Departing from Retention Periods Because of Cold Cases?
Do cold cases justify retaining police data for longer than legally prescribed? According to the Council of State, this situation should be brought to an end as soon as possible.
What Are Cold Cases?
Cold cases are unresolved serious crimes. These include homicide (murder or manslaughter) or other very serious offences punishable by a minimum prison sentence of 12 years. When a cold case remains unsolved for many years, it is understandable that the police may have an interest in data going back decades. Somewhere in that data may lie the crucial clue needed to solve the case.
Guidance from the Council of State
Nevertheless, on 10 March 2025, the Advisory Division of the Council of State published guidance rejecting the indefinite retention of police data in connection with cold cases.
This guidance was prompted by a question from former Minister of Justice and Security, Ferdinand Grapperhaus. He asked what conditions apply to retaining data collected by the police in the course of their daily duties for several decades. What led up to this?
In 2019, Grapperhaus informed the House of Representatives that, according to the Chief of Police, the current retention periods under the Dutch Police Data Act (Wet politiegegevens, “Wpg”) are too short for cold case investigations. Specifically, this concerned “Article 8 police data”, such as records of neighbour disputes, reports by community police officers about routine patrols, or the handling of traffic incidents. These are police data relating to individuals who are not suspected of a criminal offence.
According to Grapperhaus, it would be better “to accept this imperfection in compliance with the law and to settle for the measures taken by the Chief of Police to limit access to the data to what is strictly necessary.” He thereby allowed the police not to install software that would automatically delete data. The Chief of Police stated that it is impossible to determine in advance which information should be retained.
As a result, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) also requested clarification from the police. Why were the data of millions of people being retained? Ultimately, in March, the Council of State provided a clear answer: the indefinite retention of this information is, in short, not necessary. Concrete figures demonstrating the use of this data in solving cold cases are lacking, and retaining such data can have far-reaching consequences.
Retention Periods Under the Wpg
It is now clear that retention periods under the Wpg cannot simply be set aside. But how exactly do retention periods and the processing of police data work? This is relevant not only for the police, but also for special investigating officers (buitengewoon opsporingsambtenaren, “BOAs”) who process data in their role as investigating officers. When BOAs act in a supervisory capacity, the GDPR applies.
The Daily Police Task
Police data processed in the context of routine police work fall under Article 8 Wpg. Examples include registering a report of neighbourhood nuisance or drafting an official report following an incident. These data may be freely used within the police organisation during the first year, without requiring an additional decision.
After this first year, Article 8 police data remain available for four years for automated comparison with other police data, or for combined processing to determine whether connections exist between datasets. Article 8 police data may remain available for up to five years after the start of processing, unless they are no longer needed earlier for the original purpose. In that case, they must be removed, meaning they are no longer accessible for use. After the retention period expires, the data must be destroyed, meaning they are irreversibly erased.
After the initial processing, a total period of ten years applies, after which the data must be destroyed. In the cold case debate, the issue was precisely the omission of this ten-year destruction requirement.
An exception to this retention period is possible. If Article 8 police data are necessary for other police tasks, the data may be further processed under Article 9 or 10 Wpg. In that case, the retention regime of Article 8 no longer applies.
What If Data Are Needed for Longer?
Unlike Article 8 police data, Article 9 and 10 police data relate to concrete investigations into criminal offences.
Criminal Investigations and Exploratory Investigations: Article 9 Police Data
Article 9 police data are intended for criminal investigations or exploratory inquiries. Examples include collecting CCTV footage, witness statements, or observation data where there is suspicion of a criminal offence. When these data are no longer necessary for the purpose of the investigation, they must be removed. The purpose of the investigation should be documented within one week.
The purpose is in any event considered achieved once prosecution follows an investigation and a court has rendered a judgment. In unresolved cases, data remain “necessary for the purpose of the investigation” until the offence becomes time-barred. Article 9 police data in unsolved cases, such as cold cases, may therefore remain available for as long as the offence is not time-barred. There is no statute of limitations for homicide, meaning that in practice these data may be retained indefinitely.
Consider, for example, investigations from the 1990s in which new DNA techniques are applied. Old observation data or witness statements may then regain value.
Reuse of Article 9 police data is also possible after the purpose has been achieved. An authorised official may share Article 9 police data for use in other investigations for a period of six months.
Threat Assessment and Security Intelligence
The purpose of Article 10 police data is to establish an intelligence position regarding serious crime. Examples include involvement in serious criminal offences or acts posing a serious threat to the rule of law, a serious disturbance of public order, or offences punishable by eight years’ imprisonment or more. This includes signals of radicalisation, criminal networks, or threats of terrorist offences. Such information does not always immediately lead to a criminal case, but it does affect public safety.
Article 10 police data must be removed no later than five years after the date of the last processing activity, and earlier if they are no longer necessary for the purpose of processing. In consultation with an authorised official, these data may be used, among other things, for further processing for investigations as described in Articles 8 or 9 Wpg.
Combined Processing for Support Purposes
Article 13 Wpg provides the option to further process data processed under Articles 8, 9, or 10 Wpg if they are needed to support the execution of police tasks. It is possible for data to be processed simultaneously under multiple articles.
The retention period for such data depends on the period determined by the data controller in an Article 13 protocol. In this protocol, the police or a BOA records, among other things, access rights, which data are processed, and for how long. After the specified processing period, the data must not be removed but destroyed.
Article 14 Wpg
Article 14 Wpg provides the legal basis for the destruction period applicable to removed Article 8 or 9 police data. This period is set at five years, with a view to handling complaints and ensuring accountability, such as audits and inspections by the Dutch Data Protection Authority. In addition, police data within this five-year period may be used for scientific research and statistical purposes.
Practice: Why This Really Matters
The lesson from recent decisions, such as those of the Council of State, is clear: retention periods are not a paper tiger. As a data controller, whether you are the police or a private employer of BOAs, you must have your data management in order. Know where your data are stored, in which systems, how long they are retained, and how you ensure they are removed and destroyed on time.
A Wpg audit assesses whether this is actually the case in practice: are employees aware of the correct retention periods? Are processes in place for automatic or manual deletion? Is there oversight of compliance? These questions are becoming increasingly urgent. The police are now advocating for longer retention periods in light of cold cases, periods of up to 75 years have even been mentioned. Whether that is legally sustainable remains highly questionable.
Ultimately, everything comes down to a fundamental tension: the interests of criminal investigation versus the interests of citizens. Solving cold cases is important. But so is preventing unjustified registration, misuse of data, or damage to a person’s reputation. Especially since data from police files can still have an impact many years later, for example as evidence in criminal proceedings.
Anyone who works with police data therefore carries a great responsibility, not only technical and legal, but also moral.
Do You Work with Police Data?
Then make sure you not only know the rules but also apply them. Take retention periods seriously, set up your processes properly, and avoid unpleasant surprises during audits or complaints. Do you have questions or want to be sure your organisation complies with the Wpg? Contact us.
