Obligation to provide external Wpg audit report to AP from March 2025
As from March 2025, more than 600 controllers that process police data, which have enforcement officers in employment (Dutch abbreviation: BOAs), are be obliged to have an external audit carried out and provide the reports to the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority. This obligation arises from the Dutch Police Data Act (Wpg). The AP monitors compliance with this obligation. It concerns controllers that are responsible for the data processing by BOAs, such as municipalities, transport companies or nature managers. Employers of BOAs have until March 2026 to pass on the results of the four-yearly external audit.
Registrations by BOAs (special investigating officers) may intervene seriously in a person's private life. As investigating officers, they can draw up an official report, to which special evidential value is given in criminal law. This information may be used for police tasks, among other things. A registration by a BOA may have an impact on a person that lasts for years. The data may be included in a suspect file or may be used for an application for a Certificate of Conduct (Dutch VOG). Incorrect information or careless handling of these data must be prevented.
Audits are an important tool for the internal supervision within an organisation. Carrying out the audit correctly and on time helps controllers process personal data in the right manner. The AP encourages internal supervision by monitoring the obligation to have an audit carried out.
Legal obligation
The AP emphasises that the (timely) provision of a report is a mandatory part of the Wpg audit cycle. Carrying out internal audits annually and external audits every four years provides the controller with essential information that can be used to improve the internal organisation of personal data processing. If the audit result is insufficient, the law states that the controller has to draft an improvement plan, which should be reassessed within one year. Submitting the audit results enables the AP to monitor the organisation effectively, among other things by providing guidance and identifying issues.
Organisations have a responsibility to assess if they are obliged to have an audit carried out. On the website of the AP, you can find answers to frequently asked questions.
To avoid time constraints or incomplete reports, the AP once again points out the obligation to provide the report and the approaching deadline. The AP must receive your report between 1 March 2025 and 1 March 2026. The AP does not grant any postponement. The AP uses the detailed overview of the audit cycle in the Handreiking Privacy audit Wpg voor boa’s on the website of NOREA (in Dutch) as a starting point for the audit cycle.
Failure to comply with with the obligation to submit the audit report
Do you fail to meet the obligation to provide the report? This may be a reason for the AP to deploy enforcement powers.
More information about the Wpg audit
Do you want to know in which cases carrying out an audit is mandatory and which requirements such audit has to meet? Take a look at the answers to frequently asked questions on the website of the AP. The AP is not available for consultations with individual parties. When in doubt, consult a comparable organisation, industry association or (external) advisor.
iseur.
