ECHR Article 6 requirements on procedural fairness.

The IAB Europe TCF case in detail

The Interactive Advertising Bureau Europe (IAB Europe) Transparency and Consent Framework (TCF) is the technical standard used by the vast majority of European publishers and ad-tech vendors to collect and transmit user consent choices for cookie placement, programmatic-advertising bid request inclusion, and related processing. The framework defines the user-facing consent management platform (CMP) interfaces, a standardised set of purposes (corresponding to processing operations), and a binary encoded string (the TC String) that captures the user's choices and travels with bid requests through the real-time bidding chain.

A coalition of complainants including data-protection NGOs and academic researchers argued that the TCF infringed the GDPR in several material respects: the TC String is personal data, IAB Europe is a controller for the processing of the TC String, the consent claims encoded in the framework were not validly obtained, the legitimate-interests basis claimed for many processing purposes was not properly assessed, and the security and integrity of the TC String were inadequate. The APD opened an investigation and on 2 February 2022 adopted Decision 21/2022 finding multiple GDPR infringements, imposing a €250,000 fine on IAB Europe and ordering the framework to be brought into compliance within six months.

IAB Europe appealed to the Belgian Market Court (Cour des marchés / Marktenhof). The Market Court referred several preliminary questions to the Court of Justice of the European Union, registered as Case C-604/22 IAB Europe. On 7 March 2024, the Court delivered its judgment. The two key holdings are that the TC String constitutes personal data within the meaning of Article 4(1) GDPR (because it can be linked to an identifiable individual through other available data), and that IAB Europe acts as a joint controller with the framework participants (publishers, ad-tech vendors, advertisers) for the processing of the TC String.

The joint-controllership finding is doctrinally important well beyond IAB Europe. It establishes that a technical standard-setter whose standard involves the processing of personal data can be a joint controller with the standard's participants, even where the standard-setter does not itself process the data. The implications for industry-standard organisations across other sectors (financial messaging, healthcare data exchange, telecoms signalling) are substantial.

Other Belgian decisions

Beyond the TCF case, the APD's enforcement record covers a typical range of national matters. The Proximus (Belgian incumbent telecom) decisions address breach-notification timeliness and customer-data security. Decisions against the Belgian public broadcaster RTBF address marketing consent and newsletter unsubscribe obligations. A 2022 decision against an unnamed political party addressed the unlawful processing of voter data. Multiple decisions against small businesses address direct-marketing and cookie matters under the Belgian implementation of ePrivacy.

The APD also handles complaints concerning processing by EU institutions (European Commission, Council, Parliament secretariats) where they involve Belgian residents, even though the lead supervisory authority for EU institutions is the European Data Protection Supervisor (EDPS) rather than the national DPA. The Brussels-headquartered EU institutional cluster gives the APD an unusual degree of cross-institutional engagement.

Recent enforcement trends

The APD's 2024-2026 enforcement priorities include continued IAB Europe TCF compliance verification (post-CJEU), AI-system processing (including generative AI), connected vehicles, the intersection of the Belgian application of the EU AI Act with the GDPR, and the perennial cookie/ePrivacy enforcement. The APD has issued joint statements with the EDPB on programmatic-advertising compliance, drawing on the TCF case as the operational reference for industry-wide practice.

FREQUENTLY ASKED

About the Belgian APD

What is the IAB Europe TCF decision?

On 2 February 2022, the Belgian APD ruled that the Interactive Advertising Bureau Europe's Transparency and Consent Framework (TCF), the technical standard used by most European publishers and ad-tech vendors to collect cookie/RTB consent, was non-compliant in several material respects. The APD found that IAB Europe acted as a controller for the personal data processed within the framework (specifically the TC String, the encoded representation of user consent choices), and that the framework's architecture did not satisfy GDPR requirements on lawful basis, transparency and security.

What did the APD order IAB Europe to do?

The APD imposed a €250,000 fine and ordered IAB Europe to bring the TCF into compliance within six months. The required changes included clearer disclosure of the controllership relationships, additional technical and organisational measures around the TC String, and revision of certain legal-basis claims within the framework. IAB Europe appealed to the Belgian Market Court, which referred several preliminary questions to the Court of Justice (Case C-604/22).

What did the CJEU decide in C-604/22?

In March 2024, the Court of Justice ruled that the TC String constitutes personal data within the meaning of Article 4(1) GDPR, and that IAB Europe acts as a joint controller with the framework participants for the processing of the TC String. The judgment is the leading authority on the controllership status of technical standard-setters whose standards involve the processing of personal data.

Where does the case stand now?

Following the CJEU ruling, the Belgian Market Court resumed the substantive proceedings. IAB Europe published a revised TCF (version 2.2, with further updates) implementing the changes required by the APD. As of April 2026, the case is at the implementation-verification stage with the APD and Market Court.

What other notable Belgian decisions exist?

The APD has issued decisions on Google in connection with right-to-be-forgotten requests, on Proximus (the Belgian telecom) for breach-notification timeliness, on the Belgian public broadcaster RTBF for inadequate consent in marketing, and on several smaller Belgian controllers across the consent, transparency and security dimensions. The APD also handles complaints concerning EU-institution processing, as Brussels hosts the European Commission, Council and Parliament secretariats.

Who heads the Belgian APD?

The APD has a five-member structure with a President and four service Directors (each leading a substantive service: Frontline, Investigation, Litigation, Knowledge). The President and Directors are appointed by the Belgian Parliament. The collegial structure reflects the bilingual Belgian institutional architecture.

CROSS-REFERENCES

Related references

ARTICLE 7

Consent & Cookie Enforcement

The TCF decision is the leading authority on programmatic-advertising consent architecture.

PEER DPA

French CNIL

The other major cookie-enforcement authority, with parallel ad-tech jurisprudence.

RELATED CASE

Google €150M CNIL (2022)

Cookie-banner-UX-level enforcement contrasting with the APD's framework-level TCF action.

PEER DPA

Irish DPC

Cross-border lead authority architecture contrasting with the APD's domestic-focused work.

ARTICLE 5

Article 5 Enforcement

Minimisation principles applied across consent-framework analysis.

REGISTER

Full Decision Register

All major indexed fines.

SOURCES & CITATIONS

Primary sources

Figures as of May 2026. Verified against published DPA decisions.

REGISTER UPDATED 2026-04-28