Passenger Name Records
Airlines store various information about passengers. This concerns information collected in an airline’s or travel agent’s reservation systems when booking a journey. These records are stored as Passenger Name Records (PNR).
These include, for example, the following data:
- duration and destination of the journey,
- credit card numbers,
- contact details,
- as the case may be, also special meal preferences
- information on special aids in the event of a disability
The storage potentially affects all flights arriving in Germany and departing from Germany across the Schengen borders and over intra-European national borders.
Who uses PNR?
PNR are collected and processed by airlines for their business purposes. This means that the data will be used to implement the transport contract – e.g. for the execution and handling of a flight. If these data are to be also used or transferred for another purpose, such as law enforcement, a special legal basis is required.
The EU-PNR Directive obliges all Member States to operate so –called passenger information units (PIU). The PIU shall receive and collect the passenger name data from air carriers. The PIU also evaluate these data and store them for five years.
The transferred PNR are stored in the PNR information system and matched with databases of wanted persons and so-called patterns. This serves to identify wanted persons and potentially dangerous persons. Moreover, a retroactive search is permitted for the prevention and prosecution of terrorist acts and other serious offences.
The German PIU is established at the Federal Criminal Police Office (BKA). In order to implement the requirements of the PNR Directive for Germany and to create the necessary legal bases, the Passenger Name Record Act was enacted.
I have already criticised the implementation on several occasions. For example, you can find the points of criticisms in the opinion on the draft act. I also criticised the data processing of passenger name records as a whole, most recently, for example, in the 28th Activity report (No 6.4.).
The European Union has also concluded agreements with the USA and Australia. These require airlines to transfer PNR from their booking and reservation systems to the customs and border authorities of those states. The data are then used for border control purposes, for averting dangers and for prosecuting crimes. Furthermore, they are stored for several years.
Where can I get information about stored data?
In order to find out what is stored about you in the Passenger Name Records Information System, you can write to the BKA. The contact details of the BKA are as follows:
Who is competent for matters relating to data breaches?
Are you not sure whether you have received complete information?
Do you presume that data protection violations have occurred in the procedure? Do you have further questions about the procedure or about data protection?
If so, then please contact us: You can contact us via our general contact channels.
Please send us a copy of your ID document along with the request. On this copy, please include your own handwritten signature. You can blacken your passport photograph and ID number. Please also provide a valid postal address, as the answer can only be sent by post. This ensures that only you receive information about your personal data.
Please note, however, that the Federal Commissioner for Data Protection and Freedom of Information is not competent for controlling data transfers by air carriers. The competent data protection commissioners of the federal states (“Länder”) are entrusted with this task. The competence is determined by the location of the company’s registered office. You can find the contact details of the data protection commissioners of the federal states here.