g-docweb-display Portlet

Authorisation for the Transfer of Personal Data from the State's Territory to the US CBP Office of the Department of Homeland Security ' July 14, ...

Stampa Stampa Stampa
PDF Trasforma contenuto in PDF

[doc. web n. 1214157]

[ doc. web n.  1149808]

Authorisation for the Transfer of Personal Data from the State´s Territory to the US CBP Office of the Department of Homeland Security – July 14, 2005
(published in the Official Journal no. 171 of July 25, 2005)


THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI

Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Giovanni Buttarelli, Secretary General, having convened today,

Having regard to Article 25(1) and (2) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, providing that personal data may be transferred to a country outside the European Union if the third country in question ensures an adequate level of protection, as set forth in paragraph 2 of the aforementioned Article,

Having regard to Article 25(6) of the said Directive, providing that the European Commission may find that a third country ensures an adequate level of protection within the meaning of paragraph (2) above for the protection of the private lives and the rights and fundamental freedoms of individuals,

Having regard to the European Commission´s Decision no. 2004/535/EC of May 14, 2004, as published in the Official Journal of the EU L235/11 of July 6, 2004, in which it is found that the US Customs and Border Protection Office (hereinafter "CBP") can afford an adequate protection level to the personal data contained in the passenger name records (hereinafter "PNR") transferred from the Community as for the flights to or from the United States pursuant to the "Undertakings of the Department for Homeland Security – Bureau of Customs and Border Protection" of May 11, 2004 which are annexed to the said Decision;

Having regard to the Decision no. 2004/497/EC by the Council of the European Communities of May 17, 2004, as published in the Official Journal of the EU L183/83 of May 20, 2004, on the conclusion of an agreement between the European Community and the United States of America on the processing and transfer of PNR data by air carriers to the Bureau of Customs and Border Protection of the US Department of Homeland Security;

Having regard to the Agreement subsequently signed in Washington on May 28, 2004, whereby a) the CBP may electronically access the PNR data from air carriers´ reservation/departure control systems (hereinafter "reservation systems") located within the territory of the Member States of the European Community in accordance with the Decision and for so long as the Decision is applicable and until a satisfactory system is in place allowing for transmission of such data by air carriers; b) each air carrier operating passenger flights to and/or from the United States in foreign air transportation shall process PNR data contained in its automated reservation systems as required by CBP pursuant to U.S. law and in accordance with the Decision for so long as the Decision is applicable;

Whereas Member States are required to take the necessary measures to comply with the Commission´s Decision in pursuance of the said Article 25(6) of the directive;

Having regard to Sections 43, 44 and 45 of the Personal Data Protection Code, whereby the transfer of personal data to third countries may take place under any of the circumstances referred to in Section 43, or if it is authorised by the Garante pursuant to Section 44(1) and Section 45 on the basis of adequate safeguards for the data subject´s rights, which (a) may be found by the Garante also with regard to contractual safeguards, or (b) may be set out in decisions adopted by the EU Commission pursuant to Section 25(6) and Section 26(4) of Directive 95/46/EC; apart from the cases referred to in Sections 43 and 44, the transfer may take place (c) if the laws of the country of destination or transit of the data ensure an adequate level of protection of individuals within the meaning of Section 45 of the Personal Data Protection Code;

Whereas the assessment carried out by the European Commission has found that the criteria implemented by the CBP in processing PNR data pursuant to both U.S. law and the CBP´s Undertakings include the fundamental principles that are necessary to afford an adequate protection level of natural persons;

Whereas it is necessary to take the measures required to implement the Commission´s Decision, in accordance with the aforementioned Section 44(1), letter b);

Having regard to Articles 2 and 3 in the Commission´s Decision concerning controls and measures by data protection authorities of Member States on lawfulness and fairness of data transfers and data processing operations preceding said transfers, also in the light of the provisions made in Article 4 of Directive 95/46/EC on the national law applicable;

Whereas it is necessary to publicise the aforementioned Decision further by having it published in the Official Journal of the Italian Republic as an Annex to this authorisation;

Having regard to official records;

Having regard to the considerations made by the Secretary General on behalf of the Office in pursuance of Article 15 of the Garante´s Regulations no. 1/2000;

Acting on the report submitted by Mr. Giuseppe Chiaravalloti;

BASED ON THE ABOVE PREMISES:

  1. Subject to application of the additional measures set out in the Personal Data Protection Code, hereby authorise the transfer of the personal data contained in Passenger Name Records from the State´s territory to the U.S. Bureau of Customs and Border Protection of the Department of Homeland Security as performed by air carriers operating passenger flights to or from the United States, insofar as the said data have been collected and stored in the respective computer reservation systems, in accordance with the prerequisites and in pursuance of the requirements set out in the European Commission´s Decision no. 2004/535/EC of May 14, 2004 as well as in the Undertakings annexed thereto, as of the date referred to in Article 6 of the aforementioned Decision;
  2. Reserve the right to perform the necessary controls on lawfulness and fairness of data transfers and processing operations preceding the said transfers in pursuance of Community law, the Personal Data Protection Code, and Article 3 of the Commission´s Decision, and to issue provisions  blocking or  prohibiting the transfer, as the case may be;
  3. Order that this authorisation and the Commission´s Decision annexed hereto be sent to the Publishing Department of the Ministry of Justice for them to be published in the Official Journal of the Italian Republic.

Done in Rome, this 14th day of July 2004

THE CHAIRMAN
Pizzetti

THE RAPPORTEUR
Chiaravalloti

THE SECRETARY GENERAL
Buttarelli

ANNEX
Decision by the European Commission of May 14, 2004