Like other EU member states, the Slovenian Police collect information on air passengers in order to prevent, detect, investigate and prosecute terrorist offences and other serious crimes. Focused only on persons posing a high risk to human safety, the system of processing passenger data ensures a high level of security for the remaining passengers, allowing them to continue to move freely and safely within the Schengen area.
What kind of information is collected?
The Slovenian Police collects and processes Advance Passenger Information (API) and Passenger Name Record (PNR) data. API data is information on passengers collected by air carriers during check-in, while PNR data is information on passengers generated during the booking of an air ticket.
API data elements: flight information; scheduled and actual departure date; initial point of embarkation; time and place of aircraft takeoff and landing; number of passengers on board; travel document number and type; issuing state and expiration date of the travel document; nationality; full name; date of birth; border crossing point of entry into the territory of an EU member state; unique passenger reference number.
PNR data elements: date of flight booking; date and place of ticket issuance and other ticket information; PNR record locator; address and other contact details; passenger false name; travel status of passenger, including confirmations, check-in status, no-show or go-show information; payment information, including billing address; seat number and baggage information; frequent flyer information; general remarks related to the passenger; date of intended travel; complete travel itinerary; flight information, including code share information; number and other names of travellers on the PNR; split/divided PNR information; travel agency/travel agent; all historical changes to the PNR; any advance passenger information (API) data collected.
Why is it useful?
API data is collected and processed by the Police for the purposes of combating irregular migration, improving border control, and tracing articles and persons sought.
PNR data is collected and processed by the Police for the purposes of preventing, detecting, investigating and prosecuting terrorist offences and serious crimes laid down by law.
How is API and PNR data processed?
Air carriers communicate data directly to the national API/PNR database of the Slovenian Police. The processing of data is carried out in two stages. The system automatically checks passengers against police records using pre-determined assessment criteria. Any positive matches are visible only to a small group of authorised officers of the national Passenger Information Unit and individually reviewed by non-automated means to ensure they are correct.
API data is compared against databases on persons sought, missing persons, articles sought or found, covert and targeted checks, and court-ordered measures.
PNR data is processed against pre-determined criteria and is compared against databases concerning criminal offences, intelligence, persons subject to covert investigative measures under the act governing criminal procedure, covert and targeted checks, and court-ordered measures.
Only the competent unit and its authorised staff have access to the list of passengers on a particular flight.
Data protection
As regards API and PNR data processing, air passengers are guaranteed all the rights provided for in the Personal Data Protection Act, and the right to judicial redress.
Upon expiry of a period of six months after the transfer of passenger data, all data is depersonalised through masking out those data elements which could serve to identify directly the passenger to whom they relate. Data is kept for five years and then deleted permanently from all databases.
Following the transfer of passenger data, sensitive data is not processed and is immediately permanently deleted.
Disclosure of and access to depersonalised data is possible only by a written order of the District State Prosecutor’s Office in Ljubljana upon a reasoned request in writing made by authorised officers. Such data is only accessible 24 hours following its disclosure, after which it is depersonalised again.
Personal data protection is also regulated in Article 13 of Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation, and prosecution of terrorist offences and serious crime.
Consultation of data
Every person has the right to access their API or PNR data as soon as it is generated. The consultation of data is carried out in accordance with the act governing personal data protection.
National Passenger Information Unit (PIU)
The national Passenger Information Unit was established within the Slovenia PNR project. It operates as part of the Security Risk Assessment and Operational Support Section of the International Police Cooperation Division.
The Unit is responsible for collecting, storing and processing passenger information and exchanging it with competent authorities as laid down by law.
The establishment of a national passenger information unit is governed by Article 4 of Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation, and prosecution of terrorist offences and serious crime.
Legal basis
Aviation Act (unofficial consolidated text)
Police Tasks and Powers Act (unofficial consolidated text)
Personal Data Protection Act (unofficial consolidated text)