This text is meant purely as a documentation tool and has no legal effect. The Union's institutions do not assume any liability for its contents. The authentic versions of the relevant acts, including their preambles, are those published in the Official Journal of the European Union and available in EUR-Lex. Those official texts are directly accessible through the links embedded in this document

establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726

(a) a system to identify the Member States holding information on previous convictions of third-country nationals (‘ECRIS-TCN’);

(b) the conditions under which ECRIS-TCN shall be used by the central authorities in order to obtain information on such previous convictions through the European Criminal Records Information System (ECRIS) established by Decision 2009/316/JHA, as well as the conditions under which Eurojust, Europol and the EPPO shall use ECRIS-TCN;

(c) the conditions under which ECRIS-TCN contributes to facilitating and assisting in the correct identification of persons registered in ECRIS-TCN under the conditions and for the purposes of Article 20 of Regulation (EU) 2019/818 of the European Parliament and of the Council ( 1 ), by storing identity data, travel document data and biometric data in the CIR.

This Regulation applies to the processing of identity information of third-country nationals who have been subject to convictions in the Member States for the purpose of identifying the Member States where such convictions were handed down. With the exception of point (b)(ii) of Article 5(1), the provisions of this Regulation that apply to third-country nationals also apply to citizens of the Union who also hold the nationality of a third country and who have been subject to convictions in the Member States. This Regulation also facilitates and assists in the correct identification of persons in accordance with this Regulation and with Regulation (EU) 2019/818.

(1) ‘conviction’ means any final decision of a criminal court against a natural person in respect of a criminal offence, to the extent that the decision is entered in the criminal records of the convicting Member State;

(2) ‘criminal proceedings’ means the pre-trial stage, the trial stage and the execution of the conviction;

(3) ‘criminal record’ means the national register or registers recording convictions in accordance with national law;

(5) ‘central authority’ means an authority designated in accordance with Article 3(1) of Framework Decision 2009/315/JHA;

(6) ‘competent authorities’ means the central authorities and Eurojust, Europol and the EPPO, which are competent to access or query ECRIS-TCN in accordance with this Regulation;

(7) ‘third-country national’ means a person who is not a citizen of the Union within the meaning of Article 20(1) TFEU, or who is a stateless person or a person whose nationality is unknown;

(9) ‘interface software’ means the software hosted by the competent authorities allowing them to access the central system through the communication infrastructure referred to in point (d) of Article 4(1);

(10) ‘identity information’ means alphanumeric data, fingerprint data and facial images that are used to establish a connection between these data and a natural person;

(11) ‘alphanumeric data’ means data represented by letters, digits, special characters, spaces and punctuation marks;

(12) ‘fingerprint data’ means the data relating to plain and rolled impressions of the fingerprints of each of a person's fingers;

(14) ‘hit’ means a match or matches established by comparison between identity information recorded in the central system and the identity information used for a search;

(15) ‘national central access point’ means the national connection point to the communication infrastructure referred to in point (d) of Article 4(1);

(16) ‘ECRIS reference implementation’ means the software developed by the Commission and made available to the Member States for the exchange of criminal records information through ECRIS;

(17) ‘national supervisory authority’ means an independent public authority which is established by a Member State pursuant to applicable Union data protection rules;

(18) ‘supervisory authorities’ means the European Data Protection Supervisor and the national supervisory authorities;

(19) ‘CIR’ means the common identity repository established by Article 17(1) of Regulation (EU) 2019/818;

(20) ‘ECRIS-TCN data’ means all data stored in the central system and in the CIR in accordance with Article 5;

(c) interface software enabling the connection of the competent authorities to the central system via the national central access points and the communication infrastructure referred to in point (d);

(e) a communication infrastructure between the central system and the central infrastructures of the ESP and the CIR.

3. The interface software shall be integrated with the ECRIS reference implementation. The Member States shall use the ECRIS reference implementation or, in the situation and under the conditions set out in paragraphs 4 to 8, the national ECRIS implementation software to query ECRIS-TCN and to send subsequent requests for criminal records information.

4. The Member States which use their national ECRIS implementation software shall be responsible for ensuring that their national ECRIS implementation software allows their national criminal records authorities to use ECRIS-TCN, with the exception of the Interface Software, in accordance with this Regulation. For that purpose, they shall, before the date of start of operations of ECRIS-TCN in accordance with Article 35(4), ensure that their national ECRIS implementation software functions in accordance with the protocols and technical specifications established in the implementing acts referred to in Article 10, and with any further technical requirements established by eu-LISA pursuant to this Regulation based on those implementing acts.

5. For as long as they do not use the ECRIS reference implementation, Member States which use their national ECRIS implementation software shall also ensure the implementation of any subsequent technical adaptations to their national ECRIS implementation software required by any changes to the technical specifications established in the implementing acts referred to in Article 10, or changes to any further technical requirements established by eu-LISA pursuant to this Regulation based on those implementing acts, without undue delay.

6. The Member States which use their national ECRIS implementation software shall bear all the costs associated with the implementation, maintenance and further development of their national ECRIS implementation software and its interconnection with ECRIS-TCN, with the exception of the interface software.

7. If a Member State which uses its national ECRIS implementation software is unable to comply with its obligations under this Article, it shall be obliged to use the ECRIS reference implementation, including the integrated interface software, to make use of ECRIS-TCN.

8. In view of the assessment to be carried out by the Commission pursuant to point (b) of Article 36(10), the Member States concerned shall provide the Commission with all necessary information.

1. For each convicted third-country national, the central authority of the convicting Member State shall create a data record in ECRIS-TCN. The data record shall include:

(i) information to be included unless, in individual cases, such information is not known to the central authority (obligatory information):

— identity number, or the type and number of the person's identification documents, as well as the name of the issuing authority,

(i) fingerprint data that have been collected in accordance with national law during criminal proceedings;

— where the third-country national has received a custodial sentence of at least 6 months;

— or

— where the third-country national has been convicted of a criminal offence which is punishable under the law of the Member State by a custodial sentence of a maximum period of at least 12 months.

1a. The CIR shall contain the data referred to in point (b) of paragraph 1 and the following data of point (a) of paragraph 1: surname (family name), first names (given names), date of birth, place of birth (town and country), nationality or nationalities, gender, previous names, if applicable, where available pseudonyms or aliases, where available, the type and number of the person's travel documents, as well as the name of the issuing authority. The CIR may contain the data referred to in paragraph 3. The remaining ECRIS-TCN data shall be stored in the central system.

2. The fingerprint data referred to in point (b) of paragraph 1 of this Article shall have the technical specifications for the quality, resolution and processing of fingerprint data provided for in the implementing act referred to in point (b) of Article 10(1). The reference number of the fingerprint data of the convicted person shall include the code of the convicting Member State.

3. The data record may also contain facial images of the convicted third-country national, if the law of the convicting Member State allows for the collection and storage of facial images of convicted persons.

4. The convicting Member State shall create the data record automatically, where possible, and without undue delay after the conviction has been entered into the criminal records.

5. The convicting Member States shall also create data records for convictions handed down prior to the date of start of entry of data in accordance with Article 35(1) to the extent that data related to convicted persons are stored in their national databases. In those cases, fingerprint data shall be included only where they have been collected during criminal proceedings in accordance with national law, and where they can be clearly matched with other identity information in criminal records.

6. In order to comply with the obligations set out in points (b)(i) and (ii) of paragraph 1, and in paragraph 5, Member States may use fingerprint data collected for purposes other than criminal proceedings, where such use is permitted under national law.

1. Until the entry into force of the delegated act provided for in paragraph 2, facial images may be used only to confirm the identity of a third-country national who has been identified as a result of an alphanumeric search or a search using fingerprint data.

2. The Commission is empowered to adopt delegated acts in accordance with Article 37 supplementing this Regulation concerning the use of facial images for the purpose of identifying third-country nationals in order to identify the Member States holding information on previous convictions concerning such persons, when it becomes technically possible. Before exercising this empowerment, the Commission, taking into account necessity and proportionality, as well as technical developments in the field of facial recognition software, shall assess the availability and readiness of the required technology.

Use of ECRIS-TCN for identifying the Member States holding criminal records information

1. The central authorities shall use ECRIS-TCN to identify the Member States holding criminal records information on a third-country national in order to obtain information on previous convictions through ECRIS, when criminal records information on that person is requested in the Member State concerned for the purposes of criminal proceedings against that person, or for any of the following purposes, if provided for under and in accordance with national law:

— vetting for voluntary activities involving direct and regular contacts with children or vulnerable persons,

However, in specific cases other than those in which a third-country national asks the central authority for information on his or her own criminal record, or where the request is made in order to obtain criminal records information pursuant to Article 10(2) of Directive 2011/93/EU, the authority requesting criminal records information may decide that such use of ECRIS-TCN is not appropriate.

2. Any Member State which decides, if provided for under and in accordance with national law, to use ECRIS-TCN for purposes other than those set out in paragraph 1 in order to obtain information on previous convictions through ECRIS, shall, by the date of start of operations as referred to in Article 35(4), or any time thereafter, notify the Commission of such other purposes and any changes to such purposes. The Commission shall publish such notifications in the Official Journal of the European Union within 30 days of receipt of the notifications.

3. Eurojust, Europol and the EPPO are entitled to query ECRIS-TCN to identify the Member States holding criminal records information on a third-country national in accordance with Articles 14 to 18. However, they shall not enter, rectify or erase any data in ECRIS-TCN.

4. For the purposes referred to in paragraphs 1, 2 and 3, the competent authorities may also query ECRIS-TCN to verify whether, in respect of a citizen of the Union, any Member State holds criminal records information concerning this person as a third-country national.

5. When querying ECRIS-TCN, the competent authorities may use all or only some of the data referred to in Article 5(1). The minimum set of data that is required to query the system shall be specified in an implementing act adopted in accordance with point (g) of Article 10(1).

6. The competent authorities may also query ECRIS-TCN using facial images, provided that such functionality has been implemented in accordance with Article 6(2).

7. In the event of a hit, the central system shall automatically provide the competent authority with information on the Member States holding criminal records information on the third-country national, along with the associated reference numbers and any corresponding identity information. Such identity information shall only be used for the purpose of verifying the identity of the third-country national concerned. The result of a search in the central system may only be used for the purpose of making a request according to Article 6 of Framework Decision 2009/315/JHA or a request referred to in Article 17(3) of this Regulation.

8. In the event that there is no hit, the central system shall automatically inform the competent authority.

1. Each data record shall be stored in the central system and the CIR for as long as the data related to the convictions of the person concerned are stored in the criminal records.

2. Upon expiry of the retention period referred to in paragraph 1, the central authority of the convicting Member State shall erase the data record, including any fingerprint data or facial images, from the central system and the CIR. The erasure shall be done automatically, where possible, and in any event no later than one month after the expiry of the retention period.

1. The Member States may modify or erase the data which they have entered into ►M1 the central system and the CIR ◄ .

2. Any modification of the information in the criminal records which led to the creation of a data record in accordance with Article 5 shall include identical modification of the information stored in that data record in ►M1 the central system and the CIR ◄ by the convicting Member State without undue delay.

3. If a convicting Member State has reason to believe that the data it has recorded in ►M1 the central system and the CIR ◄ are inaccurate or that data were processed in ►M1 the central system and the CIR ◄ in contravention of this Regulation, it shall:

(a) immediately launch a procedure for checking the accuracy of the data concerned or the lawfulness of its processing, as appropriate;

(b) if necessary, rectify the data or erase them from ►M1 the central system and the CIR ◄ without undue delay.

4. If a Member State other than the convicting Member State which entered the data has reason to believe that data recorded in ►M1 the central system and the CIR ◄ are inaccurate or that data were processed in ►M1 the central system and the CIR ◄ in contravention of this Regulation, it shall contact the central authority of the convicting Member State without undue delay.

(a) immediately launch a procedure for checking the accuracy of the data concerned or the lawfulness of its processing, as appropriate;

(b) if necessary, rectify the data or erase them from ►M1 the central system and the CIR ◄ without undue delay;

(c) inform the other Member State that the data have been rectified or erased, or of the reasons why the data have not been rectified or erased, without undue delay.

1. The Commission shall adopt the implementing acts necessary for the technical development and implementation of ECRIS-TCN as soon as possible, and in particular acts concerning:

(d) the technical specifications for the quality, resolution and processing of facial images for the purposes of and under the conditions set out in Article 6;

(l) performance and availability requirements of ECRIS-TCN, including minimal specifications and requirements on the biometric performance of ECRIS-TCN in particular in terms of the required false positive identification rate and false negative identification rate.

2. The implementing acts referred to in paragraph 1 shall be adopted in accordance with the examination procedure referred to in Article 38(2).

1. eu-LISA shall be responsible for the development of ECRIS-TCN in accordance with the principle of data protection by design and by default. In addition, eu-LISA shall be responsible for the operational management of ECRIS-TCN. The development shall consist of the elaboration and implementation of the technical specifications, testing and overall project coordination.

2. eu-LISA shall also be responsible for the further development and maintenance of the ECRIS reference implementation.

3. eu-LISA shall define the design of the physical architecture of ECRIS-TCN including its technical specifications and evolution as regards the central system, the national central access point and the interface software. That design shall be adopted by its Management Board, subject to a favourable opinion of the Commission.

4. eu-LISA shall develop and implement ECRIS-TCN as soon as possible after the entry into force of this Regulation and following the adoption by the Commission of the implementing acts provided for in Article 10.

5. Prior to the design and development phase of ECRIS-TCN, the Management Board of eu-LISA shall establish a Programme Management Board composed of ten members.

The Programme Management Board shall be composed of eight members appointed by the Management Board, the Chair of the Advisory Group referred to in Article 39 and one member appointed by the Commission. The members appointed by the Management Board shall be elected only from those Member States which are fully bound under Union law by the legislative instruments governing ECRIS and which will participate in ECRIS-TCN. The Management Board shall ensure that the members it appoints to the Programme Management Board have the necessary experience and expertise in the development and management of IT systems supporting judicial and criminal records authorities.

eu-LISA shall participate in the work of the Programme Management Board. To that end, representatives of eu-LISA shall attend the meetings of the Programme Management Board in order to report on work regarding the design and development of ECRIS-TCN and on any other related work and activities.

The Programme Management Board shall meet at least once every three months, and more often when necessary. It shall ensure the adequate management of the design and development phase of ECRIS-TCN and shall ensure consistency between central and national ECRIS-TCN projects, and national ECRIS implementation software. The Programme Management Board shall submit written reports regularly and if possible every month to the Management Board of eu-LISA on the progress of the project. The Programme Management Board shall have no decision-making power nor any mandate to represent the members of the Management Board.

6. The Programme Management Board shall establish its rules of procedure which shall include in particular rules on:

(e) communication plans ensuring that non-participating Members of the Management Board are kept fully informed.

7. The chairmanship of the Programme Management Board shall be held by a Member State which is fully bound under Union law by the legislative instruments governing ECRIS and the legislative instruments governing the development, establishment, operation and use of all the large-scale IT systems managed by eu-LISA.

8. All travel and subsistence expenses incurred by the members of the Programme Management Board shall be paid by eu-LISA. Article 10 of the eu-LISA Rules of Procedure shall apply mutatis mutandis. The Programme Management Board's secretariat shall be ensured by eu-LISA.

9. During the design and development phase, the Advisory Group referred to in Article 39 shall be composed of the national ECRIS-TCN project managers and chaired by eu-LISA. During the design and development phase it shall meet regularly, if possible at least once a month, until the start of operations of ECRIS-TCN. It shall report after each meeting to the Programme Management Board. It shall provide the technical expertise to support the tasks of the Programme Management Board and shall follow up on the state of preparation of the Member States.

10. In order to ensure the confidentiality and integrity of data stored in ECRIS-TCN at all times, eu-LISA shall, in cooperation with the Member States, provide for appropriate technical and organisational measures, taking into account the state of the art, the cost of implementation and the risks posed by the processing.

11. eu-LISA shall be responsible for the following tasks related to the communication infrastructure referred to in point (d) of Article 4(1):

12. The Commission shall be responsible for all other tasks relating to the communication infrastructure referred to in point (d) of Article 4(1), in particular:

13. eu-LISA shall develop and maintain a mechanism and procedures for carrying out quality checks on the data stored in ECRIS-TCN and shall provide regular reports to the Member States. eu-LISA shall provide regular reports to the Commission covering the issues encountered and the Member States concerned.

14. The operational management of ECRIS-TCN shall consist of all the tasks necessary to keep ECRIS-TCN operational in accordance with this Regulation, and in particular the maintenance work and technical developments necessary to ensure that ECRIS-TCN functions at a satisfactory level in accordance with the technical specifications.

15. eu-LISA shall perform tasks related to providing training on the technical use of ECRIS-TCN and the ECRIS reference implementation.

16. Without prejudice to Article 17 of the Staff Regulations of Officials of the European Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 ( 2 ), eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality to its entire staff required to work with data registered in the central system. That obligation shall also apply after such staff leave office or employment or after the termination of their activities.

(a) ensuring a secure connection between its national criminal records and fingerprints databases and the national central access point;

(d) the management of and arrangements for access of duly authorised staff of the central authorities to ECRIS-TCN in accordance with this Regulation and for establishing and regularly updating a list of such staff and the profiles referred to in point (g) of Article 19(3).

2. Each Member State shall give the staff of its central authority who have a right to access ECRIS-TCN appropriate training covering, in particular, data security and data protection rules and applicable fundamental rights, before authorising them to process data stored in the ►M1 the central system and the CIR ◄ .

1. In accordance with applicable Union data protection rules, each Member State shall ensure that the data recorded in ECRIS-TCN are processed lawfully, and in particular that:

(b) the data are collected lawfully in a manner that fully respects the human dignity and fundamental rights of the third-country national;

2. eu-LISA shall ensure that ECRIS-TCN is operated in accordance with this Regulation, with the delegated act referred to in Article 6(2) and with the implementing acts referred to in Article 10, as well as in accordance with Regulation (EU) 2018/1725. In particular, eu-LISA shall take the necessary measures to ensure the security of ►M1 the central system, the CIR ◄ and the communication infrastructure referred to in point (d) of Article 4(1), without prejudice to the responsibilities of each Member State.

3. eu-LISA shall inform the European Parliament, the Council and the Commission as well as the European Data Protection Supervisor as soon as possible of the measures it takes pursuant to paragraph 2 in view of the start of operations of ECRIS-TCN.

4. The Commission shall make the information referred to in paragraph 3 available to the Member States and to the public through a regularly updated public website.

1. Eurojust shall have direct access to ECRIS-TCN for the purpose of the implementation of Article 17, as well as for fulfilling its tasks under Article 2 of Regulation (EU) 2018/1727, in order to identify the Member States holding information on previous convictions of third-country nationals.

2. Europol shall have direct access to ECRIS-TCN for the purpose of fulfilling its tasks under points (a) to (e) and (h) of Article 4(1) of Regulation (EU) 2016/794, in order to identify the Member States holding information on previous convictions of third-country nationals.

3. The EPPO shall have direct access to ECRIS-TCN for the purpose of fulfilling its tasks under Article 4 of Regulation (EU) 2017/1939, in order to identify the Member States holding information on previous convictions of third-country nationals.

4. Following a hit indicating the Member States holding criminal records information on a third-country national, Eurojust, Europol, and the EPPO may use their respective contacts with the national authorities of those Member States to request the criminal records information in the manner provided for in their respective founding acts.

Eurojust, Europol and the EPPO shall be responsible for the management of and arrangements for access of duly authorised staff to ECRIS-TCN in accordance with this Regulation and for establishing and regularly updating a list of such staff and their profiles.

(a) establish the technical means to connect to ECRIS-TCN and be responsible for maintaining that connection;

(b) provide appropriate training covering, in particular, data security and data protection rules and applicable fundamental rights to those members of their staff who have a right to access ECRIS-TCN before authorising them to process data stored in the central system;

(c) ensure that the personal data processed by them under this Regulation is protected in accordance with the applicable data protection rules.

1. Third countries and international organisations may, for the purposes of criminal proceedings, address requests for information on which Member States, if any, hold criminal records information on a third-country national to Eurojust. To that end, they shall use the standard form set out in the Annex to this Regulation.

2. When Eurojust receives a request under paragraph 1, it shall use ECRIS-TCN to identify which Member States, if any, hold criminal records information on the third-country national concerned.

3. If there is a hit, Eurojust shall ask the Member State that holds criminal records information on the third-country national concerned whether it consents to Eurojust informing the third country or the international organisation of the name of the Member State concerned. Where that Member State gives its consent, Eurojust shall inform the third country or the international organisation of the name of that Member State, and of how it can introduce a request for extracts from the criminal records with that Member State in accordance with the applicable procedures.

4. In cases where there is no hit or where Eurojust cannot provide an answer in accordance with paragraph 3 to requests made under this Article, it shall inform the third country or international organisation concerned that it has completed the procedure, without providing any indication of whether criminal records information on the person concerned is held by one of the Member States.

Providing information to a third country, international organisation or private party

Neither Eurojust, Europol, the EPPO nor any central authority shall transfer or make available to a third country, an international organisation or a private party information obtained from ECRIS-TCN concerning a third-country national. This Article shall be without prejudice to Article 17(3).

1. eu-LISA shall take the necessary measures to ensure the security of ECRIS-TCN, without prejudice to the responsibilities of each Member State, taking the security measures specified in paragraph 3 into consideration.

2. As regards the operation of ECRIS-TCN, eu-LISA shall take the necessary measures in order to achieve the objectives set out in paragraph 3, including the adoption of a security plan and a business continuity and disaster recovery plan, and to ensure that installed systems may, in case of interruption, be restored.

3. The Member States shall ensure the security of the data before and during the transmission to and receipt from the national central access point. In particular, each Member State shall:

(b) deny unauthorised persons access to national installations in which the Member State carries out operations related to ECRIS-TCN;

(d) prevent the unauthorised input of data and the unauthorised inspection, modification or erasure of stored personal data;

(e) prevent the unauthorised processing of data in ECRIS-TCN and any unauthorised modification or erasure of data processed in ECRIS-TCN;

(f) ensure that persons authorised to access ECRIS-TCN have access only to the data covered by their access authorisation, by means of individual user identities and confidential access modes only;

(g) ensure that all authorities with a right of access to ECRIS-TCN create profiles describing the functions and responsibilities of persons who are authorised to enter, rectify, erase, consult and search the data and make their profiles available to the national supervisory authorities without undue delay at their request;

(h) ensure that it is possible to verify and establish to which Union bodies, offices and agencies personal data may be transmitted using data communication equipment;

(i) ensure that it is possible to verify and establish what data have been processed in ECRIS-TCN, when, by whom and for what purpose;

(j) prevent the unauthorised reading, copying, modification or erasure of personal data during the transmission of personal data to or from ECRIS-TCN or during the transport of data media, in particular by means of appropriate encryption techniques;

(k) monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to self-monitoring and supervision to ensure compliance with this Regulation.

4. eu-LISA and the Member States shall cooperate in order to ensure a coherent data security approach based on a security risk management process encompassing the entire ECRIS-TCN.

1. Any person who, or any Member State which, has suffered material or non-material damage as a result of an unlawful processing operation or any other act incompatible with this Regulation shall be entitled to receive compensation from:

(b) eu-LISA, where eu-LISA has not complied with its obligations set out in this Regulation or in Regulation (EU) 2018/1725.

The Member State which is responsible for the damage suffered or eu-LISA, respectively, shall be exempted from liability, in whole or in part, if it proves that it is not responsible for the event which gave rise to the damage.

2. If any failure of a Member State, Eurojust, Europol, or the EPPO to comply with its obligations under this Regulation causes damage to ECRIS-TCN, that Member State, Eurojust, Europol, or the EPPO, respectively, shall be held liable for such damage, unless and insofar as eu-LISA or another Member State participating in ECRIS-TCN failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.

3. Claims for compensation against a Member State for the damage referred to in paragraphs 1 and 2 shall be governed by the law of the defendant Member State. Claims for compensation against eu-LISA, Eurojust, Europol and the EPPO for the damage referred to in paragraphs 1 and 2 shall be governed by their respective founding acts.

Member States shall ensure that each central authority takes the measures necessary to comply with this Regulation and cooperates, where necessary, with the supervisory authorities.

Any misuse of data entered in ECRIS-TCN shall be subject to penalties or disciplinary measures, in accordance with national or Union law, that are effective, proportionate and dissuasive.

1. Each central authority is to be considered as data controller in accordance with applicable Union data protection rules for the processing of the personal data by that central authority's Member State under this Regulation.

2. eu-LISA shall be considered as data processor in accordance with Regulation (EU) 2018/1725 as regards the personal data entered into ►M1 the central system and the CIR ◄ by the Member States.

1. The data entered into the central system and the CIR shall only be processed for the purposes of the identification of the Member States holding the criminal records information of third-country nationals. The data entered into the CIR shall also be processed in accordance with Regulation (EU) 2019/818 for facilitating and assisting in the correct identification of persons registered in the ECRIS-TCN in accordance with this Regulation.

2. With the exception of duly authorised staff of Eurojust, Europol and the EPPO who have access to ECRIS-TCN for the purposes of this Regulation, access to ECRIS-TCN shall be reserved exclusively to duly authorised staff of the central authorities. Access shall be limited to the extent needed for the performance of the tasks in accordance with the purpose referred to in paragraph 1, and to what is necessary and proportionate to the objectives pursued.

3. Without prejudice to paragraph 2, access for the purposes of consulting the data stored in the CIR shall also be reserved for the duly authorised staff of the national authorities of each Member State and for the duly authorised staff of the Union agencies that are competent for the purposes laid down in Articles 20 and 21 of Regulation (EU) 2019/818. Such access shall be limited according to the extent that the data are required for the performance of their tasks for those purposes, and proportionate to the objectives pursued.

1. The requests of third-country nationals concerning the rights of access to personal data, to rectification and erasure and to restriction of processing of personal data which are set out in the applicable Union data protection rules may be addressed to the central authority of any Member State.

2. Where a request is made to a Member State other than the convicting Member State, the Member State to which the request has been made shall forward it to the convicting Member State without undue delay and in any event within 10 working days of receiving the request. Upon receipt of the request, the convicting Member State shall:

(a) immediately launch a procedure for checking the accuracy of the data concerned and the lawfulness of its processing in ECRIS-TCN; and

3. In the event that data recorded in ECRIS-TCN are inaccurate or have been processed unlawfully, the convicting Member State shall rectify or erase the data in accordance with Article 9. The convicting Member State or, where applicable, the Member State to which the request has been made shall confirm in writing to the person concerned without undue delay that action has been taken to rectify or erase data relating to that person. The convicting Member State shall also without undue delay inform any other Member State which has been a recipient of conviction information obtained as a result of a query of ECRIS-TCN of what action has been taken.

4. If the convicting Member State does not agree that data recorded in ECRIS-TCN are inaccurate or have been processed unlawfully, that Member State shall adopt an administrative or judicial decision explaining in writing to the person concerned why it is not prepared to rectify or erase data relating to him or her. Such cases may, where appropriate, be communicated to the national supervisory authority.

5. The Member State which has adopted the decision pursuant to paragraph 4 shall also provide the person concerned with information explaining the steps which that person can take if the explanation given pursuant to paragraph 4 is not acceptable to him or her. This shall include information on how to bring an action or a complaint before the competent authorities or courts of that Member State and any assistance, including from the national supervisory authorities, that is available in accordance with the national law of that Member State.

6. Any request made pursuant to paragraph 1 shall contain the information necessary to identify the person concerned. That information shall be used exclusively to enable the exercise of the rights referred to in paragraph 1 and shall be erased immediately afterwards.

7. Where paragraph 2 applies, the central authority to whom the request was addressed shall keep a written record that such a request was made and of how it was addressed and to which authority it was forwarded. Upon request from the national supervisory authority, the central authority shall make that record available to that national supervisory authority without delay. The central authority and the national supervisory authority shall erase such records three years after their creation.

1. The central authorities shall cooperate with each other in order to ensure respect for the rights laid down in Article 25.

2. In each Member State, the national supervisory authority shall, upon request, provide information to the person concerned on how to exercise his or her right to rectify or erase data relating to him or to her, in accordance with the applicable Union data protection rules.

3. For the purposes of this Article, the national supervisory authority of the Member State which transmitted the data and the national supervisory authority of the Member State to which the request has been made shall cooperate with each other.

Any person shall have the right to lodge a complaint and the right to a legal remedy in the convicting Member State which refused the right of access to or the right of rectification or erasure of data relating to him or to her, referred to in Article 25 in accordance with national or Union law.

1. Each Member State shall ensure that the national supervisory authorities designated pursuant to applicable Union data protection rules shall monitor the lawfulness of the processing of personal data referred to in Articles 5 and 6 by the Member State concerned, including their transmission to and from ECRIS-TCN.

2. The national supervisory authority shall ensure that an audit of the data processing operations in the national criminal records and fingerprints databases related to the data exchange between those systems and ECRIS-TCN is carried out in accordance with relevant international auditing standards at least every three years from the date of the start of operations of ECRIS-TCN.

3. Member States shall ensure that their national supervisory authorities have sufficient resources to fulfil the tasks entrusted to them under this Regulation.

4. Each Member State shall supply any information requested by its national supervisory authorities and shall, in particular, provide them with information on the activities carried out in accordance with Articles 12, 13 and 19. Each Member State shall grant its national supervisory authorities access to its records pursuant to Article 25(7) and to its logs pursuant to Article 31(6) and allow them access at all times to all its ECRIS-TCN related premises.

1. The European Data Protection Supervisor shall monitor that the personal data processing activities of eu-LISA concerning ECRIS-TCN are carried out in accordance with this Regulation.

2. The European Data Protection Supervisor shall ensure that an audit of eu-LISA's personal data processing activities is carried out in accordance with relevant international auditing standards at least every three years. A report of that audit shall be sent to the European Parliament, the Council, the Commission, eu-LISA and the supervisory authorities. eu-LISA shall be given an opportunity to make comments before the report is adopted.

3. eu-LISA shall supply information requested by the European Data Protection Supervisor, give him or her access to all documents and to its logs referred to in Article 31 and allow him or her access to all of its premises at any time.

Cooperation among national supervisory authorities and the European Data Protection Supervisor

Coordinated supervision of ECRIS-TCN shall be ensured in accordance with Article 62 of Regulation (EU) 2018/1725.

1. eu-LISA and the competent authorities shall ensure, in accordance with their respective responsibilities, that all data processing operations in ECRIS-TCN are logged in accordance with paragraph 2 for the purposes of checking the admissibility of requests, monitoring data integrity and security and the lawfulness of the data processing as well as for the purposes of self-monitoring.

3. The log of consultations and disclosures shall make it possible to establish the justification of such operations.

4. Logs shall be used only for monitoring the lawfulness of data processing and for ensuring data integrity and security. Only logs containing non-personal data may be used for the monitoring and evaluation referred to in Article 36. Those logs shall be protected by appropriate measures against unauthorised access and erased after three years, if they are no longer required for monitoring procedures which have already begun.

5. On request, eu-LISA shall make the logs of its processing operations available to the central authorities without undue delay.

6. The competent national supervisory authorities responsible for checking the admissibility of the requests and monitoring the lawfulness of the data processing and data integrity and security shall have access to logs at their request for the purpose of fulfilling their duties. On request, the central authorities shall make the logs of their processing operations available to the competent national supervisory authorities without undue delay.

1. The duly authorised staff of eu-LISA, of the competent authorities and of the Commission shall have access to the data processed within ECRIS-TCN solely for the purposes of reporting and providing statistics, without allowing for individual identification.

2. For the purpose of paragraph 1 of this Article, eu-LISA shall store the data referred to in that paragraph in the central repository for reporting and statistics referred to in Article 39 of Regulation (EU) 2019/818.

3. The procedures put in place by eu-LISA to monitor the functioning of ECRIS-TCN referred to in Article 36 as well as the ECRIS reference implementation shall include the possibility to produce regular statistics for monitoring purposes.

Every month eu-LISA shall submit to the Commission statistics relating to the recording, storage and exchange of information extracted from criminal records through ECRIS-TCN and the ECRIS reference implementation. eu-LISA shall ensure that it is not possible to identify individuals on the basis of those statistics. At the request of the Commission, eu-LISA shall provide it with statistics on specific aspects related to the implementation of this Regulation.

4. The Member States shall provide eu-LISA with the statistics necessary to fulfil its obligations referred to in this Article. They shall provide the Commission with statistics on the number of convicted third-country nationals, as well as the number of convictions of third-country nationals on their territory.

1. The costs incurred in connection with the establishment and operation of the ►M1 central system, the CIR and ◄ , the communication infrastructure referred to in point (d) of Article 4(1), the interface software and the ECRIS reference implementation shall be borne by the general budget of the Union.

2. The costs of connection of Eurojust, Europol and the EPPO to ECRIS-TCN shall be borne by their respective budgets.

3. Other costs shall be borne by the Member States, specifically the costs incurred by the connection of the existing national criminal records registers, fingerprints databases and the central authorities to ECRIS-TCN, as well as the costs of hosting the ECRIS reference implementation.

1. Each Member State shall notify eu-LISA of its central authority, or authorities, that has access to enter, rectify, erase, consult or search data, as well as of any change in this respect.

2. eu-LISA shall ensure publication of the list of central authorities notified by the Member States, both in the Official Journal of the European Union and on its website. When eu-LISA receives notification of a change to a Member State's central authority, it shall update the list without undue delay.

1. Once the Commission is satisfied that the following conditions are met, it shall determine the date from which the Member States shall start entering the data referred to in Article 5 into ECRIS-TCN:

(b) the Member States have validated the technical and legal arrangements to collect and transmit the data referred to in Article 5 to ECRIS-TCN and have notified them to the Commission;

(c) eu-LISA has carried out a comprehensive test of ECRIS-TCN, in cooperation with the Member States, using anonymous test data.

2. When the Commission has determined the date of start of entry of data in accordance with paragraph 1, it shall communicate that date to the Member States. Within a period of two months following that date, the Member States shall enter the data referred to in Article 5 into ECRIS-TCN, taking account of Article 41(2).

3. After the end of the period referred to in paragraph 2, eu-LISA shall carry out a final test of ECRIS-TCN, in cooperation with the Member States.

4. When the test referred to in paragraph 3 has been successfully completed and eu-LISA considers that ECRIS-TCN is ready to start operations, it shall notify the Commission. The Commission shall inform the European Parliament and the Council of the results of the test and shall decide on the date on which ECRIS-TCN is to start operations.

5. The decision of the Commission on the date of the start of operations of ECRIS-TCN, as referred to in paragraph 4, shall be published in the Official Journal of the European Union.

6. The Member States shall start using ECRIS-TCN from the date determined by the Commission in accordance with paragraph 4.

7. When taking the decisions referred to in this Article, the Commission may specify different dates for the entry into ECRIS-TCN of alphanumeric data and fingerprint data as referred to in Article 5, as well as for the start of operations with respect to those different categories of data.

1. eu-LISA shall ensure that procedures are in place to monitor the development of ECRIS-TCN in light of objectives relating to planning and costs and to monitor the functioning of ECRIS-TCN and the ECRIS reference implementation in light of objectives relating to the technical output, cost-effectiveness, security and quality of service.

2. For the purposes of monitoring the functioning of ECRIS-TCN and its technical maintenance, eu-LISA shall have access to the necessary information relating to the data processing operations performed in ECRIS-TCN and in the ECRIS reference implementation.

3. By 12 December 2019 and every six months thereafter during the design and development phase, eu-LISA shall submit a report to the European Parliament and the Council on the state of play of the development of ECRIS-TCN and of the ECRIS reference implementation.

4. The report referred to in paragraph 3 shall include an overview of the current costs and the progress of the project, a financial impact assessment, and information on any technical problems and risks that may impact the overall costs of ECRIS-TCN to be borne by the general budget of the Union in accordance with Article 33.

5. In the event of substantial delays in the development process, eu-LISA shall inform the European Parliament and the Council as soon as possible of the reasons for these delays and of their impact in terms of time and finances.

6. Once the development of ECRIS-TCN and of the ECRIS reference implementation is finalised, eu-LISA shall submit a report to the European Parliament and to the Council explaining how the objectives, in particular relating to planning and costs, were achieved and justifying any divergences.

7. In the event of a technical upgrade of ECRIS-TCN which could result in substantial costs, eu-LISA shall inform the European Parliament and the Council.

8. Two years after the start of operations of ECRIS-TCN and every year thereafter, eu-LISA shall submit to the Commission a report on the technical functioning of ECRIS-TCN and of the ECRIS reference implementation, including their security, based in particular on the statistics on the functioning and use of ECRIS-TCN and on the exchange, through the ECRIS reference implementation, of information extracted from the criminal records.

9. Four years after the start of operations of ECRIS-TCN and every four years thereafter, the Commission shall conduct an overall evaluation of ECRIS-TCN and of the ECRIS reference implementation. The overall evaluation report established on this basis shall include an assessment of the application of this Regulation and an examination of results that have been achieved relative to the objectives that were set and of the impact on fundamental rights. The report shall also include an assessment of whether the underlying rationale for operating ECRIS-TCN continues to hold, of the appropriateness of the use of biometric data for the purposes of ECRIS-TCN, of the security of ECRIS-TCN and of any security implications for future operations. The evaluation shall include any necessary recommendations. The Commission shall transmit the report to the European Parliament, the Council, the European Data Protection Supervisor and the European Union Agency for Fundamental Rights.

10. In addition, the first overall evaluation as referred to in paragraph 9 shall include an assessment of:

(a) the extent to which, on the basis of relevant statistical data and further information from the Member States, the inclusion in ECRIS-TCN of identity information of citizens of the Union who also hold the nationality of a third country has contributed to the achievement of the objectives of this Regulation;

(b) the possibility, for some Member States, to continue the use of national ECRIS implementation software, as referred to in Article 4;

(c) the entry of fingerprint data into ECRIS-TCN, in particular the application of the minimum criteria as referred to in point (b)(ii) of Article 5(1);

The assessment may be accompanied, if necessary, by legislative proposals. Subsequent overall evaluations may include an assessment of any or all of those aspects.

11. The Member States, Eurojust, Europol and the EPPO shall provide eu-LISA and the Commission with the information necessary to draft the reports referred to in paragraphs 3, 8 and 9 according to the quantitative indicators predefined by the Commission or eu-LISA or both. That information shall not jeopardise working methods or include information that reveals sources, staff members or investigations.

12. Where relevant, the supervisory authorities shall provide eu-LISA and the Commission with the information necessary to draft the reports referred to in paragraph 9 according to the quantitative indicators predefined by the Commission or eu-LISA or both. That information shall not jeopardise working methods or include information that reveals sources, staff members or investigations.

13. eu-LISA shall provide the Commission with the information necessary to produce the overall evaluations referred to in paragraph 9.

1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2. The power to adopt delegated acts referred to in Article 6(2) shall be conferred on the Commission for an indeterminate period of time from 11 June 2019.

3. The delegation of power referred to in Article 6(2) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.

5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

6. A delegated act adopted pursuant to Article 6(2) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.

1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

Where the committee delivers no opinion, the Commission shall not adopt the draft implementing act and the third subparagraph of Article 5(4) of Regulation (EU) No 182/2011 shall apply.

eu-LISA shall establish an Advisory Group in order to obtain expertise related to ECRIS-TCN and the ECRIS reference implementation, in particular in the context of preparation of its annual work programme and its annual activity report. During the design and development phase, Article 11(9) shall apply.

‘4. The Agency shall be responsible for the preparation, development or operational management of the Entry/Exit System (EES), DubliNet, the European Travel Information and Authorisation System (ETIAS), ECRIS-TCN and the ECRIS reference implementation.’;

In relation to ECRIS-TCN and the ECRIS reference implementation, the Agency shall perform:

(a) the tasks conferred on it by Regulation (EU) 2019/816 of the European Parliament and of the Council ( *1 );

‘1. The Agency shall monitor developments in research relevant for the operational management of SIS II, VIS, Eurodac, the EES, ETIAS, DubliNet, ECRIS-TCN and other large-scale IT systems as referred to in Article 1(5).’;

‘(ee) adopt the reports on the development of the EES pursuant to Article 72(2) of Regulation (EU) 2017/2226, the reports on the development of ETIAS pursuant to Article 92(2) of Regulation (EU) 2018/1240 and the reports on the development of ECRIS-TCN and of the ECRIS reference implementation pursuant to Article 36(3) of Regulation (EU) 2019/816;’;

‘(ff) adopt the reports on the technical functioning of SIS II pursuant to Article 50(4) of Regulation (EC) No 1987/2006 and Article 66(4) of Decision 2007/533/JHA respectively, of VIS pursuant to Article 50(3) of Regulation (EC) No 767/2008 and Article 17(3) of Decision 2008/633/JHA, of the EES pursuant to Article 72(4) of Regulation (EU) 2017/2226, of ETIAS pursuant to Article 92(4) of Regulation (EU) 2018/1240, and of ECRIS-TCN and of the ECRIS reference implementation pursuant to Article 36(8) of Regulation (EU) 2019/816;’;

‘(hh) adopt formal comments on the European Data Protection Supervisor's reports on the audits carried out pursuant to Article 45(2) of Regulation (EC) No 1987/2006, Article 42(2) of Regulation (EC) No 767/2008 and Article 31(2) of Regulation (EU) No 603/2013, Article 56(2) of Regulation (EU) 2017/2226, Article 67 of Regulation (EU) 2018/1240 and to Article 29(2) of Regulation (EU) 2019/816 and ensure appropriate follow-up of those audits;’;

‘(lla) submit to the Commission statistics related to ECRIS-TCN and to the ECRIS reference implementation pursuant to the second subparagraph of Article 32(3) of Regulation (EU) 2019/816;’;

‘(mm) ensure annual publication of the list of competent authorities authorised to search directly the data contained in SIS II pursuant to Article 31(8) of Regulation (EC) No 1987/2006 and Article 46(8) of Decision 2007/533/JHA, together with the list of Offices of the national systems of SIS II (N.SIS II Offices) and SIRENE Bureaux pursuant to Article 7(3) of Regulation (EC) No 1987/2006 and Article 7(3) of Decision 2007/533/JHA respectively as well as the list of competent authorities pursuant to Article 65(2) of Regulation (EU) 2017/2226, the list of competent authorities pursuant to Article 87(2) of Regulation (EU) 2018/1240 and the list of central authorities pursuant to Article 34(2) of Regulation (EU) 2019/816;’;

‘Eurojust, Europol and the EPPO may attend the meetings of the Management Board as observers when a question concerning ECRIS-TCN in relation to the application of Regulation (EU) 2019/816 is on the agenda.’;

‘(p) establishing, without prejudice to Article 17 of the Staff Regulations of Officials, confidentiality requirements in order to comply with Article 17 of Regulation (EC) No 1987/2006, Article 17 of Decision 2007/533/JHA, Article 26(9) of Regulation (EC) No 767/2008, Article 4(4) of Regulation (EU) No 603/2013, Article 37(4) of Regulation (EU) 2017/2226, Article 74(2) of Regulation (EU) No 2018/1240 and Article 11(16) of Regulation (EU) 2019/816;’;

1. Member States shall take the necessary measures to comply with this Regulation as soon as possible so as to ensure the proper functioning of ECRIS-TCN.

2. For convictions handed down prior to the date of start of entry of data in accordance with Article 35(1), the central authorities shall create the individual data records in the central system and the CIR as follows:

(a) alphanumeric data to be entered into the central system and the CIR by the end of the period referred to in Article 35(2);

(b) fingerprint data to be entered into the CIR within two years after the start of operations in accordance with Article 35(4).

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.

STANDARD INFORMATION REQUEST FORM AS REFERRED TO IN ARTICLE 17(1) OF REGULATION (EU) 2019/816 IN ORDER TO OBTAIN INFORMATION ON WHICH MEMBER STATE, IF ANY, HOLDS CRIMINAL RECORDS INFORMATION OF A THIRD-COUNTRY NATIONAL

( 1 ) Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration and amending Regulations (EU) 2018/1726, (EU) 2018/1862 and (EU) 2019/816 (OJ L 135, 22.5.2019, p. 85).

( *1 ) Regulation (EU) 2019/816 of the European Parliament and of the Council of 17 April 2019 establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System) and amending Regulation (EU) 2018/1726 (OJ L 135, 22.5.2019, p. 1).’;

		Official Journal
		No	page	date
►M1	REGULATION (EU) 2019/818 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 20 May 2019	L 135	85	22.5.2019