
On 27 April 2016, the European Parliament and the Council adopted Directive 2016/681 on the use of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, known as the PNR Directive.

Before April 2016, most EU Member States were already processing PNR data, to which police and other authorities have access under national law, and air carriers have also collected passenger data for their own commercial purposes. The EU PNR system has harmonised the legal provisions of Member States while guaranteeing data protection. The Directive applies primarily to flights outside the EU, but Member States may choose to provide for its application to flights within the EU in national legislation. It is also worth noting that Hungary extended data processing to river passenger data in 2021, which are collected and analysed by the Hungarian authorities in a similar way to air passenger data.

What data are processed in the Passenger Name Record?

The Passenger Name Record contains personal data provided by passengers and collected and stored by air carriers. Examples of such data include:

  • the date of reservation,
  • the passenger's name,
  • the date of the planned journey and the full itinerary,
  • the seat number,
  • baggage information,
  • passenger's telephone number, e-mail address,
  • name of the travel agency.

Under the PNR Directive, each Member State is required to adopt a list of authorities that are authorised to retrieve PNR data from the Passenger Information Unit for the purposes of the prevention, detection, investigation and prosecution of terrorist offences and other serious criminal offences. In Hungary, according to Article 8/A (4) of Act CXXV of 1995 on National Security Services, the functions of the Passenger Information Unit are performed by the National Information Centre.

What is the purpose of collecting and analysing passenger data?

Travelling to other countries is a common feature of organised crime and terrorist activities. Since the Schengen Convention has abolished internal border controls, the EU requires the exchange of personal data between law enforcement authorities. The PNR system complements the existing tools needed to successfully fight cross-border crime. The management of PNR data will allow law enforcement authorities to identify individuals who have not previously been suspected of criminal or terrorist activity and to confirm or refute these suspicions through concrete data analysis.

Under the PNR Directive, PNR data collected should only be processed for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

In this context, PNR data can be used for several purposes, namely:

  • for the pre-arrival or pre-departure risk assessment of passengers on the basis of specific risk criteria, or for the identification of specific persons,
  • to develop those risk criteria,
  • for specific investigations or prosecutions.

In order to protect the fundamental rights to the protection of personal data and privacy and to non-discrimination, the Directive contains a number of restrictions on the transfer, processing and retention of PNR data:

  • the Directive prohibits the collection and use of sensitive data;
  • PNR data may be kept for a maximum of 5 years and after 6 months must be rendered unsuitable for direct identification of the data subjects;
  • Member States should set up a Passenger Information Unit responsible for data management and protection, which should include a Data Protection Officer;
  • Member States should ensure that passengers are clearly informed about the collection of PNR data and their rights;
  • decisions having an adverse legal effect or seriously affecting an individual should not be based solely on the automated processing of PNR data;
  • transfers of PNR data to third countries should only take place in very limited circumstances and on a case-by-case basis.

Data Subject's rights

In accordance with EU and Hungarian data protection legislation, individuals have the right to obtain, upon request, information about the data processed in the Passenger Name Record, to request the correction or rectification of inaccurate data, to request the erasure of data processed unlawfully, and to apply to the courts or the data protection authority for the protection of their personal data and for compensation for damages resulting from the infringement of their rights.

Such a request may be submitted to the National Information Centre in Hungary:

Nemzeti Információs Központ

Address: Bp. 1117 Fehérvári str. 70.

The authority may refuse to provide the requested information in justified cases, but must inform the applicant of the fact and the legal basis for the refusal. An appeal against the decision of the authority may be lodged with the National Authority for Data Protection and Freedom of Information.