P.N.R. Information System
Useful information for data subjects
(Art. 10 D. Lgs. May 18th 2018, n. 51)
The Information System for the processing of PNR and API data has been established with Legislative Decree No. 53, dated 21 May 2018, transposing into national law Directive 2016/681 (EU) of the European Parliament and of the Council on the use of PNR (Passenger Name Record) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
With particular regard to this system for the processing of personal data and in accordance with Art. 10 of Legislative Decree No. 51, dated 18 May 2018, implementing Directive 2016/680 (EU) of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, as well as the free movement of such data, the following information is provided to data subjects.
The data controller for the processing of PNR and API data is the Department of Public Security (see Art. 4 of Legislative Decree No. 53, dated 21 May 2018).
The Controller’s contact details are as follows:
Dipartimento della Pubblica Sicurezza
Piazza del Viminale, 1
2.Purpose of data processing
The purpose is set out in Art. 3 of Legislative Decree No. 53, dated 21 May 2018:
- PNR data are processed for the prevention and suppression of terrorist offences and serious crime;
- API data, collected and made available to offices responsible for border police checks, are processed in order to improve external border controls and prevent illegal immigration. Where checks at the internal borders are reintroduced, the processing of API data is also extended to intra-EU flights.
3.Right of access to personal data processed in the PNR Information System
The right to access personal data entered into the PNR Information System entitles any person to obtain confirmation of the existence of personal data concerning him/her and communication of such data [...]in an intelligible form and, where any processing of data has taken place in breach of laws or regulations in force, to request their erasure or transformation into anonymous form. This right is supplemented by a right to rectification of inaccurate data.
Any person who becomes aware of any personal data concerning him/her being processed also in a non-automated manner, in breach of laws or regulations, may request the court in the place of residence of the data controller to make the necessary inquiries and order the rectification, integration, erasure or transformation into anonymous form of such data.
The right of access of the data subject is provided for in Art. 23 of Legislative Decree No. 53 dated 21 May 2018.
Information is not provided on the basis of the conditions set out in Art. 10, paragraph 4 of Law No. 121, dated 1 April 1981, as referred to in Art. 23 of Legislative Decree No. 53, dated 21 May 2018.
The Data Protection Supervisor (Garante per la protezione dei dati personali), in its capacity as the national supervisory authority for the PNR Information System, ensures control over the processing of personal data carried out pursuant to Legislative Decree No. 53, dated 21 May 2018, in accordance with the procedure provided for in Legislative Decree No. 196, dated 30 June 2003 (Data Protection Law), and subsequent amendments and addenda, and in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation). At the request of the data subject, the Garante expresses opinions on the exercise of the rights to the protection of personal data under Legislative Decree No.53, dated 21 May 2018.
The right of access and the related rights can be exercised by sending the completed request form, along with a signed copy of a valid identity document, to:
Dipartimento della Pubblica Sicurezza
Direzione Centrale della Polizia Criminale
Via Torre di Mezzavia, 9
The holders of certified electronic (PEC) mailboxes may send their requests to the following e-mail address: firstname.lastname@example.org
If the answer to a request is considered to be unsatisfactory,[...] the data subject may lodge a complaint with the national supervisory authority for the protection of personal data to the following address:
Garante per la protezione dei dati personali
Piazza Venezia n. 11
Phone: (+39) 06.696771
Fax: (+39) 06.69677.3785
In order to facilitate a rapid reply, requests should be drawn up in one of the following languages: English, French, German or Italian. They should also be signed by the data subject or by another person with power of attorney and should include a summary description of the grounds on which the request is submitted.
Furthermore, documents sent should be fully readable and include a valid (postal or certified e-mail) address, so that the data subject may easily receive the answer.
4.Retention period for personal data
The data retention period is governed by Article 10 of Legislative Decree No.53, dated 21 May 2018.
The PNR data transferred by air carriers to the PNR Information System are retained for a period of five years after their transfer.
Upon expiry of a period of six months after their transfer, PNR data are subject to pseudonymisation (reversible anonymisation of certain relevant information). The possible removal of pseudonymisation and the consequent access to the full PNR data is permitted only under the specific conditions laid down in Article 10, paragraphs 3 and 4 of Legislative Decree No. 53, dated 21 May 2018.
The PNR data are deleted permanently five years after their transfer.
The deletion obligation is without prejudice to cases where specific PNR data have been transferred to a competent national authority and are used in the context of specific cases for the purposes of preventing and suppressing terrorist offences or serious crime, in which case such data are retained in compliance with the provisions of the criminal procedure code and the provisions regarding data processing for police purposes.
5.Categories of recipients of personal data
The recipients of the personal data processed under Legislative Decree No.53, dated 21 May 2018, are the following:
- The competent authorities of the EU Member States and the competent national authorities referred to in Article 2, paragraphs a) and b) of Legislative Decree No.53, dated 21 May 2018;
- Europol, according to the conditions laid down in Article 18 of Legislative Decree No.53, dated 21 May 2018;
- The competent authorities of third countries, under the conditions laid down in Article 19 of Legislative Decree No.53, dated 21 May 2018.
6.Data protection officer
A data protection officer (DPO) has been appointed at the Central Directorate of Criminal Police of the Public Security Department in accordance with Art. 20 of Legislative Decree No. 53, dated 21 May 2018.
The DPO can be contacted by certified email (PEC) at the following address:
7.Other relevant information
For additional information on data processing in the PNR Information System, please refer to the dedicated frequently asked question (FAQ) page.
(modificato il 13/02/2020)