The Saeima1 has adopted and
the President has proclaimed the following law:
Aircraft
Passenger Data Processing Law
Chapter I
General Provisions
Section 1. Terms Used in this
Law
The following terms are used in this Law:
1) extra-EU flight - an international flight the origin
or stop-over of which is in a state which is not a European Union
Member State and the stop-over or destination of which is planned
in the territory of Latvia, or the origin or stop-over of which
is in the territory of Latvia and the stop-over or destination of
which is in a state which is not a European Union Member
State;
2) intra-EU flight- an international flight the origin
or stop-over of which is in another European Union Member State
and the stop-over or destination of which is planned in the
territory of Latvia, or the origin or stop-over of which is in
the territory of Latvia and the stop-over or destination of which
is in a European Union Member State;
3) air carrier - a person with a valid operating
licence or an equivalent document permitting it to carry out
commercial flight of passengers by air;
4) passenger - any person, excluding members of the
aircrew, carried or to be carried in an aircraft with the consent
of the air carrier, which is manifested by that person's
registration in the passengers list;
5) passenger data - information which is processed by
reservation systems, departure control systems used to check
passengers onto flights, or equivalent systems to ensure the
processing and control of reservations booked by a person or on
his or her behalf;
6) Passenger information unit - a structural unit
assigned for the processing of passenger data by the Security
Police.
Section 2. Purpose of the Law
The purpose of this Law is to ensure the processing of
passenger data which are necessary to perform analysis for the
prevention and detection of terrorism and serious or especially
serious crimes, and also for the prevention of threats to
national security.
Section 3. Controller and Keeper of
the Register and Tasks Thereof
(1) Aircraft passenger data register (hereinafter - the
Register) is a State information system the controller and keeper
of which is the Security Police. The Information Centre of the
Ministry of the Interior shall ensure the functionality of the
technical resources of the Register.
(2) The Register shall ensure the possibility for the
authorities to receive the passenger data included therein which
are necessary for the prevention and detection of terrorism and
serious or especially serious crimes, and also for the prevention
of threats to national security.
Chapter
II
Information to be Included in the Register, Procedure for the
Inclusion Thereof and its Storage
Section 4. Information to be
Included in the Register
The following information shall be included in the
Register:
1) passenger name record locator;
2) date of reservation and issue of ticket;
3) date of the intended travel;
4) name, surname, sex, date of birth and citizenship of the
passenger;
5) address and contact information of the passenger (telephone
number, e-mail address);
6) payment information and also billing address;
7) flight number, air carrier and information on the route of
the corresponding flight, time of departure and arrival of the
aircraft;
8) type, number and owner of the loyalty card (frequent flyer
information);
9) travel agency and travel agent;
10) status of the passenger during the travel, including, the
check-in status, information on the no-show or go-show;
11) information on split/divided reservations;
12) general remarks which do not contain sensitive personal
data (for example, a note that the child travels unaccompanied,
the language in which he or she speaks, name and contact details
of guardian on departure and relationship thereof to the minor,
name and contact details of guardian on arrival and relationship
thereof to the minor, departure and arrival agent);
13) ticket number, date of ticket issuance and one-way
tickets, automated ticket fare quote fields;
14) seat number;
15) code share information;
16) information on the checked baggage of the passenger which
is available in the departure control system - number of units
and weight, identification number, code of the baggage carriers,
baggage status (for example, checked in, delivered, stolen,
damaged, confiscated), place of baggage delivery;
17) number, names and surnames of passengers of other
aircrafts of the same passenger name record locator;
18) border crossing point of entry into the territory of the
state through which the passenger shall enter Latvia;
19) type, number, country of issuance and expiry date of the
travel document of a passenger;
20) all historical changes to the data laid down in this
Section.
Section 5. Obligation of Air
Carriers to Transfer Passenger Data for the Automated Inclusion
Thereof in the Register
(1) In relation to extra-EU flight an air carrier has an
obligation to transfer the passenger data referred to in Section
4 of this Law to the extent that the air carrier processes them
in the context of its commercial operations in order to provide
air transport services for the automated inclusion (hereinafter -
the inclusion) thereof in the Register not sooner than 48 hours
and not later than 24 hours before the scheduled time for flight
departure and immediately after the flight closure, when the
boarding and alighting of passengers is not possible anymore.
(2) In relation to intra-EU flight an air carrier has an
obligation to transfer the passenger data referred to in Section
4 of this Law to the extent that the air carrier processes them
in the context of its commercial operations in order to provide
air transport services for the inclusion thereof in the Register
not sooner than 48 hours and not later than 24 hours before the
scheduled time Ffor flight departure and immediately after the
flight closure, when the boarding and alighting of passengers is
not possible anymore, if a request of the Passenger information
unit to provide passenger data for the specific route has been
received.
(3) If changes are made to the passenger data which have been
transferred for the inclusion in the Register in accordance with
Paragraphs one and two of this Section, the air carrier shall
transfer the relevant data after the flight closure, when the
boarding and alighting of passengers is not possible anymore.
(4) In urgent cases, when a request of the Passenger
information unit to provide passenger data has been received, the
air carrier shall transfer the requested passenger data for the
inclusion thereof in the Register within the specified time
period, which shall not be shorter than four hours.
(5) Where the flight is code-shared between one or more air
carriers, the obligation to transfer the data of all passengers
on the flight for the inclusion thereof in the Register shall be
on the air carrier that operates the flight.
(6) The Cabinet shall lay down requirements regarding the
transferring of passenger data and inclusion thereof in the
Register.
Section 6. Right of the Passenger
Information Unit to Request the Transferring of Passenger Data
for the Inclusion Thereof in the Register
(1) The Passenger information unit has the right to request
that an air carrier transfers passenger data on intra-EU flight
for the inclusion in the Register, if the Passenger information
unit or the authority referred to in Section 10 of this Law has
grounds to believe that the requested passenger data may help to
prevent or detect terrorism or serious or especially serious
crimes, or to prevent threats to national security.
(2) When the Passenger information unit requests that air
carriers transfer the passenger data on intra-EU flight for the
inclusion in the Register, it shall specify the time period for
their provision which shall not exceed the following six
months.
(3) In cases where immediate action is required to prevent
terrorist attacks or a real threat to the life or health of a
person the Passenger information unit has the right to request
that an air carrier provides passenger data for the inclusion in
the Register within another time period which shall not be
shorter than four hours.
Section 7. Depersonalisation of
Passenger Data
(1) The passenger data which have been retained in the
Register for six months after their inclusion therein shall be
depersonalised by masking out (not by deleting, but by making
invisible) the following personal identification information:
1) name, surname, date of birth;
2) type and number of the used travel document;
3) address and contact information;
4) payment information and billing address, if such
information can be used to identify the person;
5) type, number and owner of the loyalty card (frequent flyer
information);
6) general remarks indicated in Section 4, Paragraph 12 of
this Law;
7) bag identification number.
(2) If the acquisition of passenger data included in the
Register is necessary for the prevention and detection of
terrorism or serious or especially serious crimes, or prevention
of threats to national security, the Passenger information unit
shall, after the consent of a judge to a request of an authority
to issue passenger data has been received, have the right to
personalise the depersonalised passenger data and to issue them
in the requested amount to the competent authority.
Section 8. Passenger Data Retention
Period
The passenger data shall be retained in the Register for five
years from the day of their inclusion, but after the
aforementioned period they shall be automatically deleted.
Chapter
III
Issuance of Passenger Data
Section 9. Automated Processing of
Passenger Data in the Register
(1) The data included in the Register on a person (name,
surname, sex, date of birth, citizenship), travel document (type,
number, country of issuance and expiry date of the document) and
means of payment (type of the means of payment, number and expiry
date of the payment card) are examined automatically by comparing
them against the relevant data on persons, travel documents and
means of payment included in the following information
systems:
1) Register of Ascertaining the Location of a Person, Property
or Document of the Integrated Interior Information System;
2) the sub-system "Invalid Document Register" of the
Integrated Information System of the Interior;
3) Schengen Information System;
4) International Criminal Police Organisation (Interpol)
database of Stolen and Lost Travel Documents (SLTD);
5) databases of the International Criminal Police Organisation
(Interpol) in relation to wanted persons.
(2) The Register shall transfer to the Passenger information
unit an automatic notification of a match established in an
automated data processing by indicating the passenger data that
are included in the Register in relation to the relevant
entry.
(3) In the processing of data included in the automatic
notification of the Register the Passenger information unit shall
ascertain the accuracy of the automated processing in the
relevant information system. When the Passenger information unit
has ascertained the conformity of data, it shall act by complying
with the laws and regulations governing the operation of
information systems referred to in Paragraph one of this
Section.
Section 10. Right to Request
Passenger Data
If there are grounds to believe that the passenger data may
help to prevent or detect terrorism or serious or especially
serious crimes, or to prevent threats to national security, the
following authorities according to their competence shall have
the right to request the issuance of passenger data included in
the Register after the consent of a judge has been received:
1) the Security Police;
2) the State Police;
3) the State Border Guard;
4) the Internal Security Office;
5) the Corruption Prevention and Combating Bureau;
6) the Military Police;
7) the Military Intelligence and Security Service;
8) the Constitution Protection Bureau;
9) the Financial Police and Customs Police Department of the
State Revenue Service;
10) the Prosecutor's Office.
Section 11. Request of an Authority
to Issue the Passenger Data
To receive the passenger data from the Register the
authorities referred to in Section 10 of this Law shall turn to a
district (city) court based on the location of the authority with
a written request. The following shall be indicated in the
request:
1) the name, surname and position of the official making the
request. National security authorities for which indication of
the information referred to in this Clause would constitute a
disclosure of an official secret shall indicate their name in the
request;
2) the time period (not longer than six months) for which the
passenger data which are already included or will be included in
the Register is to be received;
3) justification of the need for passenger data;
4) the objective to be achieved;
5) the reason which prevents the achievement of the objective
or significantly hinders it, if the passenger data will not be
issued;
6) selection criteria for the acquisition of the required
information referred to in Section 4 of this Law.
Section 12. Consent of a Judge to
the Issuance of Passenger Data
(1) In order to give the consent to the issuance of passenger
data from the Register a judge shall become acquainted with the
request referred to in Section 11 of this Law and, if necessary,
other materials on the basis of which the request is
justified.
(2) A judge shall draw up the consent to the issuance of
passenger data and also the refusal as a separate document or
resolution. The decision of a judge may not be appealed.
(3) A judge may extend the given consent for six months if the
grounds indicated for the receipt of passenger data from the
Register have not ceased to exist. A judge has the right to
extend the time period for the receipt of passenger data
unlimited times.
Section 13. Execution of a Request
for the Issuance of Passenger Data
(1) The authority referred to in Section 10 of this law shall,
within 10 working days after the day when the consent of a judge
has been received, submit to the Passenger information unit a
request to issue passenger data. If the authority has not
complied with the laid down time period, the Passenger
information unit shall refuse to issue the requested passenger
data.
(2) The passenger information unit shall, within 30 days after
the day of the receipt of the request submitted in the time
period which is laid down in Paragraph one of this Section, issue
the requested passenger data to the authority or include in the
Register the information selection criteria indicated in the
request, if passenger data which are not yet included in the
Register are requested.
(3) If the grounds to request and receive passenger data have
ceased to exist, the authority which requested them shall
immediately inform the Passenger information unit.
(4) If the grounds to request and receive passenger data have
ceased to exist, the Passenger information unit shall immediately
terminate issuance thereof to the competent authority.
Section 14. Issuance of Passenger
Data in Urgent Cases
(1) In cases where immediate action is required to prevent
terrorist attacks or a real threat to the life or health of a
person the Passenger information unit has the right to issue
passenger data from the Register without the consent of a
judge.
(2) To receive passenger data from the Register in accordance
with Paragraph one of this Section the authorities referred to in
Paragraph 10 of this Law shall turn to the Passenger information
unit with a request. The following shall be indicated in the
request:
1) the name, surname and position of the official making the
request. National security authorities for which indication of
the information referred to in this Clause would constitute a
disclosure of an official secret shall indicate their name in the
request;
2) the justification of the urgency for the receipt of the
requested passenger data and time period for which the requested
passenger data is to be received;
3) selection criteria for the acquisition of the required
information referred to in Section 4 of this Law.
(3) The Passenger information unit shall refuse to issue the
requested passenger data, if the information referred to in
Paragraph two of this Section has not been included in the
request.
(4) The authority which submitted the request shall inform a
district (city) court based on the location of the authority
regarding the issue of passenger data from the Register not later
than within 72 hours, by indicating the justification of the
urgency for the receipt of passenger data and also the
information referred to in Section 11 of this Law.
(5) A judge shall evaluate the justification of a request of
an authority and data issuance and draw up the decision as a
separate document or resolution. The decision of a judge may not
be appealed.
(6) If the judge has determined that a request of an authority
and issuance of passenger data is unjustified, the competent
authority shall inform the Passenger information unit thereof and
immediately delete the received passenger data.
(7) The Passenger information unit shall terminate the
issuance of passenger data from the Register if the consent of a
judge has not been received within 72 hours.
Chapter
IV
Issuance of Data to Foreign Countries
Section 15. Grounds for the Issuance
of Passenger Data
The Passenger information unit may issue passenger data from
the Register to a foreign state if there are grounds to believe
that they may help the foreign state to prevent or detect
terrorism or serious or especially serious crimes, or prevent
threats to national security. Passenger data may be issued from
the Register upon a request of a competent authority of a foreign
state with the consent of a judge, except in the case referred to
in Section 14, Paragraph one of this Law.
Section 16. Procedure for the
Examination of a Request
(1) The Passenger information unit shall submit the request of
a foreign country referred to in Section 15 of this Law to issue
passenger data from the Register for examination to a district
(city) court based on the location of the authority.
(2) A judge shall ascertain that the information referred to
in Section 11 of this Law is indicated in the request, evaluate
the justification provided therein and decide on giving the
consent to the issuance of data.
(3) In addition a judge shall evaluate the following
circumstances and will not give the consent to the issuance of
the requested passenger data if:
1) it may jeopardise the national sovereignty or security of
Latvia;
2) it may compromise the achievement of the objective of an
operational activities procedure or criminal procedure carried
out in Latvia;
3) it may endanger the life, health or other legitimate
interests of a person;
4) the issuance of the requested passenger data from the
Register is clearly disproportionate compared to the indicated
objective or inappropriate for its achievement;
5) the institution which submitted the request is not the
competent authority of a foreign state in the field of
information exchange;
6) the issuance of passenger data from the Register does not
comply with the requirements for personal data protection
regarding the transfer of data to other states.
(4) If a judge lacks information which is necessary to decide
on the issue of giving the consent, he shall request that the
Passenger information unit requests additional information from
the relevant foreign state.
(5) A judge shall draw up the consent to the issuance of
passenger data and also the refusal as a separate document or
resolution. The decision of a judge may not be appealed.
(6) When issuing the requested passenger data from the
Register the Passenger information unit shall comply with the
time periods laid down in Section 13 of this Law. In urgent cases
the Passenger information unit shall issue the requested
passenger data from the Register in compliance with the
conditions of Section 14 of this Law.
(7) If a judge has determined that the issuance of passenger
data from the Register as a matter of urgency is unjustified, the
Passenger information unit shall immediately terminate its
issuance and also inform the foreign state, which requested the
assistance, by calling on it to immediately delete the received
passenger data.
Section 17. Reply to a Foreign
Request
Reply to a request of a competent authority of another state
to issue passenger data from the Register shall be transferred in
the same way as the request was received.
Section 18. Issuance of Passenger
Data from the Register within the International Co-operation in
the Field of Criminal Law
A request to issue passenger data from the Register made
within the international co-operation in the field of criminal
law shall be examined in accordance with the requirements of laws
and regulations governing international co-operation in the field
of criminal law by taking into account the conditions for the
issuance of passenger data laid down in this Law.
Chapter V
Additional Requirements for Personal Data Protection
Section 19. Passenger Data
Processing Requirements
(1) The Passenger information unit shall process passenger
data in accordance with the general requirements for personal
data protection.
(2) Processing of such passenger data that reveals race,
ethnic or social origin, political opinions, religious or other
beliefs, trade union membership, genetic peculiarities,
information on the health, sex life or sexual orientation of a
person, and also other sensitive personal data is prohibited.
(3) If an air carrier has transferred for the inclusion in the
Register passenger data which are not referred to in Section 4 of
this Law and also information containing sensitive personal data,
such data shall be automatically and permanently deleted
immediately after receipt thereof.
Section 20. Obligation to Inform
Passengers
Air carriers shall ensure that the information on the
transferring of data for the inclusion thereof in the Register
shall be provided to passengers of aircrafts serviced by them in
an easily accessible and understandable form.
Section 21. Recording of Passenger
Data Processing
(1) Each processing of passenger data is accounted for in the
Register.
(2) The Passenger information unit records requests for the
issuance of passenger data and the given replies.
(3) The information on the recording of passenger data
processing referred to in Paragraphs one and two of this Section
shall be retained for five years.
Transitional
Provision
Air carriers shall start to fulfil the obligation laid down in
Section 5 of this Law to transfer passenger data for the
inclusion thereof in the Register not later than on 1 September
2017.
The Law shall come into force on 3 April 2017.
The Saeima has adopted this Law on 19 January 2017.
President R. Vējonis
Rīga, 07 February 2017
1 The Parliament of the Republic of
Latvia
Translation © 2017 Valsts valodas centrs (State
Language Centre)