With the implementation of the ECRIS system, the role of the supervisory authority is increasing

The Personal Data Protection Office notes that, in connection with the entry into force of the Act amending the Act on the National Criminal Register and certain other acts implementing Regulation (EU) 2019/816, the scope of tasks of the supervisory authority is expanding in the context of the launch of the ECRIS‑TCN system.

The European Criminal Records Information System for Third‑Country Nationals (ECRIS‑TCN) is a centralised EU IT system used for the exchange of information on convictions of third‑country nationals (non‑EU citizens) and stateless persons. It enables the authorities of Member States to determine which other Member State holds data on a given person’s convictions. The purpose of this new tool is to combat cross‑border crime and eliminate the need to send enquiries to all EU countries.

Under EU law, the President of the Personal Data Protection Office acts in Poland as the supervisory authority responsible for monitoring compliance with personal data processing within ECRIS. This includes handling complaints, supporting the exercise of data subjects’ rights, conducting inspections, and cooperating with other authorities in the EU as well as with the European Data Protection Supervisor.

Regulation 2019/816 also provides for the obligation to carry out data‑processing audits (at least once every three years) and emphasises the need to ensure that supervisory authorities have the resources required to perform their assigned tasks.

The implementation of the system involves the processing of personal data, including biometric data, which requires a high level of protection of the rights of data subjects. Depending on the purpose of processing, the relevant provisions will be those of Directive (EU) 2016/680 or Regulation (EU) 2016/679.

The Personal Data Protection Office stresses that the effective functioning of the system requires not only efficient information exchange but also compliance of data processing with legal requirements.

The Act will enter into force 14 days after its publication, while the provisions concerning ECRIS will apply from the moment the system is launched (planned for the second quarter of 2026).