Recently, the Belgian Data Protection Authority (¨GBA¨) issued Decision no. 51/2025 on a case related to a complainant who tried to register their child for a conservatory using an online platform called "Z". Users were required to create an account and, of course, accept Z's general terms and conditions. The complainant rejected having to create an account and introduce the personal data of their child within a third-party platform which was unrelated to the conservatory. Consequently, they requested the deletion of the personal data, due to the fact that there was no legal relationship with Z. In turn, Z claimed it was acting on behalf of the conservatory and processed data lawfully. Z was found to be in breach for multiple infringements of the GDPR and corrective measures were applied by the GBA
Besides the multiple infringements found by the GBA, the novel position taken by the Belgian authority revolves around "check back regularly" clauses bundled within privacy policies. The platform concerned by Decision 51/2025 used such a clause and the GBA openly criticized its use, the wording being: "The user is required to regularly check the privacy policy for changes." This clear shift in the burden of staying informed was deemed incompatible with the transparency obligations under the GDPR.
The Decision at hand outlines that the controller's responsibility to properly inform the data subject also means that the data subject cannot be held liable for not regularly verifying the privacy policy. An update to the privacy policy cannot be considered to respect the GDPR standards on consent and transparency, without the controller properly notifying the data subject about the changes. Even more, communication from the controller is to be expected especially in case of significant changes to the policy, such as changes affecting the purposes, the legal basis or third-party recipients of the data.
Thus, the GBA reinforces the idea that transparency under the GDPR should be seen as an active obligation of controllers. Mechanisms such as pop-up or push notifications, app banners, mandatory review screens or even emails can be used in order to comply with these requirements. The notification should refer to what has changed, and it should indicate the effective date of the modifications. It is recommended that the controllers also keep some sort of proof that the changes were notified, pursuant to their accountability obligations. In addition to this, all versions of the updated policy must be kept, alongside publishing dates and methods used for the notification of data subjects.
Close attention should be given to changes in processing requiring consent and whether the change implies the renewal of that consent by the data subject. Similarly, clauses stating that the continued use of the service amounts for consent should be closely reviewed for compliance, given that the general idea is that users should be given a real choice regarding the processing of their data. Additionally, as a general requirement, changes should be clearly highlighted in the policy. If the burden of checking regularly cannot be placed on the data subject, then the data subject cannot be expected to actively compare the updated and the old version of the policy. This implies visual highlights, clear language and respecting accessibility standards.
Therefore, privacy policies, cookies policies, and even T&Cs should be checked for such clauses and amended for compliance, in order to illustrate that informing about changes to the policy is still the duty of the controller, similar to how, at first, the controller must inform the data subject in a clear and complete manner. While the data subject can still be encouraged to check the policy regularly, the document must make clear the fact that no legal consequences are to be drawn from the lack of monitoring done by the data subject.
Although this clause is omnipresent in privacy policies and similar documents, it is clear the GBA has interpreted the transparency requirements in the reasonable manner of prioritizing the data subject, which is consistent with the overall aim of the GDPR. For the future, it will be interesting to note if and how other national data protection authorities will comment on this practice. Given its widespread, it is hard to imagine that the GBA Decision will be the only one that touches on this topic.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
