Can the police request data from companies?

By Reqport4 min read
Illustration of an official data request arriving at a small business on a laptop, with an orange accent on the incoming document.

Across the EU the police regularly ask companies to hand over data. But being asked is not the same as being required to hand it over, and handing over customer data is something the GDPR limits. What matters is knowing when you actually have to comply, and when you are even allowed to.

Can the police ask for data?

Yes. When the police or a prosecutor are investigating a crime, they can ask a company for information. But an authority asking is not the same as the company being obliged to answer.

Does the company have to comply?

Not just because the police ask. An ordinary request, even from a prosecutor, does not in itself force a company to hand anything over. To actually require it, the authorities normally need a decision from a court, or they have to seize the data. In some countries a prosecutor can order it directly. Until something like that is in place, a company is allowed to help, but does not have to.

Some businesses are an exception, because the law does require them to hand over data when asked. This usually covers banks and other financial firms, and phone and internet providers. Companies covered by anti-money-laundering rules also have to answer their country's financial-crime unit. Most other businesses have no such standing duty, and hand over data voluntarily if they choose to.From August 2026, the e-Evidence Regulation lets an authority in one EU country send a production order directly to online and communication service providers, such as telecom, hosting, marketplaces, and social networks, in another. It widens who must respond, but it applies to those service providers, not to financial firms. It also only covers certain cross-border cases.

What does the GDPR mean here?

Handing customer data to the police counts as using personal data, so the GDPR applies even when a company is trying to help.

If the law clearly requires the company to hand the data over, that is reason enough. If nothing requires it, the company cannot simply assume it is allowed. It would have to be able to point to a genuine reason for helping and weigh that against the customer's privacy, and it needs to be ready to defend that decision. Whatever the situation, hand over only what was actually asked for, and make sure the request is really from the police. Handing data to someone pretending to be an officer is a serious breach in itself.

What if the data is about a suspected crime?

Some data is about a person's criminal record or offences, and that kind of data is more sensitive and more tightly protected. Not everything the police ask for is like that: basic account details or a list of transactions usually are not, just because an investigator wants them. But when the data really is about crimes a person has committed, a company is much more limited in what it can do with it, and needs clear legal cover. So it is worth being sure what a request is actually about.

Can the company tell the customer?

Often not. Normally a company should be open with customers about how their data is used. That can be held back, but only when the law allows it, or when the request itself comes with a duty to keep it confidential, not simply because the company would rather not say anything. So for each request, the company has to work out whether it is allowed to tell the customer or has to stay quiet.

What if the request comes from outside the EU?

This needs extra care. A demand from an authority outside the EU does not, on its own, give a company the right to hand data over. As a rule it has to go through a formal agreement between countries, and sending data outside the EU comes with its own rules on top. The safest course is to turn down a direct request from a foreign authority and point them to the official channel between governments.

What should a business keep in mind?

Treat a request as a request, not an order, and don't share on reflex just because it's the police.

Before you share, do three things: 1) check the request is real, 2) send only what was asked, and 3) keep a record of what you shared, with whom, and why, since you may have to prove later that you got it right.

Doing this from an inbox is hard, so it helps to have one consistent way of handling every request: a fixed route that verifies who is asking, keeps the data secure, and logs what was shared. That turns a scramble into a routine, and gives you a clean record if anyone ever asks.

---

Reqport replaces manual, unverified workflows for handling authority requests with a purpose-built portal. Each request is verified, encrypted and structured into a trackable case, and recorded with a full audit trail, so a company can show exactly what it disclosed, to whom, and on what basis. See how Reqport works.

---

This article is for informational purposes only and does not constitute legal advice. Many of the obligations described are implemented through national law, which varies by member state. For how they apply to your specific situation, consult qualified legal counsel.

Reqport

Reqport

Reqport is a platform for handling law enforcement and other authority data requests.

LinkedIn

Related articles

What is the e-Evidence Regulation?
Regulation

What is the e-Evidence Regulation?

The EU e-Evidence Regulation lets authorities in one EU country demand user data directly from providers in another. What it requires, who is in scope, and the 18 August 2026 deadline