POLICY PURSUANT TO ARTICLE 13 OF REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND COUNCIL
As of March 5, 2003, the United States Authorities require carriers with flights from, to or through the United States of America, to provide the United States Bureau of Customs and Border Protection (CBP), for security reasons and to protect the United States of America, with electronic access to passenger data.
Carriers that do not fulfill these requirements could face heavy fines and even lose the right to land in the United States of America.
In turn, passengers on these carriers may be subject to more thorough and lengthy checks in United States airports, with all the possible inconveniences this may cause.
Alitalia, like all European carriers flying from, to or through the United States of America, sought to fulfill the abovementioned requirements.
The transfer of passenger data to the United States Authorities is in fact a condition of operating air transport services from, to or through the United States of America.
Any passengers who do not consent to their data being accessed will consequently not be permitted to fly from, to or through the United States of America. Alitalia therefore, in compliance with the requirements of said Authorities, reserves the right to cancel bookings where this data is missing the day before the deadline of 72 hours before departure.
The processing of PNR data is covered by the international agreement of July 26, 2007 between the European Union and the United States. The European Union will ensure that air carriers respect these obligations. Alitalia must comply with these requirements. For a more detailed explanation of the processing of PNR data collected by the United States Authorities (DHS - Department of Homeland Security) in relation to flights between the European Union (EU) and the United States, please refer to the international agreement and accompanying letter from the DHS, published in the Official Journal of the European Community L 204 of August 4, 2007, which you can see by clicking here.
Alitalia, therefore, considered it necessary to ensure that its passengers are aware of the following information relating to the processing and transfer methods of data contained in bookings (to which the United States of America is committed, pursuant to the agreement with the European Community), which are reported in the form of answers to specific questions.
- What type of passenger information can they access?
The United States Bureau of Customs and Border Protection (US CBP) has access to PNR (Passenger Name Record, i.e. customer data recorded in the process of booking a flight) regarding flights from, to or through the United States of America.
This is in the form of electronic "files" created in the computer systems used by carriers for every itinerary booked by the passenger, containing various types of information, including: passenger name, telephone number, flight details (date, origin and destination, on-board seat number, number of bags, etc.), as well as other information such as: the name of any travel agency involved, payment method, etc.
The PNR therefore includes all the information provided by the passenger when booking. Immediately after takeoff, the passenger's passport details (surname, name, date of birth, nationality, passport number and gender) are also sent to the United States Customs and Immigration Authorities.
AUTHORITIES AND PURPOSES
- Who will have access to customer data, who will keep it and for what purposes will it be used?
The US CBP, which is part of the Department of Homeland Security, will have access to the data.
This entity will use it to prevent and combat terrorism and serious criminal acts.
The US CBP will not allow the public to access the data in question. According to United States law, data may still be transmitted to other US Authorities for combating terrorism or to comply with legal obligations and in the interests of justice. However, this must only occur after a case-by-case evaluation and always for the purposes of preventing and combating terrorism or serious criminal acts.
This data could also be made available, when necessary, for protecting the vital interests of passengers or third persons (especially in cases of significant health risks) or in criminal proceedings or other cases required by law.
- How will passenger data be used?
The data is intercepted by the US CBP within the booking system up to 48 hours before departure of the flight and is used to perform checks on passengers before they arrive in the United States of America, in order to facilitate the entry of most of the travelers, focusing the US CBP resources on a limited number of passengers who could be a real security threat.
The data is stored for a period of seven years, although, in cases where the data is accessed manually within this period, it could be stored for a further eight years.
Moreover, the United States Authorities will adopt all the appropriate technical and organizational measures to prevent unauthorized use of the data.
- What rights do passengers have and how can these be exercised?
The United States Authorities have undertaken, in principle, not to oppose requests from passengers to receive a copy of the data intercepted in the PNR and stored in their databases. Passengers may request that their data be amended, and may obtain this where the US CBP or the Transport Security Agency (TSA) considers the request justified and adequately supported.
However, a negative decision may be subject to judicial appeal.
Passengers may address (directly or through the authorities in charge of data protection in the Member States) requests for amendments and complaints regarding PNR data processing to the DHS Privacy Office (Freedom of Information Act [FOIA] Program):
Department of Homeland Security
245 Murray Drive SW
Washington, DC 20528-0550
Toll-free number: +1 866 431 0486
Tel.: +1 703 235 0790
Fax: +1 703 235 0443
Passengers can also receive further information on the protection of privacy through the competent authorities in their own country. In Italy, please contact the Italian Data Protection Authority: Garante per la Protezione dei Dati Personali, Piazza Montecitorio, 121 - 00186 Rome, tel. 06 69677713, fax 06 69677715.
Alitalia currently only allows the US Authorities access to PNR data.
However, in the near future, it cannot be ruled out that other countries could put similar systems in place for accessing bookings for air carriers flying from, to or through their country.