Regulation (EU) 2019/816 of the European Parliament and of the CouncilShow full title

CHAPTER V Data protection rights and supervision

Article 23Data controller and data processor

1.Each central authority is to be considered as data controller in accordance with applicable Union data protection rules for the processing of the personal data by that central authority's Member State under this Regulation.

2.eu-LISA shall be considered as data processor in accordance with Regulation (EU) 2018/1725 as regards the personal data entered into the central system by the Member States.

Article 24Purpose of the processing of personal data

1.The data entered into the central system shall only be processed for the purpose of the identification of the Member States holding the criminal records information on third-country nationals.

2.With the exception of duly authorised staff of Eurojust, Europol and the EPPO who have access to ECRIS-TCN for the purposes of this Regulation, access to ECRIS-TCN shall be reserved exclusively to duly authorised staff of the central authorities. Access shall be limited to the extent needed for the performance of the tasks in accordance with the purpose referred to in paragraph 1, and to what is necessary and proportionate to the objectives pursued.

Article 25Right of access, rectification, erasure and restriction of processing

1.The requests of third-country nationals concerning the rights of access to personal data, to rectification and erasure and to restriction of processing of personal data which are set out in the applicable Union data protection rules may be addressed to the central authority of any Member State.

2.Where a request is made to a Member State other than the convicting Member State, the Member State to which the request has been made shall forward it to the convicting Member State without undue delay and in any event within 10 working days of receiving the request. Upon receipt of the request, the convicting Member State shall:

(a)immediately launch a procedure for checking the accuracy of the data concerned and the lawfulness of its processing in ECRIS-TCN; and

(b)respond to the Member State that forwarded the request without undue delay.

3.In the event that data recorded in ECRIS-TCN are inaccurate or have been processed unlawfully, the convicting Member State shall rectify or erase the data in accordance with Article 9. The convicting Member State or, where applicable, the Member State to which the request has been made shall confirm in writing to the person concerned without undue delay that action has been taken to rectify or erase data relating to that person. The convicting Member State shall also without undue delay inform any other Member State which has been a recipient of conviction information obtained as a result of a query of ECRIS-TCN of what action has been taken.

4.If the convicting Member State does not agree that data recorded in ECRIS-TCN are inaccurate or have been processed unlawfully, that Member State shall adopt an administrative or judicial decision explaining in writing to the person concerned why it is not prepared to rectify or erase data relating to him or her. Such cases may, where appropriate, be communicated to the national supervisory authority.

5.The Member State which has adopted the decision pursuant to paragraph 4 shall also provide the person concerned with information explaining the steps which that person can take if the explanation given pursuant to paragraph 4 is not acceptable to him or her. This shall include information on how to bring an action or a complaint before the competent authorities or courts of that Member State and any assistance, including from the national supervisory authorities, that is available in accordance with the national law of that Member State.

6.Any request made pursuant to paragraph 1 shall contain the information necessary to identify the person concerned. That information shall be used exclusively to enable the exercise of the rights referred to in paragraph 1 and shall be erased immediately afterwards.

7.Where paragraph 2 applies, the central authority to whom the request was addressed shall keep a written record that such a request was made and of how it was addressed and to which authority it was forwarded. Upon request from the national supervisory authority, the central authority shall make that record available to that national supervisory authority without delay. The central authority and the national supervisory authority shall erase such records three years after their creation.

Article 26Cooperation to ensure respect for data protection rights

1.The central authorities shall cooperate with each other in order to ensure respect for the rights laid down in Article 25.

2.In each Member State, the national supervisory authority shall, upon request, provide information to the person concerned on how to exercise his or her right to rectify or erase data relating to him or to her, in accordance with the applicable Union data protection rules.

3.For the purposes of this Article, the national supervisory authority of the Member State which transmitted the data and the national supervisory authority of the Member State to which the request has been made shall cooperate with each other.

Article 27Remedies

Any person shall have the right to lodge a complaint and the right to a legal remedy in the convicting Member State which refused the right of access to or the right of rectification or erasure of data relating to him or to her, referred to in Article 25 in accordance with national or Union law.

Article 28Supervision by the national supervisory authorities

1.Each Member State shall ensure that the national supervisory authorities designated pursuant to applicable Union data protection rules shall monitor the lawfulness of the processing of personal data referred to in Articles 5 and 6 by the Member State concerned, including their transmission to and from ECRIS-TCN.

2.The national supervisory authority shall ensure that an audit of the data processing operations in the national criminal records and fingerprints databases related to the data exchange between those systems and ECRIS-TCN is carried out in accordance with relevant international auditing standards at least every three years from the date of the start of operations of ECRIS-TCN.

3.Member States shall ensure that their national supervisory authorities have sufficient resources to fulfil the tasks entrusted to them under this Regulation.

4.Each Member State shall supply any information requested by its national supervisory authorities and shall, in particular, provide them with information on the activities carried out in accordance with Articles 12, 13 and 19. Each Member State shall grant its national supervisory authorities access to its records pursuant to Article 25(7) and to its logs pursuant to Article 31(6) and allow them access at all times to all its ECRIS-TCN related premises.

Article 29Supervision by the European Data Protection Supervisor

1.The European Data Protection Supervisor shall monitor that the personal data processing activities of eu-LISA concerning ECRIS-TCN are carried out in accordance with this Regulation.

2.The European Data Protection Supervisor shall ensure that an audit of eu-LISA's personal data processing activities is carried out in accordance with relevant international auditing standards at least every three years. A report of that audit shall be sent to the European Parliament, the Council, the Commission, eu-LISA and the supervisory authorities. eu-LISA shall be given an opportunity to make comments before the report is adopted.

3.eu-LISA shall supply information requested by the European Data Protection Supervisor, give him or her access to all documents and to its logs referred to in Article 31 and allow him or her access to all of its premises at any time.

Article 30Cooperation among national supervisory authorities and the European Data Protection Supervisor

Coordinated supervision of ECRIS-TCN shall be ensured in accordance with Article 62 of Regulation (EU) 2018/1725.

Article 31Keeping of logs

1.eu-LISA and the competent authorities shall ensure, in accordance with their respective responsibilities, that all data processing operations in ECRIS-TCN are logged in accordance with paragraph 2 for the purposes of checking the admissibility of requests, monitoring data integrity and security and the lawfulness of the data processing as well as for the purposes of self-monitoring.

2.The log shall show:

(a)the purpose of the request for access to ECRIS-TCN data;

(b)the data transmitted as referred to in Article 5;

(c)the national file reference;

(d)the date and exact time of the operation;

(e)the data used for a query;

(f)the identifying mark of the official who carried out the search.

3.The log of consultations and disclosures shall make it possible to establish the justification of such operations.

4.Logs shall be used only for monitoring the lawfulness of data processing and for ensuring data integrity and security. Only logs containing non-personal data may be used for the monitoring and evaluation referred to in Article 36. Those logs shall be protected by appropriate measures against unauthorised access and erased after three years, if they are no longer required for monitoring procedures which have already begun.

5.On request, eu-LISA shall make the logs of its processing operations available to the central authorities without undue delay.

6.The competent national supervisory authorities responsible for checking the admissibility of the requests and monitoring the lawfulness of the data processing and data integrity and security shall have access to logs at their request for the purpose of fulfilling their duties. On request, the central authorities shall make the logs of their processing operations available to the competent national supervisory authorities without undue delay.