Belgium’s data Protection Authority Dismisses Complaints Filed by NOYB
At the heart of the dismissals lies a procedural limitation under Belgian law. Associations like NOYB are only allowed to file complaints as representatives of specific individuals, not independently in their own name.
The Litigation Chamber of Belgium’s Data Protection Authority (APD) announced the dismissal of 16 complaints across five cases submitted by NOYB (None of Your Business), an Austrian privacy advocacy group known for its proactive role in defending citizens’ data rights under the General Data Protection Regulation (GDPR).
The APD emphasised that all final decisions of the Litigation Chamber are published and accessible to the public to ensure transparency. However, due to the procedural nature of these dismissals, the APD issued an additional explanatory statement to provide broader context.
At the heart of the dismissals lies a procedural limitation under Belgian law. Associations like NOYB are only allowed to file complaints as representatives of specific individuals, not independently in their own name. The dismissed cases involved situations where NOYB appeared to have structured the complaints around projects defined by the organisation, using automated tools to detect alleged GDPR violations and then instructing individuals (often affiliated with NOYB) on how to authorise the organisation to submit complaints on their behalf.
This approach was previously scrutinised in a 19 March 2025 ruling by the Belgian Market Court. In that case, NOYB filed complaints against the media group Mediahuis regarding cookie banners. The court found that NOYB had committed an abuse of rights by orchestrating the complaints in a way that circumvented legal requirements, specifically by failing to properly separate the roles of complainants and the organisation itself.
The APD stated that similar procedural issues were found in the five newly closed cases (decisions 106/2025 to 110/2025), with evidence that NOYB not only identified the data controllers using automated means but also gave specific instructions to individuals regarding complaint content and delegation of authority.
Two earlier decisions from 2024 (22/2024 and 112/2024) were also dismissed on similar grounds, and neither NOYB nor the complainants appealed those outcomes.
Despite the dismissals, the APD acknowledged the valuable role organisations like NOYB play in advancing data protection and ensuring regulatory oversight. The authority reiterated that NOYB remains fully entitled to represent individuals before the APD, provided there is a valid mandate from the data subject and no procedural abuse is involved.
Importantly, the APD highlighted that Belgian law currently does not allow privacy organisations to file GDPR complaints independently, a legal option available in some EU member states. The authority supports a legislative amendment to expand this right in Belgium, aligning with broader European practices.
Hielke Hijmans, Director of the Litigation Chamber, noted that European supervisory authorities receive over 100,000 GDPR-related complaints annually. He praised the contribution of organisations like NOYB but stressed the need for clear legal boundaries. “It would be a positive step if the legislator considers expanding the legal possibilities for such associations,” he stated.
The APD has made its decisions publicly available: 106/2025, 107/2025, 108/2025, 109/2025, and 110/2025.
