PNR/API System

The PNR/API System is an integrated system that processes:
     information provided by passengers and collected by airlines, in the normal course of their business, for enabling reservations and carrying out the check-in process, known as Passenger Name Record (PNR), and
     Advanced Passenger Information (API) data, which is sent upon departure by air carriers operating inbound Extra-Schengen flights to Malta.
The Passenger Information Unit (PIU) within the Malta Police Force, under the wing of the International Relations Unit, is the designated entity to operate the PNR/API System. Its main responsibilities are to:
     Collect the API and PNR data from air carriers
     Carry out an assessment of passengers prior to their scheduled arrival in or departure from Malta, by comparing API and PNR data against relevant databases, such as the Schengen Information System (SIS) and the National Stop List (NSL), and process them against pre-determined criteria, in order to identify persons who may be involved in a terrorist offence or serious crime¹, or who are hindered from entering the Schengen Area
     Inform and disseminate PNR and API data to the competent national authorities, Europol and PIUs of other Member States, as the case may be, either spontaneously or in response to duly reasoned requests.
The received data is compared against a watchlist implemented within the system, containing details, provided by the competent authorities, of persons suspected of being involved in a terrorist offence or serious crime.
Risk-based profiles have also been introduced, whereby passengers who match several selected criteria are automatically flagged.
Legal Basis
The processing of PNR data and API data is conducted under an obligation imposed by different legislative instruments of the European Union. The two relevant legal instruments are:
     The Passenger Name Record (PNR) Data Act (Chapter 584 of the Laws of Malta), which implements Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
     The Communication of Passenger Data by Air or Sea Carriers Order (Subsidiary Legislation 460.18), which implements Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data
Personal data processed in the PNR/API System
API data is collected by air carriers operating a flight to Malta from a third country and is transmitted electronically to the PNR/API System by the time of the closure of check-in, in terms of Regulation 3 of Subsidiary Legislation 480.18.
Such data consists of:
(a) the number and type of travel document used;
(b) nationality;
(c) full names;
(d) the date of birth;
(e) the border crossing point of entry into the territory of Malta;
(f) code of transport;
(g) departure and arrival time of the transportation;
(h) total number of passengers carried on that transport;
(i) initial point of embarkation.
PNR Data
PNR data is more informative than API data and is considered to be an investigative tool. It is received from air carriers operating both Intra- and Extra-Schengen flights, inbound and outbound. It is sent automatically by air carriers using two push methods:
     24 hours prior to departure
     Upon departure
Such data consists of:
(a) PNR record locator
(b) Date of reservation/issue of ticket
(c) Date(s) of intended travel
(d) Name(s)
(e) Address and contact information (telephone number, e-mail address)
(f) All forms of payment information, including billing address
(g) Complete travel itinerary for specific PNR
(h) Frequent flyer information
(i) Travel agency/travel agent
(j) Travel status of passenger, including confirmations, check-in status, no-show or go-show information
(k) Split/divided PNR information
(l) General remarks (including all available information on unaccompanied minors under 18 years, such as name and gender of the minor, age, language(s) spoken, name and contact details of guardian on departure and relationship to the minor, name and contact details of guardian on arrival and relationship to the minor, departure and arrival agent)
(m) Ticketing field information, including ticket number, date of ticket issuance and one-way tickets, automated ticket fare quote fields
(n) Seat number and other seat information
(o) Code share information
(p) All baggage information
(q) Number and other names of travellers on the PNR
(r) Any Advance Passenger Information (API) data collected (including the type, number, country of issuance and expiry date of any identity document, nationality, family name, given name, gender, date of birth, airline, flight number, departure date, arrival date, departure port, arrival port, departure time and arrival time)
(s) All historical changes to the PNR listed in numbers 1 to 18.
Disclosure of API and PNR data
API and PNR data may be requested by the following competent authorities for the prevention, investigation and prosecution of serious crimes:
     Malta Police Force
     Principal Immigration Officer
     Malta Security Services
     Financial Investigation and Analysis Unit
     Customs Department
     Judicial authorities
     PIUs in other Member States
     Competent authorities in Third countries
Retention Period
In terms of Article 13 of the Passenger Name Record (PNR) Data Act, all data in the PNR/API System are kept for a period of five years. However, after six months from collection, all data are depersonalised by masking, and disclosure of such data to the competent authorities takes place only upon the approval of a judicial authority or of the Information and Data Protection Commissioner.
What are your rights in relation to your personal data processed in the PNR/API System?
Personal data processed within the context of the PNR and API framework is regulated by the Data Protection (Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties) Regulations (Subsidiary Legislation 586.08) and the GDPR² when the processing is conducted for other purposes.
Any person has the right to:
     request access to personal data relating to him/her stored in the PNR/API System
     request the correction of factually inaccurate personal data relating to him/her or the deletion of his/her personal data in the case of unlawfully stored information
     lodge a complaint with the Information and Data Protection Commissioner (IDPC) or request verification of lawfulness of the processing
In order to facilitate the exercise of your rights and to be able to handle requests more efficiently, you are requested to use the model letters found on the left side of this page.
¹ The categories of serious crimes in relation to which PNR data may be disclosed are listed under Schedule C to CAP.584, where such crimes are punished by a custodial sentence or a detention order for a maximum period of at least three years.
² Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Contact Address
Pjazza San Kalċidonju
Floriana FRN 1530
2122 4001