Image source Unsplash
Collection of passengers’ reservation, check-in and boarding data
In order to prevent, detect and prosecute terrorism offences and serious crime, air carriers must transmit to the French administration information on passengers on flights to and from French territory, under the conditions and within the limits set by French and European regulations.
The transmitted information concerns two types of data:
(Passenger Name Record)
Are the data collected by air carriers on the reservation and itinerary of one’s trip (type of ticket, travel date, number of luggage, seat number, etc.).
(Advanced Passenger Information)
Are one’s check-in and boarding data for a flight (name, birthdate, gender, nationality, data related to the travel documents, etc.).
The exhaustive list of concerned data is mentioned in Article R.232-14 of the Internal Security Code.
Personal data protection and minimisation measures
Passengers’ data are communicated by air carriers to the ANDV, which constitutes a filter before its communication to the competent authorities (police services, gendarmerie, customs and intelligence services). Therefore, when it receives a request from one of these departments, the ANDV checks its legitimacy based on the legal framework, then validates or rejects the request. If the request is validated, the ANDV carries out the exploitation of the API and PNR data and performs filtering to ensure the conformity of the provided results, in addition to the simple automated processing of the data. In this respect, it contributes to the protection of personal data.
No sensitive data in the sense of Article 6 of the modified Law of the 6th January 1978 is collected: are excluded from the automated processing any data that could reveal the ethnic or racial origin of a moral person, their political, religious or philosophical opinions, their membership to a trade-union or not, their health condition or their sexual life.
After a six-month period, data that might directly reveal the identity of a passenger are masked in the system and require a specific and legitimate unmasking request by the competent authorities. Every personal data and registered information are deleted after a period of five years from the moment they are collected into the system.
The data that are transmitted by air carriers to the ANDV must meet the requirements of the GDPR (General Data Protection Regulation). As soon as they are registered in the database and transmitted to the competent authorities following a justified request, they are regulated under the dispositions of the European Directives 2016/680 and 2016/681. Therefore, Article 13 of the Directive 2016/681 recalls that passengers have “rights of access, rectification, erasure and restriction” of their personal data.
To do so, passengers must send a request to: firstname.lastname@example.org. Once the request is made, it is transmitted to the director of the ANDV or his deputy. They must ensure that the person requesting is informed of the status of their request as well as the outcome of their request within a reasonable timeframe.
Nevertheless, in so far as the retention of the data has proven to be necessary to answer to the purposes mentioned above, the right to access this data may be limited or refused.
Furthermore, the ANDV is not responsible for the content, processing or retention of the data collected by air carriers.
To learn more:
- Directive (EU) 2016/680 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
- Directive (EU) 2016/681 of the European Parliament and of the Council of 27 april 2016 on the use of passenger name record (pnr) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
- Code de la sécurité intérieure, Article R232-22