Brussels, 14 March - During its March 2025 plenary meeting, the European Data Protection Board (EDPB) adopted a statement on the implementation of the Passenger Name Record Directive (PNR) in light of the Court of Justice of the EU (CJEU) judgment C-817/19*. 

In its second statement on the implementation of the PNR Directive, which follows the one of 15 December 2022, the Board gives further guidance to the Passenger Information  Units (PIUs)** on the necessary adaptions and limitations to the processing of PNR data, following the PNR judgment. PNR data is personal information provided by passengers, and collected and held by air carriers that includes the names of the passengers, travel dates, itineraries, seats, baggage, contact details and means of payment.

The statement includes practical recommendations for the national laws transposing the PNR Directive in order to give effect to the findings of the CJEU in the PNR judgment. The recommendations cover some of the key aspects of the PNR judgement such as how European countries should select the flights from which PNR data is collected, or how long PNR data should be retained. According to the Board, the retention period of all PNR data should not exceed an initial period of six months. After this period, European countries may only store PNR data as long as needed and proportionate to the objectives of the PNR Directive.

EDPB Chair Anu Talus said: “The EDPB recognises the importance of the PNR Directive in improving the security of passengers across Europe and in helping prevent, detect and prosecute terrorist offences and serious crime. The transfer of PNR data in Europe should take place in a harmonised way and in full respect of data protection principles.”

The Board is aware that some European countries have already started the adaptation process, but there is still a substantial lack of implementation efforts throughout the Member States. Therefore, in its statement, the EDPB outlines the urgent need to implement the necessary changes and to amend national laws by taking into account the PNR judgment as soon as possible.

Note to editors
* On 21 June 2022, on a referral from the Belgian Constitutional Court, the CJEU rendered its judgment C-817/19 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, under the PNR Directive 2016/681. While the Court found that the validity of the PNR Directive was not affected, it ruled that, in order to ensure compliance with the EU Charter of Fundamental Rights (the Charter), the PNR Directive needs to be interpreted as including important limitations to the processing of personal data. Some of these limitations are the application of the PNR system only to terrorist offences and serious crime, having an objective link with the carriage of passengers by air, and the non-indiscriminate application of the general retention period of five years to all passengers’ personal data.
** The PIUs are specific entities in European countries which are responsible for the collection, storage, and processing of PNR data.
 

The EDPS mandate has been synonymous with adaptability and resilience, with challenges and opportunities in a fast-paced digital landscape. 

• Supervision & Enforcement of data protection laws within EUIs
• Policy & Consultations to the EU Legislator
• Technology & Privacy benefits and risks for now and in the future
• Preparing ourselves for AI... and more.

Read EDPS Mandate Review on key actions to protect people’s privacy.

Brussels, 05 March - The European Data Protection Board (EDPB) has launched its Coordinated Enforcement Framework (CEF) action for 2025. Following a year-long coordinated action on the right of access in 2024, the CEF's focus this year will shift to the implementation of another data protection right, namely the right to erasure or the “right to be forgotten” (Art.17 GDPR).

The Board selected this topic during its October 2024 plenary as it is one of the most frequently exercised GDPR rights and one about which DPAs frequently receive complaints from individuals.
 

Next steps

During 2025, 30 Data Protection Authorities (DPAs) across Europe, as well as the European Data Protection Supervisor (EDPS), will take part in this initiative.

Participating DPAs will soon contact a number of controllers from different sectors across Europe, either by opening new formal investigations or doing fact-finding exercises. In the latter case, they might also decide to undertake additional follow-up actions if needed. 

DPAs will check how controllers handle and respond to the requests for erasure that they receive and, in particular, how they apply the conditions and exceptions for the exercise of this right. 

DPAs will also stay in close contact to share and discuss their findings throughout this year. The results of these national actions will be aggregated and analysed together to generate deeper insight into the topic, allowing for targeted follow-ups on both national and EU levels.
 

Background

The CEF is a key action of the EDPB under its 2024-2027 strategy, aimed at streamlining enforcement and cooperation among DPAs.
In the past three years, three previous CEF actions on different topics were carried out: 

1. the use of cloud-based services by the public sector,
2. the designation and position of Data Protection Officers, and
3. the implementation of the right of access by controllers.

For further information:

• AT DPA: Coordinated Enforcement Framework 2025 (CEF 2025) - EDSA
• BG DPA: Започва координирано действие по изследване на приложението на правото на изтриване (право „да бъдеш забравен“)
• CS DPA: Evropský sbor pro ochranu osobních údajů zahájil další společnou koordinovanou dozorovou akci
• DA DPA: EDPB igangsætter koordineret indsats om retten til sletning
• DE DPA (Baden-Wuerttemberg): Europaweite Aktion zum Recht auf Löschung
• DE DPA (Berlin):  PRESSEMITTEILUNG der Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder vom 5. März 2025
• DE DPA (Brandenburg): Brandenburgische Datenschutzaufsicht beteiligt sich an europaweiter Prüfung zum Recht auf Löschung mit Schwerpunkt Wohnungsunternehmen
• EDPS: EDPS participates in fourth Coordinated Enforcement Action: focus on the right to erasure of personal data
• EL DPA: Έναρξη συντονισμένης δράσης του ΕΣΠΔ 2025 σχετικά με το δικαίωμα διαγραφής
• ES DPA: La AEPD participa en una acción europea para analizar la aplicación del derecho de supresión
• FI DPA: Tietosuojavaltuutetun toimisto selvittää henkilötietojen poisto-oikeuden toteutumista osana EU:n laajuista toimenpidettä
• HR DPA: Započela nova koordinirana akcija EDPB-a: pravo na brisanje
• IE DPA: Launch of coordinated enforcement action on the right to erasure
• IT DPA: GDPR, il Garante italiano partecipa al CEF 2025 sul diritto alla cancellazione
• LI DPA: Europäische Initiative zum Recht auf Löschung
• LU DPA: Lancement d’un sondage sur le droit à l’effacement (French), Umfrage zum Recht auf Löschung (German), Launch of a survey on the right to erasure (English)
• MT DPA: Launch of Coordinated Enforcement Action on the Right to Erasure
• SI DPA: Informacijski pooblaščenec bo v letu 2025 nadzoroval upoštevanje pravice do izbrisa

The post Interprivacy webinar appeared first on Europrivacy Community.

The European Centre for Certification and Privacy is delighted to announce that the International Accreditation Forum (IAF) has formally reviewed and approved the Interprivacy (IP-CS.1) certification scheme as adequate for accredited certification worldwide. IAF is the international organisation of accreditation authorities. It brings together 90 accreditation bodies, 30 association members and the 6 regional accreditation […]

The post Interprivacy approved by the International Accreditation Forum (IAF) appeared first on Europrivacy Community.