The Data Processing by Partnerships Act (Wet gegevensverwerking door samenwerkingsverbanden, hereinafter: WGS) was adopted last summer and entered into force on 1 March 2025. The purpose of the Act is to regulate data sharing between public and private parties in the fight against subversive crime. The Act provides a solution for organizations that were already cooperating to combat crime but lacked a clear legal framework within which they could responsibly share data. For additional information about the WGS, the criticism of the Act, and Data Processing by Partnerships Decree (BGS, discussed later), I refer you to my first blog on the WGS.
In this second blog on the WGS, I focus specifically on the requirements for participants in a partnership. I explain the existing partnerships, highlight the possibility of establishing new partnerships, and go into more detail about the safeguards that partnerships must observe.
Existing partnerships
At present, there are four existing partnerships that fall under the supervision of the WGS. These are the Financial Expertise Centre (FEC) [1], the Infobox Criminal and Unexplained Assets (iCOV) [2], the Regional Information and Expertise Centres [3], and the Care and Safety Houses [4]. For each partnership, the WGS describes:
-
the purpose of the partnership;
-
the activities that are carried out;
-
the participants involved;>
-
how mutual data exchange is organized;
-
how special categories of personal data and the citizen service number (BSN) are handled;
-
which data are shared within the partnership; and
-
the legal basis for the processing of the data.
For each existing partnership, the Act provides an extensive description of what is permitted and what is not.
Critical note
Although the description of data exchange for each partnership is extensive, it is striking that in some cases very little concrete detail is provided despite the many words used. One of iCOV’s objectives is “to exercise supervision over the proper functioning of the market” [5]. This is a very broad formulation that could, in essence, allow for the monitoring of virtually the entire society. Processing for this purpose is only permitted insofar as it is necessary for the performance of public-law duties and powers of the participants, but this does not sufficiently concretize the purpose. Similar vagueness appears more often and has attracted criticism from the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, hereinafter: AP). The government has taken this criticism into account and incorporated it into the Data Processing by Partnerships Decree (BGS), which serves as an implementation of the WGS.
New partnerships
In addition to the existing partnerships, the WGS also provides the possibility to establish new partnerships. A new partnership must, in the same way as an existing partnership, describe how it is structured, following the list mentioned above. By means of an Executive Degree (Algemene maatregel van bestuur, hereinafter: AMvB), new partnerships may be established to share data for purposes of overriding public interest (in relation to the aforementioned fight against crime) [6].
Critical note
The issue with this approach is that an Executive Degree effectively sidelines both chambers of parliament, as it can in principle be adopted without the involvement of the States General. This point of criticism has also been addressed by the government in the BGS.
What does this mean in practice for your organization?
If your organization is involved, or becomes involved in the future, in a partnership, there are several requirements you must comply with.
Embedding sufficient safeguards in data sharing is the most important element of the partnership. The WGS imposes several mandatory safeguards. For example, access to systems is restricted to designated authorized persons only. This is one of the safeguards already mentioned in the WGS and is explained in detail in the BGS. Authorization is granted only to persons involved in carrying out the data processing, assessing the lawfulness of the processing, or maintaining or supporting the systems. It is mandatory to log all processing activities so that it is clearly recorded which data processing operations have taken place and which persons have had access to the data.
In addition, the WGS and the BGS require that purpose limitation and the necessity of processing are clearly documented. This must be done by means of a clear data-sharing request that specifies which data need to be shared. Furthermore, data sharing must be secured by implementing appropriate organizational measures. The request must also be assessed for factual accuracy.
Lawfulness advisory committee and the DPO
It is mandatory to establish a lawfulness advisory committee within the partnership. This committee assesses the lawfulness of the processing activities and, where necessary, proposes changes to ensure that data processing is carried out lawfully.
The partnership must also appoint a coordinating Data Protection Officer (DPO). This DPO, designated by one of the participating public authorities, is responsible for facilitating cooperation between the DPOs of the participants. For your organization, this means it is essential to appoint a DPO (if this role has not yet been fulfilled) who collaborates with the coordinating DPO and the other DPOs of the public authorities and companies involved in the partnership.
Conclusion
At this stage, the impact of the WGS and the BGS is not easy to predict. The stated objective, creating a clear legal basis for data sharing for the four existing partnerships, has been achieved. The built-in safeguards are intended to ensure that data can be shared safely and responsibly between public and private parties. With clear task definitions and a requirement to assess factual accuracy, the WGS and the BGS together aim to enable partnerships to better combat subversive crime. Although grey areas remain that require strict oversight, the WGS, supplemented by the BGS, forms a solid bridge between government and businesses in the field of targeted data sharing.
Would you like to specialize as a Data Protection Officer (DPO)? Then follow our practical training programme.
[1] WGS Par. 2.1
[2] WGS Par. 2.2
[3] WGS Par. 2.3
[4] WGS Par. 2.4
[5] WGS Art. 2.10
[6] WGS Art. 3.1
