Regulation (EU) 2019/816 of the European Parliament and of the Council of 17 April 2019 establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726

REGULATION (EU) 2019/816 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of 17 April 2019

establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726

CHAPTER I

General provisions

Article 1

Subject matter

This Regulation establishes:

(a) a system to identify the Member States holding information on previous convictions of third-country nationals (‘ECRIS-TCN’);

(b) the conditions under which ECRIS-TCN shall be used by the central authorities in order to obtain information on such previous convictions through the European Criminal Records Information System (ECRIS) established by Decision 2009/316/JHA, as well as the conditions under which Eurojust, Europol and the EPPO shall use ECRIS-TCN;

(c) the conditions under which ECRIS-TCN contributes to facilitating and assisting in the correct identification of persons registered in ECRIS-TCN under the conditions and for the purposes of Article 20 of Regulation (EU) 2019/818 of the European Parliament and of the Council (¹), by storing identity data, travel document data and biometric data in the CIR;

(e) the conditions under which data in ECRIS-TCN may be used by the ETIAS Central Unit, established within the European Border and Coast Guard Agency in accordance with Article 7 of Regulation (EU) 2018/1240 of the European Parliament and of the Council (²), for the purpose of supporting the ETIAS objective of contributing to a high level of security by providing for a thorough security risk assessment of applicants, prior to their arrival at external border crossing points, in order to determine whether there are factual indications or reasonable grounds based on factual indications to conclude that the presence of the person on the territory of the Member States poses a security risk.

Article 2

Scope

This Regulation applies to the processing of identity information of third-country nationals who have been subject to convictions in the Member States, for the purpose of identifying the Member States where such convictions were handed down. With the exception of point (b)(ii) of Article 5(1), the provisions of this Regulation that apply to third-country nationals also apply to citizens of the Union who also hold a nationality of a third country and who have been subject to convictions in the Member States.

This Regulation:

(a) supports the VIS objective of assessing whether the applicant for a visa, a long-stay visa or a residence permit could pose a threat to public policy or internal security, in accordance with Regulation (EC) No 767/2008;

(b) supports the ETIAS objective of contributing to a high level of security, in accordance with Regulation (EU) 2018/1240;

(c) facilitates and assists in the correct identification of persons in accordance with this Regulation and with Regulation (EU) 2019/818.

Article 3

Definitions

For the purposes of this Regulation, the following definitions apply:

(1) ‘conviction’ means any final decision of a criminal court against a natural person in respect of a criminal offence, to the extent that the decision is entered in the criminal records of the convicting Member State;

(2) ‘criminal proceedings’ means the pre-trial stage, the trial stage and the execution of the conviction;

(3) ‘criminal record’ means the national register or registers recording convictions in accordance with national law;

(4) ‘convicting Member State’ means the Member State in which a conviction is handed down;

(5) ‘central authority’ means an authority designated in accordance with Article 3(1) of Framework Decision 2009/315/JHA;

(6) ‘competent authorities’ means the central authorities, Eurojust, Europol, the EPPO, the VIS designated authorities as referred to in Article 9d and Article 22b(13) of Regulation (EC) No 767/2008, and the ETIAS Central Unit, which are competent to access or query ECRIS-TCN in accordance with this Regulation;

(7) ‘third-country national’ means a person who is not a citizen of the Union within the meaning of Article 20(1) TFEU, or who is a stateless person or a person whose nationality is unknown;

(9) ‘interface software’ means the software hosted by the competent authorities allowing them to access the central system through the communication infrastructure referred to in point (d) of Article 4(1);

(10) ‘identity information’ means alphanumeric data, fingerprint data and facial images that are used to establish a connection between these data and a natural person;

(11) ‘alphanumeric data’ means data represented by letters, digits, special characters, spaces and punctuation marks;

(12) ‘fingerprint data’ means the data relating to plain and rolled impressions of the fingerprints of each of a person's fingers;

(13) ‘facial image’ means a digital image of a person's face;

(14) ‘hit’ means a match or matches established by comparison between identity information recorded in the central system and the identity information used for a search;

(15) ‘national central access point’ means the national connection point to the communication infrastructure referred to in point (d) of Article 4(1);

(16) ‘ECRIS reference implementation’ means the software developed by the Commission and made available to the Member States for the exchange of criminal records information through ECRIS;

(17) ‘national supervisory authority’ means an independent public authority which is established by a Member State pursuant to applicable Union data protection rules;

(18) ‘supervisory authorities’ means the European Data Protection Supervisor and the national supervisory authorities;

(19) ‘CIR’ means the common identity repository established by Article 17(1) of Regulation (EU) 2019/818;

(20) ‘ECRIS-TCN data’ means all data stored in the central system and in the CIR in accordance with Article 5;

(21) ‘ESP’ means the European search portal established by Article 6(1) of Regulation (EU) 2019/818.

Article 4

Technical architecture of ECRIS-TCN

ECRIS-TCN shall be composed of:

(a) a central system;

(aa) the CIR;

(b) a national central access point in each Member State;

(c) interface software enabling the connection of the competent authorities to the central system via the national central access points and the communication infrastructure referred to in point (d);

(d) a communication infrastructure between the central system and the national central access points;

(e) a communication infrastructure between the central system and the central infrastructures of the ESP and the CIR.

CHAPTER II

Entry and use of data by central authorities

Article 5

Data entry in ECRIS-TCN

For each convicted third-country national, the central authority of the convicting Member State shall create a data record in ECRIS-TCN. The data record shall include:

(a) as concerns alphanumeric data: (i) information to be included unless, in individual cases, such information is not known to the central authority (obligatory information): — surname (family name), — first names (given names), — date of birth, — place of birth (town and country), — nationality or nationalities, — gender, — previous names, if applicable, — the code of the convicting Member State, (ii) information to be included if it has been entered in the criminal record (optional information): — parents' names, (iii) information to be included if it is available to the central authority (additional information): — identity number, or the type and number of the person’s identification documents, including travel documents, as well as the name of the issuing authority, — pseudonyms or aliases;

(b) as concerns fingerprint data: (i) fingerprint data that have been collected in accordance with national law during criminal proceedings; (ii) as a minimum, fingerprint data collected on the basis of either of the following criteria: — where the third-country national has received a custodial sentence of at least 6 months; or — where the third-country national has been convicted of a criminal offence which is punishable under the law of the Member State by a custodial sentence of a maximum period of at least 12 months;

(c) a flag indicating, for the purpose of Regulations (EC) No 767/2008 and (EU) 2018/1240, that the third-country national concerned has been convicted in the previous 25 years of a terrorist offence or in the previous 15 years of any other criminal offence listed in the Annex to Regulation (EU) 2018/1240 if it is punishable by a custodial sentence or a detention order for a maximum period of at least three years under national law, including the code of the convicting Member State.

Flags and codes of convicting Member States as referred to in point (c) of paragraph 1 of this Article shall be accessible and searchable only by:

(a) the VIS Central System, as established by point (b) of Article 2a(1) of Regulation (EC) No 767/2008, for the purpose of the verifications pursuant to Article 7a of this Regulation in conjunction with point (e) of Article 9a(4) or point (e) of Article 22b(3) of Regulation (EC) No 767/2008;

(b) the ETIAS Central System, as defined in point (25) of Article 3(1) of Regulation (EU) 2018/1240, for the purpose of the verifications pursuant to Article 7b of this Regulation in conjunction with point (n) of Article 20(2) of Regulation (EU) 2018/1240 where hits are reported following the automated verifications pursuant to Article 20, point (c)(ii) of Article 24(6) and point (b) of Article 54(1) of that Regulation.

Without prejudice to the first subparagraph of this paragraph, the flags and the code of the convicting Member State referred to in point (c) of paragraph 1 shall not be visible to any authority other than the central authority of the convicting Member State that created the flagged data record.

Article 6

Facial images

Article 7

Use of ECRIS-TCN for identifying the Member States holding criminal records information

The central authorities shall use ECRIS-TCN to identify the Member States holding criminal records information on a third-country national in order to obtain information on previous convictions through ECRIS, when criminal records information on that person is requested in the Member State concerned for the purposes of criminal proceedings against that person, or for any of the following purposes, if provided for under and in accordance with national law:

— checking a person's own criminal record at his or her request,

— security clearance,

— obtaining a licence or permit,

— employment vetting,

— vetting for voluntary activities involving direct and regular contacts with children or vulnerable persons,

— visa, acquisition of citizenship and migration procedures, including asylum procedures, and

— checks in relation with public contracts and public examinations.

However, in specific cases other than those in which a third-country national asks the central authority for information on his or her own criminal record, or where the request is made in order to obtain criminal records information pursuant to Article 10(2) of Directive 2011/93/EU, the authority requesting criminal records information may decide that such use of ECRIS-TCN is not appropriate.

In the event of a hit, the central system or the CIR shall automatically provide the competent authority with information on the Member States holding criminal record information on the third-country national, along with the associated reference numbers referred to in Article 5(1) and any corresponding identity information. Such identity information shall be used only for the purpose of verifying the identity of the third-country national concerned. The result of a search in the central system shall be used only for the purpose of:

(a) making a request pursuant to Article 6 of Framework Decision 2009/315/JHA;

(b) making a request as referred to in Article 17(3) of this Regulation;

(c) supporting the VIS objective of assessing whether the applicant for a visa, a long-stay visa or a residence permit could pose a threat to public policy or internal security, in accordance with Regulation (EC) No 767/2008; or

(d) supporting the ETIAS objective of contributing to a high level of security, in accordance with Regulation (EU) 2018/1240.

Article 7b

Use of ECRIS-TCN for ETIAS verifications

The data referred to in the first subparagraph shall be used only for the purpose of verification by:

(a) the ETIAS Central Unit pursuant to Article 22 of Regulation (EU) 2018/1240; or

(b) the ETIAS National Units pursuant to Article 25a(2) of Regulation (EU) 2018/1240 for the purpose of consulting national criminal records; national criminal records shall be consulted prior to the assessments and decisions referred to in Article 26 of that Regulation and, where applicable, prior to the assessments and opinions pursuant to in Article 28 of that Regulation.

For the purpose of proceeding with the verifications referred to in point (n) of Article 20(2) of Regulation (EU) 2018/1240, the ETIAS Central System shall use the ESP to compare the data in ETIAS with the ECRIS-TCN data to which a flag has been added pursuant to point (c) of Article 5(1) of this Regulation and Article 11(8) of Regulation (EU) 2018/1240, using the data listed in the correspondence table set out in Annex II to this Regulation.

CHAPTER III

Retention and modification of the data

Article 8

Retention period for data storage

Article 9

Modification and erasure of data

If a convicting Member State has reason to believe that the data it has recorded in  the central system and the CIR are inaccurate or that data were processed in  the central system and the CIR in contravention of this Regulation, it shall:

(a) immediately launch a procedure for checking the accuracy of the data concerned or the lawfulness of its processing, as appropriate;

(b) if necessary, rectify the data or erase them from  the central system and the CIR without undue delay.

The convicting Member State shall:

(a) immediately launch a procedure for checking the accuracy of the data concerned or the lawfulness of its processing, as appropriate;

(b) if necessary, rectify the data or erase them from  the central system and the CIR without undue delay;

(c) inform the other Member State that the data have been rectified or erased, or of the reasons why the data have not been rectified or erased, without undue delay.

CHAPTER IV

Development, operation and responsibilities

Article 10

Adoption of implementing acts by the Commission

The Commission shall adopt the implementing acts necessary for the technical development and implementation of ECRIS-TCN as soon as possible, and in particular acts concerning:

(a) the technical specifications for the processing of the alphanumeric data;

(b) the technical specifications for the quality, resolution and processing of fingerprint data;

(c) the technical specifications of the interface software;

(d) the technical specifications for the quality, resolution and processing of facial images for the purposes of and under the conditions set out in Article 6;

(e) data quality, including a mechanism for and procedures to carry out data quality checks;

(f) entering the data in accordance with Article 5;

(g) accessing and querying ECRIS-TCN in accordance with Article 7;

(h) modifying and erasing the data in accordance with Articles 8 and 9;

(i) keeping and accessing logs in accordance with Article 31;

(k) providing statistics in accordance with Article 32;

(l) performance and availability requirements of ECRIS-TCN, including minimal specifications and requirements on the biometric performance of ECRIS-TCN in particular in terms of the required false positive identification rate and false negative identification rate.

Article 11

Development and operational management of ECRIS — TCN

The Programme Management Board shall be composed of eight members appointed by the Management Board, the Chair of the Advisory Group referred to in Article 39 and one member appointed by the Commission. The members appointed by the Management Board shall be elected only from those Member States which are fully bound under Union law by the legislative instruments governing ECRIS and which will participate in ECRIS-TCN. The Management Board shall ensure that the members it appoints to the Programme Management Board have the necessary experience and expertise in the development and management of IT systems supporting judicial and criminal records authorities.

eu-LISA shall participate in the work of the Programme Management Board. To that end, representatives of eu-LISA shall attend the meetings of the Programme Management Board in order to report on work regarding the design and development of ECRIS-TCN and on any other related work and activities.

The Programme Management Board shall meet at least once every three months, and more often when necessary. It shall ensure the adequate management of the design and development phase of ECRIS-TCN and shall ensure consistency between central and national ECRIS-TCN projects, and national ECRIS implementation software. The Programme Management Board shall submit written reports regularly and if possible every month to the Management Board of eu-LISA on the progress of the project. The Programme Management Board shall have no decision-making power nor any mandate to represent the members of the Management Board.

The Programme Management Board shall establish its rules of procedure which shall include in particular rules on:

(a) chairmanship;

(b) meeting venues;

(c) preparation of meetings;

(d) admission of experts to the meetings;

(e) communication plans ensuring that non-participating Members of the Management Board are kept fully informed.

eu-LISA shall be responsible for the following tasks related to the communication infrastructure referred to in point (d) of Article 4(1):

(a) supervision;

(b) security;

(c) the coordination of relations between the Member States and the provider of the communication infrastructure.

The Commission shall be responsible for all other tasks relating to the communication infrastructure referred to in point (d) of Article 4(1), in particular:

(a) tasks relating to the implementation of the budget;

(b) acquisition and renewal;

(c) contractual matters.

Article 12

Responsibilities of the Member States

Each Member State shall be responsible for:

(a) ensuring a secure connection between its national criminal records and fingerprints databases and the national central access point;

(b) the development, operation and maintenance of the connection referred to in point (a);