On 20 November 2025, the Court of Justice of the European Union (‘the Court’ or CJEU) delivered a judgment on the compatibility of a national legislation allowing the police to collect and store biometric and genetic data of suspects or accused persons with several provisions of the Law Enforcement Directive (Directive 2016/680 or LED).
- Facts and proceedings of the case
At national level, a Czech public official (JH) was accused and then convicted of breach of trust and misconduct in public office. As a Deputy Minister, he had used his influence to secure approval of a subsidy for a civil association he knew did not meet the conditions for receiving it. During the criminal proceedings, and in accordance with Paragraph 65 of the Law on the Czech Police (as cited in para. 15, C-57/23), the police collected several samples for future identification purposes: a buccal smear to generate a DNA profile, photographs, and fingerprints. On 8 March 2016, he challenged the collection and storage of his biometric and genetic data as well as the creation of an entry in police databases on the ground that they constituted unlawful interference with his fundamental right to privacy. On 23 June 2022, the Prague City Court (Městský soud v Praze) found the procedures carried out by the police unlawful and requested that the police delete all personal data resulting from those procedures. The Police Directorate (policejní prezidium) appealed the judgment before the Czech Supreme Court (Nejvyšší správní soud), which referred the case to the CJEU and asked three questions on the interpretation of the LED.
- The Court’s ruling
The CJEU started by answering the third question relating to the concept of ‘Member State law’ to determine whether case-law interpreting the conditions for the collection, storage and erasure of the data can be considered as ‘Member State law’ within the meaning of Article 8 of the LED [lawfulness of processing]and Article 10 of the LED [rules for the processing of sensitive data].
2.1 Notion of ‘Member State law’
The police collected JH’s biometric and genetic data in accordance with Paragraph 65 of the Law on Czech Police. While the law allows the police to collect various samples, it does not specify the conditions for collecting, storing and erasing the collected data. However, case law of administrative courts supplements the law by providing elements that the police must take into account, e.g., the type of criminal offence, the personality of the perpetrator, and the time elapsed between the criminal offence at stake and other offences. But does case law qualify as Member State law?
The Court recalled that any limitations to fundamental rights as provided for in Article 52 of the Charter, such as limitations to Article 8 of the Charter (fundamental right of data protection), must be provided by law. While the law defines the scope of the limitation, it can be formulated in broad terms ‘to adapt to different scenarios’ over time. And, national courts can interpret the ‘actual scope of that limitation’ if they take into account the wording of the law, its general scheme, and the objectives of the limitation (based on an analogy with Case C-817/19, para. 114). Article 8 of the LED requires a legal basis for processing, which specifies the objectives and purposes of processing as well as the personal data to be processed. Based on the case law of the European Court of Human Rights, the term ‘law’ must be understood in its substantive sense, i.e., it need not result from a legislative act but must meet certain qualities, i.e., be clear and precise, accessible and foreseeable in its application. As a consequence, a provision of general formulation that lays down the minimum conditions for collection, storage and erasure of biometric and genetic data, as interpreted by national courts’ case law that is accessible and sufficiently foreseeable, qualifies as ‘Member State law’. Thus, the concept of ‘Member State law’ extends to case law under those conditions.
2.2 Indiscriminate (but not systematic) collection of biometric and genetic data
Moving on to the first question relating to the collection of JH’s biometric and genetic data by the Czech Police that happened before the entry into force of the LED, the Court addressed the admissibility of the question before answering it. According to the Court, although the collection of those data occurred before the entry into force of the LED, they were still stored in the Czech police databases after the delay given to Member States to implement the LED rules into their national legislation (i.e., after 6 May 2018). Consequently, as noted by the Advocate General de la Tour, personal data lawfully collected before the entry into force of the LED, but which would be in breach of the LED rules after the transposition deadline, could not be legally stored (para. 34 of his Opinion). Thus, the Court found the question admissible.
On the substance, the question is whether Article 6 [distinction between the different categories of data subject]or Article 4(1)(c) of the LED [data minimisation principle]in conjunction with Article 10 of the LED [rules on the processing of sensitive data]precludes national law that allows the indiscriminate collection of biometric and genetic data of all suspects and accused persons of having committed an intentional criminal offence.
In its reasoning, the Court distinguished the scope of Article 6 of the LED concerning the different categories of data subjects from the obligations that data controllers (i.e. here the police) must follow based on Article 4(1)(c) and Article 10 of the LED. Concerning the first point, the Court explained that, while according to Article 6 of the LED, Member States should ensure that data controllers make a distinction between the data of different categories of data, this obligation is ‘not absolute’ and should be assessed in each individual case and the purpose of processing. Based on information given by the Czech Government to the CJEU, the purpose of the processing did not require such as a distinction.
Second, following Article 4(1)(c) of the LED in conjunction with Article 10 of the LED, Member States should not only comply with the principle of data minimisation but also provide appropriate safeguards for the processing of sensitive data and ensure that their processing is strictly necessary. The strict necessity of processing is assessed in light of its purpose(s). Yet, according to the Court, such processing is ‘regarded as necessary solely in a limited number of cases’ (para.78). Besides, the processing purpose must be distinguished from the processing objectives. While the objectives can be indicated at a high level (i.e., according to the general objectives listed in Article 1(1) of the LED, such as a criminal investigation), the processing purposes are ‘the specific and real aims’ pursued by the processing (para. 81). Assessing the strict necessity of collecting genetic and biometric data of suspects or accused persons of intentional criminal offences implies taking into account various factors, as identified by the Court (e.g., nature and gravity of the presumed offence, link between the offence and other ongoing proceedings, and the individual’s criminal record), and checking the compliance with the principle of data minimisation (paras 84-85). In that regard, and in relation to the use and storage of DNA data, the Court suggested relying ‘exclusively on polymorphisms present in non-coding areas of DNA’, i.e. DNA portions that do not reveal ethnicity or genetic data (para. 86). This suggestion is further discussed in the last section of the blog post.
The Court further clarified that Member States can delegate to competent authorities (here, the police) the assessment of whether the processing of sensitive data is strictly necessary or provide in their national legislation the assessment criteria for the competent authorities. In the case at stake, the Law on the Czech Police grants the police (‘they may’) the right to collect biometric and genetic data from suspects or accused persons. By granting them a right, the law does not allow systematic collection of sensitive data, nor does it breach the principle of data minimisation. Additionally, the national case law sets requirements that the police must comply with before collecting DNA samples. Those requirements include, among others, ‘the criminal history’ and ‘personality of the perpetrator’, as well as the seriousness’ and ‘the specific circumstances of th[e]offence’ leading to the collection of samples (para. 92). Therefore, it is up to the national courts to assess whether the police have carried out the collection of biometric and genetic data in breach of data principles and of the conditions for the processing of sensitive data, respectively under Articles 4 and 10 of the LED. But in doing so, they must be aware that neither the economic nature of the offence nor the collection of biometric and genetic data of the suspect or accused person’s prior to their conviction is sufficient to exclude the strict necessity of the collection as the existence of various risks, such as involvement in other criminal activities or criminal organisation or flight risk, may justify that collection (para. 93).
In conclusion, the Court interpreted Article 6 and 4(1) (c) of the LED in conjunction with Article 10 of the LED as not precluding national legislation permitting the indiscriminate collection of biometric and genetic data of persons accused or suspected of having committed an intentional criminal offence if the processing purposes do not require distinguishing between the two categories of data subjects and the controllers must comply with all data principles and requirements of Articles 4 and 10 of the LED, in accordance with national law and case law.
2.3 Continued storage of biometric and genetic data
Finally, the Court addressed the question concerning the storage of biometric and genetic data, and more specifically, whether Article 4(1)(e) of the LED [storage limitation principle]precludes national legislation that provides that the continued retention of biometric and genetic data is assessed by the police under their internal rules without a maximum retention period being specified in the legislation. The Law on the Czech Police does not set a maximum retention period for the collected biometric and genetic data, but it provides a periodic review to determine the need to retain them. The Court distinguished two issues: the absence of data storage time limits in legislation and the assessment of the continued retention of the collected data on the basis of the police’s internal rules.
Concerning the first issue, the Court reminded that the LED does not impose an obligation to set absolute time limits for data retention. Article 4(1)(e) of the LED provides that personal data should not be kept longer than necessary, while Article 5 of the LED obliges Member States to define appropriate time limits for data erasure or for a periodic review to assess the necessity to store the data. In the case at stake, the Law on the Czech Police provides for a periodic review of data storage every three years (Paragraph 82 (1) of the Law on the Czech Police). The Court specified elements to be considered to assess whether a time limit for review is appropriate. First, the appropriateness is assessed at the time of review. So, if at that time, the stored data are no longer needed, they should be erased; otherwise, the storage is not strictly necessary. Second, despite the set time for the periodic review, the time limit would not be considered appropriate if a change in the ‘criminal status of the data subject’ (such as a dismissal) would not result in an obligation for the police to re-examine the need to store the data within a reasonable period of time (para. 103).
Concerning the second issue, i.e., the need for the continued storage of the biometric and genetic data, the police may use their internal rules to assess the strict necessity of their storage. However, as these rules remain internal and are, thus, not accessible, the police cannot rely on them to demonstrate compliance with their obligations. The non-accessibility of the rules does not render the processing (i.e., storage) unlawful, but the police must establish independently of those internal rules that the continued storage of the biometric and genetic data is strictly necessary (para. 105). The Court left it to the referring Court to check whether the DNA profiles of the persons suspected or accused had to be erased, providing, however some hints about elements that could be taken into account to make this assessment: for instance, the fact that they did not commit any other crimes, that they are no longer accused or suspected or that they are not accused or suspected in other criminal proceedings. It is also left to the national Court to decide, based on the purpose of the storage of biometric and genetic data, whether a three-year time limit for a periodic review is appropriate (paras 107-109).
In conclusion, the Court interpreted the LED provisions as allowing national legislation that permits the continued retention of biometric and genetic data, provided the national legislation lays down an appropriate time limits for a periodic review of the need to store the data and the strict necessity of that storage is assessed at the time of the review.
- Analysis
This judgment is part of a series of recent CJEU decisions interpreting the LED regarding the collection and storage of biometric and genetic data for a law enforcement purpose. These decisions are Case C-205/21 (recording of biometric and genetic data by the police I), followed by Case C-80/23 (recording of biometric and genetic data by the police II) and Case C-118/22 (erasure of biometric and genetic data).
In Case C-57/23, the CJEU clarifies the concept of strict necessity in relation to the collection and storage of sensitive data, namely, biometric and genetic data. The Court builds on previous decisions but also goes further, suggesting what could constitute a less restrictive measure regarding DNA data. Concerning the collection of biometric and genetic data of suspects or accused persons, the Court permits ‘indiscriminate’ collection applicable to suspects and accused persons of intentional criminal offences. However, this indiscriminate collection is not equivalent to a systematic collection, which the Court did not allow in C-205/21 and the subsequent decisions. The difference between the decisions lies in the absence of an obligation for the police to automatically collect biometric and genetic data of suspects and accused persons. The Law on the Czech Police allows the police to collect such data but does not require it. As it grants a right to the police, the Court considered it was not incompatible with the principle of data minimisation.
The Court provides further guidance of what constitutes strictly necessary processing. In Case C-205/21, the Court found that national legislation providing the systematic collection of biometric and genetic data of anyone accused of an intentional crime, and thus leading to indiscriminate and generalised collection, was incompatible with the requirement of strict necessity (paras 128-129, C-205/21). But the Court did not go further. In C-57/23, the Court provides an example of a measure that will pass the test of strict necessity, because it is considered less restrictive on fundamental rights. In relation to genetic data, the Court suggests, as far as it is possible, to rely ‘exclusively on polymorphisms present in non-coding areas of DNA that are not known to provide any information about those persons’ ethnicity or genetic diseases’ (para. 86, C-57/23). While one might welcome the Court’s assessment of the existence of a less restrictive measure, one might wonder on what the Court based the proposal of such a solution. First, this solution comes out of the blue in the decision: the Advocate General did not mention it in his Opinion, and there is no justification for it. Second, what ‘polymorphisms in non-coding areas of DNA’ are, is not common knowledge. In a report on ‘The Regulatory Landscape of Forensic DNA phenotyping in Europe’, the authors show that several Member States restrict the ‘use of DNA analysis to non-coding (understood as non-informative) markers’ (Table 2 of the report). This seems to be the case in Austria, Poland, and Ireland, among others. The report further explains that coding areas of DNA are ‘parts of DNA which encode proteins and which can therefore provide information about an individual’s phenotype (i.e. their observable characteristics)’ (p.11, report). Based on this information, it is understandable that the Court advised extracting only these DNA data, as it seems to limit the amount of information it can reveal about someone. According to Tuazon, the Court has created a ‘separate’ category of ‘genetic’ data for law enforcement use (limited to ‘the purposes of identification or comparison’, in the Court’s decision, para. 86). Tuazon calls this new category of data, ‘genometric’ data’ (‘Genometric Data Enters CJEU Jurisprudence’, 15 January 2026, European Law Blog). However, if, as he analysed, the Court has created a new category of data linked to genetic data, one could wonder whether such an interpretation fits within the definition of genetic data in Article 3(12) of the LED, as a sub-category of genetic data, or whether the Court has created a new category of sensitive data. Yet one could observe that genetic data are protected as sensitive data under the LED (and the GDPR), irrespective of the information they can reveal about ethnicity or health (see Art.10 LED and Art.9(1) GDPR respectively). But while ethnicity and diseases might need to be concealed, one could wonder whether other observable characteristics should also not be concealed (nor extracted). In any case, while the Court provided an example of a possible alternative to conceal part of the genetic information, this solution would require further explanation from the Court.
