Privacy legislation for police and judicial authorities

In addition to the General Data Protection Regulation (GDPR), the police and judicial authorities have to deal with the Police Data Act (Wpg) and the Judicial Data and Criminal Records Act (Wjsg). These laws arise from the European Directive on data protection in the law enforcement sector. Which privacy law the police and judicial authorities have to comply with in the performance of their duties depends on the task they carry out.


When Wpg/Wjsg and when GDPR?

When performing specific tasks for the purposes of investigation and prosecution, the police and judicial authorities have to comply with the Wpg and the Wjsg. These laws also apply to:

  • the enforcement of punishments imposed;
  • tasks for monitoring public safety;
  • tasks for preventing criminal offences.

The GDPR applies to other tasks of the police and the judicial authorities, for example the processing of personal data of their own personnel.

Privacy legislation for the police

There is a special law for the protection of personal data within the police: the Wpg. It regulates the processing of personal data for the performance of police duties by, among others, the National Police and organisations for special investigations.

The Wpg also applies, for example, to the processing of police data as part of the enforcement of the Traffic Regulations (Administrative Enforcement) Act.

The Dutch Data Protection Authority (Dutch DPA) monitors compliance with the Wpg. Also see: Police Data Act Audit (Wpg audit).

When does the GDPR apply to the police?

Sometimes, data processing by the police falls under the GDPR rather than the Wpg. This is the case if the police process personal data for:

  • certain police duties, such as the enforcement of the Dutch Aliens Act and for border control;
  • supervisory duties based on special laws, such as granting (firearms) licences and the supervision thereof;
  • information tasks of the police, such as when releasing camera images in the (social) media;
  • payroll administration and other HR matters.

Want to know more? Read the page Use of personal data by the police.

Privacy legislation for the judicial authorities

There is a special law for the protection of personal data within the judicial authorities: the Wjsg. This law regulates the processing of:

  • judicial data in suspect files;
  • judicial data for the certificate of conduct (Dutch VOG);
  • criminal-law data.

The Dutch DPA supervises the processing of judicial and criminal-law data under the Wjsg. If organisations that fall under the judicial authorities process personal data that are not judicial or criminal-law data, it is not the Wjsg but the GDPR that applies. The Dutch DPA also supervises these processing operations. 

Want to know more? Read the page Use of personal data by the judicial authorities.

Separate directive on data protection for police and judicial authorities

In addition to the GDPR, there is a separate European Directive for data protection by the police and judicial authorities. This is called the Directive on data protection in the law enforcement sector.

Its official name is: ‘Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data’.

All Member States of the European Union (EU) have converted this Directive on data protection in the law enforcement sector into national legislation of their own. In the Netherlands, the Directive has been implemented in the Wpg and the Wjsg.

Similarities between the GDPR and the Directive

Both the GDPR and the Directive on data protection in the law enforcement sector ensure:

  • strong privacy rights for the people whose data are processed;
  • heavy responsibilities for organisations that process personal data;
  • strong powers for all European data protection agencies.

The starting points for data protection are therefore almost the same. Think of:

  • keeping a processing register;
  • appointing a DPO;
  • carrying out a data protection impact assessment (DPIA);
  • applying for a prior consultation.

The starting points for transferring personal data to countries outside the EEA are also largely the same.

Differences between the GDPR and the Directive

These are the most important differences between the GDPR and the Directive on data protection in the law enforcement sector or, as the case may be, the Wpg/Wjsg: 

General provisions

  • The Directive pertains to criminal law: the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties by the government, including the protection of public safety. The GDPR pertains to personal data processing operations that are based on private-law and administrative legal relationships.
  • When implementing the Directive, the legislator chose to designate the controller by law. In the GDPR, this is determined on the facts: under the GDPR, the controller is the party that determines the purpose of and the means for the personal data processing.
  • The Directive contains a regulation for the difference between facts and opinions that the GDPR does not have. In addition, the Directive stipulates that a distinction must be made between different parties, such as suspects, witnesses and victims.

Legal bases

  • The Directive is based on the law only. If the police and judicial authorities process personal data for the performance of a task that falls under the Wpg or Wjsg, this statutory task is the legal basis. The GDPR contains a number of legal bases for processing personal data.
  • The Wpg and Wjsg contain concrete retention periods. The GDPR does not contain concrete retention periods.

Rights of data subjects

  • The legal protection is different. Data subjects have the same privacy rights, such as the right of access, the right to rectification, and the right to erasure of data. But compared to the GDPR, the Directive has more restrictions and exceptions. These may be necessary for the investigation and prosecution of criminal offences.

Security

  • The Directive contains a logging obligation; the GDPR does not.
  • The Directive allows the police and judicial authorities, in some cases, to (temporarily) refrain from reporting a data breach to the victims. This is permitted when the interests of investigation and prosecution outweigh the privacy interests of the victims. The GDPR does not have this exception to the data breach notification obligation.

Supervisory authority

  • Under the GDPR, the Dutch DPA has more elaborate powers to take corrective action than under the Wpg and Wjsg.
  • Unlike the GDPR, the Directive does not allow the supervisory authority to draw up a list of processing operations for which carrying out a DPIA is mandatory. On the other hand, investigation services have to ask the Dutch DPA for a prior consultation in more cases.

Other

  • The Wpg has an audit obligation.