Discover our new Policy Prototyping report on the EU AI Act's value chain requirement  

Read and download here
Beleidsmonitor covers GBA 202615
04.06.2026

Belgium – Belgian DPA publishes information brochure on AI and privacy

Summary

The Belgian Data Protection Authority (DPA) published an information brochure to help citizens better understand AI, privacy and data protection. It explains how AI systems work, outlines the main privacy risks and shows how citizens can retain control over their personal data. This article provides an overview of the main points highlighted by the DPA, as well as its practical recommendations for citizens. 

Introduction

The DPA starts with the observation that AI is increasingly becoming part of citizens’ everyday lives. Many AI systems are trained with personal data collected from a wide range of sources, such as social media feeds or online searches. Due to the opacity and complexity of AI systems, citizens often do not know which personal data is being collected, for what purpose it is processed or how decisions are made. As a result, they risk losing control over their personal data and are less able to challenge unfair or inaccurate outcomes. Against this backdrop, the DPA explains in accessible language what AI systems are, how they process personal data, which privacy risks arise from this and which rights citizens can invoke under the  General Data Protection Regulation (GDPR).

Understanding AI systems

The DPA takes the definition set out in the AI Act as a starting point to explain what an AI system actually is. It describes an AI system as a machine-based system that operates with varying levels of autonomy and can generate output based on analysis and pattern recognition. In doing so, the DPA emphasises that AI systems differ from traditional automated systems because they have the ability to infer on the basis of data or knowledge. The DPA further clarifies the distinction between an AI system and an AI model using a cooking analogy. Training an AI model is compared to developing a cake recipe, while the AI system is the one that actually prepares the cake. The quality of the output, or the cake, therefore, depends on the quality of the data, the ingredients, the reliability of the AI model architecture, the recipe, and the algorithm, the steps to be followed.

 

The DPA categorises AI systems into different types according to their purpose, namely expert systems, autonomous systems, cognitive computing, computer vision, AI powered robots and AI systems for natural language processing. Each category processes different types of personal data. Expert systems, for instance, often require structured personal data to function, while AI systems for natural language processing typically use chat histories and voice commands.

 

Regardless of the type of AI system, AI systems generally go through similar data processing activities throughout their life cycle. The DPA clarifies that data protection is relevant at every stage of this life cycle. The life cycle encompasses various steps:

 

  1. problem definition, where the purpose of the AI system is determined;
  2. data collection;
  3. data storage and management;
  4. data cleaning and preparation;
  5. training and validation;
  6. deployment and inference;
  7. monitoring,  maintenance and governance; and
  8. retention, deletion or archiving of data.

Privacy risks

The DPA identifies several privacy risks that are either amplified or created by AI systems. First, AI systems increase the risk of excessive or disproportionate data collection, which may conflict with the principle of data minimisation. This is because AI systems can collect, combine and process vast amounts of personal data in real time. Risks that were previously more isolated, such as manual profiling or targeted advertising, can become systemic problems due to the speed, scale and opacity of AI systems. As a result, it becomes more difficult to prevent, detect or challenge breaches of data protection rules.

 

The DPA also points to the risk that human oversight of automated decision making may be weakened, including in everyday contexts such as creditworthiness assessments or recruitment processes. When decisions are made wholly or partly by AI systems, important questions arise regarding transparency, fairness and accountability.

 

Another risk is that AI systems may infer sensitive information from indirect sources without citizens’ knowledge or consent. This can lead to unlawful processing, categorisation and profiling. Moreover, such inferences may be misleading or inaccurate because they are probabilistic in nature.

How can citizens protect their personal data?

The DPA provides several tips to help citizens better protect their personal data:

  1. Check privacy policies, terms and conditions, and default privacy settings. This gives citizens a clearer understanding of which personal data is collected, how it is processed and with whom it is shared. It also makes it easier for them to effectively exercise their rights under the GDPR.
  2. Be cautious when sharing personal data. The DPA advises citizens to ask themselves the following question: “If I were having dinner with people I do not know, would I share this information about myself or someone else with them?”
  3. Keep software and firmware up to date. Regular updates help reduce security risks and address vulnerabilities.
  4. Actively manage app and device permissions. Citizens should check which apps and devices are allowed to access things such as their microphone, camera or location data. Permissions that are not essential can be disabled or enabled only when needed.

Rights of the data subject

The DPA outlines the rights that citizens can exercise under the GDPR regarding their personal data:

 

  1. the right to information, which requires controllers to provide clear and accessible information about how personal data is processed;
  2. the right of access, which allows citizens to verify whether their personal data is being processed;
  3. the right to erasure, which allows citizens to request the deletion of their personal data when certain conditions are met;
  4. the right to object, which allows citizens to object to the processing of their personal data. The DPA explains here how citizens can object to the use of their personal data for training AI systems by Meta;
  5. the right to restriction of processing, which allows citizens to request that the processing of their personal data be suspended in specific circumstances;
  6. the right to rectification, which allows citizens to request the correction of inaccurate personal data and the completion of incomplete data;
  7. the right to data portability, which allows citizens to receive their personal data in a structured, commonly used and machine readable format and to transmit those data to another controller;
  8. the right not to be subject to automated decision making, which protects citizens against decisions based solely on automated processing, including profiling.

 

These rights can be exercised by contacting the data controller, preferably through the Data Protection Officer (DPO). The DPA has prepared template letters that citizens can use for this purpose. It also recommends keeping a copy of the request in case further action becomes necessary.

 

In principle, data controllers must respond to such requests within one month. This period may be extended by two additional months where justified. If the data controller does not respond, or if the response is insufficient, citizens can contact the DPA through its contact form. According to the DPA, mediation is usually the most efficient way to resolve such disputes. If mediation does not lead to a solution, citizens can still file a formal complaint.

Conclusion

AI systems offer significant opportunities, but their increasing use also creates new and amplified risks for the protection of personal data. The GDPR provides a strong framework for mitigating those risks, with rights that empower citizens to maintain control over their personal data. However, those rights are only effective if citizens know they exist and how to exercise them. Digital resilience therefore starts with awareness: understanding how AI works, approaching data sharing with a critical eye and, when necessary, knowing how to contact the data controller or the DPA.

Author

Sabra Ibnouthen

Sabra Ibnouthen

email hidden; JavaScript is required