Personal Data Authority concerned about failure to conduct mandatory Police Data Act audit

June 29th 2022 / in News / by Daisy Brugman

Not every organization is equally advanced with the mandatory Wpg privacy audit. Last week the Dutch Personal Data Authority (AP) reported in a press release that the low number of Wpg privacy audit reports submitted is of great concern to the AP.

Wpg audits are mandatory
The Police Data Act (Wpg) requires employers of boa’s (including municipalities, public transport companies and the Forestry Commission) to have an external audit conducted by a registered IT Auditor (RE) two years after the Wpg entered into force (and every four years thereafter).[1] Annually, employers of boa’s must conduct an internal audit. The report of the external audit must be submitted to the AP. Depending on the organization, the Wpg audit and its follow-up may require a more or less substantial effort. The fact remains that specific attention is required for data processing by public officers.

Employers given one year’s postponement
The results from the external audit and any external re-audit must be shared with the AP. That audit requirement went into effect as of March 9, 2019. Originally, employers of boa’s were required to have the external Wpg audit conducted and submitted for the first time in 2021. The AP cannot change the law. Thus, the Wpg audit must still (at least) see 2019 and 2020. The report may now ‘only’ be submitted later. The audit requirement remains exactly the same. Internal audits must take place annually as of 2019. This does not change that either.

After a year’s postponement, the deadline for submitting Wpg audit reports is December 31, 2022. In order to avoid time constraints for organizations and incomplete reports, the AP is therefore again drawing attention to the obligation and the approaching deadline.

Deliver on time
Failure to comply will risk enforcement action by the regulator.[2] The AP can, without much effort, identify organizations that employ boa’s and have not met their obligations. An administrative order will be at your own expense, so make sure that your organization has conducted the external Wpg audit before 2023, even if your organization does not yet meet all the requirements of the Wpg! Performing an audit does not mean that all deficiencies resulting from the audit must be resolved. The point is that an audit has been performed, not that everything is already ‘green’. It is important to use the results of the audit to set improvements in motion.

More information about the Wpg audit
The professionals at Lex Digitalis have extensive experience with Wpg compliance and are happy to support you in this process. We provided a webinar on June 24, 2021 on the subject and gave practical guidance to public and private organizations who want to make their organization Wpg-proof. Therefore, please contact me today if you would like to know more about what Lex Digitalis can do for you and your organization. You can reach me by phone at 06 43413086 or by email at

[1] Article 33 Wpg, article 6:5 Bpg.
[2] Article 33 paragraph 2 Wpg.