EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

European Criminal Records Information System — conviction information on third-country nationals (ECRIS-TCN)

European Criminal Records Information System — conviction information on third-country nationals (ECRIS-TCN)

 

SUMMARY OF:

Regulation (EU) 2019/816 setting up a centralised system for the identification of EU countries holding conviction information on non-EU nationals and stateless persons (ECRIS-TCN)

WHAT IS THE AIM OF THIS REGULATION?

It establishes:

  • a system to identify the EU countries which hold information on previous convictions of ‘third-country’ (i.e. non-EU) nationals (‘ECRIS-TCN’);
  • the conditions under which national authorities, Eurojust, Europol and the European Public Prosecutor’s Office (EPPO) may access ECRIS-TCN in order to obtain information on previous convictions through the European Criminal Records Information System (ECRIS) (Framework Decision 2009/315/JHA — see summary);
  • the terms under which ECRIS-TCN helps to facilitate and assist in the correct identification of people registered in ECRIS-TCN.

KEY POINTS

The legislation applies to the processing of identity information of non-EU nationals with a prior conviction* in one of the EU countries to determine which EU country handed down the sentence. It applies equally to EU citizens who also hold non-EU nationality. Information on the conviction itself can only be obtained from the convicting EU country using ECRIS.

The technical architecture of ECRIS-TCN consists of:

National authorities create a data record in ECRIS-TCN as quickly as possible for each non-EU national they convict. This contains:

  • family and first name, date and place of birth, nationality(ies), gender, previous names if applicable and the code of the convicting EU country;
  • if available, details of the individual’s identity documents, pseudonyms or aliases;
  • fingerprint data collected according to national law and satisfying certain technical specifications;
  • facial images if allowed under the national law of the convicting EU country.

National authorities may use ECRIS-TCN to obtain information on an individual’s previous convictions when this is required for the purposes of criminal proceedings against that individual or for:

  • checking a person’s own criminal record at their request;
  • security clearance;
  • a licence or permit;
  • employment vetting;
  • voluntary activities involving direct and regular contact with children or vulnerable people;
  • visa, citizenship, migration and asylum procedures;
  • checks linked to public contracts and public examinations.

Eurojust, Europol and the EPPO:

  • may access ECRIS-TCN directly to identify the EU countries holding criminal records information on a non-EU national;
  • may not enter, correct or erase any data in ECRIS-TCN;
  • may request criminal records information from the EU country concerned when a hit occurs;
  • are responsible for their technical connection to ECRIS-TCN;
  • shall provide staff with appropriate training, especially on data security, data protection and fundamental rights.

Non-EU countries and international organisations may address requests to Eurojust for criminal records information help for the purposes of criminal proceedings. If there is a hit*, and the EU country concerned consents, Eurojust shall inform the non-EU country or international organisation which EU country is concerned, so that they may ask that country for the relevant extracts from the criminal records.

Data:

  • are stored in the central system for as long they are kept in the national criminal records;
  • are erased by national authorities when the national retention period expires;
  • may be modified or erased by EU countries which entered them in the central system;
  • may only be processed to identify the EU countries holding criminal records information of non-EU nationals.

eu-LISA is responsible for:

  • developing ECRIS-TCN, its operational management and maintaining the ECRIS reference implementation*;
  • supervising the communication infrastructure, including its security;
  • maintaining procedures for carrying out quality checks on data stored in ECRIS-TCN and monitoring its functioning and technical maintenance;
  • submitting regular reports to the European Parliament, the Council and the European Commission;
  • providing the necessary technical training;
  • applying appropriate rules on professional secrecy and confidentiality;
  • taking the necessary measures to ensure ECRIS-TCN’s security;
  • logging all data processing operations in ECRIS-TCN;
  • giving the Commission monthly statistics on the recording, storage and exchange of information extracted from criminal records through ECRIS-TCN and the ECRIS reference implementation.

EU countries are responsible for:

  • a secure connection between their national criminal records, fingerprint databases and national central access point;
  • management of duly authorised staff of the central authorities and their training;
  • lawful processing of data recorded in ECRIS-TCN and, in particular, that:
    • only authorised staff have access to the data;
    • the data are collected and entered into ECRIS-TCN lawfully, respecting non-EU nationals’ human dignity and fundamental rights;
    • the information is accurate and up-to-date when entered into ECRIS-TCN.
  • each central authority taking the necessary measures to comply with the legislation;
  • national supervisory authorities monitoring the legality of the processing of personal data.

An individual or EU country suffering damage from behaviour incompatible with the Regulation may receive compensation from:

  • the EU country responsible for the damage;
  • eu-LISA if the agency has not complied with its obligations.

Non-EU nationals may contact an EU country’s central authority to request access to their personal data, its correction, erasure or restriction on its use.

Penalties or disciplinary measures apply with respect to any misuse of data entered in ECRIS-TCN.

The European Data Protection Supervisor monitors eu-LISA’s personal data processing activities and produces an audit at least every 3 years for the European Parliament, EU governments and the Commission.

FROM WHEN DOES THE REGULATION APPLY?

It has applied since 11 June 2019. EU countries have to take the necessary measures to comply as soon as possible so as to ensure the proper functioning of ECRIS-TCN. The Commission must be satisfied that certain conditions are met before determining the date from which EU countries may start entering data into the ECRIS TCN.

BACKGROUND

For more information, see:

KEY TERMS

Conviction: any final decision by a criminal court against an individual and entered in the criminal records.
Hit: a match between the identity information recorded in the central system and that used for a search.
ECRIS reference implementation: software developed by the Commission and made available to EU countries for the exchange of criminal records data through ECRIS.

MAIN DOCUMENT

Regulation (EU) 2019/816 of the European Parliament and of the Council of 17 April 2019 establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726 (OJ L 135, 22.5.2019, pp. 1-26)

Successive amendments to Regulation (EU) 2019/816 have been incorporated into the original document. This consolidated version is of documentary value only.

RELATED DOCUMENTS

Council Framework Decision 2009/315/JHA of 26 February 2009 on the organisation and content of the exchange of information extracted from the criminal record between Member States (OJ L 93, 7.4.2009, pp. 23-32)

See consolidated version.

Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust), and replacing and repealing Council Decision 2002/187/JHA (OJ L 295, 21.11.2018, pp. 138-183)

Regulation (EU) 2018/1726 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011 (OJ L 295, 21.11.2018, pp. 99-137)

See consolidated version.

Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, pp. 39-98)

Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’) (OJ L 283, 31.10.2017, pp. 1-71)

Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, pp. 53-114)

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, pp. 1-88)

See consolidated version.

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, pp. 89-131)

See consolidated version.

last update 21.04.2020

Top