Collaborative organizations that structurally share personal data, such as Care and Security Centers and Regional Information and Expertise Centers (RIECs), have to deal with the Data Processing by Collaborative Organizations Act (WGS). Among other things, the law requires the appointment of a "coordinating Data Protection Officer." What exactly does this position entail, and what are the concerns and benefits for collaborating parties? Whitney Naomi van den Brand of L2P explains.
The Data Processing by Collaborative Societies Act (WGS), which came into effect on March 1, 2025, provides a framework for the processing and exchange of personal data within cooperative ventures. The law sets rules for the task, organization and working methods of collaborations such as Care and Safety Houses and Regional Information and Expertise Centers (RIECs). Among other things, the WGS requires the cooperating parties - such as municipalities, police and public prosecutors - to appoint a coordinating Data Protection Officer (FG).
The coordinating FG is a new position aimed at streamlining personal data protection and ensuring the lawfulness of data processing within collaborations. The appointment of a central FG prevents ambiguities about who is responsible for internal privacy oversight in a collaboration, and ensures a unified approach to data protection.
The coordinating FG is responsible for coordination between the FGs of the collaboration participants. In addition, the coordinating FG oversees the partnership's compliance with privacy rules. What does this mean in daily practice?
Article 1.4(2) of the WGS stipulates that one of the FGs of the participating government agencies in a cooperative arrangement appoints a coordinating FG. In many cases, the FG of a (large) municipality will assume this function, in addition to the position as FG of its own organization.
According to the Explanatory Memorandum, the coordinating FG has the same duties as the FG under Article 39 of the General Data Protection Regulation (GDPR). Like the participants' FGs, the coordinating FG is also independent. Moreover, the coordinating FG does not possess any hierarchical authority over the FGs of the participating parties.
Key duties of the coordinating FG are:
- Facilitate structured cooperation and consensus building among the participating FGs on
privacy issues and compliance.
- Coordinate and monitor unambiguous application of measures for the protection of
personal data and privacy within the partnership.
- Act as the central point of contact of the partnership for the Personal Data Authority (AP) and
for the FGs of the participating agencies. The participants' FGs are the first point of contact for the
own organization. The coordinating FG is also the contact person for data subjects who file complaints about the
processing of personal data within the partnership.
- Checking whether data processing operations within the partnership comply with laws and regulations, such as the
AVG and WGS.
- Initiating, preparing and supervising internal and external audits to evaluate the effectiveness of measures for the
protection of personal data. Article 1.18 of the WGS requires the
partnership to conduct a privacy audit every four years to assess compliance with the WGS. The first
audit will take place no later than two years after the WGS comes into force, i.e., in March 2027. This audit is intended
to review the design and results of the measures and procedures taken within the
partnership to ensure compliance with the WGS. The audit should be conducted by an independent
auditor with expertise in the protection of personal data and the operation of partnerships. The
coordinating FG and the legality advisory committee will receive the audit results.
In addition to the coordinating FG, the WGS also introduces two other bodies:
the legality advisory committee and the contact point.
Lawfulness Advisory Committee
The legality advisory committee is (pursuant to Article 1.13 of the WGS) an independent advisory body that oversees the protection of personal data within a partnership. Its members are drawn from the participating organizations and/or external experts.
The committee advises the collaborative on the lawfulness of data processing and on privacy risks. For example, the committee pays attention to new initiatives by the partnership to process personal data.
Contact point
A partnership is obliged to designate a contact point (as described in Article 26(1) of the AVG). The contact point enables data subjects to exercise AVG rights, and regulates the information obligation of the AVG. For example, the contact point publishes the privacy statement on the partnership's website. In addition, the contact point coordinates reports of data breaches.
The contact point is particularly important because in a collaborative arrangement there is joint processing responsibility. By making mutual agreements on the handling of requests and complaints from data subjects, the alliance prevents citizens from having to write to various participating agencies to exercise AVG rights. In addition, a one-stop shop for data breaches reduces the risk that a notification to data subjects and the AP is made too late (i.e. after 72 hours after the incident).
The coordinating FG fulfills a crucial role in the collaborations covered by the WGS. The coordinating FG acts as an intermediary between the FGs of the participating parties, and ensures unambiguous handling of personal data.
The concrete benefits of the coordinating FG to the partnership include:
- More efficient compliance with privacy laws and regulations. The coordinating FG operates as a central
expertise point and prevents conflicting
decisions by the FGs of the collaborative participants.
- Improved governance. The coordinating FG develops a structured process for dealing with
privacy issues within the collaborative, which reduces (legal) risks.
- Clear reporting and accountability. The coordinating FG monitors privacy audits and proposes
improvement measures. The reports lay the foundation for transparency about data processing by
the partnership.
The WGS currently applies to Care and Security Centers, RIECs, the Financial Expertise Center (FEC) and the Infobox Criminal and Unexplained Assets (iCOV). It is possible that a General Administrative Order may also designate other structural collaborations as a collaborative in the sense of the WGS. For example, collaborations engaged in preventing and combating serious forms of crime.
In addition, the mandatory appointment of a coordinating FG is included in the bill for the Data Processing Personalized Approach to Radicalization and Terrorist Activities Act (PARTA Act).
So it is quite possible that more and more government organizations in the Netherlands will soon have to deal with a coordinating FG.
What are the challenges to consider then?
- In many cases, the function of coordinating FG comes on top of the already full agenda of a (municipal) FG.
- Another concern is the potential conflicts of interest between the processing responsibility for the
collaborative and one's own organization. An FG who is also coordinating FG needs a keen eye
to always distinguish the different angles.
If the position is filled well, the coordinating FG contributes to efficient, transparent and lawful processing of personal data within a collaborative. The combination of the appointment of a coordinating FG with the conduct of independent privacy audits and oversight by the lawfulness advisory committee is the success factor here. Indeed, the three forms of oversight provide a robust basis for data processing that does justice to the various aspects of a collaborative venture - from the societal interest to the right to privacy of data subjects.
