What you need to know.    

The police may ask your company to disclose personal data. For example, they might request that you send them such data on one of your employees in the context of an investigation, or hand over a list of persons who attended an event of yours in order to conduct a background check. Since it is clear that the GDPR cannot impede the police from doing their duty and such requests usually have a basis in the national legislation, your company will almost certainly have to cooperate.

The GDPR provides that, in the context of such requests, the police are to be regarded as a third party, meaning that they will escape from the application of the GDPR provisions. As a result, while the police can demand that certain data be transferred to them, they usually will not sign an agreement with your company regarding the processing of the transferred data.

However, it is important to note that the so-called Police Directive entered into force together with the GDPR. This EU Directive sets out the rules for the processing of data by police authorities and should provide the necessary assurances that the data disclosed to the police will be dealt with properly, even without the conclusion of a specific processing agreement.

What you need to do. 

In accordance with the GDPR, many national legislatures have adopted rules restricting the rights of data subjects within the context of the processing of their data for the prevention, investigation and detection of criminal offences. Therefore, if your company receives a data request from the police, it is important to obtain confirmation from them that the request is part of the prevention, investigation or detection of a criminal offence (in so far as this was not immediately clear). In particular, although under the GDPR your company normally has to provide the data subjects with certain information, thus necessarily making them aware of the data transfer, national law might lift such an information obligation when a transfer in the context of a police investigation is involved.

Secondly, it is important to note that requests for data made by the police can be very broadly formulated. It is your company’s duty not to disclose more data than necessary to the police. Therefore, your company should engage in a discussion with them regarding what data is truly necessary for the prevention, investigation or detection of the criminal offence.    

Lastly, specific thought needs to be devoted to the manner in which your company will make the requested data available to the police. This is preferably done in a way that excludes any possibility of this data being modified by the police. In addition, should your company give the police access to a system or database containing the requested information, this access should not be granted for any longer than is necessary for the police to perform the action for which they requested the data.