Document structure
View explanations
Referenced documents
Document Highlights
Consolidated publications
Return back | On the Approval of the Procedure for Transfer of the Advance Passenger Information and the Passenger Name Record Data by Air Carriers to the Authorised Body | |
|---|---|
| Document number | 174 |
| Document issuer | Government of Georgia |
| Date of issuing | 10/04/2018 |
| Document type | Ordinance of the Government of Georgia |
| Source and date of publishing | Website, 12/04/2018 |
| Activating Date | 01/06/2018 |
| Expiration Date | 07/08/2021 |
| Registration code | 420000000.10.003.020489 |
| Consolidated publications | |
Initial version (12/04/2018 - 19/11/2019)
Government of Georgia
Ordinance No 174
10 April 2018
Tbilisi
On the Approval of the Procedure for Transfer of the Advance Passenger Information and the Passenger Name Record Data by Air Carriers to the Authorised Body
Article 1
The procedure for transfer of the advance passenger information and the passenger name record data by air carriers to the authorised body shall be approved on the basis of Article 711 of the Air Code of Georgia.
Article 2
The Ordinance shall enter into force on 1 June 2018.
Prime Minister Giorgi Kvirikashvili
Procedure for Transfer of the Advance Passenger Information and the Passenger Name Record Data by Air Carriers to the Authorised Body
Article 1. Scope and purpose of regulation
1. The Procedure for Transfer of the Advance Passenger Information and the Passenger Name Record Data by Air Carriers to the Authorised Body (‘the Procedure’) shall define the rules, time frames and procedures for transferring the passenger name record data and the advance passenger information by air carriers to the authorised body and for receiving, processing, transferring to a relevant competent body, as well as deleting and depersonalising such information by the authorised body.
2. This Procedure shall aim at:
a) facilitating prevention, detection, investigation or criminal prosecution of terrorism, as well as other serious or particularly serious crimes;
b) improving border control and combating illegal migration.
Article 2. Definition of terms
The terms used in this Procedure have the following meaning:
a) air carrier/aircraft operator - a carrier registered in Georgia or a carrier of a foreign country that has the right to carry out commercial transportation by an aircraft on the basis of an appropriate document issued by a relevant state;
b) international flight - a scheduled or a non-scheduled flight carried out by an air carrier:
b.a) from any foreign country in the direction of Georgia (including, with stop-overs in the territory of the third country);
b.b) from Georgia in the direction of any foreign country (including, with stop-overs in the territory of the third country);
c) passenger - any person, including a person in transfer or transit, with the exception of crew members, who travels or will travel by an aircraft with the consent of an air carrier, which is reflected by registering the person in a passengers list by the air carrier;
d) reservation system - an internal system of an air carrier, in which passenger name records are collected for the purpose of providing reservation services;
e) departure control system (DCS) - a system for registering passengers on flights;
f) passenger name record (PNR) - a record of each passenger's travel requirements determined by Annex No 1 of the Procedure, which contains information provided in the reservation system, departure control system or any system with similar functions that is necessary for processing and controlling flight reservations by air carriers;
g) advance passenger information (API) - the data determined by paragraph 19 of the passenger name record data determined by Annex 1 of this Procedure;
h) authorised body - the Legal Entity under Public Law called the Operative-technical Agency of Georgia within the State Security Service of Georgia;
i) competent body - the bodies, within the competence of which fall prevention, detection, investigation or criminal prosecution of terrorism offences, as well as other serious or particularly serious crimes.
Article 3. Obligation to transfer the passenger name record data
1. An air carrier that carries out international flights shall be obligated to transfer the passenger name record data determined by Annex No 1 of this Procedure to the authorised body free of charge:
a) 48 hours before the scheduled flight departure time;
b) immediately after the take-off of the aircraft.
2. The obligation provided for by paragraph 1 of this article shall not apply to:
a) freight transportation;
b) search and rescue flights;
c) state aviation;
c) transfer of data that according to the applicable legislation of Georgia constitute a state secret.
3. Where the flight is code-shared, the obligation to transfer the passenger name record data to the authorised body is imposed on the air carried that operates the flight.
4. The transfer of the passenger name record data to the database of the authorised body shall be carried out electronically, using common protocols and formats, and in case of a technical error/hindrance, by any other means in compliance with appropriate safety standards.
5. The common protocols and formats for transferring the passenger name record data, as well as technical and organisational issues related to the transfer of such data shall be determined by Annex No 2 of this Procedure and shall be based on the internationally recognised protocols and formats for transferring the passenger name record data. If the air carrier does not have the technical capability to transfer the passenger name record data to the authorised body in accordance with the protocols and formats determined by Annex No 2 of this Procedure, other technical means and forms of transferring such data electronically shall be determined by the authorised body.
Article 4. Processing the passenger name record data
1. The passenger name record data transferred by an air carrier shall be received and processed by the authorised body. If the data provided by an air carrier is not given in Annex No 1 of this Procedure, the authorised body shall be obligated immediately destroy such data.
2. The passenger name record data may be processed by the authorised body for the following purposes:
a) preliminary assessment of passengers prior to their scheduled arrival or departure for the purpose of identifying the persons who require further examination by the competent bodies for the possible involvement in a terrorism offence, as well as other serious or particularly serious crimes;
b) preparing a response to the duly substantiated requests of the competent bodies regarding the transfer and processing of the passenger name record data, as well as the transfer to the competent bodies of the processed data and the results of the processing;
c) analysis of the passenger name record data for the purpose of updating or creating new criteria for identifying the persons involved in a terrorism offence or other serious or particularly serious crimes.
3. For the purpose of a preliminary assessment of passengers, an authorised body shall be entitled to:
a) automatically compare the data with the databases that are relevant to the purposes of preventing, detecting, investigating and criminally prosecuting terrorism offences or other serious or particularly serious crimes;
b) process the data according to the predefined criteria.
4. For the processing of the data by the authorised body for the purposes provided for by paragraph 2(b) of this article, a substantiated request of a competent body shall be accompanied by a court decision issued in accordance with the procedures established by Article 7(3)(a) of the Law of Georgia on Operative Investigatory Activities.
5. The processing determined by paragraph 3(b) of this article shall be carried out in a non-discriminatory manner. The criteria shall be targeted, specific and proportionate. The criteria shall be drawn up and periodically reviewed in joint cooperation between the authorised body and the competent bodies. The criteria shall not be based on race or ethnic origin, political opinions, religious or philosophical beliefs, labour union membership, health, sexual life and sexual orientation of a person.
6. The outcome of a positive match, resulting from the automatic processing provided for by paragraph 3(a) of this article, shall be reviewed by the authorised body using non-automatic means for the purpose of transferring it to the competent bodies.
7. The passenger name record data, the positive match of which has been revealed as a result of automatic processing and has been confirmed by using non-automatic means, shall immediately be transferred to the competent body.
8. Processing of special category data shall be prohibited.
Article 5. Passenger name record data retention period and depersonalisation
1. The passenger name record data shall be retained in the database of the authorised body for a period of 5 years from the moment of entry of the information provided by an air carrier in the database, after which the information shall be automatically deleted/destroyed by the authorised body.
2. Within 6 months after the transfer of the passenger name record data by air carrier to the database of the authorised body, the data shall be depersonalised by the authorised body so that to exclude identification of a passenger to whom the passenger name record data belong.
3. After the depersonalisation provided for by paragraph 2 of this article, the passenger name record data may become fully accessible only on the basis of a court decision, which is issued in accordance with the procedures established by Article 7(3)(a) of the Law of Georgia on Operative Investigatory Activities.
4. The passenger name record data transferred to the competent bodies shall be retained until the expiry of the period determined by paragraph 1 of this article and shall be destroyed in accordance with the procedure established by the legislation of Georgia.
5. The results of the processing carried out by the authorised body shall be retained by the authorised body only for the period necessary for informing the competent bodies and the authorised divisions of the third countries of a positive match. Data of a positive match obtained during an automatic processing, which was not confirmed as a result of a non-automatic review, may as well be retained for the purpose of preventing future false positive matches.
Article 6. Transfer of the advance passenger information and the passenger name record data to the Ministry of Internal Affairs of Georgia
1. The authorised body shall ensure that the data provided for by Annex No 1 of this Procedure is copied in real time and entered in the relevant database, provide access to the Ministry of Internal Affairs of Georgia to the Database, as well as the create and operate a management system of such data (for the purpose of processing, deleting, retaining and destroying the data).
2. The investigation units of the Ministry of Internal Affairs of Georgia shall process the passenger name record data for the purposes provided for by Article 1(2)(a) of this Procedure.
3. The bodies of the Ministry of Internal Affairs of Georgia, responsible for carrying out border control, shall process the advance passenger information for the purposes provided for by Article 1(2)(b) of this Procedure.
4. The divisions of the Ministry of Internal Affairs of Georgia shall delete the information from the database on the advance passenger information and the passenger name record data within 24 hours after the arrival/departure of the aircraft, except for the cases, where the further retention of the data is necessary for the relevant divisions to implement the functions and objectives provided for by law. Making a decision on the necessity of retention of the data for more than 24 hours and further processing of the data shall be carried out in accordance with the requirements of the legislation on personal data protection.
5. The divisions of the Ministry of Internal Affairs of Georgia authorised to process the advance passenger information and the passenger name record data, as well as the procedure for processing information by them shall be determined by the order of the Ministry of Internal Affairs of Georgia.
Article 7. Penalty sanctions
The violation by an air carrier of the obligation to transfer information provided for by the legislation and this Procedure shall result in a penalty imposed on the air carrier in accordance with the procedure established by the applicable legislation.
Article 8. Transfer of data to third countries
1. The third country shall be entitled to request from the authorised body the transfer of the passenger name record data, depersonalisation of which has not been carried out, and, if necessary, the transfer of the data received from processing such data. Such request shall be dully substantiated.
2. The passenger name records and the results of processing of such records, retained in accordance with Article 5 of this Procedure, may be transferred to other state, if:
a) the transfer of the data aims at prevention, detection, investigation or criminal prosecution of terrorism offences or other serious or particularly serious crimes;
b) the requirements for the transfer of data provided for by the Law of Georgia on Personal Data Protection to other states or international organisations are met;
c) the third country undertakes the obligation to transfer such information to another third country, only in the case of necessity, for the purpose of prevention, detection, investigation or criminal prosecution of terrorism offences, as well as other serious or particularly serious crimes, on the basis of the consent expressed by the authorised body.
3. The consent provided for by paragraph 2(c) of this article shall not be mandatory, if:
a) such transfer is necessary to respond to a specific and active threat of a terrorism offence, as well as other serious or particularly serious crime;
b) obtaining prior consent is not possible in required time.
4. The transfer of the passenger name record data to a third country after depersonalisation may be carried out in accordance with the procedure provided for by Article 5(3) of this Procedure.
Article 9. Control and personal data protection
1. The control of the processing of the personal data provided for by this Procedure shall be carried out by a personal data protection inspector, in accordance with the procedure established by the applicable legislation of Georgia.
2. The authorised body shall be obligated to retain complete documentation related to the data processing systems and procedures. The documentation shall at least include:
a) the requirements carried out by the competent bodies;
b) the request of the third country on the transfer of the passenger name records and the implemented transfer of such records.
3. The authorised body shall be obligated to transfer the documentation provided for by paragraph 2 of this article to a controlling body upon its request.
4. The authorised body shall be obligated to keep the records related to the operational actions of the data collection, disclosure and deletion. The records on the disclosure shall contain the information regarding the date, time and grounds and as far as possible, provide information on the persons disclosing and receiving the passenger name record data. Such records shall be accessible to the controlling body.
Annex No 1
Passenger name record data
1. PNR record locator (record indicator, confirmation number, reservation number or any other identifier).
2. Date of reservation/issue of ticket.
3. Dates of intended travel.
4. Name/names.
5. Address and contact information (e-mail address; telephone number).
6. Complete travel itinerary for specific PNR.
7. Frequent flyer information.
8. Information on the travel agency/travel agent.
9. Split/divided PNR information.
10. Number of passengers and their names in the PNR.
11. Travel status of a passenger (check-in time of a passenger, no-show or go-show information).
12. General remarks (including all available information on unaccompanied minors under 18 years, such as his/her name, age, language spoken, details of a contact person (his/her name, contact details, etc.)).
13. Ticketing field information, including ticket number, date of ticket issuance and one-way tickets.
14. Seat number and other seat information.
15. Code share information.
16. All baggage information (number, quantity, weight, special baggage, excess baggage, etc.)
17. Name and last name of the person who made the reservation.
18. Payment information, in particular:
a) payment method (cash, bank transfer or credit card);
b) cost, specifying the corresponding currency (Euro, USD, GEL);
c) data of the person who made the payment (name, last name, contact details);
d) credit card data (type, number, expiration date, name and last name of the owner, name on card).
19. Advance passenger information, in particular:
a) number, type and validity period of the travel document;
b) citizenship;
c) full name;
d) date of birth;
e) gender;
f) airline;
g) flight number;
h) departure date and arrival date and respective times;
i) departure port and arrival port;
j) border checkpoint of entry into the territory of the country;
k) total number of the passengers on board;
l) initial place of boarding.
20. All historical changes to the data listed in numbers 1 to 19 of this Annex.
Annex No 2
Formats and protocols for transferring the passenger name record data
a) formats for transferring the passenger name record data:
− EDIFACT PNRGOV, as described in the EDIFACT Implementation Guide; The passenger name record data transferred to state or other bodies; PNRGOV message version 11.1 or the next version;
− XML PNRGOV, as described in the XML Implementation Guide; The passenger name record data transferred to state or other bodies; PNRGOV message version 13.1 or the next version;
b) protocols for transferring the passenger name record data:
IBM MQ;
IATA, type B;
AS4 Profile of ebMS 3.0 Version 1.0, OASIS Standard, published on 23 January 2013.
Document comments