Use of passenger data

Airlines are obliged to collect certain data of travellers and pass them on, for example to the police. We call these data passenger data. Strict statutory rules apply for the transmission and use of passenger data.

On this page

Purposes of the use of passenger data

Organisations such as the Royal Netherlands Marechaussee use passenger data for border control. And the customs use it to check the luggage of travellers. 

Passenger data for investigations

Passenger data are also increasingly requested by investigative services at home and abroad, including the police. They use the information to combat serious crime and terrorism.

So far, investigative services have only been able to request data from airlines. This is currently not possible for data of travellers by train or bus.

The investigative services are only allowed to view data after permission from a court or another independent administrative organisation.

Types of passenger data

There are 2 types of passenger data:

Use of PNR and API has been provided for by law

The collection and use of PNR and API data has been arranged in European directives. In the Netherlands, those directives have been elaborated in the Use of Passenger Name Record Data (Combating of Terrorist Offences and Serious Crime) Act(PNR Act). In addition, these processing operations have to meet the requirements of the GDPR and the Police Data Act (Wpol).

New legislation for API

There will be new legislation for API data, but so far, no final decision about this has been taken within Europe. The current API directive will then be replaced by 2 API regulations:

  • a regulation for border control;
  • a regulation for law enforcement.

Actions taken by the Dutch DPA with regard to the PNR Act

The Dutch Data Protection Authority (Dutch DPA) has issued an advice on the PNR Act. In addition, the Dutch DPA has called on the Dutch government to stop collecting more PNR data than strictly necessary. The Ministry of Justice and Security has taken measures in response, including:

  • collecting PNR data at fewer flights within the EU;
  • retaining PNR data for a period of 3 years instead of 5 years.

The Dutch DPA is of the opinion that these measures are still not enough. That is why the Dutch DPA continues to monitor actively that the collection of PNR data remains limited to what is strictly necessary.