EUROPEAN COMMISSION

Brussels, 29.6.2017

COM(2017) 344 final

2017/0144(COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

establishing a centralised system for the identification of Member States holding conviction information on third country nationals and stateless persons (TCN) to supplement and support the European Criminal Records Information System (ECRIS-TCN system) and amending Regulation (EU) No 1077/2011

{SWD(2017) 248 final}

EXPLANATORY MEMORANDUM

1.CONTEXT OF THE PROPOSAL

·Reasons for and objectives of the proposal

The European Council and the Justice and Home Affairs Council have reiterated at several occasions the importance of improving the existing ECRIS. The improvement of the existing ECRIS with regard to third country nationals is part of a set of coordinated measures spelled out in the European Agenda on Security. 4

To this end, on 19 January 2016, the Commission proposed a Directive (COM(2016) 07 final) aimed at amending Council Framework Decision 2009/315/JHA as regards the ECRIS system and as regards the exchange of information on third country nationals and stateless people (TCN) and replacing Council Decision 2009/316/JHA. 5 However, developments since then have demonstrated that further action is necessary through a supplementary legislative proposal to establish a centralised system for the processing of identity information on TCN. This centralised system will allow the Member State's authorities to identify which other Member States hold criminal records on the TCN concerned, so that they can then use the existing ECRIS sytem to address requests for conviction information only to these Member States. These developments can be summarised as follows.

Firstly, further horrific terrorist attacks in European cities have led to security issues becoming even more prominent. The political stance regarding systematic use of fingerprints for secure identification and generally the attitude towards data sharing and security has changed 6 , focussing on effectiveness and efficiency and the need to exploit synergies between different European information exchange systems. The creation of a centralised ECRIS-TCN system containing both fingerprints and other identity information can support this approach, since it would make it possible to create a shared biometric matching service and a common identity repository for the interoperability of information systems, if so decided by the legislators in the future. A decentralised solution would not create the same opportunities for future synergies.

Secondly, the Communication "Stronger and Smarter Information Systems for Borders and Security" 7 contains concrete and practical suggestions to further develop existing tools, but also concrete suggestions and ideas on new forms of interoperability. The Commission calls for more efficiency and interoperability of existing European databases and electronic information exchange systems, including an ECRIS-TCN system. The work to follow up on the Communication was led by the High Level Expert Group on Interoperability 8 , and the ECRIS-TCN system proposed here is one of the systems that is part of this interoperability initiative. Such interoperability would not be possible if a decentralised solution as proposed in January 2016 would have been pursued.

Thirdly, over the course of 2016 it has become clear that the decentralised system proposed in January 2016 poses technical problems, notably with respect to decentralised exchanges of pseudonymised fingerprints. Such technical problems do not exist for a centralised system, considering that the fingerprints would only be collected in one database, under the management of eu-LISA, and supervised by the European Data Protection Supervisor.

Adoption of a new ECRIS-TCN Regulation to better protect the security of our citizens is one of the legislative priorities included in the Joint Declaration of the Commission, the Council and the European Parliament on the EU's legislative priorities for 2017, which mentions ECRIS specifically.

·Consistency with existing policy provisions in the policy area

·Consistency with other Union policies

·the systems can be searched simultaneously using a European search portal, in full compliance with purpose limitations and access rights, to make better use of existing information systems, possibly with more streamlined rules for law enforcement access;

·the systems use one shared biometric matching service to enable searches across different information systems holding biometric data, possibly with hit/no-hit flags indicating the connection with related biometric data found in another system;

·the systems share a common identity repository with alphanumeric identity data, to detect if a person is registered under multiple identities in different databases.

2.LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

·Legal basis

The proposed legal instrument is a Regulation based on Article 82(1)(d) of the Treaty on the Functioning of the European Union. Article 82(1)(d) is the legal basis for the Union’s right to act in the field of judicial cooperation in criminal matters to facilitate cooperation between judicial or equivalent authorities of the Member States in relation to proceedings in criminal matters and the enforcement of decisions. The proposed action falls squarely within this area and supplements existing relevant EU legislation.

·Subsidiarity (for non-exclusive competence)

·Proportionality

·Choice of the instrument

3.RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

·Ex-post evaluations/fitness checks of existing legislation

·Stakeholder consultations

During the same Expert meeting the Commission also consulted the Member States on the possible repercussions of the work of the High Level Expert Group on Information Systems and Interoperability on the legislation underway. According to the Member States the emphasis should lie on quickly creating the ECRIS-TCN system. Whilst the other concepts were interesting, and the system should be designed to take possible future interconnections into consideration, the Member States confirmed that the one element which they could immediately support would be the use of a shared biometric matching service. In addition, Member States indicated that the possibility to store facial images should be created from the start, so that at a later stage facial recognition software could be deployed for even more effective identification.  

·Collection and use of expertise

In addition to the studies and data used in the preparation of the 2016 proposal, a study on the feasibility/cost assessment of using fingerprints 14 was commissioned in March 2016. Also, a complementing study on the costs impacts of a centralised option including fingerprints allowed for solid assessment of the chosen scenario, as well as reflections on the possible use of the shared biometric matching system and the future proofing of the centralised system for interoperability. 15

·Impact assessment

·Fundamental rights

4.BUDGETARY IMPLICATIONS

The financial envelope foreseen for the implementation of the Regulation for the EU is €13.002.000 as far as the one-off costs are concerned. The proposed envelope is compatible with the current Multi-annual Financial Framework and costs will be met through the Justice programme for the period 2018-2020. From 2021 onwards, the cost will be reduced and stabilise to cover maintenance activities. Further details are provided in the legislative financial statement accompanying this proposal. The Commission envisages entrusting the implementation and the maintenance of the ECRIS TCN system to eu-LISA. The execution of the activities will require additional human resources for eu-LISA. Five contract agents will be recruited as from 2018 for the development phase

5.OTHER ELEMENTS

·Implementation plans and monitoring, evaluation and reporting arrangements

·Detailed explanation of the specific provisions of the proposal

Article 1 sets out the subject matter of the Regulation.

The ECRIS-TCN central system should ensure that the competent authorities can find out quickly and efficiently in which other Member State(s) criminal record information on a third country national is stored.

Article 2 defines the scope of the Regulation. The Regulation applies to processing the identity information of third country nationals, not to the conviction information that is regulated by the Framework Decision 2009/315/JHA, as amended by the Directive proposed by the Commission in 2016. The ECRIS-TCN system should process only the identity information of third country nationals who were subject to final decisions of criminal courts within the European Union in order to obtain information on such previous convictions through the European Criminal Records Information System established by Council Framework Decision 2009/315/JHA.

Article 3 contains a list of definitions for terms used in the Regulation. While some definitions already exist in the relevant acquis, other concepts are defined here for the first time.

A definition of 'third country national' is added to clarify that for the purposes of this Regulation this group of persons includes also stateless persons and persons whose nationality is not known to the convicting Member State. This definition should be the same as the one used in the Framework Decision, as amended by the Directive proposed by the Commission in 2016.

In the context of the application of this Regulation, the ‘competent authorities’ means the central authorities of the Member States, as well as Eurojust, Europol, [and the European Public Prosecutor 's Office.] 17

Article 4 describes the technical architecture of the ECRIS-TCN system. The Communication Infrastructure used should be the secure Trans European Services for Telematics between Administrations (sTESTA) or any further development thereof. The Article also clarifies that the interface software for the new system will be integrated into the existing ECRIS Reference Implementation, in order to create a seamless and convenient user experience.

Article 5 sets an obligation for the convicting Member State to create a data record in the Central ECRIS-TCN System for each convicted TCN as soon as possible after the conviction was entered into the national criminal records register.

The ECRIS-TCN system should contain only the identity information of third country nationals convicted by a criminal court within the European Union. Such identity information should include alphanumeric data, fingerprint data in accordance with Framework Decision 2009/315/JHA as amended by the Directive proposed by the Commission in 2016, and facial images in as far as they are recorded in the national criminal records databases of the Member States.

In order to ensure the maximum effectiveness of the system, this Article also obliges the Member States to create records in the ECRIS-TCN system of 'historical' convictions of third country nationals, i.e. convictions handed down prior to the entry into force of the Regulation. Under Article 25, Member States should complete this process within 24 months after the entry into force of this Regulation. However, Member States should not be obliged to collect information for this purpose which was not already entered into their criminal records prior to the entry into force of the Regulation.

Article 6 addresses the use of facial images. For the moment, facial images included in the ECRIS-TCN system may only be used for the purpose of verification of identification. In the future, it is not excluded that, following the development of the facial recognition software, the facial images might be used for automated biometric matching, provided that the technical requirements to do so have been met.

Article 7 provides for the rules of using of the ECRIS-TCN system in order to identify the Member State(s) holding criminal records information in order to obtain information on such previous convictions through the European Criminal Records Information System established by Council Framework Decision 2009/315/JHA. The purpose limitations included in the Framework Decision as amended by the Directive proposed in 2016 will be applicable to any ensuing exchanges of criminal records information.

It sets up an obligation for the Member States to make use of the ECRIS-TCN system in all cases where they receive a request for information on previous convictions of third country nationals in accordance with national law, and to follow up on any hits with the Member States identified through the ECRIS system. This obligation should concern both requests for information for the purpose of criminal proceedings, as well as for other relevant purposes.

A Member State wishing to identify Member State(s) holding criminal record information on a particular TCN can do so by performing a “hit/no hit” search in the central TCN system using either the alphanumeric data or the fingerprints of that TCN, depending on the availability of such data. In case of a "hit", the name of the Member State(s) which provided the data shall be communicated, together with the reference data, and any associated identity data. This will allow the Member States to make use of the existing ECRIS to verify the identification of the persons concerned before exchanging criminal record information.

A hit indicated by the ECRIS-TCN system should not automatically mean that the third country national concerned was convicted in the indicated Member State(s), nor that the indicated Member State(s) hold criminal record information on that third county national. The existence of previous convictions should only be confirmed based on information received from the criminal records of the Member States concerned.

Article 8 relates to the retention period for data storage.

National provisions on retention of data in criminal records and fingerprint systems vary considerably between the Member States, and this proposal does not aim at harmonising them. The well-established principle of following the retention periods of the convicting Member State is also applicable here in relation to the data transmitted to the Central System. After all, as long as the conviction data are kept in the criminal records of the Member States, they should also be available to be taken into consideration by the authorities of other Member States. This also entails that all data concerning the convicted person should be kept during that period, even if fingerprints which originated from another database than the criminal record would already have been deleted from a national fingerprint database. Conversely, even if fingerprints would continue to be kept at national level, these must be deleted from the Central System if all conviction information is deleted from the national criminal records. The approach is the same here for convictions of TCN as for convictions of EU nationals notified to the Member States of nationality under the Framework Decision.

Article 9 includes obligations for the Member States to verify the accuracy of the data sent to the Central System and to correct them, as well as to amend the data sent to the Central System in case of any subsequent amendment in national criminal records. Again, this follows the logic of the Framework Decision for EU-nationals.

Article 11 entrusts eu-LISA with the task of developing and operationally managing the ECRIS-TCN system, given its experience with managing other large scale centralised systems in the justice and home affairs area. eu-LISA is also entrusted with the task of further developing and maintaining the ECRIS reference implementation in order to ensure the seamless functioning of the ECRIS-TCN system and the ECRIS system as such. The reference implementation provides for the interconnection software currently referred to in Article 3(1)(a) of the ECRIS Council Decision.

Article 12 lists the responsibilities of the Member States in relation to the ECRIS-TCN system. The Member States remain solely responsible for their national criminal records databases.

Article 13 addresses responsibility for the use of data.

Article 14 nominates Eurojust as the contact point for third countries and international organisations which wish to request conviction information on a TCN. The purpose is to avoid third countries and international organisations having to send requests to multiple Member States. Eurojust should not give any information to the requesting third State or international organisation, including any information on the Member State(s) holding the conviction data – it should only inform the Member State(s) concerned in case of a hit. It would be up to the Member States concerned to decide whether or not to contact the third State or international organisation in order to indicate that information on previous convictions of TCN could be provided in accordance with national legislation.

Article 15 grants direct access to the ECRIS-TCN system to Eurojust, Europol, [and the European Public Prosecutor's Office] for the purpose of fulfilling their statutory tasks. However, these competent authorities should not have access to the ECRIS as such in order to request the conviction information itself, but should make use of their established channels with the national authorities to obtain such information. This approach respects the rules established in the statutory instruments for those organisations concerning their contacts with Member States' authorities.

Article 16 lists the responsibilities of the Eurojust, Europol, [and the European Public Prosecutor's Office] in relation to the ECRIS-TCN system.

Article 17 governs the question of data security.

Article 18 concerns the liability of the Member States towards individuals or other Member States for any unlawful processing operation or any act incompatible with this Regulation. Rules on the liability of the Member States in respect to damage arising from such a breach of this Regulation should be laid down at national level.

Article 19 obliges the Member States to monitor the compliance with this Regulation at national level by their designated central authorities. 

Article 20 makes any use of data entered in the ECRIS-TCN system in contravention to this Regulation punishable under national law.  

Article 21 indicates the data controllers and data processor.

Article 29 governs the question of keeping of logs by eu-LISA and the competent authorities.

Article 30 addresses the use of data for reporting and statistics and makes eu-LISA responsible for preparing statistics in relation to the ECRIS-TCN system and the ECRIS reference implementation. It also lays down an obligation on the Member States to provide eu-LISA with the statistics necessary for the preparation of its statistical compilations and analysis, and to provide the Commission with statistics on the number of convicted TCN, as well as the number of TCN convictions on their territory.

Article 31 regulates the costs. Notwithstanding the possibility of using the Union’s financial programmes in accordance with the applicable rules, each Member State should bear its own costs arising from the implementation, administration, use and maintenance of its criminal records database, and from the implementation, administration, use and maintenance of the technical alterations needed to be able to use the ECRIS-TCN system.

Article 32 stipulates the obligation for Member States to notify their central authorities to eu-LISA and for eu-LISA to publish these.

Article 33 stipulates that it is the Commission which will determine the date from which the ECRIS-TCN system is to start operations and enumerates the pre-conditions to be met before the system can go live.

Article 35 concerns the comitology procedure to be used, based on a standard provision.

Article 36 provides that an Advisory Group will be set up by eu-LISA, which will assist in the development and operations of the ECRIS-TCN system and the ECRIS reference implementation.

Article 37 governs the amendments to Regulation (EU) 1077/2011 as regards the new responsibilities and tasks of eu-LISA.

2017/0144 (COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

establishing a centralised system for the identification of Member States holding conviction information on third country nationals and stateless persons (TCN) to supplement and support the European Criminal Records Information System (ECRIS-TCN system) and amending Regulation (EU) No 1077/2011

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty of the Functioning of the European Union, and in particular Article 82(1)(d) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Acting in accordance with the ordinary legislative procedure,

Whereas:

(1)The Union has set itself the objective of offering its citizens an area of freedom, security and justice without internal frontiers, in which the free movement of persons is ensured, in conjunction with appropriate measures to prevent and combat crime.

(2)This objective requires that information on convictions handed down in the Member States be taken into account outside the convicting Member State, both in the course of new criminal proceedings, as laid down in Council Framework Decision 2008/675/JHA 19 , as well as in order to prevent new offences.

(3)This objective presupposes the exchange of information extracted from criminal records between the competent authorities of the Member States. Such an exchange of information is organised and facilitated by the rules set out in Council Framework Decision 2009/315/JHA 20 and by the European Criminal Records Information System (ECRIS) which has been established by Council Decision 2009/316/JHA 21 .

(4)The ECRIS legal framework, however, does not sufficiently cover the particularities of requests concerning third country nationals. Although it is now possible to exchange information on third country nationals through ECRIS, there is no procedure or mechanism in place to do so efficiently.

(5)Information on third country nationals is not gathered within the Union in the Member State of nationality as it is for nationals of Member States, but only stored in the Member States where the convictions have been handed down. A complete overview of the criminal history of a third country national can therefore be ascertained only if such information is requested from all Member States.

(6)Such 'blanket requests' impose an administrative burden on all Member States, including those not holding information on that third country national. In practice, this burden deters Member States from requesting information on third country nationals, and leads to Member States limiting the criminal record information to information stored in their national register.

(7)To improve the situation, a system should be established by which the central authority of a Member State can find out quickly and efficiently in which other Member State(s) criminal record information on a third country national is stored so that the existing ECRIS framework can then be used to request the criminal record information from that Member State or those Member States in accordance with Framework Decision 2009/315/JHA.

(8)This Regulation should therefore lay down rules on creating a centralised system containing personal data at the level of the Union, the division of responsibilities between the Member State and the organisation responsible for its development and maintenance, as well as any specific data protection provisions needed to supplement the existing data protection arrangements and provide for an adequate overall level of data protection and data security. The fundamental rights of the persons concerned should be protected as well.

(9)The European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA) established by Regulation (EU) No 1077/2011 of the European Parliament and of the Council 22 to identify the Member State(s) holding information on previous convictions of third country nationals (ʻECRIS-TCN system’) should be entrusted with the task of developing and operating the new centralised ECRIS-TCN system, given its experience with managing other large scale systems in the area of justice and home affairs. Its mandate should be amended to reflect these new tasks.

(10)Given the need to create close technical links between the ECRIS-TCN system and the current ECRIS system, eu-LISA should also be entrusted with the task of further developing and maintaining the ECRIS reference implementation, and its mandate should be amended to reflect this.

(11)The ECRIS-TCN system should contain only the identity information of third country nationals convicted by a criminal court within the Union. Such identity information should include alphanumeric data, fingerprint data in accordance with Framework Decision 2009/315/JHA, and facial images in as far as they are recorded in the national criminal records databases of the Member States.

(12)In the event that there is a match between data recorded in the Central System and those used for search by a Member State (hit), the identity information against which a 'hit' was recorded is provided together with the hit. That information should only be used to assist in confirming the identity of the third country national concerned. This may include the recording of such data in the national criminal record database of the querying Member States as an alias of the third country national.

(13)In the first instance, facial images included in the ECRIS-TCN system should only be used for the purpose of verifying the identity of a third country national. In the future, it is possible that, following the development of facial recognition software, facial images might be used for automated biometric matching, provided that the technical requirements to do so have been met.

(14)The use of biometrics is necessary as it is the most reliable method of identifying third country nationals within the territory of the Member States, who are often not in possession of documents or any other means of identification, as well as for more reliable matching of third country nationals data.

(15)Member States should create records in the ECRIS-TCN system regarding convicted third country nationals as soon as possible after their conviction was entered into the national criminal record.

(16)Member States should also create records in the ECRIS-TCN system regarding third country nationals convicted prior to the entry into force of the Regulation in order to ensure the maximum effectiveness of the system. However, for this purpose Member States should not be obliged to collect information which was not already entered into their criminal records prior to the entry into force of this Regulation.

(17)Improving the circulation of information on convictions should assist Member States in their implementation of Framework Decision 2008/675/JHA, which obliges the Member States to take account of previous convictions in the course of new criminal proceedings.

(18)Member States should be obliged to make use of the ECRIS-TCN system in all cases where they receive a request for information on previous convictions of third country nationals in accordance with national law, and follow up on any hits with the Member States identified through the ECRIS system. This obligation should not be limited only to requests in connection with criminal investigations.

(19)A hit indicated by the ECRIS-TCN system should not automatically mean that the third country national concerned was convicted in the indicated Member State(s), nor that the indicated Member State(s) hold criminal record information on that third country national. The existence of previous convictions should only be confirmed based on information received from the criminal records of the Member States concerned.

(20)Notwithstanding the possibility of using the Union’s financial programmes in accordance with the applicable rules, each Member State should bear its own costs arising from the implementation, administration, use and maintenance of its criminal records database and national fingerprint databases, and from the implementation, administration, use and maintenance of the technical alterations necessary to be able to use the ECRIS-TCN system, including their connections to the national central access point.

(21)The European Union Agency for Law Enforcement Cooperation (Europol) established by Regulation (EU) 2016/794 of the European Parliament and of the Council 23 , Eurojust established by Council Decision 2002/187/JHA 24 [and the European Public Prosecutor's Office established by Regulation (EU) …/… 25  ] should have access to the ECRIS-TCN system for identifying the Member State(s) holding criminal record information on a third county national in order to support their statutory tasks.

(22)This Regulation establishes strict access rules to the ECRIS-TCN system and the necessary safeguards, including the responsibility of the Member States in collecting and using the data. It also sets out the individuals' rights to compensation, access, correction, deletion and redress, in particular the right to an effective remedy and the supervision of processing operations by public independent authorities. It therefore respects the fundamental rights and freedoms and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union, including the right to protection of personal data, the principle of equality before the law and the general prohibition of discrimination.

(23)Directive (EU) 2016/680 of the European Parliament and of the Council  26 should apply to the processing of personal data by competent national authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Regulation (EU) 2016/679 of the European Parliament and of the Council 27 should apply to the processing of personal data by national authorities provided that national provisions transposing Directive (EU) 2016/680 do not apply. Coordinated supervision should be ensured in accordance with Article 62 of [the new data protection regulation for Union institutions and bodies].

(24)Rules on the liability of the Member States in respect to damage arising from any breach of this Regulation should be laid down.

(25)Since the objective of this Regulation, namely to enable the rapid and efficient exchange of criminal record information on third country nationals, cannot be sufficiently achieved by the Member States, but can rather, by reason of the necessary synergy and interoperability, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary to achieve that objective.

(26)In order to ensure uniform conditions for the establishment and operational management of the ECRIS-TCN system, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and the Council 28 .

(27)In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(28)In accordance with Articles 1, 2 and 4a(1) of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, and without prejudice to Article 4 of that Protocol, those Member States are not taking part in the adoption of this Directive and are not bound by it or subject to its application.

[or]

In accordance with Article 3 and Article 4a(1) of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, those Member States have notified their wish to take part in the adoption and application of this Directive.

(29)Since the United Kingdom notified on 29 March 2017 its intention to leave the Union, pursuant to Article 50 of the Treaty on European Union, the Treaties will cease to apply to the United Kingdom from the date of the entry into force of the withdrawal agreement or, failing that, two years after the notification, unless the European Council, in agreement with the United Kingdom, decides to extend that period. As a consequence, and without prejudice to any provisions of the withdrawal agreement, this above-mentioned description of the participation of the UK in proposal only applies until the United Kingdom ceases to be a Member State.

(30)The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 of the European Parliament and of the Council 29 and delivered an opinion on … 30 ,

HAVE ADOPTED THIS REGULATION:

CHAPTER 1
General Provisions

Article 1
Subject matter

This Regulation:

(a)establishes a system to identify the Member State(s) holding information on previous convictions of third country nationals (’ECRIS-TCN system’);

(b)lays down the conditions under which the ECRIS-TCN system shall be used by competent authorities in order to obtain information on such previous convictions through the European Criminal Records Information System (ECRIS) established by Decision 2009/316/JHA. 

Article 2
Scope

This Regulation applies to the processing of identity information of third country nationals who have been subject to final decisions against them of criminal courts in the Member States for the purpose of identifying the Member State(s) where such decisions were handed down.

Article 3
Definitions

For the purposes of this Regulation, the following definitions shall apply:

(a)'conviction' means any final decision of a criminal court against a natural person in respect of a criminal offence, to the extent that the decision is entered in the criminal record of the convicting Member State;

(b)'criminal proceedings’ means the pre-trial stage, the trial stage itself and the execution of the conviction;

(c)'criminal record' means the national register or registers recording convictions in accordance with national law;

(d)'convicting Member State' means the Member State in which a conviction is handed down;

(e)'central authority' means the authority(ies) designated in accordance with Article 3(1) of Framework Decision 2009/315/JHA;

(f)'competent authorities' means the central authorities and the Union bodies competent to access the ECRIS-TCN system in accordance with this Regulation;

(g)'third country national' means a national of a country other than a Member State regardless of whether the person also holds the nationality of a Member State, or a stateless person or a person whose nationality is unknown to the convicting Member State;

(h)'Central System' means the database(s) holding identity information on third country nationals who have been subject to final decisions against them of criminal courts in the Member States, developed and maintained by eu-LISA;

(i)'Interface Software' means the software hosted by the competent authorities allowing them to access the Central System through the Communication Infrastructure referred to in Article 4;

(j)'identification' means the process of determining a person’s identity through a database search against multiple sets of data;

(k)'alphanumeric data' means data represented by letters, digits, special characters, spaces and punctuation marks;

(l)'fingerprint data' means the data relating to plain and rolled impressions of the fingerprints of all ten fingers;

(m)'facial image' means a digital image of the face;

(n)'hit' means a match or matches established by comparison between data recorded in the Central System and those used for search by a Member State;

(o)'national central access point' means the national connection point to the Communication Infrastructure referred to in Article 4;

(p)'ECRIS reference implementation' means the software developed by the Commission and made available to the Member States for the exchange of criminal records information through ECRIS.

Article 4
Technical architecture of the ECRIS-TCN system

1.The ECRIS-TCN system shall be composed of:

(a)a Central System where identity information on convicted third country nationals is stored;

(b)a national central access point in each Member State;

(c)Interface Software enabling the connection of the central authorities to the Central System via the national central access point and the Communication Infrastructure;

(d)a Communication Infrastructure between the Central System and the national central access point.

2.The Central System shall be hosted by eu-LISA in its two technical sites.

3.The Interface Software shall be integrated with the ECRIS reference implementation. The Member States shall use the ECRIS reference implementation to query the ECRIS-TCN system, as well as to send subsequent requests for criminal records information.

CHAPTER II
Entry and use of data by central authorities

Article 5
Data entry in the ECRIS-TCN system

1.For each convicted third country national, the central authority of the convicting Member State shall create a data record in the Central System. The data record shall include the following data:

(a)    surname (family name); first name(s) (given names); date of birth; place of birth (town and country); nationality or nationalities; gender; parents' names; where applicable previous names, pseudonym(s) and/or alias name(s); the code of the convicting Member State;

(b)fingerprint data in accordance with Framework Decision 2009/315/JHA 31  and with the specifications for the resolution and use of fingerprints referred to in point (b) of Article 10(1); the reference number of the fingerprint data of the convicted person including the code of the convicting Member State.

2.The data record may also contain facial images of the convicted third country national.

3.The convicting Member State shall create the data record as soon as possible after the conviction was entered into the national criminal records register.

4.The convicting Member States shall create data records also for convictions handed down prior to [date of entry into force of this Regulation] to the extent that such data are stored in its national criminal records or national fingerprints database.

Article 6
Specific rules for facial images

1.Facial images as referred to in Article 5(2) shall be used only to confirm the identity of a third country national who has been identified as a result of an alphanumeric search or a search using fingerprints.

2.As soon as this becomes technically possible, facial images may also be used to identify a third country national on the basis of this biometric identifier. Before this functionality is implemented in the ECRIS-TCN system, the Commission shall present a report on the availability and readiness of the required technology, on which the European Parliament shall be consulted.

Article 7
Use of the ECRIS-TCN system for identifying the Member State(s) holding criminal record information

1.When criminal records information on a third country national is requested in a Member State for the purposes of criminal proceedings against that third country national or for any purposes other than that of criminal proceedings in accordance with its national law, the central authority of that Member State shall use the ECRIS-TCN system to identify the Member State(s) holding criminal record information on that third county national in order to obtain information on previous convictions through ECRIS.

2.Europol, Eurojust [and the European Public Prosecutor's Office] shall have access to the ECRIS-TCN system for identifying the Member State(s) holding criminal record information on a third county national in accordance with Articles 14, 15 and16.

3.The competent authorities may query the ECRIS-TCN system using the data referred to in Article 5(1).

4.The competent authorities may also query the ECRIS-TCN system using the facial images referred to in Article 5(2), provided that such functionality has been implemented in accordance with Article 6(2).

5.In the event of a hit, the Central System shall automatically provide the competent authority with information on the Member State(s) holding criminal record information on the third country national, along with the associated reference number(s) and any corresponding identity information. Such identity information shall only be used for the purpose of verification of the identity of the third country national concerned.

6.In the event that there is no hit, the Central System shall automatically inform the competent authority thereof.

CHAPTER III
Retention and amendment of the data

Article 8
Retention period for data storage

1.Each individual data record shall be stored in the Central System as long as the data related to the conviction(s) of the person concerned are stored in the national criminal records register.

2.Upon expiry of the retention period referred to in paragraph 1, the central authority of the convicting Member State shall erase the individual data record without delay from the Central System, and in any event no later than one month after the expiry of that retention period.  

Article 9
Amendment and deletion of data

1.The Member States shall have the right to amend or delete the data which they have introduced into the ECRIS-TCN system.

2.Any subsequent amendment in the national criminal records of the information which led to the creation of a data record in accordance with Article 5 shall entail identical amendment of the information stored in that data record in the Central System by the convicting Member State.

3.If a Member State has reason to believe that the data it has recorded in the Central System are inaccurate or that data were processed in the Central System in contravention of this Regulation, it shall check the data concerned and, if necessary, amend them or delete them from the Central System without delay.

4.If a Member State other than the Member State which entered the data has reason to believe that data recorded in the Central System are inaccurate or that data was processed in the Central System in contravention of this Regulation, it shall contact the central authority of the convicting Member State without delay. The convicting Member State shall check the accuracy of the data and the lawfulness of its processing within one month.

CHAPTER IV
Development, Operation and Responsibilities

Article 10
Adoption of implementing acts by the Commission

1.The Commission shall adopt the acts necessary for the development and technical implementation of the ECRIS-TCN system, and in particular rules on:

(a)the technical specifications for the processing of the alphanumeric data;

(b)the technical specifications for the resolution and processing of fingerprints in the ECRIS-TCN system;

(c)the technical specifications of the Interface Software referred to in point (c) of Article 4(1);

(d)the technical specifications for the processing of facial images;

(e)data quality, including a mechanism and procedures to carry out data quality checks;

(f)entering the data in accordance with Article 5;

(g)accessing the data in accordance with Article 7;

(h)amending and deleting the data in accordance with Articles 8 and 9;

(i)keeping and accessing the logs in accordance with Article 29;

(j)providing statistics in accordance with Article 30;

(k)performance and availability requirements of the ECRIS-TCN system.

2.The implementing acts referred to in paragraph 1 shall be adopted in accordance with the examination procedure referred to in Article 35(2).

Article 11
Development and operational management

1.eu-LISA shall be responsible for the development and operational management of the ECRIS-TCN system. The development shall consist of the elaboration and implementation of the technical specifications, testing and overall project coordination.

2.eu-LISA shall also be responsible for the further development and maintenance of the ECRIS reference implementation.

3.eu-LISA shall define the design of the physical architecture of the ECRIS-TCN system including its technical specifications and their evolution as regards the Central System referred to in point (a) of Article 4(1), the national central access point referred to in point (b) of Article 4(1) and the Interface Software referred to in point (c) of Article 4(1). That design shall be adopted by its Management Board, subject to a favourable opinion of the Commission.

4.eu-LISA shall develop and implement the ECRIS-TCN system before [two years after the entry into force of this Regulation] and following the adoption by the Commission of the measures provided for in Article 10.

5.Prior to the design and development phase, a Programme Management Board composed of a maximum of ten members shall be established by the Management Board of eu-LISA. It shall be composed of eight representatives appointed by the Management Board, the Chair of the ECRIS-TCN system Advisory Group referred to in Article 36 and one member appointed by the Commission. The members appointed by the Management Board shall be elected only from those Member States which are fully bound under Union law by the legislative instruments governing the ECRIS and which will participate in the ECRIS-TCN system. The Management Board shall ensure that the representatives it appoints shall have the necessary experience and expertise in the development and management of IT systems supporting judicial and criminal records authorities. The Programme Management Board shall meet at least once every three months, and more often when necessary. It shall ensure the adequate management of the design and development phase of the ECRIS-TCN system. The Programme Management Board shall submit written reports every month to eu-LISA’s Management Board on progress of the project. It shall have no decision-making power nor any mandate to represent the members of the Management Board.

6.The Programme Management Board shall establish its rules of procedure which shall include in particular rules on:

(a)chairmanship;

(b)meeting venues;

(c)preparation of meetings;

(d)admission of experts to the meetings;

(e)communication plans ensuring full information to non-participating Members of the Management Board.

7.The chairmanship shall be held by the Member State holding the Presidency of the Council of the European Union, provided that it is fully bound under Union law by the legislative instruments governing the ECRIS and which will participate in the ECRIS-TCN system. If this requirement is not met, the chairmanship shall be held by the Member State which shall next hold the Presidency and which meets that requirement.

8.All travel and subsistence expenses incurred by the members of the Programme Management Board shall be paid by the Agency and Article 10 of the eu-LISA Rules of Procedure shall apply mutatis mutandis. The Programme Management Board’s secretariat shall be ensured by eu-LISA.

9.During the design and development phase, the ECRIS-TCN system Advisory Group referred to in Article 36 shall be composed of the national ECRIS-TCN system project managers. During the design and development phase it shall meet at least once a month until the start of operations of the ECRIS-TCN system. It shall report after each meeting to the Management Board of eu-LISA. It shall provide the technical expertise to support the tasks of the Management Board and shall follow-up on the state of preparation of the Member States.

10.eu-LISA shall ensure, in cooperation with the Member States, at all times the best available technology, subject to a cost-benefit analysis.

11.eu-LISA shall be responsible for the following tasks related to the Communication Infrastructure referred to in point (d) of Article 4(1):

(a)supervision;

(b)security;

(c)the coordination of relations between the Member States and the provider.

12.The Commission shall be responsible for all other tasks relating to the Communication Infrastructure, in particular:

(a)tasks relating to the implementation of the budget;

(b)acquisition and renewal;

(c)contractual matters.

13.eu-LISA shall develop and maintain a mechanism and procedures for carrying out quality checks on the data in the ECRIS-TCN system and shall provide regular reports to the Member States. eu-LISA shall provide a regular report to the Commission covering the issues encountered and the Member States concerned.

14.Operational management of the ECRIS-TCN system shall consist of all the tasks necessary to keep the ECRIS-TCN system operational in accordance with this Regulation, and in particular the maintenance work and technical developments necessary to ensure that the system functions at a satisfactory level of operational quality in accordance with the technical specifications.

15.eu-LISA shall perform tasks related to providing training on the technical use of the ECRIS-TCN system and the ECRIS reference implementation.

16.Without prejudice to Article 17 of the Staff Regulations of Officials of the European Union, eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality to its entire staff required to work with data registered in the Central System. That obligation shall also apply after such staff leave office or employment or after the termination of their activities.

Article 12
Responsibilities of the Member States

1.Each Member State shall be responsible for:

(a)ensuring a secure connection between their national criminal records databases and fingerprints databases and the national central access point;

(b)the development, operation and maintenance of the connection referred to in point (a);

(c)ensuring a connection between their national systems and the ECRIS reference implementation;

(d)the management and arrangements for access of duly authorised staff of the central authorities to the ECRIS-TCN system in accordance with this Regulation and to establish and regularly update a list of such staff and their profiles.

2.Each Member State shall give the staff of its authorities which have a right to access the ECRIS-TCN system appropriate training, in particular on data security and data protection rules and on relevant fundamental rights, before authorising them to process data stored in the Central System.

Article 13

Responsibility for the use of data

1.In accordance with Directive (EU) 2016/680, each Member State shall ensure that the data recorded in the ECRIS-TCN system is processed lawfully, and in particular that:

(a)only duly authorised staff have access to the data for the performance of their tasks;

(b)the data are collected lawfully and fully respect the human dignity of the third country national;

(c)the data are included lawfully in the ECRIS-TCN system;

(d)the data are accurate and up-to-date when they are included in the ECRIS-TCN system.

2.eu-LISA shall ensure that the ECRIS-TCN system is operated in accordance with this Regulation and the implementing acts referred to in Article 10, as well as in accordance with Regulation (EC) No 45/2001 [or its successor Regulation]. In particular, eu-LISA shall take the necessary measures to ensure the security of the Central System and the Communication Infrastructure between the Central System and the national central access point, without prejudice to the responsibilities of each Member State.

3.eu-LISA shall inform the European Parliament, the Council and the Commission as well as the European Data Protection Supervisor of the measures it takes pursuant to paragraph 2 for the start of operations of the ECRIS-TCN system.

4.The Commission shall make the information referred to in paragraph 3 available to the Member States and the public by a regularly updated public website.

Article 14
Contact point for third countries and international organisations

1.Third countries and international organisations may address their requests for information on previous convictions of third country nationals to Eurojust.

2.When Eurojust receives a request as referred to in paragraph 1, it shall use the ECRIS-TCN system to determine which Member State(s) hold information on the third country national concerned, and shall, in cases where Member State(s) are identified, transmit the request immediately to the central authorities of those Member State(s). The Member States concerned shall be responsible for further dealing with such requests in accordance with their national law.

3.Neither Eurojust, Europol, [the European Public Prosecutor's Office] nor any central authority of a Member State may transfer or make available to a third country, any international organisation nor a private party, information obtained from the ECRIS-TCN system on previous convictions of a third country national, or information on the Member State(s) which may hold such information.

Article 15
Access for Eurojust, Europol[, and the European Public Prosecutor's Office]

1.Eurojust shall have direct access to the ECRIS-TCN system for the purpose of the implementation of Article 14, as well as for fulfilling its statutory tasks.

2.Europol [and the European Public Prosecutor's Office] shall have direct access to the ECRIS-TCN system for the purpose of fulfilling their statutory tasks.

3.Following a hit indicating the Member State(s) holding criminal records information on a third country national, Eurojust, Europol[, and the European Public Prosecutor's Office] may use their contacts with the national authorities of those Member States established in accordance with their respective constituting legal instruments to request the conviction information.

4.Each of the bodies referred to in this Article shall be responsible for the management of and arrangements for access of duly authorised staff to the ECRIS-TCN system in accordance with this Regulation and shall also be responsible for establishing and regularly updating a list of such staff and their profiles.

Article 16
Responsibilities of Eurojust, Europol[, and the European Public Prosecutor's Office]

1.Eurojust, Europol[, and the European Public Prosecutor's Office] shall establish the technical means to connect to the ECRIS-TCN system and shall be responsible for maintaining that connection.

2.The bodies referred to in paragraph 1 shall give their staff who have a right to access the ECRIS-TCN system appropriate training, in particular on data security and data protection rules and on relevant fundamental rights, before authorising them to process data stored in the Central System.

3.The bodies referred to in paragraph 1 shall ensure that the personal data processed by them under this Regulation is protected in accordance with the applicable data protection provisions.

Article 17
Data Security

1.eu-LISA shall take the necessary measures to ensure the security of the ECRIS-TCN System, without prejudice to the responsibilities of each Member State, taking the security measures specified in paragraph 3 into consideration.

2.As regards the operation of the ECRIS-TCN system, eu-LISA shall take the necessary measures in order to achieve the objectives set out in paragraph 3 including the adoption of a security plan and a business continuity and disaster recovery plan.

3.The Member States shall ensure the security of the data before and during the transmission to and receipt from the national central access point. In particular, each Member State shall:

(a)physically protect data, including by making contingency plans for the protection of critical infrastructure;

(b)deny unauthorised persons access to national installations in which the Member State carries out operations related to the ECRIS-TCN system;

(c)prevent the unauthorised reading, copying, modification or removal of data media;

(d)prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data;

(e)prevent the unauthorised processing of data in the ECRIS-TCN system and any unauthorised modification or deletion of data processed in the ECRIS-TCN system;

(f)ensure that persons authorised to access the ECRIS-TCN system have access only to the data covered by their access authorisation, by means of individual user identities and confidential access modes only;

(g)ensure that all authorities with a right of access to the ECRIS-TCN system create profiles describing the functions and responsibilities of persons who are authorised to enter, amend, delete, consult and search the data and make their profiles available to the national supervisory authorities referred to in Article 25 without delay at their request;

(h)ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment;

(i)ensure that it is possible to verify and establish what data has been processed in the ECRIS-TCN system, when, by whom and for what purpose;

(j)prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data to or from the ECRIS-TCN system or during the transport of data media, in particular by means of appropriate encryption techniques;

(k)monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation.

Article 18
Liability

1.Any person or Member State that has suffered damage as a result of an unlawful processing operation or any act incompatible with this Regulation shall be entitled to receive compensation from the Member State which is responsible for the damage suffered. That Member State shall be exempted from its liability, in whole or in part, if it proves that it is not responsible for the event which gave rise to the damage.

2.If any failure of a Member State to comply with its obligations under this Regulation causes damage to the ECRIS-TCN system, that Member State shall be held liable for such damage, unless and insofar as eu-LISA or another Member State participating in the ECRIS-TCN system failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.

3.Claims for compensation against a Member State for the damage referred to in paragraphs 1 and 2 shall be governed by the national law of the defendant Member State.

Article 19
Self-monitoring

Member States shall ensure that each central authority takes the measures necessary to comply with this Regulation and cooperates, where necessary, with the supervisory authority and national supervisory authority.

Article 20
Penalties

Member States shall take the necessary measures to ensure that any use of data entered in the ECRIS-TCN system in contravention of this Regulation is punishable by penalties in accordance with national law, that are effective, proportionate and dissuasive.

CHAPTER V
Rights and supervision on data protection

Article 21
Data controller and data processor

1.Each central authority of the Member State is to be considered as controller in accordance with Directive (EU) 2016/680 for the processing of the personal data by that Member State under this Regulation.

2.eu-LISA shall be considered as data processor in accordance with Regulation (EC) No 45/2001/EU as regards the personal data entered into the Central System by the Member States.

Article 22
Purpose of the processing of personal data

1.The data included in the Central System shall only be processed for the purpose of the identification of the Member State(s) holding the criminal records information of third country nationals.

2.Access to the ECRIS-TCN system for entering, amending, deleting and consulting the data referred to in Article 5 shall be reserved exclusively to duly authorised staff of the central authorities, and to duly authorised staff of the bodies referred to in Article 15 for consulting the data. That access shall be limited to the extent needed for the performance of the tasks in accordance with the purpose referred to in paragraph 1, and proportionate to the objectives pursued.

Article 23
Right of access, correction and deletion

1.The requests of third country nationals related to the rights set out in Articles 14 and 16 of Directive (EU) 2016/680 may be addressed to the central authority of any Member State.

2.If a request is made to a Member State other than the convicting Member State, the authorities of the Member State to which the request has been made shall check the accuracy of the data and the lawfulness of the data processing in the ECRIS-TCN system within a time limit of one month if that check can be done without consulting the convicting Member State. Otherwise, the Member State other than the convicting Member State shall contact the authorities of the convicting Member State within 14 days and the convicting Member State shall check the accuracy of the data and the lawfulness of the data processing within one month from the contact.

3.In the event that data recorded in the ECRIS-TCN system are factually inaccurate or have been recorded unlawfully, the convicting Member State shall correct or delete the data in accordance with Article 9. The convicting Member State or, where applicable, the Member State to which the request has been made shall confirm in writing to the person concerned without delay that action has been taken to correct or delete data relating to that person.

4.If the Member State to which the request has been made does not agree that data recorded in the ECRIS-TCN system are factually inaccurate or have been recorded unlawfully, that Member State shall adopt an administrative decision explaining in writing to the person concerned without delay why it is not prepared to correct or delete data relating to him.

5.The Member State which has adopted the administrative decision pursuant to paragraph 4 shall also provide the person concerned with information explaining the steps which that person can take if he or she does not accept the explanation. This shall include information on how to bring an action or a complaint before the competent authorities or courts of that Member State and any assistance, including from the supervisory authorities, that is available in accordance with the national law of that Member State.

6.Any request made pursuant to paragraphs 1 and 2 shall contain the necessary information to identify the person concerned. That information shall be used exclusively to enable the exercise of the rights referred to in paragraphs 1 and 2 and shall be erased immediately afterwards.

7.Whenever a person requests data relating to him- or herself in accordance with paragraph 2, the central authority shall keep a record in the form of a written document that such a request was made and how it was addressed and by which authority and shall make that document available to the supervisory authorities without delay.

Article 24
Cooperation to ensure the rights on data protection

1.The central authorities of the Member States shall cooperate with eachother in order to enforce the rights laid down in Article 23.

2.In each Member State, the supervisory authority shall, upon request, assist and advise the person concerned in exercising his or her right to correct or delete data relating to him or her.

3.In order to achieve those aims, the supervisory authority of the Member State which transmitted the data and the supervisory authorities of the Member States to which the request has been made shall cooperate with each other.

Article 25
Remedies

1.In each Member State any person shall have the right to bring an action or a complaint in the Member State which refused the right of access to or the right of correction or deletion of data relating to him or her, provided for in Article 23.

2.The assistance of the supervisory authorities shall remain available throughout the proceedings.

Article 26
Supervision by the supervisory authority

1.Each Member State shall ensure that the supervisory authority or authorities designated pursuant to Article 41 of Directive (EU) 2016/680 shall monitor the lawfulness of the processing of personal data referred to in Article 6 by the Member State concerned, including their transmission to and from the ECRIS-TCN system.

2.The supervisory authority shall ensure that an audit of the data processing operations in the national criminal records and fingerprints databases is carried out in accordance with relevant international auditing standards at least every four years from the start of operations of the ECRIS-TCN system.

3.Member States shall ensure that their supervisory authority has sufficient resources to fulfil the tasks entrusted to it under this Regulation.

4.Each Member State shall supply any information requested by the supervisory authorities and shall, in particular, provide them with information on the activities carried out in accordance with Articles 12, 13 and 17. Each Member State shall grant the supervisory authorities access to their records pursuant to Article 29 and allow them access at all times to all their ECRIS-TCN system related premises.

Article 27
Supervision by the European Data Protection Supervisor

1.The European Data Protection Supervisor shall ensure that the personal data processing activities of eu-LISA concerning the ECRIS-TCN system are carried out in accordance with this Regulation.

2.The European Data Protection Supervisor shall ensure that an audit of the Agency's personal data processing activities is carried out in accordance with relevant international auditing standards at least every four years. A report of that audit shall be sent to the European Parliament, the Council, eu-LISA, the Commission, the supervisory authorities and the national supervisory authorities. eu-LISA shall be given an opportunity to make comments before the report is adopted.

3.eu-LISA shall supply information requested by the European Data Protection Supervisor, give him or her access to all documents and to its records referred to in Article 29 and allow him or her access to all of its premises at any time.

Article 28
Cooperation among supervisory authorities and the European Data Protection Supervisor

Coordinated supervision should be ensured in accordance with Article 62 of [new data protection Regulation for Union institutions and bodies].

Article 29
Keeping of logs

1.eu-LISA and the competent authorities shall ensure, in accordance with their respective responsibilities, that all data processing operations in the ECRIS-TCN system data are logged for the purposes of checking the admissibility of the request, monitoring the lawfulness of the data processing and data integrity and security, and self-monitoring.

2.The log or documentation shall show:

(a)    the purpose of the request for access to ECRIS-TCN system data;

(b)the data transmitted as referred to in Article 5;

(c)    the national file reference;

(d)    the date and exact time of the operation;

(e)    the data used for a query;

(f)    the identifying mark of the official who carried out the search and of the official who ordered the search.

3.The logs of consultations and disclosures shall make it possible to establish the justification of such operations.

4.Logs and documentation shall be used only for monitoring the lawfulness of data processing and for ensuring data integrity and security. Only logs containing non-personal data may be used for the monitoring and evaluation referred to in Article 34. Those logs shall be protected by appropriate measures against unauthorised access and deleted after one year, if they are no longer required for monitoring procedures which have already begun.

5.On request, eu-LISA shall make the logs of its processing operations available to the central authorities without undue delay.

6.The competent national supervisory authorities responsible for checking the admissibility of the request and monitoring the lawfulness of the data processing and data integrity and security shall have access to those logs at their request for the purpose of fulfilling their duties. On request, the central authorities shall make the logs of their processing operations available to the competent supervisory authorities without undue delay.

 CHAPTER VI
Final provisions

Article 30
Use of data for reporting and statistics

1.The duly authorised staff of eu-LISA, the competent authorities, and the Commission shall have access to the data processed within the ECRIS-TCN system solely for the purposes of reporting and providing statistics without allowing for individual identification.

2.For the purpose of paragraph 1, eu-LISA shall establish, implement and host a central repository in its technical site(s) containing the data referred to in paragraph 1 which would not allow for the identification of individuals and would allow to obtain customisable reports and statistics. Access to the central repository shall be granted by means of secured access with control of access and specific user profiles solely for the purpose of reporting and statistics.

3.Detailed rules on the operation of the central repository and the data protection and security rules applicable to the repository shall be adopted in accordance with the examination procedure referred to in Article 35(2).

4.The procedures put in place by eu-LISA to monitor the functioning of the ECRIS-TCN system referred to in Article 34 as well as the ECRIS reference implementation shall include the possibility to produce regular statistics for ensuring that monitoring.

Every month eu-LISA shall submit to the Commission non-personal statistics relating to the recording, storage and exchange of information extracted from criminal records through the ECRIS-TCN system and the ECRIS reference implementation. At the request of the Commission, eu-LISA shall provide it with statistics on specific aspects related to the implementation of this Regulation.

5.The Member States shall provide eu-LISA with the statistics necessary to fulfil its obligations referred to in this Article. They shall provide statistics on the number of convicted third country nationals, as well as the number of convictions of third country nationals on their territory to the Commission.

Article 31
Costs

1.The costs incurred in connection with the establishment and operation of the Central System, the Communication Infrastructure, the Interface Software and the ECRIS reference implementation shall be borne by the general budget of the Union.

2.The costs of connection of Eurojust, Europol and [the European Public Prosecutor's Office] to the ECRIS-TCN system shall be borne by the budget of those bodies.

3.Other costs shall be borne by the Member States, specifically the costs incurred by the connection of the existing national criminal record registers, fingerprints databases and the central authorities to the ECRIS-TCN system, as well as the costs of hosting the ECRIS reference implementation.

Article 32
Notifications

The Member States shall notify eu-LISA of their central authorities which have access to enter, amend, delete consult or search data. eu-LISA shall regularly publish a list of these central authorities.

Article 33
Start of operations

1.The Commission shall determine the date from which the ECRIS-TCN system is to start operations, after the following conditions are met:

(a)    the measures referred to in Article 10 have been adopted;

(b)    eu-LISA has declared the successful completion of a comprehensive test of the ECRIS-TCN system, which shall be conducted by eu-LISA in cooperation with the Member States;

(c)    the Member States have validated the technical and legal arrangements to collect and transmit the data referred to in Article 5 to the ECRIS-TCN system and have notified them to the Commission.

2.eu-LISA shall notify the Commission of the successful completion of the test referred to in point (b) of paragraph (1). The Commission shall inform the European Parliament and the Council of the results of the test carried out pursuant to point (b) of paragraph 1.

3.The Commission decision referred to in paragraph 1 shall be published in the Official Journal.

4.The Member States shall start using the ECRIS-TCN system from the date determined by the Commission in accordance with paragraph 1.

Article 34
Monitoring and evaluation

1.eu-LISA shall ensure that procedures are in place to monitor the development of the ECRIS-TCN system in light of objectives relating to planning and costs and to monitor the functioning of the ECRIS-TCN system and the ECRIS reference implementation in light of objectives relating to the technical output, cost-effectiveness, security and quality of service.

2.For the purposes of monitoring the functioning of the system and its technical maintenance, eu-LISA shall have access to the necessary information relating to the data processing operations performed in the ECRIS-TCN system and the ECRIS reference implementation.

3.By [six months after the entry into force of this Regulation] and every six months thereafter during the development phase, eu-LISA shall submit a report to the European Parliament and the Council on the state of play of the development of the ECRIS-TCN system. Once the development is finalised, a report shall be submitted to the European Parliament and the Council explaining how the objectives, in particular relating to planning and costs, were achieved, as well as justifying any divergences.

4.Two years after the start of operations of the ECRIS-TCN system and every year thereafter, eu-LISA shall submit to the Commission a report on the technical functioning of the ECRIS-TCN system and the ECRIS reference implementation, including the security thereof, based in particular on the statistics on the functioning and use of ECRIS-TCN system and on the exchange, through the ECRIS reference implementation, of information extracted from the criminal records.

5.Three years after the start of operations of the ECRIS-TCN system and every four years thereafter, the Commission shall produce an overall evaluation of the ECRIS-TCN system and the ECRIS reference implementation. That overall evaluation shall include an assessment of the application of the Regulation, an examination of results achieved against objectives and the impact on fundamental rights, and an assessment of the continuing validity of the underlying rationale, the application of the Regulation, the security of the system and any implications on future operations, and shall make any necessary recommendations. The Commission shall transmit the evaluation report to the European Parliament and the Council.

6.The Member States, Eurojust, Europol[, and the European Public Prosecutor's Office] shall provide eu-LISA and the Commission with the information necessary to draft the reports referred to in this Article according to the quantitative indicators predefined by the Commission or eu-LISA or both. That information shall not jeopardise working methods or include information that reveals sources, staff members or investigations of the designated authorities.

7.eu-LISA shall provide the Commission with the information necessary to produce the overall evaluations referred to in paragraph 5.

Article 35
Committee procedure

1.The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011. 32

2.Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

Article 36
Advisory Group

An Advisory Group shall be established by eu-LISA and provide it with the expertise related to the ECRIS-TCN system and the ECRIS reference implementation, in particular in the context of preparation of its annual work programme and its annual activity report. During the design and development phase, Article 11 applies.

Article 37
Amendment of Regulation (EU) No 1077/2011

Regulation (EU) No 1077/2011 is amended as follows:

(1)In Article 1, paragraph 2 is replaced by the following:

“2. The Agency shall be responsible for the operational management of the Information System, the Visa Information System, Eurodac, [the Entry/Exit System], [ETIAS], [the automated system for registration, monitoring and the allocation mechanism for applications for international protection] the ECRIS-TCN system and the ECRIS reference implementation.

(2)The following Article is inserted:

"Article 5a

Tasks related to the ECRIS-TCN system

In relation to the ECRIS-TCN system and the ECRIS reference implementation, the Agency shall perform:

(a)the tasks conferred on it by Regulation (EU) No XXX/20XX of the European Parliament and of the Council*;

(b)tasks relating to training on the technical use of the ECRIS-TCN system and the ECRIS reference implementation.

__________

*    Regulation (EU) No XXX/20XX of the European Parliament and of the Council* of X.X.X establishing a centralised system for the identification of Member States holding conviction information on third country nationals and stateless persons (TCN) to supplement and support the European Criminal Records Information System (ECRIS-TCN system) and amending Regulation (EU) No 1077/2011 (OJ L …).”

(3)In Article 7, paragraph 5 is replaced by the following:

“5. Tasks relating to the operational management of the communication infrastructure may be entrusted to external private-sector entities or bodies in accordance with Regulation (EC, Euratom) No 966/2012. In such a case, the network provider shall be bound by the security measures referred to in paragraph 4 and shall have no access to SIS II, VIS, Eurodac, [EES], [ETIAS], [the automated system for registration, monitoring and the allocation mechanism for applications for international protection] the ECRIS-TCN system operational data, or to the SIS II-related SIRENE exchange, by any means.

(4)In Article 8, paragraph 1 is replaced by the following:

“1. The Agency shall monitor the developments in research relevant for the operational management of SIS II, VIS, Eurodac, [EES], [ETIAS], [the automated system for registration, monitoring and the allocation mechanism for applications for international protection], the ECRIS-TCN system and other large-scale IT systems”.

(5)In Article 12, paragraph 1 is amended as follows:

(a)a new point (sa) is added after point (s):

“(sa) adopt the reports on the development of the ECRIS-TCN system pursuant to Article 34(3) of Regulation (EU) No XXX/20XX of the European Parliament and of the Council of X.X.X establishing a centralised system for the identification of Member States holding conviction information on third country nationals and stateless persons (TCN) to supplement and support the European Criminal Records Information System (ECRIS-TCN system) and amending Regulation (EU) No 1077/2011 (OJ L …)”.

(b)point (t) is replaced by the following:

“(t) adopt the reports on the technical functioning of SIS II pursuant to Article 50(4) of Regulation (EC) No 1987/2006 and Article 66(4) of Decision 2007/533/JHA respectively [or Article 54(7) of Regulation XX of XX of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) No 1987/2006 and Article 71(7) of Regulation XX of XX of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation in criminal matters, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) No 1986/2006, Council Decision 2007/533/JHA and Commission Decision 2010/261/EU] and of VIS pursuant to Article 50(3) of Regulation (EC) No 767/2008 and Article 17(3) of Decision 2008/633/JHA, [of EES pursuant to Article 64(4) of Regulation (EU) XX/XX of XXX and of ETIAS pursuant to Article 81(4) of Regulation (EU) XX/XX of XXX, and of the ECRIS-TCN system and the ECRIS reference implementation pursuant to Article 34(4) of Regulation (EU) XX/XXX;"

(c)point (v) is replaced by the following:

"(v)    adopt formal comments on the European Data Protection Supervisor's reports on the audits pursuant to Article 45(2) of Regulation (EC) No 1987/2006, Article 42(2) of Regulation (EC) No 767/2008 and Article 31(2) of Regulation (EU) No 603/2013, Article 50(2) of Regulation (EU) XX/XX of XXX [establishing the EES) and Article 57 of Regulation (EU) XX/XX of XXX [establishing the ETIAS) and to Article 27(2) of Regulation (EU) XX/XXXX) [establishing the ECRIS-TCN system] and ensure appropriate follow-up of those audits;”.

(d)the following point is inserted after point (xa):

“(xb) Publish statistics related to the ECRIS-TCN system and to the ECRIS reference implementation pursuant to Article 30 of Regulation XXXX/XX;" .

(e) Point y is replaced by the following:

"(y)    ensure annual publication of the list of competent authorities authorised to search directly the data contained in SIS II pursuant to Article 31(8) of Regulation (EC) No 1987/2006 and Article 46(8) of Decision 2007/533/JHA, together with the list of Offices of the national systems of SIS II (N.SIS II) and SIRENE Bureaux as referred to in Article 7(3) of Regulation (EC) No 1987/2006 and Article 7(3) of Decision 2007/533/JHA respectively [or by Article 36(8) of Regulation XX of XX of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) No 1987/2006 and by Article 53(8) of Regulation XX of XX of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation in criminal matters, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) No 1986/2006, Council Decision 2007/533/JHA and Commission Decision 2010/261/EU together with the list of Offices of the national systems of SIS II (N.SIS II) and SIRENE Bureaux as referred to in Article 7(3) of Regulation XX of XX of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks and Article 7(3) of Regulation XX of XX of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation in criminal matters respectively; [as well as the list of competent authorities pursuant to Article 8(2) of Regulation (EU) XX/XXXX establishing the EES]; [the list of competent authorities pursuant to Article 11 of Regulation (EU) XX/XXXX establishing the ETIAS] and [the list of central authorities pursuant to Article 32 of Regulation XX/XXX establishing the ECRIS-TCN system];"

(6)In Article 15, paragraph 4 is replaced by the following:

"4.    Europol and Eurojust may attend the meetings of the Management Board as observers when a question concerning SIS II, in relation to the application of Decision 2007/533/JHA, is on the agenda. [The European Border and Coast Guard may attend the meetings of the Management Board as observers when a question concerning SIS in relation to the application of Regulation (EU) 2016/1624 or of Regulation XXX of XXX is on the agenda]. Europol may also attend the meetings of the Management Board as observer when a question concerning VIS, in relation to the application of Decision 2008/633/JHA, or a question concerning Eurodac, in relation to the application of Regulation (EU) No 603/2013, is on the agenda. [Europol may also attend the meetings of the Management Board as an observer when a question concerning EES in relation to the application of Regulation XX/XXXX (establishing the EES) is on the agenda or when a question concerning ETIAS in relation to Regulation XX/XXXX (establishing ETIAS) is on the agenda. The European Border and Coast Guard may also attend the meetings of the Management Board when a question concerning ETIAS in relation with the application of Regulation XX/XX of XXX is on the agenda.] [EASO may also attend the meetings of the Management Board as an observer when a question concerning the automated system for registration, monitoring and the allocation mechanism for applications for international protection referred to in Article 44 of Regulation (EU) establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast) COM(2016) 270 final-2016/0133(COD), is on the agenda.] [Eurojust, Europol and the European Public Prosecutor's Office may also attend the meetings of the Management Board as observers when a question concerning Regulation XX/XXXX (establishing a centralised system for the identification of Member States holding conviction information on third country nationals and stateless persons (TCN) to supplement and support the European Criminal Records Information System (ECRIS), and amending Regulation (EU) No 1077/2011 (ECRIS-TCN system) is on the agenda.]The Management Board may invite any other person whose opinion may be of interest, to attend its meetings as an observer.

(7)In Article 17, paragraph 5, point (g) is replaced by the following:

“(g) without prejudice to Article 17 of the Staff Regulations, establish confidentiality requirements in order to comply with Article 17 of Regulation (EC) No 1987/2006, Article 17 of Decision 2007/533/JHA, Article 26(9) of Regulation (EC) No 767/2008, Article 4(4) of Regulation (EU) No 603/2013, [Article 34(4) of Regulation (EU) XX/XX of XX (establishing the EES)] 33 , Article 64(2) of Regulation XX/XXXX (establishing the ETIAS)and Article 11(16) of [Regulation (EU) XX/XX of XXX establishing the ECRIS-TCN system.]”

(8)In Article 19, paragraph 1 is replaced by the following:

“1. The following Advisory Groups shall provide the Management Board with expertise relating to large-scale IT systems and, in particular, in the context of the preparation of the annual work programme and the annual activity report:

(a)SIS II Advisory Group;

(b)VIS Advisory Group;

(c)Eurodac Advisory Group;

(d)[EES-ETIAS] Advisory Group;

(e)ECRIS-TCN system Advisory Group;

(f)any other Advisory Group relating to a large-scale IT system when so provided in the relevant legislative instrument governing the development, establishment, operation and use of that large-scale IT system."

Article 38
Implementation and transitional provisions

1.Member States shall take the necessary measures to comply with the provisions of this Regulation by 24 months after its entry into force.

2.For convictions handed down prior to [date of entry into force of this Regulation], the central authorities shall create the individual data records in the Central System at the latest by 24 months after the entry into force of this instrument, to the extent that such data are stored in its national criminal records or national fingerprint database(s).

Article 39
Entry into force and applicability

This Regulation shall enter into force on the day following that of its publication in the Official Journal of the European Union. This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.

Done at Brussels,

LEGISLATIVE FINANCIAL STATEMENT

1.FRAMEWORK OF THE PROPOSAL/INITIATIVE

1.1.Title of the proposal/initiative

1.2.Policy area(s) concerned in the ABM/ABB structure

1.3.Nature of the proposal/initiative

1.4.Objective(s)

1.5.Grounds for the proposal/initiative

1.6.Duration and financial impact

1.7.Management mode(s) planned

2.MANAGEMENT MEASURES

2.1.Monitoring and reporting rules

2.2.Management and control system

2.3.Measures to prevent fraud and irregularities

3.ESTIMATED FINANCIAL IMPACT OF THE PROPOSAL/INITIATIVE

3.1.Heading(s) of the multiannual financial framework and expenditure budget line(s) affected

3.2.Estimated impact on expenditure 

3.2.1.Summary of estimated impact on expenditure

3.2.2.Estimated impact on operational appropriations

3.2.3.Estimated impact on appropriations of an administrative nature

3.2.4.Compatibility with the current multiannual financial framework

3.2.5.Third-party contributions

3.3.Estimated impact on revenue

1.FRAMEWORK OF THE PROPOSAL/INITIATIVE

1.1.Title of the proposal/initiative

1.2.Policy area(s) concerned in the ABM/ABB structure 34  

1.3.Nature of the proposal/initiative

◻ The proposal/initiative relates to a new action 

◻ The proposal/initiative relates to a new action following a pilot project/preparatory action 35  

⌧ The proposal/initiative relates to the extension of an existing action 

◻ The proposal/initiative relates to an action redirected towards a new action 

1.4.Objective(s)

1.4.1.The Commission's multiannual strategic objective(s) targeted by the proposal/initiative

1.4.2.Specific objective(s) and ABM/ABB activity(ies) concerned

1.4.3.Expected result(s) and impact

Specify the effects which the proposal/initiative should have on the beneficiaries/groups targeted.

1.4.4.Indicators of results and impact

Specify the indicators for monitoring implementation of the proposal/initiative.

1.5.Grounds for the proposal/initiative

1.5.1.Requirement(s) to be met in the short or long term

1.5.2.Added value of EU involvement

1.5.3.Lessons learned from similar experiences in the past

1.5.4.Compatibility and possible synergy with other appropriate instruments

1.6.Duration and financial impact

◻ Proposal/initiative of limited duration

–◻    Proposal/initiative in effect from [DD/MM]YYYY to [DD/MM]YYYY

–◻    Financial impact from YYYY to YYYY

⌧ Proposal/initiative of unlimited duration

–Implementation with a start-up period from 2018 to 2020, followed by full-scale operation.

1.7.Management mode(s) planned 36  

⌧ Direct management by the Commission

–⌧ by its departments, including by its staff in the Union delegations;

–⌧    by the executive agencies 37  

◻ Shared management with the Member States

◻ Indirect management by entrusting budget implementation tasks to:

–◻ third countries or the bodies they have designated;

–◻ international organisations and their agencies (to be specified);

–◻the EIB and the European Investment Fund;

–◻ bodies referred to in Articles 208 and 209 of the Financial Regulation;

–◻ public law bodies;

–◻ bodies governed by private law with a public service mission to the extent that they provide adequate financial guarantees;

–◻ bodies governed by the private law of a Member State that are entrusted with the implementation of a public-private partnership and that provide adequate financial guarantees;

–◻ persons entrusted with the implementation of specific actions in the CFSP pursuant to Title V of the TEU, and identified in the relevant basic act.

–If more than one management mode is indicated, please provide details in the ‘Comments’ section.

2.MANAGEMENT MEASURES

2.1.Monitoring and reporting rules

Specify frequency and conditions.

2.2.Management and control system

2.2.1.Risk(s) identified

2.2.2.Information concerning the internal control system set up

2.2.3.Estimate of the costs and benefits of the controls and assessment of the expected level of risk of error

2.3.Measures to prevent fraud and irregularities

Specify existing or envisaged prevention and protection measures.

3.ESTIMATED FINANCIAL IMPACT OF THE PROPOSAL/INITIATIVE

3.1.Heading(s) of the multiannual financial framework and expenditure budget line(s) affected

• Existing budget lines

In order of multiannual financial framework headings and budget lines.

3.2.Estimated impact on expenditure

3.2.1.Summary of estimated impact on expenditure

3.2.2. Estimated impact on operational appropriations

3.2.2.1.Estimated impact on eu-LISA budget, Operational Expenditure

–◻    The proposal/initiative does not require the use of operational appropriations

–⌧    The proposal/initiative requires the use of operational appropriations, as explained below:

Commitment appropriations in EUR million (to three decimal places)

3.2.3.Estimated impact on human resources

3.2.3.1.Estimates on eu-LISA Staff Expenditure: Summary

–◻    The proposal/initiative does not require the use of appropriations of an administrative nature

–⌧    The proposal/initiative requires the use of appropriations of an administrative nature, as explained below:

Estimate to be expressed in full time equivalent units

The recruitment of the 5 contract agents during the implementation phase is planned for project management, development follow-up, quality assurance and testing of the system. From 2021 onwards, the staffing is expected to be reduced and carry out project management and some maintenance ans support activities of the system.

3.2.4.Estimated impact on appropriations of an administrative nature

3.2.4.1. DG Justice and Consumers summary

–◻    The proposal/initiative does not require the use of appropriations of an administrative nature

–⌧    The proposal/initiative requires the use of appropriations of an administrative nature, as explained below:

EUR million (to three decimal places)

3.2.4.2.Estimated requirements of human resources

–◻    The proposal/initiative does not require the use of human resources.

–⌧    The proposal/initiative requires the use of human resources, as explained below:

Estimate to be expressed in full time equivalent units

       XX is the policy area or budget title concerned

The human resources required will be met by staff from the DG who are already assigned to management of the action and/or have been redeployed within the DG, together if necessary with any additional allocation which may be granted to the managing DG under the annual allocation procedure and in the light of budgetary constraints.    

Description of tasks to be carried out:

3.2.5.Compatibility with the current multiannual financial framework

–⌧    The proposal/initiative is compatible the current multiannual financial framework.

–◻    The proposal/initiative will entail reprogramming of the relevant heading in the multiannual financial framework.

–◻    The proposal/initiative requires application of the flexibility instrument or revision of the multiannual financial framework.

3.2.6.Third-party contributions

–⌧ The proposal/initiative does not provide for co-financing by third parties.

–◻ The proposal/initiative provides for the co-financing estimated below:

Appropriations in EUR million (to three decimal places)

3.3.Estimated impact on revenue

–⌧    The proposal/initiative has no financial impact on revenue.

–◻    The proposal/initiative has the following financial impact:

–◻    on own resources

–◻    on miscellaneous revenue

EUR million (to three decimal places)

For miscellaneous ‘assigned’ revenue, specify the budget expenditure line(s) affected.

Specify the method for calculating the impact on revenue.

(1) OJ L 93, 7.4.2009, p. 23, and, p. 33.

(2)  In line with the Commission's 2016 proposal (COM(2016) 07 final), the current proposal equally applies to third country nationals also holding the nationality of a Member State, in order to ensure that the information can be found whether or not the additional nationality is known. See page 12 of the explanatory memorandum on that proposal.

(3) Report from the Commission concerning the exchange through the European Criminal Records Information System (ECRIS) of information extracted from criminal records between the Member States.

(4) 'European Agenda on Security' - Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions of 28 April 2015 (COM (2015)185 final).

(5) The proposal was accompanied by an Impact Assessment (SWD(2016) 4. It is still being negotiated in the Council. The European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) adopted its report on the Commission's 2016 proposal for a Directive on 27 June 2016.

(6) In the impact assessment accompanying the Commission's 2016 proposal, the option of creating a fully centralised database containing the identity information of the convicted persons, as well as the complete conviction information, was briefly discussed, but quickly discarded. The reason for that was that through consultation with the Member States, in particular at the September 2014 ECRIS Expert Meeting, it became clear that this was not a politically feasible option, since it was only supported by very few Member States.

(7) COM(2016) 205 final, 6.4.2016.

(8) The final report of the High Level Expert Group was published on 11 May. It is available at: http://ec.europa.eu/transparency/regexpert/index.cfm?do=groupDetail.groupDetailDoc&id=32600&no=1

(9) See Article 3 of Council Decision 2009/316.

(10) COM(2017) 261 final, 16.5.2017.

(11) Council Framework Decision 2008/675/JHA of 24 July 2008 on taking account of convictions in the Member States of the European Union in the course of new criminal proceedings, OJ L 220, 15.8.2008, p. 32.

(12) OJ L 286, 1.11.2011, p.1.

(13) COM(2016) 6 final, 19.1.2016.

(14) http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=82547

(15) http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=82551

(16) SWD(2016) 4 final

(17) As long as the Regulation establishing the European Public Prosecutor's Office is not adopted, references to it have been placed between sqaure brackets.

(18) OJ L 55, 28.2.2011, p.13.

(19) Council Framework Decision 2008/675/JHA of 24 July 2008 on taking account of convictions in the Member States of the European Union in the course of new criminal proceedings (OJ L220, 15.8.2008, p. 32).

(20) Council Framework Decision 2009/315/JHA of 26 February 2009 on the organisation and content of the exchange of information extracted from the criminal record between Member States (OJ L 93, 7.4.2009, p. 23).

(21) Council Decision 2009/316/JHA of 6 April 2009 on the establishment of the European Criminal Records Information System (ECRIS) in application of Article 11 of Framework Decision 2009/315/JHA (OJ L 93, 7.4.2009, p. 33).

(22) Regulation (EU) No 1077/2011 of the European Parliament and of the Council of 25 October 2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (OJ L 286 1.11.2011, p. 1).

(23) Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53).

(24) Council Decision 2002/187/JHA of 28 February 2002 setting up Eurojust with a view to reinforcing the fight against serious crime (OJ L 063, 6.3.2002, p.1).

(25) Regulation (EU) .../... (OJ L ...).

(26) Directive (EU 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89)

(27) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(28) Regulation (EU) No 182/2011 of the European Parliament and the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p.13)

(29) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 008, 12.1.2001, p.1).

(30) OJ C …

(31) As amended by Directive of the European Parliament and the Council amending Council Framework Decision 2009/315/JHA, as regards the exchange of information on third country nationals and as regards the European Criminal Records Information System (ECRIS), and replacing Council Decision 2009/316/JHA (….).

(32) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p.13).

(33) Regulation on EES.

(34) ABM: activity-based management; ABB: activity-based budgeting.

(35) As referred to in Article 54(2)(a) or (b) of the Financial Regulation.

(36) Details of management modes and references to the Financial Regulation may be found on the BudgWeb site: http://www.cc.cec/budg/man/budgmanag/budgmanag_en.html

(37) The budget will be allocated to eu-LISA by a budget transfer from the budget of the Justice Programme up to and including 2020. From 2021 onwards, the costs will be included in the budget of eu-LISA, after adoption of the new Multiannual Financial Framework.

(38) Diff. = Differentiated appropriations / Non-diff. = Non-differentiated appropriations.

(39) EFTA: European Free Trade Association.

(40) Candidate countries and, where applicable, potential candidate countries from the Western Balkans.

(41) The budget will be allocated to eu-LISA by a budget transfer from the budget of the Justice Programme up to 2020. From 2021 onwards, the system will be operational and the costs will be reduced to recurring costs for the maintenance of the system which will be included in the budget of eu-LISA when the new Multiannual Financial Framework will be adopted.

(42) Outputs are products and services to be supplied (e.g.: number of student exchanges financed, number of km of roads built, etc.).

(43) As described in point 1.4.2. ‘Specific objective(s)…’

(44) Technical and/or administrative assistance and expenditure in support of the implementation of EU programmes and/or actions (former ‘BA’ lines), indirect research, direct research.

(45) Sub-ceiling for external staff covered by operational appropriations (former ‘BA’ lines).

(46) As regards traditional own resources (customs duties, sugar levies), the amounts indicated must be net amounts, i.e. gross amounts after deduction of 25 % for collection costs.