Regulation (EU) 2019/816 of the European Parliament and of the Council of 17 April 2019 establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726

CHAPTER I

General provisions

Article 1

Subject matter

This Regulation establishes:

(a) a system to identify the Member States holding information on previous convictions of third-country nationals (‘ECRIS-TCN’);

(b) the conditions under which ECRIS-TCN shall be used by the central authorities in order to obtain information on such previous convictions through the European Criminal Records Information System (ECRIS) established by Decision 2009/316/JHA, as well as the conditions under which Eurojust, Europol and the EPPO shall use ECRIS-TCN;

(c) the conditions under which ECRIS-TCN contributes to facilitating and assisting in the correct identification of persons registered in ECRIS-TCN under the conditions and for the purposes of Article 20 of Regulation (EU) 2019/818 of the European Parliament and of the Council (¹), by storing identity data, travel document data and biometric data in the CIR;

(d) the conditions under which data in ECRIS-TCN may be used by the VIS designated authorities as referred to in Article 9d and Article 22b(13) of Regulation (EC) No 767/2008 of the European Parliament and of the Council (²) for the purpose of assessing whether an applicant for a visa, a long-stay visa or a residence permit could pose a threat to public policy or internal security as referred to in point (i) of Article 2(1) and point (a) of Article 2(2) of that Regulation;

(e) the conditions under which data in ECRIS-TCN may be used by the ETIAS Central Unit, established within the European Border and Coast Guard Agency in accordance with Article 7 of Regulation (EU) 2018/1240 of the European Parliament and of the Council (³), for the purpose of supporting the ETIAS objective of contributing to a high level of security by providing for a thorough security risk assessment of applicants, prior to their arrival at external border crossing points, in order to determine whether there are factual indications or reasonable grounds based on factual indications to conclude that the presence of the person on the territory of the Member States poses a security risk;

(f) the conditions under which data in ECRIS-TCN may be used by the screening authorities as defined in Article 2, point (10), of Regulation (EU) 2024/1356 of the European Parliament and of the Council (⁴) for the purpose of performing a security check in order to assess whether a third-country national might pose a threat to internal security as referred to in Article 15 of that Regulation (EU).

Article 2

Scope

This Regulation applies to the processing of identity information of third-country nationals who have been subject to convictions in the Member States, for the purpose of identifying the Member States where such convictions were handed down. With the exception of point (b)(ii) of Article 5(1), the provisions of this Regulation that apply to third-country nationals also apply to citizens of the Union who also hold a nationality of a third country and who have been subject to convictions in the Member States.

This Regulation:

(a) supports the VIS objective of assessing whether the applicant for a visa, a long-stay visa or a residence permit could pose a threat to public policy or internal security, in accordance with Regulation (EC) No 767/2008;

(b) supports the ETIAS objective of contributing to a high level of security, in accordance with Regulation (EU) 2018/1240;

(c) facilitates and assists in the correct identification of persons in accordance with this Regulation and with Regulation (EU) 2019/818;

(d) enables access to ECRIS-TCN for the purpose of supporting the performance of a security check established by Regulation (EU) 2024/1356.

Article 3

Definitions

For the purposes of this Regulation, the following definitions apply:

(1) ‘conviction’ means any final decision of a criminal court against a natural person in respect of a criminal offence, to the extent that the decision is entered in the criminal records of the convicting Member State;

(2) ‘criminal proceedings’ means the pre-trial stage, the trial stage and the execution of the conviction;

(3) ‘criminal record’ means the national register or registers recording convictions in accordance with national law;

(4) ‘convicting Member State’ means the Member State in which a conviction is handed down;

(5) ‘central authority’ means an authority designated in accordance with Article 3(1) of Framework Decision 2009/315/JHA;

(6) ‘competent authorities’ means the central authorities, Eurojust, Europol, the EPPO, the VIS designated authorities as referred to in Article 9d and Article 22b(13) of Regulation (EC) No 767/2008, the ETIAS Central Unit and the screening authorities as defined in Article 2, point (10), of Regulation (EU) 2024/1356, which are competent to access or query ECRIS-TCN in accordance with this Regulation;

(7) ‘third-country national’ means a person who is not a citizen of the Union within the meaning of Article 20(1) TFEU, or who is a stateless person or a person whose nationality is unknown;

(9) ‘interface software’ means the software hosted by the competent authorities allowing them to access the central system through the communication infrastructure referred to in point (d) of Article 4(1);

(10) ‘identity information’ means alphanumeric data, fingerprint data and facial images that are used to establish a connection between these data and a natural person;

(11) ‘alphanumeric data’ means data represented by letters, digits, special characters, spaces and punctuation marks;

(12) ‘fingerprint data’ means the data relating to plain and rolled impressions of the fingerprints of each of a person's fingers;

(13) ‘facial image’ means a digital image of a person's face;

(14) ‘hit’ means a match or matches established by comparison between identity information recorded in the central system and the identity information used for a search;

(15) ‘national central access point’ means the national connection point to the communication infrastructure referred to in point (d) of Article 4(1);

(16) ‘ECRIS reference implementation’ means the software developed by the Commission and made available to the Member States for the exchange of criminal records information through ECRIS;

(17) ‘national supervisory authority’ means an independent public authority which is established by a Member State pursuant to applicable Union data protection rules;

(18) ‘supervisory authorities’ means the European Data Protection Supervisor and the national supervisory authorities;

(19) ‘CIR’ means the common identity repository established by Article 17(1) of Regulation (EU) 2019/818;

(20) ‘ECRIS-TCN data’ means all data stored in the central system and in the CIR in accordance with Article 5;

(21) ‘ESP’ means the European search portal established by Article 6(1) of Regulation (EU) 2019/818.

Article 4

Technical architecture of ECRIS-TCN

ECRIS-TCN shall be composed of:

(a) a central system;

(aa) the CIR;

(b) a national central access point in each Member State;

(c) interface software enabling the connection of the competent authorities to the central system via the national central access points and the communication infrastructure referred to in point (d);

(d) a communication infrastructure between the central system and the national central access points;

(e) a communication infrastructure between the central system and the central infrastructures of the ESP and the CIR.

CHAPTER II

Entry and use of data by central authorities

Article 5

Data entry in ECRIS-TCN

For each convicted third-country national, the central authority of the convicting Member State shall create a data record in ECRIS-TCN. The data record shall include:

(a) as concerns alphanumeric data: (i) information to be included unless, in individual cases, such information is not known to the central authority (obligatory information): — surname (family name), — first names (given names), — date of birth, — place of birth (town and country), — nationality or nationalities, — gender, — previous names, if applicable, — the code of the convicting Member State, (ii) information to be included if it has been entered in the criminal record (optional information): — parents' names, (iii) information to be included if it is available to the central authority (additional information): — identity number, or the type and number of the person’s identification documents, including travel documents, as well as the name of the issuing authority, — pseudonyms or aliases;

(b) as concerns fingerprint data: (i) fingerprint data that have been collected in accordance with national law during criminal proceedings; (ii) as a minimum, fingerprint data collected on the basis of either of the following criteria: — where the third-country national has received a custodial sentence of at least 6 months; or — where the third-country national has been convicted of a criminal offence which is punishable under the law of the Member State by a custodial sentence of a maximum period of at least 12 months;

(c) a flag indicating, for the purpose of Regulations (EC) No 767/2008 and (EU) 2018/1240 and of Articles 15 and 16 of Regulation (EU) 2024/1356, that the third-country national concerned has been convicted in the previous 25 years of a terrorist offence or in the previous 15 years of any other criminal offence listed in the Annex to Regulation (EU) 2018/1240 if it is punishable by a custodial sentence or a detention order for a maximum period of at least three years under national law, including the code of the convicting Member State.

The CIR may contain the data referred to in paragraph 3 as well as, in the cases referred to in point (c) of paragraph 1, the code of the convicting Member State. The remaining ECRIS-TCN data shall be stored in the central system.

Flags and codes of convicting Member States as referred to in point (c) of paragraph 1 of this Article shall be accessible and searchable only by:

(a) the VIS Central System, as established by point (b) of Article 2a(1) of Regulation (EC) No 767/2008, for the purpose of the verifications pursuant to Article 7a of this Regulation in conjunction with point (e) of Article 9a(4) or point (e) of Article 22b(3) of Regulation (EC) No 767/2008;

(b) the ETIAS Central System, as defined in point (25) of Article 3(1) of Regulation (EU) 2018/1240, for the purpose of the verifications pursuant to Article 7b of this Regulation in conjunction with point (n) of Article 20(2) of Regulation (EU) 2018/1240 where hits are reported following the automated verifications pursuant to Article 20, point (c)(ii) of Article 24(6) and point (b) of Article 54(1) of that Regulation;

(c) the screening authorities, as defined in Article 2, point (10), of Regulation (EU) 2024/1356, for the purpose of assessing whether a third-country national might pose a threat to internal security where hits are reported following the security check referred to in Articles 15 and 16 of that Regulation.

Without prejudice to the first subparagraph of this paragraph, the flags and the code of the convicting Member State referred to in point (c) of paragraph 1 shall not be visible to any authority other than the central authority of the convicting Member State that created the flagged data record.

Article 6

Facial images

Article 7

Use of ECRIS-TCN for identifying the Member States holding criminal records information

The central authorities shall use ECRIS-TCN to identify the Member States holding criminal records information on a third-country national in order to obtain information on previous convictions through ECRIS, when criminal records information on that person is requested in the Member State concerned for the purposes of criminal proceedings against that person, or for any of the following purposes, if provided for under and in accordance with national law:

— checking a person's own criminal record at his or her request,

— security clearance,

— obtaining a licence or permit,

— employment vetting,

— vetting for voluntary activities involving direct and regular contacts with children or vulnerable persons,

— visa, acquisition of citizenship and migration procedures, including asylum procedures, and

— checks in relation with public contracts and public examinations.

However, in specific cases other than those in which a third-country national asks the central authority for information on his or her own criminal record, or where the request is made in order to obtain criminal records information pursuant to Article 10(2) of Directive 2011/93/EU, the authority requesting criminal records information may decide that such use of ECRIS-TCN is not appropriate.

In the event of a hit, the central system or the CIR shall automatically provide the competent authority with information on the Member States holding criminal record information on the third-country national, along with the associated reference numbers referred to in Article 5(1) and any corresponding identity information. Such identity information shall be used only for the purpose of verifying the identity of the third-country national concerned. The result of a search in the central system shall be used only for the purpose of:

(a) making a request pursuant to Article 6 of Framework Decision 2009/315/JHA;

(b) making a request as referred to in Article 17(3) of this Regulation;

(c) supporting the VIS objective of assessing whether the applicant for a visa, a long-stay visa or a residence permit could pose a threat to public policy or internal security, in accordance with Regulation (EC) No 767/2008; or

(d) supporting the ETIAS objective of contributing to a high level of security, in accordance with Regulation (EU) 2018/1240; or

(e) supporting the objective of assessing whether a third-country national subject to a security check might pose a threat to internal security, in accordance with Regulation (EU) 2024/1356.

Article 7a

Use of ECRIS-TCN for VIS verifications

For the purpose of performing the tasks pursuant to Regulation (EC) No 767/2008, the VIS designated authorities as referred to in Article 9d and Article 22b(13) of that Regulation shall have the right to access only those ECRIS-TCN data in the CIR to which a flag has been added pursuant to point (c) of Article 5(1) of this Regulation.

Article 7b

Use of ECRIS-TCN for ETIAS verifications

The data referred to in the first subparagraph shall be used only for the purpose of verification by:

(a) the ETIAS Central Unit pursuant to Article 22 of Regulation (EU) 2018/1240; or

(b) the ETIAS National Units pursuant to Article 25a(2) of Regulation (EU) 2018/1240 for the purpose of consulting national criminal records; national criminal records shall be consulted prior to the assessments and decisions referred to in Article 26 of that Regulation and, where applicable, prior to the assessments and opinions pursuant to in Article 28 of that Regulation.

For the purpose of proceeding with the verifications referred to in point (n) of Article 20(2) of Regulation (EU) 2018/1240, the ETIAS Central System shall use the ESP to compare the data in ETIAS with the ECRIS-TCN data to which a flag has been added pursuant to point (c) of Article 5(1) of this Regulation and Article 11(8) of Regulation (EU) 2018/1240, using the data listed in the correspondence table set out in Annex II to this Regulation.

Article 7c

Use of ECRIS-TCN for the purposes of the screening

The screening authorities, as defined in Article 2, point (10), of Regulation (EU) 2024/1356, shall have the right to access and search ECRIS-TCN data using the European Search Portal provided for in Article 6 of Regulation (EU) 2019/818, for the purpose of performing the tasks conferred upon them by Articles 15 and 16 of Regulation (EU) 2024/1356.

For the purpose of performing such tasks, the screening authorities, as defined in Article 2, point (10), of Regulation (EU) 2024/1356, shall have the right to access only those ECRIS-TCN data records in the CIR to which a flag has been added in accordance with Article 5(1), point (c), of this Regulation.

In the event of a hit, the consultation of national criminal records based on the flagged ECRIS-TCN data shall take place in accordance with national law and using national channels of communication. The relevant national authorities of the convicting Member State shall provide an opinion to the screening authorities, as defined in Article 2, point (10), of Regulation (EU) 2024/1356, on whether the presence of that person on the territory of the Member States might pose a threat to internal security, within two days where the screening takes place on the territory of the Member State or within three days where the screening takes place at external borders. Where the relevant national authorities of the convicting Member State do not provide such an opinion within those deadlines, it shall be understood that there are no security grounds to be taken into account. National criminal records shall be consulted by the relevant national authorities of the convicting Member State prior to providing an opinion to the screening authorities, as defined in Article 2, point (10), of Regulation (EU) 2024/1356. Where, following a hit, no opinion has been provided and there are no security grounds to be taken into account, that absence of opinion and security grounds shall be recorded in the screening form as referred to in Article 17(1), point (h), of Regulation (EU) 2024/1356.

CHAPTER III

Retention and modification of the data

Article 8

Retention period for data storage

Upon expiry of the retention period referred to in paragraph 1, the central authority of the convicting Member State shall erase the data record, including any fingerprint data, facial images or flags as referred to in point (c) of Article 5(1), from the central system and the CIR. In cases where the data related to a conviction for a terrorist offence or any other criminal offence as referred to in point (c) of Article 5(1) are erased from the national criminal record, but information on other convictions of the same person is retained, only the flag referred to in point (c) of Article 5(1) shall be removed from the data record. Where possible the erasure shall be done automatically, and in any event no later than one month after the expiry of the retention period.

Article 9

Modification and erasure of data

If a convicting Member State has reason to believe that the data it has recorded in  the central system and the CIR are inaccurate or that data were processed in  the central system and the CIR in contravention of this Regulation, it shall: