Audit under the Dutch Police Data Act (Wpg audit)

Rules for Wpg audit

The legislator has set rules for the way in which organisations have to conduct the internal and external Wpol audit and for the contents of these audits. These rules have been incorporated in:

• Article 33 of the Wpg
• Article 6:5 of the Dutch Police Data Decree
• the Regulations on periodic audits of police data.

Requirements for Wpg audit

For you as an organisation, the following requirements, among others, apply for a Wpg audit:

• The audit must be about how the processing of police data has been organised, the measures and procedures applicable to this processing, and the effect of these measures and procedures.
• The parties conducting the Wpg audit are obliged to keep the personal data provided to them secret.
• The external auditor must be independent and meet the requirements set by the Regulations on periodic audits of police data with regard to working method, expertise and reliability.
•  You have to send the results of the external Wpg audit (the audit report) to the Dutch Data Protection Authority (Dutch DPA).
• Does the external Wpg audit show that you do not (fully) meet the requirements of the Wpg? Then you will have to draw up an improvement plan for the parts that do not meet the requirements set. Next, you must have a subsequent audit conducted within 1 year. You do not have to send the improvement plan to the Dutch DPA. You do have to send the results of the subsequent audit, though.

Note: The implementation and application of these rules are your own responsibility. The Dutch DPA cannot give an opinion or provide advice about this.

The Dutch DPA is unable to do this, because it requires an assessment of your specific situation with all facts, circumstances and interests. And it is not the Dutch DPA that has the best insight into this, but you as the controller.

Role of the DPO in Wpg audit

You are not allowed to have the Wpg audits conducted by your Data Protection Officer (DPO). The task of the DPO is to exercise supervision of compliance with the Wpg in your organisation. This includes the audits. This is why the DPO cannot conduct the audits themselves.

You are allowed to involve the DPO in the performance of the audits, because it is the task of the DPO to inform and advise you about compliance with the Wpg. 

Wpg audit obligation for employers of special investigating officers

Special investigating officers who process personal data for their investigative tasks are subject to the Wpg. This means that the Wpg audit obligation also applies for employers of special investigating officers.

As the employer of special investigating officers, you are the controller. The Wpg audit obligation also applies if you are a private organisation that employs special investigating officers. This means that you have to conduct an internal Wpg audit every year and have an external Wpg audit conducted every 4 years.
 

Note: Do you hire special investigating officers? Or is there a partnership? In that case, too, you are responsible for what the special investigating officers do on your instructions. Depending on the specific situation, the supplying party or the partnership may conduct an audit or have an audit conducted, while you, as the hiring or collaborating party, assume responsibility for the results. After all, the results may be a reason to modify agreements.

Time for external Wpg audits for special investigating officers

Under the Wpg, you as an employer of special investigating officers must have the first external audit conducted 2 years after the audit obligation entered into force. As from 1 January 2019 (entry into force of the new Wpg), that audit obligation took effect for (the employers of) special investigating officers.

You were therefore obliged to have the first external Wpg audit conducted in 2021. And after that, you have to do this once every 4 years. This means that you must have the next external Wpg audit conducted in 2025 (on the state of affairs in 2024).

Audit report template

Do you want to compare the results of your audit with those of others? And with the audits that you conduct yourself in the future? Then using a template is handy. You can, for example, use the template of NOREA, the professional organisation of IT auditors, for this purpose. See for this: Handreiking Privacy audit Wet politiegegevens (Wpg) voor Boa’s on the website of NOREA (in Dutch).

Submission of external Wpg audit report to the Dutch DPA

You submit the report of the external Wpol audit digitally through: 
wpg-audit@autoriteitpersoonsgegevens.nl. Pay attention to the following points:

• Remove names of persons from the document. After you have done this, it not necessary for you to send the document in an encrypted form.
• Choose a legible file format, preferably pdf/A.
• Make sure that the size of the file is not bigger than a few MBs.

After sending the file, you receive an automatic confirmation of receipt. Always keep a copy of the external audit reports submitted by you for your own records.

You will not receive an individual response from the Dutch DPA to your audit report. The Dutch DPA registers the Wpg audit reports submitted. In doing so, the Dutch DPA checks whether you meet your statutory obligation to send the audit report to the Dutch DPA. 

In addition, the Dutch DPA uses the audit reports received as general input for the supervision of the Dutch DPA. For example, for checking whether more information is necessary about certain topics.

Follow-up to external Wpg audit

For the rest, you do not have to take any action towards the Dutch DPA. Of course, you have to give an appropriate follow-up to the external Wpg audit by drawing up improvement plans and having subsequent audits conducted.

Note: Do you have to draw up an improvement plan after the external Wpg audit? And have a subsequent audit conducted within 1 year? Then you have to send the results of your subsequent audit to the Dutch DPA. 

You do not have to send your improvement plan to the Dutch DPA. The same applies for reports of internal Wpg audits.