Use of personal data by the police
The police use all sorts of data for the proper performance of police duties. Has a crime been committed, for example? Then the police record data of the victim and any witnesses. The police need these data for conducting an investigation.
The police are only permitted to process personal data for a specific purpose. For example, for detecting perpetrators of punishable offences or for ensuring public order. The data that the police process have to be necessary for achieving the purpose.
On this page
Use of special personal data
Only in exceptional cases are the police permitted to record and use special personal data. These are data about, for example, someone's religion, race/ethnicity, political preference and health. The police are only allowed to do this if it is necessary for the investigation, the provision of assistance or another police duty.
Access to data at the police
Not everyone who works at the police has access to all data. Because the police process such sensitive personal data, the law sets strict requirements to the system that regulates who has access to what.
Necessary for doing the job
Employees of the police are only allowed to access personal data that they need for doing their job. They are not allowed to do anything with personal data (such as collecting and storing personal data) if this is not necessary for their work.
Describing authorisations
The police have to describe clearly for what an employee has been authorised. And therefore, what this employee is allowed to do with personal data. There must be, for example, an overview of which employee has access to which police system and why.
Transfer of personal data to other organisations
The police may transfer personal data to other organisations or persons within or outside the police. Authorised recipients of such data transfers can be found in the Police Data Act (Dutch abbreviation Wpg) and the Police Data Decree (Dutch abbreviation: Bpg). These are a special Act and a special decree for the protection of personal data at the police.
Examples are the Dutch Immigration and Naturalisation Service (IND), directors of prisons, the probation service, partnerships within the municipality, and Europol.
Use of camera images by the police
The police are permitted to use camera images recorded using camera surveillance by the municipality in public places.
In certain cases, the police are also allowed to deploy cameras in public places themselves. Such as short (mobile) camera surveillance at a high-risk professional football match, (threatening) riots, an event or a demonstration.
The police may also deploy (hidden) cameras as a means of investigation. Special powers are required for such camera surveillance.
Read more on the page Camera surveillance in public places.
Disclosure of data of suspects
The police have more scope for disclosing personal data than other organisations. This has been set out in the Wpg. That is why the police are allowed to disclose names and photos of suspects in special cases. This is only permitted if this is necessary for the performance of statutory police duties.
Consent from the Public Prosecution Service (OM) required
The police have to justify that there is an important public interest, such as security. The OM therefore has to consent to the disclosure of the personal data of a suspect. The police and the OM check if the purpose of the investigation is proportionate to the impact on the private life of a suspect as a result of the disclosure of, for example, the name or images of that suspect.
Less far-reaching methods
The police will also have to see whether there are less far-reaching methods for achieving the same purpose. For example, the impact on the suspect is less significant if the police publish ‘blurred’ versions of the images. Or if the police announce that the name and the photo of the suspect will only be released if the suspect does not report themselves to the police before a certain time.
Blog or vlog by the police
The police are not permitted to use names or images of suspects in blogs or vlogs. A blog or vlog kept by a police officer is often intended to provide information about police work. This is not a statutory police duty. That is why it is not permitted to use data that can be traced to suspects for this purpose.
Not the Wpg, but the General Data Protection Regulation (GDPR) applies for information. Under the GDPR, organisations must have a legal basis for processing personal data. This applies, for example, when:
- a citizen can be recognised in an image in a vlog;
- an employee of the police recruits new colleagues using a blog.
The police have also made agreements about the use of social media themselves (in Dutch).
Also see: Privacy legislation for police and judicial authorities.
CTER registration (terrorism, extremism and radicalisation)
The police may process personal data to combat terrorism, extremism and radicalisation. This involves inclusion in a CTER register. CTER stands for 'Counterterrorism, Extremism and Radicalisation'. Such a registration indicates that the police believe that someone, or a group of people, is directly or indirectly involved in terrorism, extremism or radicalisation.
A CTER registration starts with the registration of a specific event. The police then link that event to an individual registration for a particular person. Paragraph 4.3 of the ‘Blind trust?’ report by the National Ombudsman (in Dutch) explains exactly how this works.
Consequences of a CTER registration
People with a CTER registration may end up in trouble unexpectedly. For example, if they are stopped at the border whilst on a trip, asked questions, denied entry to a country or detained. They might not know that this is happening because there is a CTER registration in their name.
You think you might be listed in the CTER register
Do you have reason to think you might be listed in the CTER register? Such as because you ran into issues at the border when you wanted to travel abroad?
In that case, you can request the police for access to your personal data, ask the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, to assist you and/or go to court.
Request for access
Want to know if you are listed in the CTER register? Then request the police for access to your data, and more specifically, ask whether you are listed in the CTER register. The police are obliged to tell you whether this is the case and which of your personal data the police have processed for this purpose. You might find that the data is incorrect, incomplete, or you might think you should not be listed in the CTER register. In that case, you have the right to request that your data be rectified (amended or supplemented) or destroyed.
Please note that inspection is not always possible. Read more at Your privacy rights with the police, special investigation services and judicial authorities.
Asking the AP to assist you
You can also ask the AP to assist you:
- You can call the AP to discuss your questions about a possible CTER registration.
- Maybe you have already submitted a request for access to your data to the police, but you are not satisfied with their response. In that case, you can ask the AP for advice or to mediate on your behalf. You must request the AP's assistance within six weeks of receiving the police's response.
- You can also submit a complaint to the AP directly. This might be because you think you are wrongly listed in the CTER register. You can submit such a complaint directly to the AP.
Going to court
Did the police refuse to give you access to your personal data? Or is there another reason why you are not satisfied with the response you received? You then have the option of going to court. This would involve appealing the police's decision regarding your request for access. You must do so within six weeks of receiving the police's decision. More information about lodging an appeal can be found on the website of the judiciary.
More information
Want to know more about CTER registrations, how they work and what you can do? Please read the Guidelines for access requests in the event of suspicions of unjust observations in the context of terrorism published by the Ministry of Justice and Security.
The AP supervises the police
The police, the Royal Netherlands Military Constabulary, special investigative services (such as the FIOD) and justice organisations (such as the Public Prosecution Service) process all kinds of personal data. They must all comply with the Police Data Act (Wpg in Dutch) and the Judicial Data and Criminal Records Act (Wjsg in Dutch). The AP monitors whether these governmental agencies are indeed in compliance.
Anyone with a question or complaint about the processing of personal data by the police, investigative services or the judiciary can contact the AP. Even if the case in question is not a CTER registration, but other processing of personal data.
More information about CTER registration (in Dutch)
- Letter from the AP to National Ombudsman about CTER registration
- 'Blind trust' report by National Ombudsman
- Letter to the House of Representatives with policy response to the National Ombudsman's report on blind trust
- The AP's letter to the Minister for Justice and Security about CTER registrations and the National Ombudsman report