Български English Français
Home » Data transfers to third countries » Arrangements for the processing and transfer of passenger name records (PNR)

Arrangements for the processing and transfer of passenger name records (PNR)

Agreements on the processing and transfer of Passenger Name Record data by air carriers
Passenger Name Record (PNR) data are unverified information provided by passengers and collected by air carriers to enable the reservation and check-in process.
The content of PNR data varies depending on the situation and may include:
- dates of travel and travel itinerary;
- ticket information;
- contact details like address and phone number;
- travel agent;
- ticket-purchase payment information;
- seat number and baggage information.
The analysis of PNR data can provide the law enforcement authorities with important information allowing them to detect suspicious travel patterns and identify associates of criminals and terrorists, in particular those previously unknown to law enforcement. Accordingly, the processing of PNR data has become a widely used essential law enforcement tool, in the EU and beyond, to prevent and fight terrorism and other forms of serious crime, such as drugs-related offences, human trafficking, and child sexual exploitation.
In 2016 the European Parliament and the Council of the European Union adopted Directive (EU) 2016/681 on the use of passenger name record (PNR) data for the prevention, detection, investigation, and prosecution of terrorist offences and serious crimes.
The Directive defines the responsibilities of EU countries regarding the collection of PNR data, requiring them to establish specific entities responsible for the collection, storage, and processing of PNR data – the so-called passenger information units (PIUs) and adopt a list of competent authorities entitled to request or receive PNR data. The rules apply to flights arriving from third countries to the EU countries, but EU countries can decide to apply them to flights departing from or arriving to another EU country (intra-EU flights). Bulgaria, alongside Belgium, Czech Republic, Germany, Estonia, Greece, Spain, France, Croatia, Italy, Cyprus, Latvia, Lithuania, Luxembourg, Hungary, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Finland, Sweden and the United Kingdom, has notified the European Commission of its decision to apply these rules to intra-EU flights.
The Passenger Information Unit of the Republic of Bulgaria (PIU BG) is part of the State Agency for National Security. Information on its operation is available from the expressly designed portal: https://portal.piu.bg. Any questions about the information published on the portal can be asked at: bgpiu@piu.bg.
Passenger Information Units are in charge of:
- collecting PNR data from airlines;
- comparing PNR data against relevant law enforcement databases and processing them against pre-determined criteria, to identify persons potentially involved in a terrorist offence or serious crime;
- disseminating PNR data to national competent authorities, Europol, and PIUs of other EU countries, either spontaneously or in response to duly reasoned requests.
The PNR Directive provides data protection safeguards, such as:
- sensitive data must not be processed;
- data must be depersonalised after 6 months;
- data may be re-personalised only under strict conditions;
- data must be deleted after 5 years;
- a data protection officer is appointed in each PIU;
- an independent national supervisory authority must oversee the processing activities. For Bulgaria, these functions are performed by the Commission for Personal Data Protection.
Regarding the transfer of PNR to third countries, agreements on the processing and transfer of PNR data exist at this stage with Australia and the US.
Negotiations for PNR Agreements are ongoing with Canada (launched in June 2018) and with Japan (launched in February 2020).
The European Commission intends to update and streamline this approach with the aim to adapt it to today’s realities and take into consideration developments that have occurred since 2010. For this purpose, the Commission published a Roadmap in July 2020. This initiative will aim at setting out the policy objectives and key challenges of both legal and operational nature that a future revised strategy should aim to tackle.


Commission for Personal Data Protection, Sofia, 2 Prof. Tsvetan Lazarov Blvd.