TITLE II: EXCHANGES OF DNA, FINGERPRINTS AND VEHICLE REGISTRATION DATA
Article LAW.PRUM.5: Objective
The objective of this Title is to establish reciprocal cooperation between the competent law enforcement authorities of the United Kingdom, on the one side, and the Member States, on the other side, on the automated transfer of DNA profiles, dactyloscopic data and certain domestic vehicle registration data.
Article LAW.PRUM.6: Definitions For the purposes of this Title, the following definitions apply:
(a) “competent law enforcement authority” means a domestic police, customs or other authority that is authorised by domestic law to detect, prevent and investigate offences or criminal activities and to exercise authority and take coercive measures in the context of such activities; agencies, bodies or other units dealing especially with national security issues are not competent law enforcement authorities for the purposes of this Title;
(b) “search” and “comparison”, as referred to in Articles LAW.PRUM.8 [Automated searching of DNA profiles], LAW.PRUM.9 [Automated comparison of DNA profiles], LAW.PRUM.12 [Automated searching of dactyloscopic data], and LAW.PRUM.17 [Implementing measures] mean the procedures by which it is established whether there is a match between, respectively, DNA data or dactyloscopic data which have been communicated by one State and DNA data or dactyloscopic data stored in the databases of one, several, or all of the other States;
(c) “automated searching”, as referred to in Article LAW.PRUM.15 [Automated searching of vehicle registration data], means an online access procedure for consulting the databases of one, several, or all of the other States;
(d) “non-coding part of DNA” means chromosome regions not genetically expressed, i.e. not known to provide for any functional properties of an organism;
(e) “DNA profile” means a letter or numeric code which represents a set of identification characteristics of the non-coding part of an analysed human DNA sample, i.e. the particular molecular structure at the various DNA locations (loci);
(f) “DNA reference data” means DNA profile and reference number; DNA reference data shall only include DNA profiles established from the non-coding part of DNA and a reference number; DNA reference data shall not contain any data from which the data subject can be directly identified; DNA reference data which is not attributed to any natural person (unidentified DNA profiles) shall be recognisable as such;
(g) “reference DNA profile” means the DNA profile of an identified person;
(h) “unidentified DNA profile” means the DNA profile obtained from traces collected during the investigation of criminal offences and belonging to a person not yet identified;
(i) “note” means a State’s marking on a DNA profile in its domestic database indicating that there has already been a match for that DNA profile on another State’s search or comparison;
(j) “dactyloscopic data” means fingerprint images, images of fingerprint latents, palm prints, palm print latents and templates of such images (coded minutiae), when they are stored and dealt with in an automated database;
(k) “dactyloscopic reference data” means dactyloscopic data and reference number; dactyloscopic reference data shall not contain any data from which the data subject can be directly identified; dactyloscopic reference data which is not attributed to any natural person (unidentified dactyloscopic data) shall be recognisable as such;
(l) “vehicle registration data” means the data-set as specified in Chapter 3 of ANNEX LAW-1;
(m) “individual case”, as referred to in Article LAW.PRUM.8(1) [Automated searching of DNA profiles], second sentence, Article LAW.PRUM.12(1) [Automated searching of dactyloscopic data], second sentence and Article LAW.PRUM.15(1) [Automated searching of vehicle registration data], means a single investigation or prosecution file; if such a file contains more than one DNA profile, or one piece of dactyloscopic data or vehicle registration data, they may be transmitted together as one request;
(n) “laboratory activity” means any measure taken in a laboratory when locating and recovering traces on items, as well as developing, analysing and interpreting forensic evidence regarding DNA profiles and dactyloscopic data, with a view to providing expert opinions or exchanging forensic evidence;
(o) “results of laboratory activities” means any analytical outputs and directly associated interpretation;
(p) “forensic service provider” means any organisation, public or private, that carries out laboratory activities at the request of competent law enforcement or judicial authorities;
(q) “domestic accreditation body” means the sole body in a State that performs accreditation with authority derived from the State.
Article LAW.PRUM.7: Establishment of domestic DNA analysis files
1. The States shall open and keep domestic DNA analysis files for the investigation of criminal offences.
2. For the purpose of implementing this Title, the States shall ensure the availability of DNA reference data from their domestic DNA analysis files as referred to in paragraph 1.
3. The States shall declare the domestic DNA analysis files to which Articles LAW.PRUM.7 [Establishment of domestic DNA analysis files] to LAW.PRUM.10 [Collection of cellular material and supply of DNA profiles] and Articles LAW.PRUM.13 [National contact points], LAW.PRUM.14 [Supply of further personal data and other information] and LAW.PRUM. 17 [Implementing measures] apply and the conditions for automated searching as referred to in Article LAW.PRUM.8(1) [Automated searching of DNA profiles].
Article LAW.PRUM.8: Automated searching of DNA profiles
1. For the investigation of criminal offences, States shall allow other States’ national contact points as referred to in Article LAW.PRUM.13 [National contact points] access to the DNA reference data in their DNA analysis files, with the power to conduct automated searches by comparing DNA
profiles. Searches may be conducted only in individual cases and in compliance with the requesting State’s domestic law.
2. If an automated search shows that a DNA profile supplied matches DNA profiles entered in the requested State’s searched file, the requested State shall send to the national contact point of the requesting State in an automated way the DNA reference data with which a match has been found. If no match can be found, this shall be notified automatically.
Article LAW.PRUM.9: Automated comparison of DNA profiles
1. For the investigation of criminal offences, the States, via their national contact points, shall compare the DNA profiles of their unidentified DNA profiles with all DNA profiles from other domestic DNA analysis files’ reference data in accordance with mutually accepted practical arrangements between the States concerned. DNA profiles shall be supplied and compared in automated form. Unidentified DNA profiles shall be supplied for comparison only where provided for under the requesting State’s domestic law.
2. If a State, as a result of the comparison referred to in paragraph 1, finds that any DNA profiles supplied by another State match any of those in its DNA analysis files, it shall supply that other State’s national contact point with the DNA reference data with which a match has been found without delay.
Article LAW.PRUM.10: Collection of cellular material and supply of DNA profiles
Where, in ongoing investigations or criminal proceedings, there is no DNA profile available for a particular individual present within a requested State’s territory, the requested State shall provide legal assistance by collecting and examining cellular material from that individual and by supplying the DNA profile obtained to the requesting State, if:
(a) the requesting State specifies the purpose for which it is required;
(b) the requesting State produces an investigation warrant or statement issued by the competent authority, as required under that State’s domestic law, showing that the requirements for collecting and examining cellular material would be fulfilled if the individual concerned were present within the requesting State’s territory; and
(c) under the requested State’s law, the requirements for collecting and examining cellular material and for supplying the DNA profile obtained are fulfilled.
Article LAW.PRUM.11: Dactyloscopic data
For the purpose of implementing this Title, the States shall ensure the availability of dactyloscopic reference data from the file for the domestic automated fingerprint identification systems established for the prevention and investigation of criminal offences.
Article LAW.PRUM.12: Automated searching of dactyloscopic data
1. For the prevention and investigation of criminal offences, States shall allow other States’ national contact points, as referred to in Article LAW.PRUM.13 [National contact points], access to the reference data in the automated fingerprint identification systems which they have established for that purpose, with the power to conduct automated searches by comparing dactyloscopic data. Searches may be conducted only in individual cases and in compliance with the requesting State’s domestic law.
2. The confirmation of a match of dactyloscopic data with reference data held by the requested State shall be carried out by the national contact point of the requesting State by means of the automated supply of the reference data required for a clear match.
Article LAW.PRUM.13: National contact points
1. For the purposes of the supply of data as referred to in Articles LAW.PRUM.8 [Automated searching of DNA profiles], LAW.PRUM.9 [Automated comparison of DNA profiles] and LAW.PRUM.12 [Automated searching of dactyloscopic data], the States shall designate national contact points.
2. In respect of the Member States, national contact points designated for an analogous exchange of data within the Union shall be considered as national contact points for the purpose of this Title.
3. The powers of the national contact points shall be governed by the applicable domestic law. Article LAW.PRUM.14: Supply of further personal data and other information
If the procedure referred to in Articles LAW.PRUM.8 [Automated searching of DNA profiles], LAW.PRUM.9 [Automated comparison of DNA profiles] and LAW.PRUM.12 [Automated searching of dactyloscopic data] show a match between DNA profiles or dactyloscopic data, the supply of further available personal data and other information relating to the reference data shall be governed by the domestic law, including the legal assistance rules, of the requested State, without prejudice to Article LAW.PRUM.17(1) [Implementing measures].
Article LAW.PRUM.15: Automated searching of vehicle registration data
1. For the prevention and investigation of criminal offences and in dealing with other offences within the jurisdiction of the courts or a public prosecutor in the requesting State, as well as in maintaining public security, States shall allow other States’ national contact points, as referred to in paragraph 2, access to the following domestic vehicle registration data, with the power to conduct automated searches in individual cases:
(a) data relating to owners or operators; and
(b) data relating to vehicles.
2. Searches may be conducted under paragraph 1 only with a full chassis number or a full registration number and in compliance with the requesting State’s domestic law.
3. For the purposes of the supply of data as referred to in paragraph 1, the States shall designate a national contact point for incoming requests from other States. The powers of the national contact points shall be governed by the applicable domestic law.
Article LAW.PRUM.16: Accreditation of forensic service providers carrying out laboratory activities
1. The States shall ensure that their forensic service providers carrying out laboratory activities are accredited by a domestic accreditation body as complying with EN ISO/IEC 17025.
2. Each State shall ensure that the results of accredited forensic service providers carrying out laboratory activities in other States are recognised by its authorities responsible for the prevention,
detection, and investigation of criminal offences as being equally reliable as the results of domestic forensic service providers carrying out laboratory activities accredited to EN ISO/IEC 17025.
3. The competent law enforcement authorities of the United Kingdom shall not carry out searches and automated comparison in accordance with Articles LAW.PRUM.8 [Automated searching of DNA profiles], LAW.PRUM.9 [Automated comparison of DNA profiles] and LAW.PRUM.12 [Automated searching of dactyloscopic data] before the United Kingdom has implemented and applied the measures referred to in paragraph 1 of this Article.
4. Paragraphs 1 and 2 do not affect domestic rules on the judicial assessment of evidence.
5. The United Kingdom shall communicate to the Specialised Committee on Law Enforcement and Judicial Cooperation the text of the main provisions adopted to implement and apply the provisions of this Article.
Article LAW.PRUM.17: Implementing measures
1. For the purposes of this Title, States shall make all categories of data available for searching and comparison to the competent law enforcement authorities of other States under conditions equal to those under which they are available for searching and comparison by domestic competent law enforcement authorities. States shall supply further available personal data and other information relating to the reference data as referred to in Article LAW.PRUM.14 [Supply of further personal data and other information] to the competent law enforcement authorities of other States for the purposes of this Title under conditions equal to those under which they would be supplied to domestic authorities.
2. For the purpose of implementing the procedures referred to in Articles LAW.PRUM.8 [Automated searching of DNA profiles], LAW.PRUM.9 [Automated comparison of DNA profiles], LAW.PRUM.12 [Automated searching of dactyloscopic data] and LAW.PRUM.15 [Automated searching of vehicle registration data], technical and procedural specifications are laid down in ANNEX LAW-1.
3. The declarations made by Member States in accordance with Council Decisions 2008/615/JHA77 and 2008/616/JHA78 shall also apply in their relations with the United Kingdom.
Article LAW.PRUM.18: Ex ante evaluation
1. In order to verify whether the United Kingdom has fulfilled the conditions set out in Article LAW.PRUM.17 [Implementing measures] and ANNEX LAW-1, an evaluation visit and a pilot run, to the extent required by ANNEX LAW-1, shall be carried out in respect of, and under conditions and arrangements acceptable to, the United Kingdom. In any event, a pilot run shall be carried out in
77 Council Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime (OJ EU L 210, 6.8.2008, p. 1).
78 Council Decision 2008/616/JHA of 23 June 2008 on the implementation of Decision 2008/615/JHA on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime (OJ EU L 210, 6.8.2008, p. 12).
relation to the searching of data under Article LAW.PRUM.15 [Automated searching of vehicle registration data].
2. On the basis of an overall evaluation report on the evaluation visit and, where applicable, the pilot run, as referred to in paragraph 1, the Union shall determine the date or dates from which personal data may be supplied by Member States to the United Kingdom pursuant to this Title.
3. Pending the outcome of the evaluation referred to in paragraph 1, from the date of the entry into force of this Agreement, Member States may supply to the United Kingdom personal data as referred to in Articles LAW.PRUM.8 [Automated searching of DNA profiles], LAW.PRUM.9 [Automated comparison of DNA profiles], LAW.PRUM.12 [Automated searching of dactyloscopic data] and LAW.PRUM.14 [Supply of further personal data and other information] until the date or dates determined by the Union in accordance with paragraph 2 of this Article, but not longer than nine months after the entry into force of this Agreement. The Specialised Committee on Law Enforcement and Judicial Cooperation may extend this period once by a maximum of nine months.
Article LAW.PRUM.19: Suspension and disapplication
1. In the event that the Union considers it necessary to amend this Title because Union law relating to the subject matter governed by this Title is amended substantially, or is in the process of being amended substantially, it may notify the United Kingdom accordingly with a view to agreeing on a formal amendment of this Agreement in relation to this Title. Following such notification, the Parties shall engage in consultations.
2. Where within nine months of that notification the Parties have not reached an agreement amending this Title, the Union may decide to suspend the application of this Title or any provisions of this Title for a period of up to nine months. Before the end of that period, the Parties may agree on an extension of the suspension for an additional period of up to nine months. If by the end of the suspension period the Parties have not reached an agreement amending this Title, the suspended provisions shall cease to apply on the first day of the month following the expiry of the suspension period, unless the Union informs the United Kingdom that it no longer seeks any amendment to this Title. In that case, the suspended provisions of this Title shall be reinstated.
3. If any of the provisions of this Title are suspended under this Article, the Specialised Committee on Law Enforcement and Judicial Cooperation shall meet to decide what steps are needed to ensure that any cooperation initiated under this Title and affected by the suspension is concluded in an appropriate manner. In any event, with regard to all personal data obtained through cooperation under this Title before the provisions concerned by the suspension provisionally cease to apply, the Parties shall ensure that the level of protection under which the personal data were transferred is maintained after the suspension takes effect.
TITLE III: TRANSFER AND PROCESSING OF PASSENGER NAME RECORD DATA
Article LAW.PNR.18: Scope
1. This Title lays down rules under which passenger name record data may be transferred to, processed and used by the United Kingdom competent authority for flights between the Union and the United Kingdom, and establishes specific safeguards in that regard.
2. This Title applies to air carriers operating passenger flights between the Union and the United Kingdom.
3. This Title also applies to air carriers incorporated, or storing data, in the Union and operating passenger flights to or from the United Kingdom.
4. This Title also provides for police and judicial cooperation in criminal matters between the United Kingdom and the Union in respect of PNR data.
Article LAW.PNR.19: Definitions For the purposes of this Title, the following definitions apply:
(a) “air carrier” means an air transport undertaking with a valid operating licence or equivalent permitting it to carry out carriage of passengers by air between the United Kingdom and the Union;
(b) “passenger name record” (“PNR”) means a record of each passenger’s travel requirements which contains information necessary to enable reservations to be processed and controlled by the booking and participating air carriers for each journey booked by or on behalf of any person, whether it is contained in reservation systems, departure control systems used to check passengers into flights, or equivalent systems providing the same functionalities; specifically, as used in this Title, PNR data consists of the elements set out in ANNEX LAW-2;
(c) “United Kingdom competent authority” means the United Kingdom authority responsible for receiving and processing PNR data under this Agreement; if the United Kingdom has more than one competent authority it shall provide a passenger data single window facility that allows air carriers to transfer PNR data to a single data transmission entry point and shall designate a single point of contact for the purpose of receiving and making requests under Article LAW.PNR.22 [Police and judicial Cooperation];
(d) “Passenger Information Units” (“PIUs”) means the Units established or designated by Member States that are responsible for receiving and processing PNR data;
(e) “terrorism” means any offence listed in ANNEX LAW-7;
(f) “serious crime” means any offence punishable by a custodial sentence or detention order for a maximum period of at least three years under the domestic law of the United Kingdom.
Article LAW.PNR.20: Purposes of the use of PNR data
1. The United Kingdom shall ensure that PNR data received pursuant to this Title is processed strictly for the purposes of preventing, detecting, investigating or prosecuting terrorism or serious crime and for the purposes of overseeing the processing of PNR data within the terms set out in this Agreement.
2. In exceptional cases, the United Kingdom competent authority may process PNR data where necessary to protect the vital interests of any natural person, such as:
(a) a risk of death or serious injury; or
(b) a significant public health risk, in particular as identified under internationally recognised standards.
3. The United Kingdom competent authority may also process PNR data on a case-by-case basis where the disclosure of relevant PNR data is compelled by a United Kingdom court or administrative tribunal in a proceeding directly related to any of the purposes referred to in paragraph 1.
Article LAW.PNR.21: Ensuring PNR data is provided
1. The Union shall ensure that air carriers are not prevented from transferring PNR data to the United Kingdom competent authority pursuant to this Title.
2. The Union shall ensure that air carriers may transfer PNR data to the United Kingdom competent authority through authorised agents, who act on behalf of and under the responsibility of an air carrier, pursuant to this Title.
3. The United Kingdom shall not require an air carrier to provide elements of PNR data which are not already collected or held by the air carrier for reservation purposes.
4. The United Kingdom shall delete any data transferred to it by an air carrier pursuant to this Title upon receipt of that data, if that data element is not listed in ANNEX LAW-2.
Article LAW.PNR.22: Police and judicial cooperation
1. The United Kingdom competent authority shall share with Europol or Eurojust, within the scope of their respective mandates, or with the PIUs of the Member States all relevant and appropriate analytical information containing PNR data as soon as possible in specific cases where necessary to prevent, detect, investigate, or prosecute terrorism or serious crime.
2. At the request of Europol or Eurojust, within the scope of their respective mandates, or of the PIU of a Member State, the United Kingdom competent authority shall share PNR data, the results of processing those data, or analytical information containing PNR data, in specific cases where necessary to prevent, detect, investigate, or prosecute terrorism or serious crime.
3. The PIUs of the Member States shall share with the United Kingdom competent authority all relevant and appropriate analytical information containing PNR data as soon as possible in specific cases where necessary to prevent, detect, investigate, or prosecute terrorism or serious crime.
4. At the request of the United Kingdom competent authority, the PIUs of the Member States shall share PNR data, the results of processing those data, or analytical information containing PNR data, in specific cases where necessary to prevent, detect, investigate, or prosecute terrorism or serious crime.
5. The Parties shall ensure that the information referred to in paragraphs 1 to 4 is shared in accordance with agreements and arrangements on law enforcement or information sharing between the United Kingdom and Europol, Eurojust, or the relevant Member State. In particular, the exchange of information with Europol under this Article shall take place through the secure communication line established for the exchange of information through Europol.
6. The United Kingdom competent authority and the PIUs of the Member States shall ensure that only the minimum amount of PNR data necessary is shared under paragraphs 1 to 4.
Article LAW.PNR.23: Non-discrimination
The United Kingdom shall ensure that the safeguards applicable to the processing of PNR data apply to all natural persons on an equal basis without unlawful discrimination.
Article LAW.PNR.24: Use of special categories of personal data
Any processing of special categories of personal data shall be prohibited under this Title. To the extent that any PNR data which is transferred to the United Kingdom competent authority includes special categories of personal data, the United Kingdom competent authority shall delete such data.
Article LAW.PNR.25: Data security and integrity
1. The United Kingdom shall implement regulatory, procedural or technical measures to protect PNR data against accidental, unlawful or unauthorised access, processing or loss.
2. The United Kingdom shall ensure compliance verification and the protection, security, confidentiality, and integrity of the data. In that regard, the United Kingdom shall:
(a) apply encryption, authorisation, and documentation procedures to the PNR data;
(b) limit access to PNR data to authorised officials;
(c) hold PNR data in a secure physical environment that is protected with access controls; and
(d) establish a mechanism that ensures that PNR data queries are conducted in a manner consistent with Article LAW.PNR.20 [Purposes of the use of PNR data].
3. If a natural person’s PNR data is accessed or disclosed without authorisation, the United Kingdom shall take measures to notify that natural person, to mitigate the risk of harm, and to take remedial action.
4. The United Kingdom competent authority shall promptly inform the Specialised Committee on Law Enforcement and Judicial Cooperation of any significant incident of accidental, unlawful or unauthorised access, processing or loss of PNR data.
5. The United Kingdom shall ensure that any breach of data security, in particular any breach leading to accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, or any unlawful forms of processing, are subject to effective and dissuasive corrective measures which may include sanctions.
Article LAW.PNR.26: Transparency and notification of passengers
1. The United Kingdom competent authority shall make the following available on its website:
(a) a list of the legislation authorising the collection of PNR data;
(b) the purposes for the collection of PNR data;
(c) the manner of protecting PNR data;
(d) the manner and extent to which PNR data may be disclosed;
(e) information regarding the rights of access, correction, notation and redress; and
(f) contact information for inquiries.
2. The Parties shall work with interested third parties, such as the aviation and air travel industry, to promote transparency at the time of booking regarding the purpose of the collection, processing and use of PNR data, and regarding how to request access, correction and redress. Air carriers shall provide passengers with clear and meaningful information in relation to the transfer of PNR data under this Title, including the details of the recipient authority, the purpose of the transfer and the right to request from the recipient authority, access to and correction of the personal data of the passenger that has been transferred.
3. Where PNR data retained in accordance with Article LAW.PNR.28 [Retention of PNR data] has been used subject to the conditions set out in Article LAW.PNR.29 [Conditions for the use of PNR data] or has been disclosed in accordance with Article LAW.PNR.31 [Disclosure within the United Kingdom] or Article LAW.PNR.32 [Disclosure outside the United Kingdom], the United Kingdom shall notify the passengers concerned in writing, individually and within a reasonable time once such notification is no longer liable to jeopardise the investigations by the public authorities concerned to the extent that the relevant contact information of the passengers is available or can be retrieved, taking into account reasonable efforts. The notification shall include information on how the natural person concerned can seek administrative or judicial redress.
Article LAW.PNR.27: Automated processing of PNR data
1. The United Kingdom competent authority shall ensure that any automated processing of PNR data is based on non-discriminatory, specific and reliable pre-established models and criteria to enable it to:
(a) arrive at results targeting natural persons who might be under a reasonable suspicion of involvement or participation in terrorism or serious crime; or
(b) in exceptional circumstances, protect the vital interests of any natural person as set out in Article LAW.PNR.20(2) [Purposes of the use of PNR data].
2. The United Kingdom competent authority shall ensure that the databases against which PNR data are compared are reliable, up to date and limited to those databases it uses in relation to the purposes set out in Article LAW.PNR.20 [Purposes of the use of PNR data].
3. The United Kingdom shall not take any decision adversely affecting a natural person in a significant manner solely on the basis of automated processing of PNR data.
Article LAW.PNR.28: Retention of PNR data
1. The United Kingdom shall not retain PNR data for more than five years from the date that it receives the PNR data.
2. No later than six months after the transfer of the PNR data referred to in paragraph 1, all PNR data shall be depersonalised by masking out the following data elements which could serve to identify directly the passenger to whom the PNR data relate or any other natural person:
(a) names, including the names of other passengers on the PNR and number of passengers on the PNR travelling together;
(b) addresses, telephone numbers and electronic contact information of the passenger, the persons who made the flight reservation for the passenger, persons through whom the air passenger may be contacted and persons who are to be informed in the event of an emergency;
(c) all available payment and billing information, to the extent that it contains any information which could serve to identify a natural person;
(d) frequent flyer information;
(e) other supplementary information (OSI), special service information (SSI) and special service request (SSR) information, to the extent that they contain any information which could serve to identify a natural person; and
(f) any advance passenger information (API) data that have been collected.
3. The United Kingdom competent authority may unmask PNR data only if it is necessary to carry out investigations for the purposes set out in Article LAW.PNR.20 [Purposes of the use of PNR data]. Such unmasked PNR data shall be accessible only to a limited number of specifically authorised officials.
4. Notwithstanding paragraph 1, the United Kingdom shall delete the PNR data of passengers after their departure from the country unless a risk assessment indicates the need to retain such PNR data. In order to establish that need, the United Kingdom shall identify objective evidence from which it may be inferred that certain passengers present the existence of a risk in terms of the fight against terrorism and serious crime.
5. For the purposes of paragraph 4, unless information is available on the exact date of departure, the date of departure should be considered as the last day of the period of maximum lawful stay in the United Kingdom of the passenger concerned.
6. The use of the data retained under this Article is subject to the conditions laid down in Article LAW.PNR.29 [Conditions for the use of PNR].
7. An independent administrative body in the United Kingdom shall assess on a yearly basis the approach applied by the United Kingdom competent authority as regards the need to retain PNR data pursuant to paragraph 4.
8. Notwithstanding paragraphs 1, 2 and 4, the United Kingdom may retain PNR data required for any specific action, review, investigation, enforcement action, judicial proceeding, prosecution, or enforcement of penalties, until concluded.
9. The United Kingdom shall delete the PNR data at the end of the PNR data retention period.
10. Paragraph 11 applies due to the special circumstances that prevent the United Kingdom from making the technical adjustments necessary to transform the PNR processing systems which the United Kingdom operated whilst Union law applied to it into systems which would enable PNR data to be deleted in accordance with paragraph 4.
11. The United Kingdom may derogate from paragraph 4 on a temporary basis for an interim period, the duration of which is provided for in paragraph 13, pending the implementation by the United Kingdom of technical adjustments as soon as possible. During the interim period, the United
Kingdom competent authority shall prevent the use of the PNR data that is to be deleted in accordance with paragraph 4 by applying the following additional safeguards to that PNR data:
(a) the PNR data shall be accessible only to a limited number of authorised officials and only where necessary to determine whether the PNR data should be deleted in accordance with paragraph 4;
(b) the request to use the PNR data shall be refused in cases where the data is to be deleted in accordance with paragraph 4, and no further access shall be granted to that data where the documentation referred to in point (d) of this paragraph indicates that an earlier request for use has been refused;
(c) deletion of the PNR data shall be ensured as soon as possible using best efforts, taking into account the special circumstances referred to in paragraph 10; and
(d) the following shall be documented in accordance with Article LAW.PNR.30 [Logging and documenting of PNR data processing], and such documentation shall be made available to the independent administrative body referred to in paragraph 7 of this Article:
(i) any requests to use the PNR data;
(ii) the date and time of the access to the PNR data for the purpose of assessing whether deletion of the PNR data was required;
(iii) that the request to use the PNR data was refused on the basis that the PNR data should have been deleted under paragraph 4, including the date and time of the refusal; and
(iv) the date and time of the deletion of the PNR data in accordance with point (c) of this paragraph.
12. The United Kingdom shall provide to the Specialised Committee on Law Enforcement and Judicial Cooperation, nine months after the entry into force of this Agreement and again a year later if the interim period is extended for a further year:
(a) a report from the independent administrative body referred to in paragraph 7 of this Article, which shall include the opinion of the United Kingdom supervisory authority referred to in Article LAW.GEN.4(3) [Protection of personal data] as to whether the safeguards provided for in paragraph 11 of this Article have been effectively applied; and
(b) the assessment of the United Kingdom of whether the special circumstances referred to in paragraph 10 of this Article persist, together with a description of the efforts made to transform the PNR processing systems of the United Kingdom into systems which would enable PNR data to be deleted in accordance with paragraph 4 of this Article.
13. The Specialised Committee on Law Enforcement and Judicial Cooperation shall meet within one year of the entry into force of this Agreement to consider the report and assessment provided under paragraph 12. Where the special circumstances referred to in paragraph 10 persist, the Partnership Council shall extend the interim period referred to in paragraph 11 for one year. The Partnership Council shall extend the interim period for one further final year, under the same conditions and following the same procedure as for the first extension where, in addition, substantial progress has been made, although it has not yet been possible to transform the United Kingdom PNR
processing systems into systems which would enable PNR data to be deleted in accordance with paragraph 4.
14. If the United Kingdom considers that a refusal by the Partnership Council to grant either of those extensions was not justified, it may suspend this Title with one month’s notice.
15. On the third anniversary of the date of entry into force of this Agreement, paragraphs 10 to 14 shall cease to apply.
Article LAW.PNR.29: Conditions for the use of PNR data
1. The United Kingdom competent authority may use PNR data retained in accordance with Article LAW.PNR.28 [Retention of PNR data] for purposes other than security and border control checks, including any disclosure under Article LAW.PNR.31 [Disclosure within the United Kingdom] and Article LAW.PNR.32 [Disclosure outside the United Kingdom], only where new circumstances based on objective grounds indicate that the PNR data of one or more passengers might make an effective contribution to the attainment of the purposes set out in Article LAW.PNR.20 [Purposes of the use of PNR data].
2. Use of PNR data by the United Kingdom competent authority in accordance with paragraph 1 shall be subject to prior review by a court or by an independent administrative body in the United Kingdom based on a reasoned request by the United Kingdom competent authority submitted within the domestic legal framework of procedures for the prevention, detection or prosecution of crime, except:
(a) in cases of validly established urgency; or
(b) for the purpose of verifying the reliability and currency of the pre-established models and criteria on which the automated processing of PNR data is based, or of defining new models and criteria for such processing.
Article LAW.PNR.30: Logging and documenting of PNR data processing
The United Kingdom competent authority shall log and document all processing of PNR data. It shall only use such logging or documentation to:
(a) self-monitor and to verify the lawfulness of data processing;
(b) ensure proper data integrity;
(c) ensure the security of data processing; and
(d) ensure oversight.
Article LAW.PNR.31: Disclosure within the United Kingdom
1. The United Kingdom competent authority shall not disclose PNR data to other public authorities in the United Kingdom unless the following conditions are met:
(a) the PNR data is disclosed to public authorities whose functions are directly related to the purposes set out in Article LAW.PNR.20 [Purposes of the use of PNR data];
(b) the PNR data is disclosed only on a case-by-case basis;
(c) the disclosure is necessary, in the particular circumstances, for the purposes set out in Article LAW.PNR.20 [Purposes of the use of PNR data];
(d) only the minimum amount of PNR data necessary is disclosed;
(e) the receiving public authority affords protection equivalent to the safeguards described in this Title; and
(f) the receiving public authority does not disclose the PNR data to another entity unless the disclosure is authorised by the United Kingdom competent authority in accordance with the conditions laid down in this paragraph.
2. When transferring analytical information containing PNR data obtained under this Title, the safeguards set out in this Article shall apply.
Article LAW.PNR.32: Disclosure outside the United Kingdom
1. The United Kingdom shall ensure that the United Kingdom competent authority does not disclose PNR data to public authorities in third countries unless all the following conditions are met:
(a) the PNR data is disclosed to public authorities whose functions are directly related to the purposes set out in Article LAW.PNR.20 [Purposes of the use of PNR data];
(b) the PNR data is disclosed only on a case-by-case basis;
(c) the PNR data is disclosed only if necessary for the purposes set out in Article LAW.PNR.20 [Purposes of the use of PNR data];
(d) only the minimum amount of PNR data necessary is disclosed; and
(e) the third country to which the PNR data is disclosed has either concluded an agreement with the Union that provides for the protection of personal data comparable to this Agreement or is subject to a decision of the European Commission pursuant to Union law that finds that the third country ensures an adequate level of data protection within the meaning of Union law.
2. As an exception to point (e) of paragraph 1, the United Kingdom competent authority may transfer PNR data to a third country if:
(a) the head of that authority, or a senior official specifically mandated by the head, considers that the disclosure is necessary for the prevention and investigation of a serious and imminent threat to public security or to protect the vital interests of any natural person; and
(b) the third country provides a written assurance, pursuant to an arrangement, agreement or otherwise, that the information shall be protected in line with the safeguards applicable under United Kingdom law to the processing of PNR data received from the Union, including those set out in this Title.
3. A transfer in accordance with paragraph 2 of this Article shall be documented. Such documentation shall be made available to the supervisory authority referred to in Article LAW.GEN.4(3) [Protection of personal data] on request, including the date and time of the transfer,
information about the receiving authority, the justification for the transfer and the PNR data transferred.
4. If, in accordance with paragraph 1 or 2, the United Kingdom competent authority discloses PNR data collected under this Title that originates in a Member State, the United Kingdom competent authority shall notify the authorities of that Member State of the disclosure at the earliest appropriate opportunity. The United Kingdom shall make that notification in accordance with agreements or arrangements on law enforcement or information sharing between the United Kingdom and that Member State.
5. When transferring analytical information containing PNR data obtained under this Title, the safeguards set out in this Article shall apply.
Article LAW.PNR.33: Method of transfer
Air carriers shall transfer PNR data to the United Kingdom competent authority exclusively on the basis of the ‘push method’, a method by which air carriers transfer PNR data into the database of the United Kingdom competent authority, and in accordance with the following procedures to be observed by air carriers, by which they:
(a) transfer PNR data by electronic means in compliance with the technical requirements of the United Kingdom competent authority or, in the case of a technical failure, by any other appropriate means ensuring an appropriate level of data security;
(b) transfer PNR data using a mutually accepted messaging format; and
(c) transfer PNR data in a secure manner using common protocols as required by the United Kingdom competent authority.
Article LAW.PNR.34: Frequency of transfer
1. The United Kingdom competent authority shall require air carriers to transfer the PNR data:
(a) initially from no earlier than 96 hours before the scheduled flight service departure time; and
(b) a maximum number of five times as specified by the United Kingdom competent authority.
2. The United Kingdom competent authority shall permit air carriers to limit the transfer referred to in point (b) of paragraph 1 to updates of the PNR data transferred as referred to in point (a) of that paragraph.
3. The United Kingdom competent authority shall inform air carriers of the specified times for the transfers.
4. In specific cases where there is an indication that additional access to PNR data is necessary to respond to a specific threat related to the purposes set out in Article LAW.PNR.20 [Purposes of the use of PNR data], the United Kingdom competent authority may require an air carrier to provide PNR data prior to, between or after the scheduled transfers. In exercising that discretion, the United Kingdom competent authority shall act judiciously and proportionately, and shall use the method of transfer described in Article LAW.PNR.33 [Method of transfer].
Article LAW.PNR.35: Cooperation
The United Kingdom competent authority and the PIUs of the Member States shall cooperate to pursue the coherence of their PNR data processing regimes in a manner that further enhances the security of individuals in the United Kingdom, the Union and elsewhere.
Article LAW.PNR.36: Non-derogation
This Title shall not be construed as derogating from any obligation between the United Kingdom and Member States or third countries to make or respond to a request under a mutual assistance instrument.
Article LAW.PNR.37: Consultation and review
1. The Parties shall advise each other of any measure that is to be enacted that may affect this Title.
2. When carrying out joint reviews of this Title as referred to in Article LAW.OTHER.135(1) [Review and evaluation], the Parties shall pay particular attention to the necessity and proportionality of processing and retaining PNR data for each of the purposes set out in Article LAW.PNR.20 [Purposes of the use of PNR data]. The joint reviews shall also include an examination of how the United Kingdom competent authority has ensured that the pre-established models, criteria and databases referred to in Article LAW.PNR.27 [Automated processing of PNR data] are reliable, relevant and current, taking into account statistical data.
Article LAW.PNR 38: Suspension of cooperation under this Title
1. In the event that either Party considers that the continued operation of this Title is no longer appropriate, it may notify the other Party accordingly of its intention to suspend the application of this Title. Following such notification, the Parties shall engage in consultations.
2. Where within 6 months of that notification the Parties have not reached a resolution, either Party may decide to suspend the application of this Title for a period of up to 6 months. Before the end of that period, the Parties may agree an extension of the suspension for an additional period of up to 6 months. If by the end of the suspension period the Parties have not reached a resolution with respect to this Title, this Title shall cease to apply on the first day of the month following the expiry of the suspension period, unless the notifying Party informs the other Party that it wishes to withdraw the notification. In that case, the provisions of this Title shall be reinstated.
3. If this Title is suspended under this Article, the Specialised Committee on Law Enforcement and Judicial Cooperation shall meet to decide what steps are needed to ensure that any cooperation initiated under this Title that is affected by the suspension is concluded in an appropriate manner. In any event, with regard to all personal data obtained through cooperation under this Title before the provisions concerned by the suspension provisionally cease to apply, the Parties shall ensure that the level of protection under which the personal data were transferred is maintained after the suspension takes effect.