Back to EUR-Lex homepage

EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Use quotation marks to search for an "exact phrase". Append an asterisk (*) to a search term to find variations of it (transp*, 32019R*). Use a question mark (?) instead of a single character in your search term to find variations of it (ca?e finds case, cane, care).
Search tips
Need more search options? Use the Advanced search
You are here

Summaries of EU Legislation

European criminal records information system – conviction information on third-country nationals (ECRIS-TCN)

 

SUMMARY OF:

Regulation (EU) 2019/816 setting up a centralised system for the identification of Member States holding conviction information on non-EU nationals and stateless persons (ECRIS-TCN)

WHAT IS THE AIM OF THE REGULATION?

  • It establishes:
    • ECRIS-TCN (European criminal records information system – third country nationals) – a system to identify the European Union (EU) Member States that hold information on previous convictions of ‘third-country’ (non-EU) nationals and stateless persons;
    • the conditions under which national authorities may access ECRIS-TCN in order to obtain information on previous convictions through the European criminal records information system (ECRIS) (Framework Decision 2009/315/JHA – see summary), and the conditions under which the European Public Prosecutor’s Office (EPPO), the European Union Agency for Criminal Justice Cooperation (Eurojust) and the European Union Agency for Law Enforcement Cooperation (Europol) may use the system;
    • the terms under which ECRIS-TCN helps to facilitate and assist in the correct identification of people registered in ECRIS-TCN (under amending Regulation (EU) 2019/818, which sets up a framework for interoperability between EU information systems in the fields of police and judicial cooperation, asylum and migration – see summary);
    • the conditions under which data in ECRIS-TCN may be used by the visa information system (VIS) designated authorities under Regulation (EC) No 767/2008 (see summary) to assess whether an applicant for a visa, a long-stay visa or a residence permit could pose a threat to public policy or internal security (amending Regulation (EU) 2021/1133);
    • the conditions under which data in ECRIS-TCN may be used by the European Travel Information and Authorisation System (ETIAS) Central Unit, set up within the European Border and Coast Guard Agency under Regulation (EU) 2018/1240 to support the ETIAS objective of contributing to a high level of security by providing for a thorough security risk assessment of applicants, prior to their arrival at external border crossing points, in order to determine whether there are factual indications, or reasonable grounds based on factual indications, to conclude that the presence of the person on the territory of the Member States poses a security risk (amending Regulation (EU) 2021/1151).

KEY POINTS

The legislation applies to the processing of identity information of non-EU nationals with previous convictions* in one of the Member States, in order to determine which Member State handed down the sentence. It applies equally to EU citizens who also hold non-EU nationality. Information on the conviction itself can only be obtained from the convicting Member State.

The technical architecture of ECRIS-TCN consists of:

An implementing act, Commission Implementing Decision (EU) 2022/2470, lays down measures necessary for the technical development and implementation of ECRIS-TCN. It sets out the specifications for processing alphanumeric and fingerprint data, data quality, entering the data, accessing and querying ECRIS-TCN, keeping and accessing logs and providing statistics, along with performance and availability requirements of ECRIS-TCN.

National central authorities* must create a data record in ECRIS-TCN as quickly as possible for each non-EU national they convict. This contains:

  • family and first names, date and place of birth, nationality (or nationalities), gender, previous names if applicable and the code of the convicting Member State;
  • if available, parents’ names, details of the individual’s identity documents and pseudonyms or aliases;
  • fingerprint data collected according to national law and satisfying certain technical specifications;
  • facial images, if allowed under the national law of the convicting Member State;
  • a flag indicating that the non-EU national concerned has been convicted in the previous 25 years of a terrorist offence, or in the previous 15 years of any other criminal offence listed in the Annex to Regulation (EU) 2018/1240 if it is punishable by a custodial sentence or a detention order for a maximum period of at least 3 years under national law, including the code of the convicting Member State.

National central authorities can use ECRIS-TCN to identify the Member State holding criminal record information on a non-EU national, in order to subsequently obtain information on an individual’s previous convictions via ECRIS, when this is required for the purposes of criminal proceedings against that individual or for:

  • checking a person’s own criminal record at their request;
  • obtaining a security clearance;
  • obtaining a licence or permit;
  • employment vetting;
  • voluntary activities involving direct and regular contact with children or vulnerable people;
  • visa, citizenship, migration and asylum procedures;
  • checks linked to public contracts and public examinations.

The EPPO, Eurojust and Europol:

  • may access ECRIS-TCN directly to identify the Member State holding criminal record information on a non-EU national;
  • may not enter, correct or erase any data in ECRIS-TCN;
  • may request criminal records information from the Member State concerned when a hit* occurs via their own channels;
  • are responsible for their technical connections to ECRIS-TCN;
  • must provide staff with appropriate training, especially on data security, data protection and fundamental rights.

Non-EU countries and international organisations may ask Eurojust for information as to which Member States may hold criminal records of a non-EU national concerned, only for the purposes of criminal proceedings. If there is a hit, and the Member State concerned consents, Eurojust informs the non-EU country or international organisation which Member State is concerned, so that they may ask that Member State for the relevant extracts from the criminal records.

Data:

  • are stored in the central system for as long as they are kept in the national criminal records;
  • are erased by national authorities when the national retention period expires;
  • may be modified or erased by the Member States that entered them in the central system or common identity repository;
  • may only be processed to identify the Member States holding criminal record information of non-EU nationals.

eu-LISA is responsible for:

  • developing ECRIS-TCN, its operational management and maintaining the ECRIS reference implementation*;
  • supervising the communication infrastructure, including its security;
  • maintaining procedures for carrying out quality checks on data stored in ECRIS-TCN and monitoring its functioning and technical maintenance;
  • submitting regular reports to the European Parliament, the Council of the European Union and the European Commission;
  • providing the necessary technical training;
  • applying appropriate rules on professional secrecy and confidentiality;
  • taking the necessary measures to ensure ECRIS-TCN’s security;
  • logging all data processing operations in ECRIS-TCN;
  • providing the Commission with monthly statistics on the recording, storage and exchange of information extracted from criminal records through ECRIS-TCN and the ECRIS reference implementation.

Member States are responsible for:

  • a secure connection between their national criminal records, fingerprint databases and national central access point;
  • management of duly authorised staff of the central authorities and their training;
  • lawful processing of data recorded in ECRIS-TCN and, in particular, making sure that:
    • only authorised staff have access to the data,
    • the data are collected and entered into ECRIS-TCN lawfully, respecting non-EU nationals’ human dignity and fundamental rights, and
    • the information is accurate and up to date when entered into ECRIS-TCN;
  • each central authority taking the necessary measures to comply with the legislation;
  • national supervisory authorities monitoring the legality of the processing of personal data.

An individual or a Member State suffering damage from behaviour incompatible with the regulation may receive compensation from:

  • the Member State responsible for the damage;
  • eu-LISA if the agency has not complied with its obligations.

Non-EU nationals may contact a Member State’s central authority to request access to their personal data, its correction, erasure or restriction on its use.

Penalties or disciplinary measures apply with respect to any misuse of data entered in ECRIS-TCN.

The European Data Protection Supervisor monitors eu-LISA’s personal data-processing activities and produces an audit at least every 3 years for the Parliament, the Council and the Commission.

FROM WHEN DOES THE REGULATION APPLY?

  • Regulation (EU) 2019/816 has applied since 11 June 2019.
  • Amending Regulation (EU) 2021/1151 has applied since 3 August 2021.
  • Amending Regulation (EU) 2021/1133 will apply from the date of the start of operation of VIS pursuant to Article 11 of Regulation (EU) 2021/1134. This article states that no later than 31 December 2023, the Commission will adopt a decision by means of an implementing act setting the date on which VIS operations start.
  • Member States have to take the necessary measures to comply as soon as possible so as to ensure the proper functioning of ECRIS-TCN.
  • The Commission must be satisfied that certain conditions are met before determining the date from which Member States may start entering data into the ECRIS-TCN. After the final technical tests have been conducted by eu-LISA, the Commission will decide when the system is to start operation.

BACKGROUND

For further information, see:

KEY TERMS

Conviction. Any final decision by a criminal court against an individual and entered in the criminal records.
Central authority. A national criminal records authority designated in accordance with Article 3(1) of Framework Decision 2009/315/JHA.
Hit. A match between the identity information recorded in the central system and that used for a search.
ECRIS reference implementation. Software developed by the Commission and made available to Member States for the exchange of criminal records data through ECRIS.

MAIN DOCUMENT

Regulation (EU) 2019/816 of the European Parliament and of the Council of 17 April 2019 establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726 (OJ L 135, 22.5.2019, pp. 1–26).

Successive amendments to Regulation (EU) 2019/816 have been incorporated into the original text. This consolidated version is of documentary value only.

RELATED DOCUMENTS

Commission Implementing Decision (EU) 2022/2470 of 14 December 2022 laying down measures necessary for the technical development and implementation of the centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) (OJ L 322, 16.12.2022, pp. 107–121).

Regulation (EU) 2021/1133 of the European Parliament and of the Council of 7 July 2021 amending Regulations (EU) No 603/2013, (EU) 2016/794, (EU) 2018/1862, (EU) 2019/816 and (EU) 2019/818 as regards the establishment of the conditions for accessing other EU information systems for the purposes of the Visa Information System (OJ L 248, 13.7.2021, pp. 1–10).

Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration and amending Regulations (EU) 2018/1726, (EU) 2018/1862 and (EU) 2019/816 (OJ L 135, 22.5.2019, pp. 85–135).

See consolidated version.

Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust), and replacing and repealing Council Decision 2002/187/JHA (OJ L 295, 21.11.2018, pp. 138–183).

See consolidated version.

Regulation (EU) 2018/1726 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011 (OJ L 295, 21.11.2018, pp. 99–137).

See consolidated version.

Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, pp. 39–98).

Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (OJ L 236, 19.9.2018, pp. 1–71).

See consolidated version.

Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’) (OJ L 283, 31.10.2017, pp. 1–71).

See consolidated version.

Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, pp. 53–114).

See consolidated version.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, pp. 1–88).

See consolidated version.

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, pp. 89–131).

See consolidated version.

Council Framework Decision 2009/315/JHA of 26 February 2009 on the organisation and content of the exchange of information extracted from the criminal record between Member States (OJ L 93, 7.4.2009, pp. 23–32).

See consolidated version.

Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) (OJ L 218, 13.8.2008, pp. 60–81).

See consolidated version.

last update 10.05.2023

Top