Audit under the Dutch Police Data Act (Wpg audit)

Are you as an organisation responsible for the processing of data for investigative tasks? And do you, as a result, fall under the Dutch Police Data Act (Wpg)? Then you are obliged to conduct an internal privacy audit every year. This is called a Wpg audit. In addition, you must have an external Wpg audit conducted once every 4 years.

Rules for Wpg audit

The legislator has set rules for the way in which organisations have to conduct the internal and external Wpg audit and for the contents of these audits. These rules have been incorporated in:

Requirements for Wpg audit

For you as an organisation, the following requirements, among others, apply for a Wpg audit:

  • The audit must be about how the processing of police data has been organised, the measures and procedures applicable to this processing, and the effect of these measures and procedures.
  • The parties conducting the Wpg audit are obliged to keep the personal data provided to them secret.
  • The external auditor must be independent and meet the requirements set by the Regulations on periodic audits of police data with regard to working method, expertise and reliability.
  • You have to send the results of the external Wpg audit (the audit report) to the Dutch Data Protection Authority (Dutch DPA).
  • Does the external Wpg audit show that you do not (fully) meet the requirements of the Wpg? Then you will have to draw up an improvement plan for the parts that do not meet the requirements set. Next, you must have a subsequent audit conducted within 1 year. You do not have to send the improvement plan to the Dutch DPA. You do have to send the results of the subsequent audit, though.

Note: The implementation and application of these rules are your own responsibility. The Dutch DPA cannot give an opinion or provide advice about this. The Dutch DPA is unable to do this, because it requires an assessment of your specific situation with all facts, circumstances and interests. And it is not the Dutch DPA that has the best insight into this, but you as the controller.

Role of the DPO in Wpg audit

You are not allowed to have the Wpg audits conducted by your Data Protection Officer (DPO). The task of the DPO is to exercise supervision of compliance with the Wpg in your organisation. This includes the audits. This is why the DPO cannot conduct the audits themselves.

You are allowed to involve the DPO in the performance of the audits, because it is the task of the DPO to inform and advise you about compliance with the Wpg. 

Wpg audit obligation for employers of special investigating officers

Special investigating officers who process personal data for their investigative tasks are subject to the Wpg. This means that the Wpg audit obligation also applies for employers of special investigating officers.

As the employer of special investigating officers, you are the controller. The Wpg audit obligation also applies if you are a private organisation that employs special investigating officers. This means that you have to conduct an internal Wpg audit every year and have an external Wpg audit conducted every 4 years.

Note: Do you hire special investigating officers? Or is there a partnership? In that case, too, you are responsible for what the special investigating officers do on your instructions. Depending on the specific situation, the supplying party or the partnership may conduct an audit or have an audit conducted, while you, as the hiring or collaborating party, assume responsibility for the results. After all, the results may be a reason to modify agreements.

Audit report template

To make the results of the audits comparable, use the Handreiking Privacy audit Wet politiegegevens (Wpg) voor Boa's on the website of NOREA (in Dutch). You can also use this guide for the internal audit.

Time for external Wpg audits for special investigating officers

The Wpg stipulates that as an employer of special investigating officers, you must have the external audit carried out for the first time 2 years after the audit requirement comes into force. And every 4 years thereafter. This means that the next audit will focus on the handling of police data in the period 2021-2024.

The Dutch DPA must receive your report between 1 March 2025 and 1 March 2026. The Dutch DPA will not grant a delay. For the audit cycle, the Dutch DPA relies on the detailed overview of the audit cycle in the Handreiking Privacy audit Wet politiegegevens (Wpg) voor Boa's (in Dutch) from NOREA.

Submission of external Wpg audit report to the Dutch DPA

You submit the report of the external Wpg audit digitally through wpg-audit@autoriteitpersoonsgegevens.nl. Pay attention to the following points:

  • Remove names of persons from the document. After you have done this, it is not necessary for you to send the document in an encrypted form.
  • Choose a legible file format, preferably pdf/A.
  • Make sure that the size of the file is not bigger than a few MBs.

After sending the file, you receive an automatic confirmation of receipt. Always keep a copy of the external audit reports submitted by you for your own records.

You will not receive an individual response from the Dutch DPA to your audit report. The Dutch DPA registers the Wpg audit reports submitted. In doing so, the Dutch DPA checks whether you meet your statutory obligation to send the audit report to the Dutch DPA. 

In addition, the Dutch DPA uses the audit reports received as general input for the supervision of the Dutch DPA. For example, for checking whether more information is necessary about certain topics.

Follow-up to external Wpg audit

For the rest, you do not have to take any action towards the Dutch DPA. Of course, you have to give an appropriate follow-up to the external Wpg audit by drawing up improvement plans and having subsequent audits conducted.

Do you have to draw up an improvement plan after the external Wpg audit? And have a subsequent audit conducted within 1 year? Then you have to send the results of your subsequent audit to the Dutch DPA. You do not have to send your improvement plan to the Dutch DPA. The same applies for reports of internal Wpg audits.