Launch of new portal for data breach notification by the Belgian Data Protection Authority

The Belgian Data Protection Authority (BDPA) has just launched a new portal for data breach notification, which went live on 10 June 2025 (see announcement in French or Dutch). This significant development aims to streamline the process of notifying data breaches in Belgium. We provide an overview of the key changes and requirements introduced by this new portal and offer practical guidance to ensure compliance.

What are the key changes and requirements?

The new portal consolidates the notification process, requiring data controllers to use a single platform for all data breach notifications. This centralisation is designed to improve efficiency and ensure that all notifications are handled uniformly.

Under this new system, every organisation must create a single “company account” on the portal; no multiple or parallel accounts are permitted for the same controller. To facilitate secure authentication, the BDPA now relies on the Federal Authentication Service (FAS), meaning that companies registered in Belgium must connect to the portal through a federally recognised identity system, such as eID or itsme. Only individuals assigned a specific role may submit and manage notifications on behalf of the organisation.

The notification process is now divided into two parts (see below).

New two-part data breach notification process

Once an organisation has established its account, the new portal requires that data breaches be notified in two parts.

Part 1 contains the initial and most important information, typically to be submitted within the GDPR-mandated 72-hour window. Completion of this first part generates an official case reference number starting with “DBN”, which confirms the notification has been recorded. This part can be submitted without a company account if the responsible person is not available to authenticate via FAS.

Part 2 collects additional details about the scope, cause and impact of the breach, along with any relevant attachments requested by the BDPA. Organisations then have a maximum of 21 calendar days to complete the second part. Not providing all required information within this 21-day timeframe results in the earlier entries being treated as the organisation’s final submission, so it is essential to monitor this deadline closely. During that period, the portal allows a temporary “save” function, enabling controllers to update and amend their submissions as new facts become available.

What else is on the new portal?

The portal’s focus extends beyond breach notifications; it also allows users to manage other key responsibilities, such as registering, updating and removing a DPO through what is termed a “DPO case”.

Also note that certain fields in the notification forms are pre-completed based on the company’s registration details, such as the BCE number, European VAT number or national unique number. This feature reduces the administrative burden and ensures accuracy. Should those details no longer match your company’s current circumstances (for instance, because of a new address or a changed legal name), the portal provides the means to communicate corrections and ensure the BDPA’s records remain accurate.

Any practical guidance?

Considering these developments, your company is encouraged to take these steps to effectively manage future data breach notifications:

1. Update your internal data breach procedure. Review and update your internal data breach procedure to align with the new portal requirements. This includes ensuring that responsible personnel are familiar with the two-part notification process and the deadlines for each part.
    
2. Create and manage the company account. Ensure that a company account is created on the BDPA portal. This involves authenticating via FAS using eID or itsme and assigning the role of “GBA_Documentum_Vertegenwoordiger”/ “APD_Documentum_Représentant” to the appropriate personnel.
    
3. Monitor and respond to communications. Regularly check the portal for any messages or requests for additional information from the BDPA. Promptly respond to these communications to avoid compliance issues.
    
4. Verify DPO registration. DPOs should verify their registration on the new portal to ensure accuracy. This includes checking that the correct contact email address is listed, as only one email address can be registered for communication between the BDPA and the DPO. Companies can only register one DPO per data controller. If multiple DPOs were previously registered, the most recent registration will be retained. Companies should ensure that the correct DPO is registered and should update the portal if necessary.
    
5. Training and awareness. Conduct training sessions for staff involved in data breach management to ensure they understand the new portal’s functionalities and requirements. This will help in maintaining compliance and efficiently managing data breaches.
    
6. Keep in mind the compliance deadlines:
   • 72-hour deadline: Initial notification (Part 1) must be submitted within 72 hours of discovering the breach.
   • 21-day deadline: Detailed follow-up (Part 2) must be completed within 21 days of completing Part 1.
7. Monitor official announcements for technical issues. Always check the latest updates from the BDPA regarding the technical status of the new portal before preparing or submitting a data breach notification. The BDPA regularly publishes information about outages and restoration timelines. If the portal is offline, keep internal records (such as screenshots or copies of announcements) to evidence the unavailability.

For further assistance, please contact CMS experts Tom De Cordier and Thomas Dubuisson. Did you know our Tech & Data practice is recognised as Tier 1 (best-in-class) by both Chambers and Legal 500?