EU Court of Justice: the police authorities of a Member State can decide, on the basis of inter-nal rules, whether it is necessary to retain the biometric and genetic data of a person who is being prosecuted or suspected of having committed a crime.

A Czech civil servant was interviewed by the police in criminal proceedings against him. Although he objected, the police ordered his fingerprints to be taken, an oral sample taken from which he derived a genetic profile, photographs and a description of himself. This information has been entered into databases. In 2017, the official was finally convicted, in particular of abuse of power.

In separate proceedings, he challenged the identification measures taken by the police in accordance with Czech law and the retention of the data obtained, considering them to constitute an unlawful interference in his private life. The Czech court upheld the appeal and ordered the police authorities to delete from their databases all personal data resulting from those acts. The Czech police appealed on a point of law against that decision to the Czech Supreme Administrative Court. In that context, that court raised the question of the compatibility of the legal regime established by the Law on the Czech Police with Directive (EU) 2016/680.

It asks, first, whether the case-law of the Czech administrative courts may be classified as 'Member State law'; second, do the requirements laid down by that directive preclude the indiscriminate collection of biometric and genetic data for any person suspected of having committed an intentional crime? and, thirdly, does that directive preclude the retention of biometric and genetic data without an explicit maximum retention period?

In the judgment C-57/23 | Policejní prezidium, the Court of Justice considers that, as regards the collection, retention and erasure of biometric and genetic data, the concept of 'Member State law' refers to a provision of general application setting out the minimum conditions for the collection, retention and erasure of such data, as interpreted by the case-law of the national courts,  provided that such case-law is accessible and sufficiently predictable. Moreover, EU law does not preclude national legislation which allows, without distinction, the collection of biometric and genetic data of any person prosecuted for committing an intentional  offence or suspected of having committed such an offence. The Court does, however, lay down two conditions in that regard: first, the purposes of that collection must not require a distinction to be drawn between those two categories of persons. On the other hand, controllers must be required, in accordance with national law, including the case-law of national courts, to comply with all the specific principles and requirements applicable to the processing of sensitive data.

Finally, the Court holds that EU law allows, under certain conditions, the existence of national legislation under which the need to retain biometric and genetic data is assessed by the police authorities on the basis of national rules. Provided that national legislation sets adequate periods for the regular verification of the need to retain such data and, on the occasion of that review, the strict need to continue such retention is assessed, national legislation does not necessarily have to provide for a maximum retention period.