May the police retain your DNA and fingerprints indefinitely when a crime is suspected?

The processing of sensitive personal data, such as DNA and fingerprints, by police departments balances on the line between effective law enforcement and citizen privacy. In a ruling 20 November 2025, the Court of Justice of the European Union (CJEU) ruled that the police may collect and store biometric and genetic data from suspects of intentional crimes without a legally established maximum period, provided that a periodic review is carried out to determine whether storage is still strictly necessary.

The facts and context of the case

This ruling stems from a case in the Czech Republic in which an individual (hereinafter ‘JH’) was suspected of corruption and economic crimes. During the investigation, despite JH's resistance, the police took fingerprints and DNA samples to identify him and include him in police databases.

JH challenged this in the national court. He argued that the collection of this sensitive data was disproportionate, given that he was only suspected of an economic crime without violence, he had no criminal record, and the likelihood of recidivism was considered low. Moreover, he argued that the police kept this data indefinitely with no clear legal limit.

The Czech Supreme Administrative Court thereupon submitted preliminary questions to the European Court on the interpretation of Directive (EU) 2016/680 (the Police and Justice Data Protection Directive).

The ruling: the rules around biometric data

The Court of Justice's ruling clarifies three crucial points for police practice and the rights of suspects:

1. Collection when intentional crimes are suspected

Police may collect biometric and genetic data from any person suspected or accused of having intentionally committed a criminal offense. The legislation is not required to make strict distinctions between different categories of suspects in advance, as long as the purposes of the collection do not require such distinctions.

2. No hard end date, but periodic review

Article 4(1)(e) of Directive 2016/680 does not oppose a regime where there is no absolute maximum period of storage. However, storage should not be unlimited without control. There should be a regime that sets appropriate time limits for periodic review. During this review it should be assessed whether extension of storage is still strictly necessary.

3. Internal rules and case law as legal basis

The assessment of the necessity of storage may be based on internal rules of the police, as long as these rules oblige the police to respect ‘strict necessity. Moreover, the Court ruled that the concept of ’member state law‘ (the legal basis for data processing) may also be formed by case law, provided it is accessible and foreseeable and establishes the minimum conditions for processing.

Legal analysis and interpretation

This ruling clarifies the application of Directive 2016/680, which was transposed in Belgium in Title 2 of the Personal Data Processing Act.

The criterion of “strict necessity”

The Court emphasizes that special categories of personal data (such as DNA and fingerprints) are subject to heightened protection. Processing is allowed only when strictly necessary. This is a stricter test than for ‘ordinary’ personal data. The police must consider specific factors when assessing this necessity, such as:

• The nature and seriousness of the offense.
• The specific circumstances of the crime.
• The person's judicial record and personal profile.

Even in economic crimes, the collection of DNA may be strictly necessary, for example to investigate possible links to criminal organizations or deter flight risks.

In Belgium, the processing of genetic and biometric data for unique identification is already subject to the requirement of strict necessity (Article 34 Personal Data Processing Act).

The role of jurisprudence as law

Notable is the confirmation that ‘member state law’ includes not only formal legislation, but also settled case law. This is relevant for legal certainty. If legislation (such as the Czech Police Act in this case) is general, case law can fill in the required details and safeguards to meet the requirement of foreseeability.

Internal police rules

That the police may rely on internal rules for evaluating retention periods appears, at first glance, to reduce legal protection because these rules are often not publicly available. However, the Court nuances this: while these rules cannot serve as public proof of compliance, they do not automatically invalidate the processing. Crucially, a judge should always be able to test retrospectively whether the police respected strict necessity in a concrete case.

However, the Personal Data Processing Act (Article 30) seems to set a higher threshold here by requiring that the maximum period be established by a law or decree, and not merely by internal police instructions. Even if the law provides for a system of “periodic review” (to see if retention is still necessary), the Data Processing Act still requires that a final maximum retention period be provided for.

What this specifically means

This ruling has direct implications for defendants, convicts and attorneys in criminal cases.

• For the suspect: You cannot oppose the collection of DNA or fingerprints simply because it is for a ‘lighter’ or non-violent crime (such as fraud). If the police can justify that it is strictly necessary for the investigation (for example, to rule out connections to other facts), the collection is lawful.
• For the defense (attorneys): The focus shifts from contesting the taking to monitoring retention. Attorneys must verify that the maximum retention period has not been exceeded. If data is retained for years without reviewing whether it is still necessary (for example, after an acquittal or after a long time without recidivism), the retention violates Union law.
• Right to erasure: If a periodic review reveals that storage is no longer strictly necessary, the data must be erased. Citizens have the right to request access or erasure through the Supervisory Body for Police Information if the ‘strict necessity’ can no longer be justified.

Frequently Asked Questions (FAQ)

Can the Belgian police keep my DNA forever?
No. Article 30 of the Personal Data Processing Act requires that a maximum retention period be established by law. After this period, the data must be deleted .

Where can I file a complaint about police records?
Complaints about the processing of personal data by police departments should be addressed to the Supervisory Body for Police Information, and not to the Data Protection Authority .

Does DNA collection also apply to minor crimes?
Yes, the police may collect biometric data when suspecting criminal offenses, provided it is strictly necessaryk is for the investigation. The law does not make an exclusive distinction based on the severity of the crime, but proportionality must always be ensured.

Conclusion

The November 20, 2025 ruling confirms that the fight against crime justifies the collection of sensitive personal data, even for non-violent acts. However, the police do not get a blank check: the principle of strict necessity and the obligation of periodic evaluation are the essential safeguards against arbitrary and eternal storage of your biometric data.

With Title 2 of the Law of 30 July 2018, Belgium has a robust legal framework that meets European requirements. While the police have broad powers to collect biometric data in the fight against crime, this is constrained by the requirement of strict necessity and the obligation of pre-detention. It is up to suspects and their counsel to be vigilant that these limits are not exceeded in practice.