Legal provisions of COM(2017)344 - Centralised system for the identification of Member States holding conviction information on third country nationals and stateless persons (ECRIS-TCN system) - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
dossier | COM(2017)344 - Centralised system for the identification of Member States holding conviction information on third country nationals and ... |
---|---|
document | COM(2017)344 |
date | April 17, 2019 |
Contents
- CHAPTER I - General provisions
- Article 1 - Subject matter
- Article 2 - Scope
- Article 3 - Definitions
- Article 4 - Technical architecture of ECRIS-TCN
- CHAPTER II - Entry and use of data by central authorities
- Article 5 - Data entry in ECRIS-TCN
- Article 6 - Facial images
- Article 7 - Use of ECRIS-TCN for identifying the Member States holding criminal records information
- CHAPTER III - Retention and modification of the data
- Article 8 - Retention period for data storage
- Article 9 - Modification and erasure of data
- CHAPTER IV - Development, operation and responsibilities
- Article 10 - Adoption of implementing acts by the Commission
- Article 11 - Development and operational management of ECRIS-TCN
- Article 12 - Responsibilities of the Member States
- Article 13 - Responsibility for the use of data
- Article 14 - Access for Eurojust, Europol, and the EPPO
- Article 15 - Access by authorised staff of Eurojust, Europol and the EPPO
- Article 16 - Responsibilities of Eurojust, Europol and the EPPO
- Article 17 - Contact point for third countries and international organisations
- Article 18 - Providing information to a third country, international organisation or private party
- Article 19 - Data Security
- Article 20 - Liability
- Article 21 - Self-monitoring
- Article 22 - Penalties
- CHAPTER V - Data protection rights and supervision
- Article 23 - Data controller and data processor
- Article 24 - Purpose of the processing of personal data
- Article 25 - Right of access, rectification, erasure and restriction of processing
- Article 26 - Cooperation to ensure respect for data protection rights
- Article 27 - Remedies
- Article 28 - Supervision by the national supervisory authorities
- Article 29 - Supervision by the European Data Protection Supervisor
- Article 30 - Cooperation among national supervisory authorities and the European Data Protection Supervisor
- Article 31 - Keeping of logs
- CHAPTER VI - Final provisions
- Article 32 - Use of data for reporting and statistics
- Article 33 - Costs
- Article 34 - Notifications
- Article 35 - Entry of data and start of operations
- Article 36 - Monitoring and evaluation
- Article 37 - Exercise of the delegation
- Article 38 - Committee procedure
- Article 39 - Advisory Group
- Article 40 - Amendments to Regulation (EU) 2018/1726
- Article 41 - Implementation and transitional provisions
- Article 42 - Entry into force
CHAPTER I - General provisions
Article 1 - Subject matter
(a) | a system to identify the Member States holding information on previous convictions of third-country nationals (‘ECRIS-TCN’); |
(b) | the conditions under which ECRIS-TCN shall be used by the central authorities in order to obtain information on such previous convictions through the European Criminal Records Information System (ECRIS) established by Decision 2009/316/JHA, as well as the conditions under which Eurojust, Europol and the EPPO shall use ECRIS-TCN. |
Article 2 - Scope
Article 3 - Definitions
(1) | ‘conviction’ means any final decision of a criminal court against a natural person in respect of a criminal offence, to the extent that the decision is entered in the criminal records of the convicting Member State; |
(2) | ‘criminal proceedings’ means the pre-trial stage, the trial stage and the execution of the conviction; |
(3) | ‘criminal record’ means the national register or registers recording convictions in accordance with national law; |
(4) | ‘convicting Member State’ means the Member State in which a conviction is handed down; |
(5) | ‘central authority’ means an authority designated in accordance with Article 3(1) of Framework Decision 2009/315/JHA; |
(6) | ‘competent authorities’ means the central authorities and Eurojust, Europol and the EPPO, which are competent to access or query ECRIS-TCN in accordance with this Regulation; |
(7) | ‘third-country national’ means a person who is not a citizen of the Union within the meaning of Article 20(1) TFEU, or who is a stateless person or a person whose nationality is unknown; |
(8) | ‘central system’ means the database or databases developed and maintained by eu-LISA which hold identity information on third-country nationals who have been subject to convictions in the Member States; |
(9) | ‘interface software’ means the software hosted by the competent authorities allowing them to access the central system through the communication infrastructure referred to in point (d) of Article 4(1); |
(10) | ‘identity information’ means alphanumeric data, fingerprint data and facial images that are used to establish a connection between these data and a natural person; |
(11) | ‘alphanumeric data’ means data represented by letters, digits, special characters, spaces and punctuation marks; |
(12) | ‘fingerprint data’ means the data relating to plain and rolled impressions of the fingerprints of each of a person's fingers; |
(13) | ‘facial image’ means a digital image of a person's face; |
(14) | ‘hit’ means a match or matches established by comparison between identity information recorded in the central system and the identity information used for a search; |
(15) | ‘national central access point’ means the national connection point to the communication infrastructure referred to in point (d) of Article 4(1); |
(16) | ‘ECRIS reference implementation’ means the software developed by the Commission and made available to the Member States for the exchange of criminal records information through ECRIS; |
(17) | ‘national supervisory authority’ means an independent public authority which is established by a Member State pursuant to applicable Union data protection rules; |
(18) | ‘supervisory authorities’ means the European Data Protection Supervisor and the national supervisory authorities. |
Article 4 - Technical architecture of ECRIS-TCN
(a) | a central system in which identity information on convicted third-country nationals is stored; |
(b) | a national central access point in each Member State; |
(c) | interface software enabling the connection of the competent authorities to the central system via the national central access points and the communication infrastructure referred to in point (d); |
(d) | a communication infrastructure between the central system and the national central access points. |
2. The central system shall be hosted by eu-LISA at its technical sites.
3. The interface software shall be integrated with the ECRIS reference implementation. The Member States shall use the ECRIS reference implementation or, in the situation and under the conditions set out in paragraphs 4 to 8, the national ECRIS implementation software to query ECRIS-TCN and to send subsequent requests for criminal records information.
4. The Member States which use their national ECRIS implementation software shall be responsible for ensuring that their national ECRIS implementation software allows their national criminal records authorities to use ECRIS-TCN, with the exception of the Interface Software, in accordance with this Regulation. For that purpose, they shall, before the date of start of operations of ECRIS-TCN in accordance with Article 35(4), ensure that their national ECRIS implementation software functions in accordance with the protocols and technical specifications established in the implementing acts referred to in Article 10, and with any further technical requirements established by eu-LISA pursuant to this Regulation based on those implementing acts.
5. For as long as they do not use the ECRIS reference implementation, Member States which use their national ECRIS implementation software shall also ensure the implementation of any subsequent technical adaptations to their national ECRIS implementation software required by any changes to the technical specifications established in the implementing acts referred to in Article 10, or changes to any further technical requirements established by eu-LISA pursuant to this Regulation based on those implementing acts, without undue delay.
6. The Member States which use their national ECRIS implementation software shall bear all the costs associated with the implementation, maintenance and further development of their national ECRIS implementation software and its interconnection with ECRIS-TCN, with the exception of the interface software.
7. If a Member State which uses its national ECRIS implementation software is unable to comply with its obligations under this Article, it shall be obliged to use the ECRIS reference implementation, including the integrated interface software, to make use of ECRIS-TCN.
8. In view of the assessment to be carried out by the Commission pursuant to point (b) of Article 36(10), the Member States concerned shall provide the Commission with all necessary information.
CHAPTER II - Entry and use of data by central authorities
Article 5 - Data entry in ECRIS-TCN
(a) | as concerns alphanumeric data: |
(b) | as concerns fingerprint data: |
2. The fingerprint data referred to in point (b) of paragraph 1 of this Article shall have the technical specifications for the quality, resolution and processing of fingerprint data provided for in the implementing act referred to in point (b) of Article 10(1). The reference number of the fingerprint data of the convicted person shall include the code of the convicting Member State.
3. The data record may also contain facial images of the convicted third-country national, if the law of the convicting Member State allows for the collection and storage of facial images of convicted persons.
4. The convicting Member State shall create the data record automatically, where possible, and without undue delay after the conviction has been entered into the criminal records.
5. The convicting Member States shall also create data records for convictions handed down prior to the date of start of entry of data in accordance with Article 35(1) to the extent that data related to convicted persons are stored in their national databases. In those cases, fingerprint data shall be included only where they have been collected during criminal proceedings in accordance with national law, and where they can be clearly matched with other identity information in criminal records.
6. In order to comply with the obligations set out in points (b)(i) and (ii) of paragraph 1, and in paragraph 5, Member States may use fingerprint data collected for purposes other than criminal proceedings, where such use is permitted under national law.
Article 6 - Facial images
2. The Commission is empowered to adopt delegated acts in accordance with Article 37 supplementing this Regulation concerning the use of facial images for the purpose of identifying third-country nationals in order to identify the Member States holding information on previous convictions concerning such persons, when it becomes technically possible. Before exercising this empowerment, the Commission, taking into account necessity and proportionality, as well as technical developments in the field of facial recognition software, shall assess the availability and readiness of the required technology.
Article 7 - Use of ECRIS-TCN for identifying the Member States holding criminal records information
— | checking a person's own criminal record at his or her request, |
— | security clearance, |
— | obtaining a licence or permit, |
— | employment vetting, |
— | vetting for voluntary activities involving direct and regular contacts with children or vulnerable persons, |
— | visa, acquisition of citizenship and migration procedures, including asylum procedures, and |
— | checks in relation with public contracts and public examinations. |
However, in specific cases other than those in which a third-country national asks the central authority for information on his or her own criminal record, or where the request is made in order to obtain criminal records information pursuant to Article 10(2) of Directive 2011/93/EU, the authority requesting criminal records information may decide that such use of ECRIS-TCN is not appropriate.
2. Any Member State which decides, if provided for under and in accordance with national law, to use ECRIS-TCN for purposes other than those set out in paragraph 1 in order to obtain information on previous convictions through ECRIS, shall, by the date of start of operations as referred to in Article 35(4), or any time thereafter, notify the Commission of such other purposes and any changes to such purposes. The Commission shall publish such notifications in the Official Journal of the European Union within 30 days of receipt of the notifications.
3. Eurojust, Europol and the EPPO are entitled to query ECRIS-TCN to identify the Member States holding criminal records information on a third-country national in accordance with Articles 14 to 18. However, they shall not enter, rectify or erase any data in ECRIS-TCN.
4. For the purposes referred to in paragraphs 1, 2 and 3, the competent authorities may also query ECRIS-TCN to verify whether, in respect of a citizen of the Union, any Member State holds criminal records information concerning this person as a third-country national.
5. When querying ECRIS-TCN, the competent authorities may use all or only some of the data referred to in Article 5(1). The minimum set of data that is required to query the system shall be specified in an implementing act adopted in accordance with point (g) of Article 10(1).
6. The competent authorities may also query ECRIS-TCN using facial images, provided that such functionality has been implemented in accordance with Article 6(2).
7. In the event of a hit, the central system shall automatically provide the competent authority with information on the Member States holding criminal records information on the third-country national, along with the associated reference numbers and any corresponding identity information. Such identity information shall only be used for the purpose of verifying the identity of the third-country national concerned. The result of a search in the central system may only be used for the purpose of making a request according to Article 6 of Framework Decision 2009/315/JHA or a request referred to in Article 17(3) of this Regulation.
8. In the event that there is no hit, the central system shall automatically inform the competent authority.
CHAPTER III - Retention and modification of the data
Article 8 - Retention period for data storage
2. Upon expiry of the retention period referred to in paragraph 1, the central authority of the convicting Member State shall erase the data record, including any fingerprint data or facial images, from the central system. The erasure shall be done automatically, where possible, and in any event no later than one month after the expiry of the retention period.
Article 9 - Modification and erasure of data
2. Any modification of the information in the criminal records which led to the creation of a data record in accordance with Article 5 shall include identical modification of the information stored in that data record in the central system by the convicting Member State without undue delay.
3. If a convicting Member State has reason to believe that the data it has recorded in the central system are inaccurate or that data were processed in the central system in contravention of this Regulation, it shall:
(a) | immediately launch a procedure for checking the accuracy of the data concerned or the lawfulness of its processing, as appropriate; |
(b) | if necessary, rectify the data or erase them from the central system without undue delay. |
4. If a Member State other than the convicting Member State which entered the data has reason to believe that data recorded in the central system are inaccurate or that data were processed in the central system in contravention of this Regulation, it shall contact the central authority of the convicting Member State without undue delay.
The convicting Member State shall:
(a) | immediately launch a procedure for checking the accuracy of the data concerned or the lawfulness of its processing, as appropriate; |
(b) | if necessary, rectify the data or erase them from the central system without undue delay; |
(c) | inform the other Member State that the data have been rectified or erased, or of the reasons why the data have not been rectified or erased, without undue delay. |
CHAPTER IV - Development, operation and responsibilities
Article 10 - Adoption of implementing acts by the Commission
(a) | the technical specifications for the processing of the alphanumeric data; |
(b) | the technical specifications for the quality, resolution and processing of fingerprint data; |
(c) | the technical specifications of the interface software; |
(d) | the technical specifications for the quality, resolution and processing of facial images for the purposes of and under the conditions set out in Article 6; |
(e) | data quality, including a mechanism for and procedures to carry out data quality checks; |
(f) | entering the data in accordance with Article 5; |
(g) | accessing and querying ECRIS-TCN in accordance with Article 7; |
(h) | modifying and erasing the data in accordance with Articles 8 and 9; |
(i) | keeping and accessing logs in accordance with Article 31; |
(j) | operation of the central repository and the data security and data protection rules applicable to the repository, in accordance with Article 32; |
(k) | providing statistics in accordance with Article 32; |
(l) | performance and availability requirements of ECRIS-TCN, including minimal specifications and requirements on the biometric performance of ECRIS-TCN in particular in terms of the required false positive identification rate and false negative identification rate. |
2. The implementing acts referred to in paragraph 1 shall be adopted in accordance with the examination procedure referred to in Article 38(2).
Article 11 - Development and operational management of ECRIS-TCN
2. eu-LISA shall also be responsible for the further development and maintenance of the ECRIS reference implementation.
3. eu-LISA shall define the design of the physical architecture of ECRIS-TCN including its technical specifications and evolution as regards the central system, the national central access point and the interface software. That design shall be adopted by its Management Board, subject to a favourable opinion of the Commission.
4. eu-LISA shall develop and implement ECRIS-TCN as soon as possible after the entry into force of this Regulation and following the adoption by the Commission of the implementing acts provided for in Article 10.
5. Prior to the design and development phase of ECRIS-TCN, the Management Board of eu-LISA shall establish a Programme Management Board composed of ten members.
The Programme Management Board shall be composed of eight members appointed by the Management Board, the Chair of the Advisory Group referred to in Article 39 and one member appointed by the Commission. The members appointed by the Management Board shall be elected only from those Member States which are fully bound under Union law by the legislative instruments governing ECRIS and which will participate in ECRIS-TCN. The Management Board shall ensure that the members it appoints to the Programme Management Board have the necessary experience and expertise in the development and management of IT systems supporting judicial and criminal records authorities.
eu-LISA shall participate in the work of the Programme Management Board. To that end, representatives of eu-LISA shall attend the meetings of the Programme Management Board in order to report on work regarding the design and development of ECRIS-TCN and on any other related work and activities.
The Programme Management Board shall meet at least once every three months, and more often when necessary. It shall ensure the adequate management of the design and development phase of ECRIS-TCN and shall ensure consistency between central and national ECRIS-TCN projects, and national ECRIS implementation software. The Programme Management Board shall submit written reports regularly and if possible every month to the Management Board of eu-LISA on the progress of the project. The Programme Management Board shall have no decision-making power nor any mandate to represent the members of the Management Board.
6. The Programme Management Board shall establish its rules of procedure which shall include in particular rules on:
(a) | chairmanship; |
(b) | meeting venues; |
(c) | preparation of meetings; |
(d) | admission of experts to the meetings; |
(e) | communication plans ensuring that non-participating Members of the Management Board are kept fully informed. |
7. The chairmanship of the Programme Management Board shall be held by a Member State which is fully bound under Union law by the legislative instruments governing ECRIS and the legislative instruments governing the development, establishment, operation and use of all the large-scale IT systems managed by eu-LISA.
8. All travel and subsistence expenses incurred by the members of the Programme Management Board shall be paid by eu-LISA. Article 10 of the eu-LISA Rules of Procedure shall apply mutatis mutandis. The Programme Management Board's secretariat shall be ensured by eu-LISA.
9. During the design and development phase, the Advisory Group referred to in Article 39 shall be composed of the national ECRIS-TCN project managers and chaired by eu-LISA. During the design and development phase it shall meet regularly, if possible at least once a month, until the start of operations of ECRIS-TCN. It shall report after each meeting to the Programme Management Board. It shall provide the technical expertise to support the tasks of the Programme Management Board and shall follow up on the state of preparation of the Member States.
10. In order to ensure the confidentiality and integrity of data stored in ECRIS-TCN at all times, eu-LISA shall, in cooperation with the Member States, provide for appropriate technical and organisational measures, taking into account the state of the art, the cost of implementation and the risks posed by the processing.
11. eu-LISA shall be responsible for the following tasks related to the communication infrastructure referred to in point (d) of Article 4(1):
(a) | supervision; |
(b) | security; |
(c) | the coordination of relations between the Member States and the provider of the communication infrastructure. |
12. The Commission shall be responsible for all other tasks relating to the communication infrastructure referred to in point (d) of Article 4(1), in particular:
(a) | tasks relating to the implementation of the budget; |
(b) | acquisition and renewal; |
(c) | contractual matters. |
13. eu-LISA shall develop and maintain a mechanism and procedures for carrying out quality checks on the data stored in ECRIS-TCN and shall provide regular reports to the Member States. eu-LISA shall provide regular reports to the Commission covering the issues encountered and the Member States concerned.
14. The operational management of ECRIS-TCN shall consist of all the tasks necessary to keep ECRIS-TCN operational in accordance with this Regulation, and in particular the maintenance work and technical developments necessary to ensure that ECRIS-TCN functions at a satisfactory level in accordance with the technical specifications.
15. eu-LISA shall perform tasks related to providing training on the technical use of ECRIS-TCN and the ECRIS reference implementation.
16. Without prejudice to Article 17 of the Staff Regulations of Officials of the European Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (17), eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality to its entire staff required to work with data registered in the central system. That obligation shall also apply after such staff leave office or employment or after the termination of their activities.
Article 12 - Responsibilities of the Member States
(a) | ensuring a secure connection between its national criminal records and fingerprints databases and the national central access point; |
(b) | the development, operation and maintenance of the connection referred to in point (a); |
(c) | ensuring a connection between its national systems and the ECRIS reference implementation; |
(d) | the management of and arrangements for access of duly authorised staff of the central authorities to ECRIS-TCN in accordance with this Regulation and for establishing and regularly updating a list of such staff and the profiles referred to in point (g) of Article 19(3). |
2. Each Member State shall give the staff of its central authority who have a right to access ECRIS-TCN appropriate training covering, in particular, data security and data protection rules and applicable fundamental rights, before authorising them to process data stored in the central system.
Article 13 - Responsibility for the use of data
(a) | only duly authorised staff have access to the data for the performance of their tasks; |
(b) | the data are collected lawfully in a manner that fully respects the human dignity and fundamental rights of the third-country national; |
(c) | the data are entered into ECRIS-TCN lawfully; |
(d) | the data are accurate and up-to-date when they are entered into ECRIS-TCN. |
2. eu-LISA shall ensure that ECRIS-TCN is operated in accordance with this Regulation, with the delegated act referred to in Article 6(2) and with the implementing acts referred to in Article 10, as well as in accordance with Regulation (EU) 2018/1725. In particular, eu-LISA shall take the necessary measures to ensure the security of the central system and the communication infrastructure referred to in point (d) of Article 4(1), without prejudice to the responsibilities of each Member State.
3. eu-LISA shall inform the European Parliament, the Council and the Commission as well as the European Data Protection Supervisor as soon as possible of the measures it takes pursuant to paragraph 2 in view of the start of operations of ECRIS-TCN.
4. The Commission shall make the information referred to in paragraph 3 available to the Member States and to the public through a regularly updated public website.
Article 14 - Access for Eurojust, Europol, and the EPPO
2. Europol shall have direct access to ECRIS-TCN for the purpose of fulfilling its tasks under points (a) to (e) and (h) of Article 4(1) of Regulation (EU) 2016/794, in order to identify the Member States holding information on previous convictions of third-country nationals.
3. The EPPO shall have direct access to ECRIS-TCN for the purpose of fulfilling its tasks under Article 4 of Regulation (EU) 2017/1939, in order to identify the Member States holding information on previous convictions of third-country nationals.
4. Following a hit indicating the Member States holding criminal records information on a third-country national, Eurojust, Europol, and the EPPO may use their respective contacts with the national authorities of those Member States to request the criminal records information in the manner provided for in their respective founding acts.
Article 15 - Access by authorised staff of Eurojust, Europol and the EPPO
Article 16 - Responsibilities of Eurojust, Europol and the EPPO
(a) | establish the technical means to connect to ECRIS-TCN and be responsible for maintaining that connection; |
(b) | provide appropriate training covering, in particular, data security and data protection rules and applicable fundamental rights to those members of their staff who have a right to access ECRIS-TCN before authorising them to process data stored in the central system; |
(c) | ensure that the personal data processed by them under this Regulation is protected in accordance with the applicable data protection rules. |
Article 17 - Contact point for third countries and international organisations
2. When Eurojust receives a request under paragraph 1, it shall use ECRIS-TCN to identify which Member States, if any, hold criminal records information on the third-country national concerned.
3. If there is a hit, Eurojust shall ask the Member State that holds criminal records information on the third-country national concerned whether it consents to Eurojust informing the third country or the international organisation of the name of the Member State concerned. Where that Member State gives its consent, Eurojust shall inform the third country or the international organisation of the name of that Member State, and of how it can introduce a request for extracts from the criminal records with that Member State in accordance with the applicable procedures.
4. In cases where there is no hit or where Eurojust cannot provide an answer in accordance with paragraph 3 to requests made under this Article, it shall inform the third country or international organisation concerned that it has completed the procedure, without providing any indication of whether criminal records information on the person concerned is held by one of the Member States.
Article 18 - Providing information to a third country, international organisation or private party
Article 19 - Data Security
2. As regards the operation of ECRIS-TCN, eu-LISA shall take the necessary measures in order to achieve the objectives set out in paragraph 3, including the adoption of a security plan and a business continuity and disaster recovery plan, and to ensure that installed systems may, in case of interruption, be restored.
3. The Member States shall ensure the security of the data before and during the transmission to and receipt from the national central access point. In particular, each Member State shall:
(a) physically protect data, including by making contingency plans for the protection of infrastructure;
(b) deny unauthorised persons access to national installations in which the Member State carries out operations related to ECRIS-TCN;
(c) prevent the unauthorised reading, copying, modification or removal of data media;
(d) prevent the unauthorised input of data and the unauthorised inspection, modification or erasure of stored personal data;
(e) prevent the unauthorised processing of data in ECRIS-TCN and any unauthorised modification or erasure of data processed in ECRIS-TCN;
(f) ensure that persons authorised to access ECRIS-TCN have access only to the data covered by their access authorisation, by means of individual user identities and confidential access modes only;
(g) ensure that all authorities with a right of access to ECRIS-TCN create profiles describing the functions and responsibilities of persons who are authorised to enter, rectify, erase, consult and search the data and make their profiles available to the national supervisory authorities without undue delay at their request;
(h) ensure that it is possible to verify and establish to which Union bodies, offices and agencies personal data may be transmitted using data communication equipment;
(i) ensure that it is possible to verify and establish what data have been processed in ECRIS-TCN, when, by whom and for what purpose;
(j) prevent the unauthorised reading, copying, modification or erasure of personal data during the transmission of personal data to or from ECRIS-TCN or during the transport of data media, in particular by means of appropriate encryption techniques;
(k) monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to self-monitoring and supervision to ensure compliance with this Regulation.
4. eu-LISA and the Member States shall cooperate in order to ensure a coherent data security approach based on a security risk management process encompassing the entire ECRIS-TCN.
Article 20 - Liability
(a) the Member State which is responsible for the damage suffered; or
(b) eu-LISA, where eu-LISA has not complied with its obligations set out in this Regulation or in Regulation (EU) 2018/1725.
The Member State which is responsible for the damage suffered or eu-LISA, respectively, shall be exempted from liability, in whole or in part, if it proves that it is not responsible for the event which gave rise to the damage.
2. If any failure of a Member State, Eurojust, Europol, or the EPPO to comply with its obligations under this Regulation causes damage to ECRIS-TCN, that Member State, Eurojust, Europol, or the EPPO, respectively, shall be held liable for such damage, unless and insofar as eu-LISA or another Member State participating in ECRIS-TCN failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.
3. Claims for compensation against a Member State for the damage referred to in paragraphs 1 and 2 shall be governed by the law of the defendant Member State. Claims for compensation against eu-LISA, Eurojust, Europol and the EPPO for the damage referred to in paragraphs 1 and 2 shall be governed by their respective founding acts.
Article 21 - Self-monitoring
Article 22 - Penalties
CHAPTER V - Data protection rights and supervision
Article 23 - Data controller and data processor
2. eu-LISA shall be considered as data processor in accordance with Regulation (EU) 2018/1725 as regards the personal data entered into the central system by the Member States.
Article 24 - Purpose of the processing of personal data
2. With the exception of duly authorised staff of Eurojust, Europol and the EPPO who have access to ECRIS-TCN for the purposes of this Regulation, access to ECRIS-TCN shall be reserved exclusively to duly authorised staff of the central authorities. Access shall be limited to the extent needed for the performance of the tasks in accordance with the purpose referred to in paragraph 1, and to what is necessary and proportionate to the objectives pursued.
Article 25 - Right of access, rectification, erasure and restriction of processing
2. Where a request is made to a Member State other than the convicting Member State, the Member State to which the request has been made shall forward it to the convicting Member State without undue delay and in any event within 10 working days of receiving the request. Upon receipt of the request, the convicting Member State shall:
(a) immediately launch a procedure for checking the accuracy of the data concerned and the lawfulness of its processing in ECRIS-TCN; and
(b) respond to the Member State that forwarded the request without undue delay.
3. In the event that data recorded in ECRIS-TCN are inaccurate or have been processed unlawfully, the convicting Member State shall rectify or erase the data in accordance with Article 9. The convicting Member State or, where applicable, the Member State to which the request has been made shall confirm in writing to the person concerned without undue delay that action has been taken to rectify or erase data relating to that person. The convicting Member State shall also without undue delay inform any other Member State which has been a recipient of conviction information obtained as a result of a query of ECRIS-TCN of what action has been taken.
4. If the convicting Member State does not agree that data recorded in ECRIS-TCN are inaccurate or have been processed unlawfully, that Member State shall adopt an administrative or judicial decision explaining in writing to the person concerned why it is not prepared to rectify or erase data relating to him or her. Such cases may, where appropriate, be communicated to the national supervisory authority.
5. The Member State which has adopted the decision pursuant to paragraph 4 shall also provide the person concerned with information explaining the steps which that person can take if the explanation given pursuant to paragraph 4 is not acceptable to him or her. This shall include information on how to bring an action or a complaint before the competent authorities or courts of that Member State and any assistance, including from the national supervisory authorities, that is available in accordance with the national law of that Member State.
6. Any request made pursuant to paragraph 1 shall contain the information necessary to identify the person concerned. That information shall be used exclusively to enable the exercise of the rights referred to in paragraph 1 and shall be erased immediately afterwards.
7. Where paragraph 2 applies, the central authority to whom the request was addressed shall keep a written record that such a request was made and of how it was addressed and to which authority it was forwarded. Upon request from the national supervisory authority, the central authority shall make that record available to that national supervisory authority without delay. The central authority and the national supervisory authority shall erase such records three years after their creation.
Article 26 - Cooperation to ensure respect for data protection rights
2. In each Member State, the national supervisory authority shall, upon request, provide information to the person concerned on how to exercise his or her right to rectify or erase data relating to him or to her, in accordance with the applicable Union data protection rules.
3. For the purposes of this Article, the national supervisory authority of the Member State which transmitted the data and the national supervisory authority of the Member State to which the request has been made shall cooperate with each other.
Article 27 - Remedies
Article 28 - Supervision by the national supervisory authorities
2. The national supervisory authority shall ensure that an audit of the data processing operations in the national criminal records and fingerprints databases related to the data exchange between those systems and ECRIS-TCN is carried out in accordance with relevant international auditing standards at least every three years from the date of the start of operations of ECRIS-TCN.
3. Member States shall ensure that their national supervisory authorities have sufficient resources to fulfil the tasks entrusted to them under this Regulation.
4. Each Member State shall supply any information requested by its national supervisory authorities and shall, in particular, provide them with information on the activities carried out in accordance with Articles 12, 13 and 19. Each Member State shall grant its national supervisory authorities access to its records pursuant to Article 25(7) and to its logs pursuant to Article 31(6) and allow them access at all times to all its ECRIS-TCN related premises.
Article 29 - Supervision by the European Data Protection Supervisor
2. The European Data Protection Supervisor shall ensure that an audit of eu-LISA's personal data processing activities is carried out in accordance with relevant international auditing standards at least every three years. A report of that audit shall be sent to the European Parliament, the Council, the Commission, eu-LISA and the supervisory authorities. eu-LISA shall be given an opportunity to make comments before the report is adopted.
3. eu-LISA shall supply information requested by the European Data Protection Supervisor, give him or her access to all documents and to its logs referred to in Article 31 and allow him or her access to all of its premises at any time.
Article 30 - Cooperation among national supervisory authorities and the European Data Protection Supervisor
Article 31 - Keeping of logs
2. The log shall show:
(a) the purpose of the request for access to ECRIS-TCN data;
(b) the data transmitted as referred to in Article 5;
(c) the national file reference;
(d) the date and exact time of the operation;
(e) the data used for a query;
(f) the identifying mark of the official who carried out the search.
3. The log of consultations and disclosures shall make it possible to establish the justification of such operations.
4. Logs shall be used only for monitoring the lawfulness of data processing and for ensuring data integrity and security. Only logs containing non-personal data may be used for the monitoring and evaluation referred to in Article 36. Those logs shall be protected by appropriate measures against unauthorised access and erased after three years, if they are no longer required for monitoring procedures which have already begun.
5. On request, eu-LISA shall make the logs of its processing operations available to the central authorities without undue delay.
6. The competent national supervisory authorities responsible for checking the admissibility of the requests and monitoring the lawfulness of the data processing and data integrity and security shall have access to logs at their request for the purpose of fulfilling their duties. On request, the central authorities shall make the logs of their processing operations available to the competent national supervisory authorities without undue delay.
CHAPTER VI - Final provisions
Article 32 - Use of data for reporting and statistics
2. For the purpose of paragraph 1, eu-LISA shall establish, implement and host a central repository at its technical sites containing the data referred to in paragraph 1 which, without allowing for individual identification, enables customisable reports and statistics to be obtained. Access to the central repository shall be granted by means of secured access with control of access and specific user profiles, solely for the purpose of reporting and statistics.
3. The procedures put in place by eu-LISA to monitor the functioning of ECRIS-TCN referred to in Article 36 as well as the ECRIS reference implementation shall include the possibility to produce regular statistics for monitoring purposes.
Every month eu-LISA shall submit to the Commission statistics relating to the recording, storage and exchange of information extracted from criminal records through ECRIS-TCN and the ECRIS reference implementation. eu-LISA shall ensure that it is not possible to identify individuals on the basis of those statistics. At the request of the Commission, eu-LISA shall provide it with statistics on specific aspects related to the implementation of this Regulation.
4. The Member States shall provide eu-LISA with the statistics necessary to fulfil its obligations referred to in this Article. They shall provide the Commission with statistics on the number of convicted third-country nationals, as well as the number of convictions of third-country nationals on their territory.
Article 33 - Costs
2. The costs of connection of Eurojust, Europol and the EPPO to ECRIS-TCN shall be borne by their respective budgets.
3. Other costs shall be borne by the Member States, specifically the costs incurred by the connection of the existing national criminal records registers, fingerprints databases and the central authorities to ECRIS-TCN, as well as the costs of hosting the ECRIS reference implementation.
Article 34 - Notifications
2. eu-LISA shall ensure publication of the list of central authorities notified by the Member States, both in the Official Journal of the European Union and on its website. When eu-LISA receives notification of a change to a Member State's central authority, it shall update the list without undue delay.
Article 35 - Entry of data and start of operations
(a) the relevant implementing acts referred to in Article 10 have been adopted;
(b) the Member States have validated the technical and legal arrangements to collect and transmit the data referred to in Article 5 to ECRIS-TCN and have notified them to the Commission;
(c) eu-LISA has carried out a comprehensive test of ECRIS-TCN, in cooperation with the Member States, using anonymous test data.
2. When the Commission has determined the date of start of entry of data in accordance with paragraph 1, it shall communicate that date to the Member States. Within a period of two months following that date, the Member States shall enter the data referred to in Article 5 into ECRIS-TCN, taking account of Article 41(2).
3. After the end of the period referred to in paragraph 2, eu-LISA shall carry out a final test of ECRIS-TCN, in cooperation with the Member States.
4. When the test referred to in paragraph 3 has been successfully completed and eu-LISA considers that ECRIS-TCN is ready to start operations, it shall notify the Commission. The Commission shall inform the European Parliament and the Council of the results of the test and shall decide on the date on which ECRIS-TCN is to start operations.
5. The decision of the Commission on the date of the start of operations of ECRIS-TCN, as referred to in paragraph 4, shall be published in the Official Journal of the European Union.
6. The Member States shall start using ECRIS-TCN from the date determined by the Commission in accordance with paragraph 4.
7. When taking the decisions referred to in this Article, the Commission may specify different dates for the entry into ECRIS-TCN of alphanumeric data and fingerprint data as referred to in Article 5, as well as for the start of operations with respect to those different categories of data.
Article 36 - Monitoring and evaluation
2. For the purposes of monitoring the functioning of ECRIS-TCN and its technical maintenance, eu-LISA shall have access to the necessary information relating to the data processing operations performed in ECRIS-TCN and in the ECRIS reference implementation.
3. By 12 December 2019 and every six months thereafter during the design and development phase, eu-LISA shall submit a report to the European Parliament and the Council on the state of play of the development of ECRIS-TCN and of the ECRIS reference implementation.
4. The report referred to in paragraph 3 shall include an overview of the current costs and the progress of the project, a financial impact assessment, and information on any technical problems and risks that may impact the overall costs of ECRIS-TCN to be borne by the general budget of the Union in accordance with Article 33.
5. In the event of substantial delays in the development process, eu-LISA shall inform the European Parliament and the Council as soon as possible of the reasons for these delays and of their impact in terms of time and finances.
6. Once the development of ECRIS-TCN and of the ECRIS reference implementation is finalised, eu-LISA shall submit a report to the European Parliament and to the Council explaining how the objectives, in particular relating to planning and costs, were achieved and justifying any divergences.
7. In the event of a technical upgrade of ECRIS-TCN which could result in substantial costs, eu-LISA shall inform the European Parliament and the Council.
8. Two years after the start of operations of ECRIS-TCN and every year thereafter, eu-LISA shall submit to the Commission a report on the technical functioning of ECRIS-TCN and of the ECRIS reference implementation, including their security, based in particular on the statistics on the functioning and use of ECRIS-TCN and on the exchange, through the ECRIS reference implementation, of information extracted from the criminal records.
9. Four years after the start of operations of ECRIS-TCN and every four years thereafter, the Commission shall conduct an overall evaluation of ECRIS-TCN and of the ECRIS reference implementation. The overall evaluation report established on this basis shall include an assessment of the application of this Regulation and an examination of results that have been achieved relative to the objectives that were set and of the impact on fundamental rights. The report shall also include an assessment of whether the underlying rationale for operating ECRIS-TCN continues to hold, of the appropriateness of the use of biometric data for the purposes of ECRIS-TCN, of the security of ECRIS-TCN and of any security implications for future operations. The evaluation shall include any necessary recommendations. The Commission shall transmit the report to the European Parliament, the Council, the European Data Protection Supervisor and the European Union Agency for Fundamental Rights.
10. In addition, the first overall evaluation as referred to in paragraph 9 shall include an assessment of:
(a) the extent to which, on the basis of relevant statistical data and further information from the Member States, the inclusion in ECRIS-TCN of identity information of citizens of the Union who also hold the nationality of a third country has contributed to the achievement of the objectives of this Regulation;
(b) the possibility, for some Member States, to continue the use of national ECRIS implementation software, as referred to in Article 4;
(c) the entry of fingerprint data into ECRIS-TCN, in particular the application of the minimum criteria as referred to in point (b)(ii) of Article 5(1);
(d) the impact of ECRIS and of ECRIS-TCN on the protection of personal data.
The assessment may be accompanied, if necessary, by legislative proposals. Subsequent overall evaluations may include an assessment of any or all of those aspects.
11. The Member States, Eurojust, Europol and the EPPO shall provide eu-LISA and the Commission with the information necessary to draft the reports referred to in paragraphs 3, 8 and 9 according to the quantitative indicators predefined by the Commission or eu-LISA or both. That information shall not jeopardise working methods or include information that reveals sources, staff members or investigations.
12. Where relevant, the supervisory authorities shall provide eu-LISA and the Commission with the information necessary to draft the reports referred to in paragraph 9 according to the quantitative indicators predefined by the Commission or eu-LISA or both. That information shall not jeopardise working methods or include information that reveals sources, staff members or investigations.
13. eu-LISA shall provide the Commission with the information necessary to produce the overall evaluations referred to in paragraph 9.
Article 37 - Exercise of the delegation
2. The power to adopt delegated acts referred to in Article 6(2) shall be conferred on the Commission for an indeterminate period of time from 11 June 2019.
3. The delegation of power referred to in Article 6(2) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.
5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
6. A delegated act adopted pursuant to Article 6(2) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.
Article 38 - Committee procedure
2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.
Where the committee delivers no opinion, the Commission shall not adopt the draft implementing act and the third subparagraph of Article 5(4) of Regulation (EU) No 182/2011 shall apply.
Article 39 - Advisory Group
Article 40 - Amendments to Regulation (EU) 2018/1726
(1) In Article 1, paragraph 4 is replaced by the following: ‘4. The Agency shall be responsible for the preparation, development or operational management of the Entry/Exit System (EES), DubliNet, the European Travel Information and Authorisation System (ETIAS), ECRIS-TCN and the ECRIS reference implementation.’;
(2) The following Article is inserted:
‘Article 8a
Tasks related to ECRIS-TCN and the ECRIS reference implementation
In relation to ECRIS-TCN and the ECRIS reference implementation, the Agency shall perform:
(*1) Regulation (EU) 2019/816 of the European Parliament and of the Council of 17 April 2019 establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726 (OJ L 135, 22.5.2019, p. 1).’;
(3) In Article 14, paragraph 1 is replaced by the following: ‘1. The Agency shall monitor developments in research relevant for the operational management of SIS II, VIS, Eurodac, the EES, ETIAS, DubliNet, ECRIS-TCN and other large-scale IT systems as referred to in Article 1(5).’;
(4) In Article 19, paragraph 1 is amended as follows:
(5) In Article 22(4), the following subparagraph is inserted after the third subparagraph: ‘Eurojust, Europol and the EPPO may attend the meetings of the Management Board as observers when a question concerning ECRIS-TCN in relation to the application of Regulation (EU) 2019/816 is on the agenda.’;
(6) In Article 24(3), point (p) is replaced by the following:
(7) In Article 27(1), the following point is inserted:
Article 41 - Implementation and transitional provisions
2. For convictions handed down prior to the date of start of entry of data in accordance with Article 35(1), the central authorities shall create the individual data records in the central system as follows:
(a) alphanumeric data to be entered into the central system by the end of the period referred to in Article 35(2);
(b) fingerprint data to be entered into the central system within two years after the start of operations in accordance with Article 35(4).
Article 42 - Entry into force
This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.