Slowly but surely, organizations are getting used to the AVG. In addition, organizations employing special investigating officers must comply with the Police Data Act. This means quite a lot. What is expected of them and how can they and their employers comply with this law?
First, here are the changes. The General Data Protection Regulation (AVG) applies to the processing of personal data, but not to the processing of personal data relating to the prevention, detection or prosecution of criminal offenses. These 'police data' fall under a separate regime: the Police Data Act (Wpg). Since 2008, the Wpg has already applied to the police, the National Criminal Investigation Department and the Royal Netherlands Military Constabulary. Since 2009, the law has also applied to special investigation services such as the FIOD and the Intelligence and Investigation Service of the Ministry of Infrastructure and Water Management (ILT-IOD). The European Directive dealing with investigation, which came into being at the same time as the AVG, has resulted in a number of changes in the Wpg. The most important change for the Netherlands, is the fact that the Wpg now also applies to the BOA. This has been further elaborated in the"BOA Decree" that has been in effect since March 9, 2019. This decree stipulates, among other things, which articles from the Wpg and the Police Data Decree are declared applicable by analogy to data processing by the BOA.
All organizations where BOAs work, such as municipalities and environmental services, but also private law organizations, must adapt their work processes and systems in accordance with the Police Data Act. In the Extraordinary Investigating Officer Decree, the BOA's employer is designated as the data controller. So this means you have to get to work. Municipal enforcers, parking inspectors, environmental inspectors, compulsory education officers, ov enforcement officers and social investigators: in addition to their investigative powers, they also have a supervisory task. These two different hats result in them processing data under both the AVG and the Wpg: another touch more complicated, in other words.
For BOAs, the law mainly affects how they account for their work: in which systems do they work and with whom are they allowed to share data, when do they work under the AVG and when under the Wpg? The Wpg is more specific than the AVG: different time limits apply, you may use data once collected for other purposes, and you may collect and further process data without the data subject's consent. The six processing bases of the AVG do not appear in the Wpg. In the Wpg, for example, we talk about "data processed for the performance of daily police duties," also known as Article 8 data. For the BOA, especially article 8-, 9,- and 13-data are relevant. By labeling these, it is possible to handle the data appropriately when it comes to timely deletion and destruction, sharing with partners and shielding data. Moreover, because the BOA has two different hats, it is necessary to label police data so that it can be distinguished from AVG data and only people with investigative authority can access it.
Suzanna Franken is the instructor of the one-day course Privacy Law in Detection: the Wpg for BOAs.
The course is intended for privacy experts from all public and private organizations where BOAs are employed. Think privacy consultants, lawyers, Chief information security officers and, of course, Data Protection Officers. The course is also open to HR and ICT managers tasked with making the work environment in organizations where BOAs work compliant.
