Last updated on November 2, 2025
No. Deploying AI systems in Belgium without complying with the General Data Protection Regulation (GDPR) and the EU Artificial Intelligence Act (AI Act) is strictly prohibited. Both frameworks impose binding obligations to ensure lawful, ethical, and transparent AI practices.
Two Pillars of Trust: GDPR and AI Act
Belgium, as an EU Member State, operates under a robust legal architecture designed to protect individuals’ rights in the digital age. The first pillar is the GDPR, in force since 2018, which governs all processing of personal data. The second is the AI Act, the world’s first comprehensive AI regulation, which entered into force on 1 August 2024. Together, they form a legal shield ensuring that innovation does not compromise privacy, fairness, or safety.
The GDPR applies whenever AI systems process personal data—whether for training, prediction, or automated decision-making. It demands principles like lawfulness, fairness, transparency, purpose limitation, and data minimization. Meanwhile, the AI Act introduces a risk-based framework: minimal-risk systems face light obligations, while high-risk systems—such as those used in recruitment or credit scoring—must meet stringent requirements, including risk management, human oversight, and technical documentation.
Why Compliance Is Mandatory
Under the AI Act, certain practices are outright banned. Systems enabling social scoring, manipulative behavior, or certain biometric identifications in public spaces are prohibited. High-risk AI systems must undergo conformity assessments before being placed on the market. Failure to comply can result in penalties of up to EUR 35 million or 7% of global turnover, making non-compliance a costly gamble.
The Belgian Data Protection Authority (APD) reinforces this stance. It emphasizes that AI systems must respect GDPR principles such as data accuracy, storage limitation, and security of processing. Automated decision-making that significantly affects individuals requires safeguards, including the right to human intervention and explanation.
Historical and Cultural Context
Europe’s regulatory approach reflects a long-standing commitment to human rights and democratic values. The GDPR was a landmark in global privacy law, granting individuals unprecedented control over their data. The AI Act builds on this legacy, addressing emerging risks posed by machine learning and generative AI. This proactive stance positions the EU—and Belgium—as global leaders in ethical tech governance.
Practical Implications for Businesses
For companies operating in Belgium, compliance is not optional—it’s a strategic necessity. Businesses must:
- Map their AI systems and classify them by risk level.
- Implement governance structures aligned with GDPR and AI Act requirements.
- Conduct impact assessments and maintain transparency with users.
- Ensure human oversight for high-risk systems.
These steps are not mere formalities; they are essential for building trust and avoiding severe sanctions.
Enforcement and Oversight
The AI Act’s governance involves the European AI Office and national authorities, which supervise compliance and investigate incidents. In Belgium, the APD collaborates with these bodies to ensure that AI systems respect both privacy and fundamental rights. This multilevel oversight guarantees that violations are swiftly addressed.
The Cost of Ignoring the Rules
Non-compliance risks more than financial penalties—it can damage reputation and erode consumer trust. In a market where trust is currency, failing to meet legal and ethical standards can shut doors faster than any regulator’s notice. The message is clear: innovate boldly, but play by the rules.
See more on Belgium
Sources
European Commission – Artificial Intelligence Act comes into force
https://ec.europa.eu/commission/presscorner/api/files/document/print/en/ip_24_4123/IP_24_4123_EN.pdf
01/08/2024
Autorité de Protection des Données – Artificial Intelligence Systems and the GDPR
https://www.autoriteprotectiondonnees.be/publications/artificial-intelligence-systems-and-the-gdpr—a-data-protection-perspective.pdf
Ongoing