As of March 2025, more than 600 boa employers are required to conduct an external audit and provide the results to the Personal Data Authority (AP). This obligation follows from the Police Data Act (Wpg). The AP oversees this. It concerns boa employers such as municipalities, transportation companies or nature managers. Boa employers have until March 2026 to provide the results of the four-yearly external audit.
Registrations by boas (special investigating officers) can have a deep impact on a person's privacy. Boas, as investigating officers, can make an official report, which in criminal law has special probative value. This information can be used for police duties, among other things. A registration by a Boa can have an impact on a person for many years. The information may be included in a personal file or used for an application for a Certificate of Good Conduct (VOG). Incorrect information or careless handling of it must be prevented.
Audits are an important tool for internal oversight within an organization. By conducting the audit properly and on time, it helps boa employers process personal data properly. The AP encourages internal supervision by overseeing the audit requirement.
The AP emphasizes that the (timely) delivery of a report is a mandatory part of the audit cycle of the Wpg. Conducting audits both internally annually and externally once every four years provides the boa employer with essential information to improve the internal organization of personal data. If the result is unsatisfactory, the law requires an organization to prepare an improvement plan and have it reassessed on these points within one year. By submitting these documents, the AP can conduct effective oversight, including providing guidance and identifying bottlenecks.
Organizations are responsible for checking whether they are subject to the audit requirement. On the AP's website, you can find answers to frequently asked questions.
To avoid time constraints and inaccurate or incomplete reports, the AP reiterates the delivery requirement and the approaching due date. The AP must receive your report between March 1, 2025 and March 1, 2026. The AP will not grant a delay. For the audit cycle, the AP relies on the detailed overview of the audit cycle in the Handreiking Privacy audit Wpg voor boa's from NOREA.
Are you not complying with the obligation to provide information? If so, this may be grounds for the AP to use enforcement powers.
Want to know in which cases an audit is mandatory and what requirements are involved? View the answers to frequently asked questions on the AP's website. The AP is not available to discuss with individual parties whether your organization is subject to the audit requirement. If in doubt, consult a similar organization, trade association or (external) advisor.
