Passenger name record (PNR) data are information provided by passengers and collected by airlines operators as part of their normal course of business and includes information required to complete and process a booking.
This may include information such as:
- dates of travel and travel itinerary
- ticket information
- contact details like address and phone number
- travel agent
- payment information
- seat number and baggage information
- PNR acquisition and the legislation that authorises the collection of PNR data
PNR data is transferred to the Immigration Officer by aircraft operators using the ‘push’ method.
The Immigration Regulations 2021 – Advance Passenger Information and Passenger Name Record Data, hereafter referred to as the ‘API and PNR Regulations’, provides the legal basis for the collection and processing of PNR data by the Immigration Officer. The Regulations are aligned to Directive 2016/681 of the European Parliament on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime into Mauritian laws.
- Use of PNR data
PNR data is used by Immigration Officer for the purposes of preventing, detecting, investigating or prosecuting a specific offence as stipulated in the API and PNR Regulations.
- Protection of PNR data
Under the API and PNR Regulations, PNR data is protected by specific safeguards, including:
- Sensitive data must not be processed
- PNR data must be depersonalised after 6 months
- PNR data may be re-personalised only under specific conditions
- PNR data must be retained, in a depersonalised manner, no longer than 5 years
- The Immigration Officer has appointed a Data Protection Officer (DPO) responsible to conduct independent oversight of the protection of PNR data and determine whether PNR data are being collected, used, processed and protected with full respect for human rights and fundamental freedoms.
The Data Protection Act 2017 (DPA) provides that everyone responsible for handling personal data has to follow strict rules. They must make sure personal data is:
- Used fairly, lawfully and transparently
- Used for explicit, specified and legitimate purposes
- Used in a way that is adequate, relevant and limited to only what is necessary
- Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data are erased or rectified without delay
- Kept for no longer than necessary
- Processed in accordance with the rights of the data subject.
- Handled in a way that ensure appropriate security, including protection against unauthorised, access, alteration, disclosure, accidental loss and destruction.
Read the Data Protection Act 2017 for further information about the processing of personal data.
- Sharing of PNR data
The Immigration Officer can share PNR data of persons requiring further examination by other Control Agencies listed below only for the purpose of prevention, detection, investigation and prosecution of list of offences listed in the API and PNR Regulations.
- Anti-Drug and Smuggling Unit
- Counter Terrorism Unit
- Criminal Investigation Division
- National Security Service
- Mauritius Revenue Authority – Customs
- Transfer of PNR data to third countries
The Immigration Officer may transfer PNR data or the results of processing of PNR data to from a competent authority of a third country or from INTERPOL where it is strictly necessary to do so for the prevention, detection, investigation, or prosecution of list of offences listed in the API and PNR Regulations.
Any transfers of PNR data to third country are determined on a case by case basis and are subject to the obligations set out in the API and PNR Regulations and the Data Protection Act 2017.
- Your rights under the Data Protection Act 2017
Under the Data Protection Act 2017, you have the right to find out what information, including PNR data, the Immigration Officer store about you.
These include the right to obtain the following:
- Information about the purposes of the processing;
- Information about the categories of recipients with whom the data may be shared;
- Information about the categories of data being processed;
- Information about the period for which the data will be stored (or the criteria used to determine that period);
- Information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing;
- Information about the existence of the right to complain to the Data Protection Commissioner;
- Where the data were not collected from you, information as to the source of the data; and
- Information about the existence of, and an explanation of the logic involved in, any automated processing that has a significant effect on you.
If you think PNR data about you has been misused or that Immigration Officer or Control Agencies have not kept it secure, you should contact them on email@example.com or call on +230 6600777 or +230 6374108.
If you are unhappy with their response, you have the right to lodge a complain with the Data Protection Commissioner at the address below:
The Data Protection Commissioner
Data Protection Office,
Please consult the Data Protection Office website for further information on dataprotection.govmu.org