In this contribution, we provide insight into the complex interplay between criminal procedure law and data protection law when it comes to regulating police use of facial recognition technology. By analysing the Dutch ‘Police Deployment Framework for Facial Recognition Technology’, we show that data protection law and criminal procedure do not interact with each other to a sufficient degree in relation to facial recognition technology. We identify several barriers standing in the way of their cooperation, resulting in notable gaps in the system of checks and balances: (1) a different underlying mindset (maximum versus minimum use of data); (2) a different assessment of the required legal basis (proportionality versus strict necessity); and (3) an ineffective web of supervision. We suggest several ideas for filling these gaps and bridging the disconnection: following the approach in existing Dutch law used for the processing of ANPR and DNA data, encoding the less ‘muddy’ rules of data protection law into digital technology itself, and further research on the feasibility of effective supervision by the Dutch Data Protection Authority. Our contribution shows that in order to properly regulate facial recognition technology, scholars need to look beyond the edges of their own fields of law.