EUROPEAN COMMISSION
Brussels, 12.11.2025
COM(2025) 676 final
2025/0343(NLE)
Proposal for a
COUNCIL DECISION
on the conclusion of the Agreement between the European Union and the Swiss Confederation on the transfer of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
EXPLANATORY MEMORANDUM
The present proposal concerns the conclusion of the Agreement with the Swiss Confederation on the transfer of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (‘the Agreement’).
1.CONTEXT OF THE PROPOSAL
•Reasons for and objectives of the proposal
Strengthening international cooperation on law enforcement, including on information sharing, is essential to address the threats posed by terrorism and serious transnational crimes. The latest Serious Organised Crime Threat Assessment (SOCTA) report published by Europol 1 illustrates the international dimension of the activities of most serious crime organisations. Additionally, its latest Terrorism Situation and Trend Report (TE-SAT) 2 stresses not only the direct links between transnational travel and the organization of terrorist activities and serious crime, but also the importance of effectively detecting, investigating and prosecuting other serious criminal offences for preventing and detecting terrorist offences.
Passenger name record (PNR) data is information provided by passengers and collected by and held in the air carriers’ reservation and departure control systems for their own commercial purposes. The content of PNR data varies depending on the information given during the booking and check-in process and may include, for example, dates of travel and the complete travel itinerary of the passenger or group of passengers travelling together, contact details like address and phone number, payment information, seat number and baggage information.
The collection and analysis of PNR data can provide the authorities with important elements allowing them to detect suspicious travel patterns and identify associates of criminals and terrorists, in particular those previously unknown to law enforcement authorities. Accordingly, the processing of PNR data has become a widely used law enforcement tool, in the EU and beyond, to detect terrorism and other forms of serious crime, such as drug-related offences, human trafficking and child sexual exploitation, and to prevent such crime from being committed. It has also proven to constitute an important source of information to support the investigation and prosecution of cases where such illegal activities have been committed 3 .
While crucial for combating terrorism and serious crime, the transfer of PNR data to third countries as well as the processing by their authorities constitutes an interference with the protection of individuals’ rights with regard to their personal data. For this reason, it requires a legal basis under EU law and must be necessary, proportionate and subject to strict limitations and effective safeguards, as guaranteed by the Charter of Fundamental Rights of the EU, notably in its Articles 6, 7, 8, 21, 47 and 52. The achievement of these important objectives requires striking a fair balance between the legitimate objective to maintain public security and the right of everyone to enjoy the protection of their personal data and private life.
In 2016, the European Parliament and the Council of the European Union adopted Directive (EU) 2016/681 on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (‘PNR Directive’) 4 . This Directive regulates the transfer and processing of PNR data in the European Union and lays down important safeguards for the protection of fundamental rights, in particular the rights to privacy and the protection of personal data. In June 2022, the Court of Justice of the EU (CJEU) confirmed the validity and compliance of this Directive with the Charter of Fundamental Rights of the EU and the Union Treaties, in its Judgment in case C-817/19 5 .
Switzerland and the Member States of the Union which are Contracting Parties to the Schengen Convention 6 have a shared responsibility to ensure internal security within a common area without internal border controls, including by exchanging relevant information. PNR data processing has demonstrated the potential to enhance the security of the Schengen area, by improving the prevention and detection of serious crime and terrorism at the external borders and by providing a risk-based data-driven approach for Member States to use within the Schengen area as a compensatory measure for the absence of internal border controls 7 .
Switzerland informed of its plans to start operating a PNR system once the relevant national legislation will have entered into force. By then, Switzerland, would be capable to collect and process PNR data on flights landing or departing from its airports.
Under Union law, the transfer of any personal data from the Union to a third country may take place only if that country ensures a level of protection of personal data that is essentially equivalent to that guaranteed to those personal data within the Union. It should be noted that pursuant to the Schengen Association Agreement between the EU and Swiss Confederation of 1999, Switzerland is bound by the Union acts which constitute a development of the provisions of the Schengen acquis. Therefore, Switzerland is supposed to apply Directive (EU) 2016/680 in a similar manner as EU Member States. At the same time, the PNR Directive does not constitute a development of the Schengen acquis, hence Switzerland does not participate in the implementation of this legal instrument.
In these circumstances, namely in the absence of appropriate safeguards in relation to the specific processing of PNR data, that are to be established by means of a valid legal basis as required by EU law, Switzerland may not lawfully receive and process PNR data on flights operated by air carriers between the Union and Switzerland.
In light of this, on 6 September 2023, the Commission adopted a Recommendation, proposing that the Council authorises the opening of negotiations of an agreement between the European Union and the Swiss Confederation on the transfer of Passenger Name Record (PNR) data for preventing, detecting, investigating and prosecuting terrorist offences and serious crime 8 . In parallel, it also recommended the opening of negotiations of such agreements with the Iceland 9 and Norway 10 . On 4 March 2024, the Council provided its authorisation to open negotiations and adopted negotiating directives 11 .
The purpose of this Agreement is to bridge this security gap existing in the Schengen area and enable the transfer of PNR data from the Union to Switzerland in recognition of the necessity to use PNR data as an essential tool in the fight against terrorism and other forms of serious crime.
Negotiations with Swiss Confederation, as well as with Iceland and Norway, began on 21 March 2024. Following the finalization of negotiations and subsequent proposals by the Commission on 12 June 2025 12 , the Council has already authorised the signing and conclusion of two PNR Agreements with Norway and Iceland on 22 September 2025. Negotiations between the EU and the Swiss confederation were concluded on 7 October 2025 with the initialling of the draft agreement text between lead negotiators.
The co-legislators have been informed throughout the negotiations process and consulted at all stages of the negotiations, notably by reporting to the Council’s Working Party on Justice and Home Affairs Information Exchange (IXIM) and the European Parliament’s Committee for Civil Liberties, Justice and Home Affairs (LIBE).
•Consistency with existing policy provisions in the policy area
The Commission first set out the broad lines of the EU's external PNR policy in a 2003 Communication 13 on the EU approach towards transfers of PNR data from the EU to third countries, which were reviewed in a Communication adopted in 2010 14 . There are currently three international agreements in force between the EU and third countries namely Australia 15 , the United States 16 (2012) and the United Kingdom 17 (2020) which cover the transfer and processing of PNR data from the EU. After negotiations which followed up on Opinion 1/15 of the CJEU of 26 July 2017, 18 a new PNR Agreement with Canada was signed on 4 October 2024 19 .
At international level, an increasing number of third countries have started developing their capabilities to collect PNR data from air carriers. This trend is further prompted by Resolutions adopted by United Nations Security Council (in 2017 and 2019), requiring all States to develop the capability to collect and use PNR data 20 , based on which Standards and Recommended Practices on PNR (SARPs) were adopted by the International Civil Aviation Organization (ICAO) in 2020, by means of Amendment 28 to Annex 9 to the Chicago Convention which became applicable in February 2021 21 .
The Union position, as established by Council Decision (EU) 2021/121, welcomes the ICAO SARPs on PNR as laying down ambitious safeguards on data protection and therewith allowing significant progress to be made at international level. At the same time, this Council Decision considered, by means of requiring Member States to register a difference, that the requirements resulting from Union law (including relevant case-law), are more exacting than certain ICAO Standards, and that transfers from the EU to third countries require a legal basis establishing clear and precise rules and safeguards in relation to the use of PNR data by competent authorities of a third country 22 .
In this context, the negotiation and conclusion of this Agreement constitutes part of a broader effort of the Commission to pursue a consistent and effective approach regarding the transfer of PNR data to third countries, as announced in the Security Union Strategy 2020-2025 23 , building on the ICAO SARPs on PNR, and in line with the Union law and case-law. Such an approach was also requested by the Council with its Conclusions of June 2021 24 .
Herewith, the Commission also seeks to respond to calls from air carriers to ensure more legal clarity and foreseeability on PNR transfers to third countries 25 .
2.LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY
•Legal basis
In accordance to Article 218(6) of the Treaty on the Functioning of the European Union (TFEU), where the agreement relates to matters outside of the common foreign and security policy (CFSP), the Commission shall submit a proposal to the Council. The Council shall adopt a decision concluding the agreement.
Pursuant to Article 218(6) TFEU, where the agreement does not relate exclusively to the CFSP, the Council can only take the decision concluding the agreement either after obtaining the consent of the European Parliament (Article 218(6)(a) TFEU), or after consulting it (Article 218(6)(b) TFEU).
Given that Articles 16(2) and Article 87(2)(a) TFEU are the substantive legal bases, the Council is to adopt the decision concluding the agreement after obtaining the consent of the European Parliament.
Therefore, the procedural legal basis for the proposed decision on concluding the agreement is Article 218(6), second subparagraph, point (a) TFEU.
The proposal has two main aims and components, one relating to the necessity of ensuring public security by means of the transfer of PNR data to Switzerland and the other to the protection of privacy and other fundamental rights and freedoms of individuals. Thus, the substantive legal basis is Article 16(2) and Article 87(2)(a) of the Treaty on the Functioning of the European Union.
•Proportionality
The Union’s objectives with regard to this proposal as set out above can only be achieved by establishing a valid legal basis at Union level to ensure that appropriate protection of fundamental rights is granted to personal data transfers from the Union. The provisions of the agreement are limited to what is necessary to achieve its main objectives and strike a fair balance between the legitimate objective to maintain public security and the right of everyone to enjoy the protection of their personal data and private life.
•Choice of the instrument
This proposal for a Council decision is submitted in accordance with paragraph 6 of Article 218 TFEU, which envisages the adoption by the Council of a decision concluding the agreement. There exists no other legal instrument that could be used in order to achieve the objective expressed in this proposal.
The appropriate safeguards required for the specific processing of PNR data received by Switzerland from air carriers on flights operated by air carriers between the Union and Switzerland must be established by means of a valid legal basis under EU law. The present Agreement constitutes such legal basis enabling PNR data transfers.
• Fundamental rights
The exchange of PNR data and its processing by the authorities of a third country constitutes an interference with the fundamental rights to privacy and data protection. However, such interference is justified, also because the Agreement pursues legitimate objectives i.e. to prevent, detect, investigate and prosecute serious crime and terrorism. The Agreement includes appropriate data protection safeguards to the personal data transferred and processed, in line with EU law, notably Articles 7, 8, 47 and 52 of the Charter of Fundamental Rights of the EU.
3.BUDGETARY IMPLICATIONS
There are no budgetary implications for the Union budget.
4.OTHER ELEMENTS
•Detailed explanation of the specific provisions of the proposal
The Agreement, in full alignment with the the Charter of Fundamental Rights of the EU, the relevant caselaw of the Court of Justice of the EU and the negotiating directives, provides a legal basis, conditions and safeguards for the transfer to and processing by Switzerland of PNR data received from air carriers from the Union:
Article 1 sets out the scope and objectives the Agreement.
Article 2 includes key definitions of the Agreement, inter alia of the ‘Passenger Information Unit’ (PIU) of Switzerland as the designated competent authority responsible for processing PNR data and of the terms ‘serious crime’ and ‘terrorism’, in line with how these concepts have been defined in other relevant EU law instruments;
Article 3 regulates method and frequency of PNR data transfers by airlines to the Swiss PIU with a view to ensuring that PNR data transfers are kept to the minimum necessary and are proportionate to the purpose specified in the Agreement.
Article 4 provides for a common technical solution by including the possibility for Switzerland to make use of the API-PNR router set up according to Regulation (EU) 2025/13 26 and as envisaged by Article 10(c) of that Regulation.
Article 5 sets out the purpose limitation – i.e. prevention, detection, investigation and prosecution of terrorist offences and serious crime – in an exhaustive manner to all PNR processing covered by the Agreement.
Article 6 sets out the three specific modalities for the processing of PNR data received under the Agreement by the Swiss PIU.
Article 7 provides additional safeguards for carrying out ‘real-time assessment’ and limits automated processing of PNR data.
Article 8 provides for a prohibition to process special categories of PNR data in line with how this concept has been defined in the EU data protection acquis.
Article 9 provides for a high level of security of PNR data received under the Agreement and ensures notifications of data security breaches to the designated Swiss data protection supervisory authority.
Article 10 provides for the keeping of logs and documentation of all PNR processing.
Article 11 includes rules for restricted storage of PNR data with a view to ensuring that such data are not stored longer than what is necessary for and proportionate to the objective pursued by this Agreement. In line with the relevant caselaw of the Court of Justice of the European Union, this provision requires an objective connection between the PNR data to be retained and the objectives of the agreement, and make storage periods subject to regular reviews by the Swiss PIU.
Article 12 requires the Swiss PIU to depersonalise PNR data at the latest after 6 months.
Article 13 includes rules and conditions for the disclosure of PNR data within Switzerland, e.g. by limiting such disclosures to authorities with functions related to the purposes of the Agreement and by requiring prior approval by a judicial authority or another independent body for such disclosures.
Article 14 includes rules and conditions for the disclosure of PNR data outside Switzerland and the EU, e.g. by limiting such disclosures to third countries with which the EU has concluded a comparable agreement or for which the EU has adopted a relevant adequacy decision and by requiring prior approval by a judicial authority or another independent body for such disclosures.
Article 15 fosters police and judicial cooperation through the exchange of PNR data or the results of processing of PNR data between the Swiss PIU and the PIUs of Member States of the Union, as well as between the Swiss PIU, on the one hand, and Europol or Eurojust within their respective competences, on the other hand.
Article 16 requires Switzerland to apply the same rights and obligations as Directive (EU) 2016/680 to the processing of personal data under this Agreement and that such processing shall be overseen by an independent authority established in accordance with the implementation by Switzerland of this Directive.
Article 17 includes transparency and information obligations, including a requirement to notify individuals of the disclosure of their PNR data.
Article 18 provides for an obligation for Switzerland to notify the identity of the Swiss PIU and of the national supervisory authority.
Article 19 provides for the entry into force of the Agreement.
Article 20 provides for dispute settlement and suspension mechanisms.
Article 21 provides for the possibility for either Party to terminate the Agreement at any time.
Article 22 provides for the rules for amendments of the Agreement.
Article 23 provides the joint evaluation of the implementation of the Agreement.
Article 24 contains a clause regarding the territorial application of the Agreement.
The Joint Declaration attached to the Agreement aims to clarify the framework in the context of which PNR data transfers take place between the Union and Switzerland and to express the Parties desire to enhance their cooperation on matters related to PNR policy.
•Text of the Agreement and notifications
The text of the Agreement is submitted to the Council together with this proposal. The text of the Joint Declaration is submitted together with this proposal.
In accordance with the Treaties, it is for the Commission to proceed, on behalf of the Union, to make the notification provided for in Article 19(2) of the Agreement, in order to express the consent of the Union to be bound by the Agreement.
2025/0343 (NLE)
Proposal for a
COUNCIL DECISION
on the conclusion of the Agreement between the European Union and the Swiss Confederation on the transfer of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Articles 16(2), and Article 87(2), point (a) in conjunction with Article 218(6), second subparagraph, point (a),
Having regard to the proposal from the European Commission,
Having regard to the consent of the European Parliament,
Whereas:
(1)In accordance with Council Decision [XXX] of […] 27 , the Agreement between the European Union and the Swiss Confederation on the transfer of Passenger Name Record (PNR) data to prevent, detect, investigate and prosecute terrorist offences and serious crime (the ‘Agreement’) was signed on […], subject to its conclusion at a later date.
(2)The Agreement enables the transfer of PNR data by air carriers from the Union to Swiss Confederation in full respect of the rights provided in the Charter of Fundamental Rights of the Union, in particular the right to private and family life recognised in Article 7 of the Charter, the right to the protection of personal data recognised in Article 8 of the Charter. In particular, the Agreement includes appropriate safeguards for the protection of personal data transferred under the Agreement.
(3)The Agreement fosters police and judicial cooperation between the competent authorities of Swiss Confederation and those of the Member States of the Union as well as Europol and Eurojust, with the aim to effectively ensure internal security in the absence of internal border controls within the Schengen area.
(4)[In accordance with Articles 1 and 2 of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, and without prejudice to Article 4 of that Protocol, Ireland is not taking part in the adoption of this Decision and is not bound by it or subject to its application.] OR [In accordance with Article 3 of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Ireland has notified [, by letter of …,] its wish to take part in the adoption and application of this Decision.].
(5)In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark is not taking part in the adoption of this Decision and is not bound by it or subject to its application.
(6)The European Data Protection Supervisor was consulted in accordance with Article 42 of Regulation (EU) 2018/1725 and delivered its Opinion [xxx] on [xx.xx.xxxx].
(7)The Agreement and the Joint Declaration attached to it should be approved,
HAS ADOPTED THIS DECISION:
Article 1
The Agreement between the European Union and the Swiss Confederation on the transfer of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime and the Joint Declaration attached to it are hereby approved 28 .
Article 2
This Decision shall enter into force on the date of its adoption. 29
Done at Brussels,
For the Council
The President
EUROPEAN COMMISSION
Brussels, 12.11.2025
COM(2025) 676 final
ANNEX
to the
Proposal for a Council Decision
on the conclusion of the Agreement between the European Union and the Swiss Confederation on the transfer of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
ANNEX
AGREEMENT BETWEEN THE EUROPEAN UNION AND SWISS CONFEDERATION ON THE TRANSFER OF PASSENGER NAME RECORD (PNR) DATA FOR THE PREVENTION, DETECTION, INVESTIGATION AND PROSECUTION OF TERRORIST OFFENCES AND SERIOUS CRIME
THE EUROPEAN UNION, hereinafter also referred to as the "Union" or “EU",
and
Swiss Confederation, hereinafter also referred to as “Switzerland”,
hereinafter jointly referred to as "the Parties",
RECOGNIZING that preventing, detecting, investigating, and prosecuting terrorist offences as well as other serious crime, while preserving human rights and fundamental freedoms, in particular rights to privacy and data protection, are objectives of general interest;
RECOGNIZING that information sharing is an essential component of the fight against terrorist offences and other serious crime, and that in this context, the use of Passenger Name Record (PNR) data is a critically important instrument to pursue these goals;
RECOGNIZING the importance of sharing PNR data and relevant and appropriate analytical information based on PNR data under this Agreement between the Parties with competent police and judicial authorities of Switzerland, Member States of the European union, Europol and Eurojust as a means to foster international police and judicial cooperation;
SEEKING to enhance and encourage the cooperation between the Parties on PNR through exchange of information, technical cooperation by national experts from the Member States and Schengen Associated Countries’ Passenger Information Units (PIUs), in particular on the development of pre-determined criteria and on other aspects of the processing of PNR;
HAVING REGARD to the United Nations Security Council Resolutions 2396 (2017) and 2482 (2019) which call upon all States to develop the capability to collect and process PNR data and to the International Civil Aviation Organisation Standards and Recommended Practices for the collection, use, processing and protection of PNR data adopted as Amendment 28 to Annex 9 of the Convention on International Civil Aviation (the Chicago Convention);
RECALLING that the Parties have a shared responsibility to ensure internal security within the Schengen area, including by exchanging relevant information, and that this Agreement provides the Parties’ competent authorities with an effective tool to achieve such goal in the absence of internal border control;
RECOGNISING that this Agreement is not intended to apply to advance passenger information that is collected and transmitted by air carriers to Switzerland for the purpose of border control.
MINDFUL of the European Union's commitments pursuant to Article 6 of the Treaty on European Union on respect for fundamental rights, the right to privacy with regard to the processing of personal data as stipulated in Article 16 of the Treaty on the Functioning of the European Union, the principles of proportionality and necessity concerning the right to private and family life, the respect for privacy, and the protection of personal data under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union in line with the relevant caselaw of the Court of Justice of the European Union, Article 8 of the European Convention on the Protection of Human Rights and Fundamental Freedoms, Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data and its additional Protocol 181;
RECOGNISING that under Swiss law the transfer of PNR data by air carriers to Switzerland is mandatory.
RECOGNISING that Directive (EU) 2016/681 of the European Parliament and the Council on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime is the basis for the transfers by air carriers of PNR data to the competent authorities of the Member States. Together with Regulation 2016/679 and Directive 2016/680, it ensures a high level of protection of fundamental rights, in particular the rights to privacy and the protection of personal data.
RECOGNISING that Switzerland, in accordance with its 2008 Agreement with the Council of the European Union concerning its association with the implementation, application and development of the Schengen acquis 1 , has accepted, implemented and applies the Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, given that that Directive constitutes a development of the Schengen acquis. Furthermore, and considering that the application by Switzerland of Directive (EU) 2016/680 applies to the processing of personal data under legal instruments forming part of the Schengen acquis, it should be clarified that Switzerland’s application of the Directive also includes the processing of personal data by competent authorities under this Agreement.
RECALLING the right to free movement of persons between the European Union and Switzerland, as provided for in the Agreement between the European Community and its Member States, of the one part, and the Swiss Confederation, of the other, on the free movement of persons, and that any national system requiring the transfer by air carriers and processing by the competent authorities of PNR data is liable to interfere with the exercise of freedom of movement for persons, and that, therefore, any interference to the exercise of such freedom is justified only where it is based on objective considerations and is proportionate to the legitimate objective pursued.
HAVE AGREED AS FOLLOWS:
CHAPTER I
GENERAL PROVISIONS
ARTICLE 1
Objective and scope
(1)The objective of this Agreement is to enable the transfer of Passenger Name Record (PNR) data by air carriers from the Union to Switzerland and to lay down rules and conditions subject to which those PNR data may be processed by Switzerland.
(2)The objective of this Agreement is also to enhance police and judicial cooperation in criminal matters between the Union and Switzerland in respect of PNR data.
(3)The scope of this Agreement covers air carriers operating passenger flights between the Union and Switzerland as well as air carriers incorporated, or storing data, in the Union and operating flights to or from Switzerland.
ARTICLE 2
Definitions
For the purposes of this Agreement, the following definitions apply:
(1)"air carrier" means an air transport undertaking with a valid operating licence or equivalent permitting it to carry out carriage of passengers by air between Union and Switzerland;
(2)"competent authorities" means the public authorities that under Swiss national law are responsible for the prevention, detection, investigation or prosecution of terrorist offences or serious crime;
(3)"passenger" means any person, including persons in transfer or transit and excluding members of the crew, carried or to be carried in an aircraft with the consent of the air carrier, such consent being manifested by that person's registration in the passengers list;
(4)"Passenger Information Unit of Switzerland" or "Swiss PIU" means the authority established or designated as responsible for receiving and processing PNR data by Switzerland in accordance with Article 6 of this Agreement.
(5)"passenger name record" or "PNR" means a record of each passenger's travel requirements which contains information necessary to enable reservations to be processed and controlled by the booking and participating air carriers for each journey booked by or on behalf of any person, whether it is contained in reservation systems, departure control systems used to check passengers onto flights, or equivalent systems providing the same functionalities; specifically, as used in this Agreement, PNR data consists of the elements exhaustively listed in Annex I;
(6)"serious crime" means the offences punishable by a maximum custodial sentence or detention order of at least three years under the national law of Switzerland which have an objective link, even if only an indirect one, with the carriage of passengers by air;
(7)"terrorist offences" means:
(a)(a) an act or omission that is committed for a political, religious or ideological purpose, objective or cause with the intention of intimidating the public with regard to its security, including its economic security, or with the intention of compelling a person, government or domestic or international organization to do or refrain from doing any act, and that intentionally: (i) causes death or serious bodily harm; (ii) endangers an individual's life; (iii) causes a serious risk to the health or safety of the public; (iv) causes substantial property damage likely to result in the harm referred to in (i) to (iii); or (v) causes serious interference with or serious disruption of an essential service, facility or system, other than as a result of lawful or unlawful advocacy, protest, dissent or stoppage of work, such as a strike, that is not intended to result in the harm referred to in (i) to (iii); or
(b)activities constituting an offence within the scope and as defined in applicable international conventions and protocols relating to terrorism; or
(c)knowingly participating in or contributing to or instructing a person, a group, or an organization to carry out any activity for the purpose of enhancing a terrorist entity's ability to facilitate or carry out an act or omission described in (a) or (b); or
(d)committing an indictable offence where the act or omission constituting the offence is committed for the benefit of, at the direction of, or in association with a terrorist entity; or
(e)collecting property or inviting a person, a group, or an organization to provide, providing or making available property or financial or other related services for the purpose of carrying out an act or omission described in (a) or (b) or using or possessing property for the purpose of carrying out an act or omission described in (a) or (b); or
(f)attempting or threatening to commit an act or omission described in (a) or (b), conspiring, facilitating, instructing or counselling in relation to an act or omission described in (a) or (b), or being an accessory after the fact, or harbouring or concealing for the purpose of enabling a terrorist entity to facilitate or carry out an act or omission described in (a) or (b); or
(g)travelling to or from Switzerland or a Member State of the Union for the purpose of committing, or contributing to the commission of a terrorist offence in the sense of letters a) or b), or for the purpose of participating in the activities of a terrorist entity in the sense of paragraph 8) with knowledge of the fact that such participation will contribute to the criminal activities of the terrorist entity.
(8)"terrorist entity" means: (i) a person, a group, or an organization that has as one of its purposes or activities facilitating or carrying out an act or omission described in paragraph 7 point (a) or (b); or (ii) a person, a group, or an organization that knowingly acts on behalf of, at the direction of or in association with such a person, group or organization in (i).
CHAPTER II
TRANSFER OF PNR DATA
ARTICLE 3
Method and frequency of transfer
(1)Switzerland shall ensure that air carriers transfer PNR data to the Swiss PIU exclusively by transmitting the required PNR data into the database of the requesting authority (‘push method’), and in accordance with the following procedures to be observed by air carriers:
(a)by electronic means in compliance with the technical requirements of the Swiss PIU or, in the case of a technical failure, by any other appropriate means ensuring an appropriate level of data security;
(b)by using a mutually accepted messaging format, and in a secure manner using common protocols as required by the Swiss PIU;
(c)either directly or through authorised agents, who act on behalf of and under the responsibility of an air carrier, for the purpose of and under the conditions laid down in this Agreement.
(2)Switzerland shall not require air carriers to provide elements of PNR data which are not already held, or collected by air carriers for their reservation purposes or in the normal course of their business.
(3)Switzerland shall ensure that the Swiss PIU deletes any data element transferred to it by an air carrier pursuant to this Agreement upon receipt of the PNR data, if that data element is not listed in Annex I.
(4)Switzerland shall ensure that the Swiss PIU requires air carriers to transfer PNR data:
(a)on a scheduled basis with the earliest point in time being up to 48 hours before the scheduled departure; and
(b)a maximum of five times, for a particular flight.
(5)Switzerland shall permit air carriers to limit the transfer referred to in point (b) of paragraph 4 to updates of the PNR data transferred as referred to in point (a) of that paragraph.
(6)Switzerland shall ensure that the Swiss PIU informs air carriers of the specified times for the transfers.
(7)In specific cases where there is an indication that additional access is necessary to respond to a specific threat related to the purposes set out in Article 5, the Swiss PIU may require an air carrier to provide PNR data prior to, between or after the scheduled transfers. In exercising this discretion, Switzerland shall act judiciously and proportionately and shall require the use of the method of transfer described in paragraph 1.
ARTICLE 4
API-PNR router
(1)The Parties may decide that Switzerland may require air carriers to transfer PNR data to the Swiss PIU by means of the API-PNR router set up according to Regulation (EU) 2025/13 2 . In such case, Switzerland shall:
(a)not require air carriers to transfer PNR data by any other means;
(b)be bound by the rules on the functioning and the conditions for the use of such router as established by that Regulation, by way of derogation from Articles 3(1), (4) and (6).
(2)Switzerland shall notify the Union of its request to use the router pursuant to paragraph 1. Such request shall be accepted by the Union in writing through diplomatic channels.
(3)The Union shall notify Switzerland in writing through diplomatic channels of any amendment of Regulation (EU) 2025/13 which affects the rules on the functioning and the conditions for the use of the API-PNR router. Within 120 days from the receipt of such notification, Switzerland may notify the Union of its intention to discontinue the use of the router in writing through diplomatic channels. In this case, the Parties shall enter into consultations as provided for in paragraph 1 of Article 23 and Article 3(1), (4) and (6) shall resume to apply.
CHAPTER III
PNR PROCESSING AND PROTECTION
ARTICLE 5
Purposes of PNR processing
Switzerland shall ensure that PNR data received pursuant to this Agreement is processed strictly for the purpose of preventing, detecting, investigating and prosecuting terrorist offences or serious crime.
ARTICLE 6
Modalities of PNR processing
(1)The Swiss PIU may process PNR data exclusively by means of the following specific modalities of processing:
(a)carrying out an assessment of passengers prior to their scheduled arrival in or departure from Switzerland to identify persons who require further examination by the competent authorities, in view of the fact that such persons may be involved in a terrorist offence or serious crime in accordance with Article 7 (‘real-time’ assessment);
(b)carrying out a search into the database of retained PNR data with a view to respond, on a case-by-case basis, to a duly reasoned request submitted pursuant to Articles 13 and 14, and where appropriate disclose any relevant PNR data or results of their processing;
(c)analysing PNR data for the purpose of updating, testing or creating new criteria to be used in the assessments carried out under point (b) of paragraph 1 of Article 7, in order to identify any persons who may be involved in a terrorist offence or serious crime.
ARTICLE 7
Real-time assessment
(1)When carrying out an assessment referred to in point (a) of Article 6, the Swiss PIU may:
(a)compare PNR data only against databases on persons or objects sought or under alert, in accordance with Union, international and national rules applicable to such databases; and
(b)process PNR data against pre-determined criteria.
(2)Switzerland shall ensure that the databases referred to in paragraph 1(a) are non-discriminatory, reliable, up to date and limited to those used by the competent authorities of Switzerland in relation to and relevant for the purposes set out in Article 5.
(3)Switzerland shall ensure that any assessment of PNR data as referred to in paragraph 1(b) is based on non-discriminatory, specific and reliable pre-established models and criteria to enable the Swiss PIU to arrive at results targeting individuals who might be under a reasonable suspicion of involvement or participation in terrorist offences or serious crime. Switzerland shall ensure that those criteria are in no circumstances based on a person’s race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation.
(4)Switzerland shall ensure that any positive match resulting from the real-time processing of PNR data is individually reviewed by the Swiss PIU by non-automated means.
ARTICLE 8
Special categories of data
(1)Any processing of PNR data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, of data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited under this Agreement.
(2)To the extent that the PNR data received under this Agreement by the Swiss PIU includes such special categories of personal data, the Swiss PIU shall delete such data immediately.
ARTICLE 9
Data security and integrity
(1)Switzerland shall ensure that PNR data received under this Agreement are processed in a manner that ensures a high level of data security appropriate for the risks represented by the processing and the nature of PNR data received under this Agreement. In particular, the Swiss PIU shall:
(a)implement appropriate technical and organisational measures and procedures to ensure such level of security;
(b)apply encryption, authorization, and documentation procedures to the PNR data;
(c)limit access to PNR data to authorized staff; and
(d)store PNR data in a secure physical environment that is protected with access controls.
(2)Switzerland shall ensure that any breach of data security, in particular leading to accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, or any unlawful forms of processing is subject to effective and dissuasive corrective measures.
(3)Switzerland shall report any breach of data security to the national supervisory authority established pursuant to Article 41 of Directive (EU) 2016/680.
ARTICLE 10
Logging and documenting of PNR data processing
(1)Swiss PIU shall log and document all processing of PNR data. Switzerland shall only use a log or document to:
(a)self-monitor and to verify the lawfulness of data processing;
(b)ensure proper data integrity or system functionality;
(c)ensure the security of data processing; and
(d)ensure oversight and accountability of the public administration.
(2)Logs or documentation kept under paragraph 1 shall be communicated upon request to the national supervisory authority which shall use this information only for the oversight of data protection and for ensuring proper data processing as well as data integrity and security.
CHAPTER IV
STORAGE AND DISCLOSURE OF PNR DATA
ARTICLE 11
Storage periods
(1)Switzerland shall ensure that PNR data received under this Agreement are stored:
(a)only as long as there is an objective connection, even an indirect one, between the PNR data stored and at least one of the purposes set out in Article 5; and
(b)in any case for periods not exceeding 5 years.
(2)Pursuant to paragraph 1, Swiss PIU may only store PNR data of all air passengers for an initial period of time that is to be provided in its national law. The length of such initial period of time shall not go beyond what is strictly needed to allow the PIU to carry out the searches referred to in Article 6(1)(b) for the purposes of identifying persons who have not already been suspected of involvement in terrorist offences or serious crime on the basis of the real-time assessment pursuant to Article 6(1)(a).
(3)After the initial period of time referred to in paragraph 2, the Swiss PIU may only store PNR data of passengers for whom there is objective evidence capable of establishing a risk that relates to terrorist offences or serious crime.
(4)Switzerland shall ensure that the Swiss PIU reviews the need for continued storage of PNR data pursuant to paragraphs 2 and 3 of this Article, on a regular basis.
(5)At the expiry of the appropriate storage period, Switzerland shall ensure that PNR data is irrevocably deleted or rendered anonymous in such a manner that the data subjects concerned are no longer identifiable.
(6)Notwithstanding paragraph 1(b), Switzerland may allow the storage of PNR data required for review, investigation, enforcement action, judicial proceeding, prosecution, or enforcement of penalties, until the relevant process is concluded.
ARTICLE 12
Depersonalisation
(1)The Swiss PIU shall depersonalise PNR data at the latest six months after PNR data are received. It shall do so through masking out the following data elements which could serve to identify directly the passenger to whom the PNR data relate:
(a)name(s), including the names of other passengers on the PNR and number of travelers on the PNR travelling together;
(b)address and contact information;
(c)all forms of payment information, including billing address, to the extent that it contains any information which could serve to identify directly the passenger to whom the PNR data relate or any other persons;
(d)frequent flyer information;
(e)general remarks to the extent that they contain any information which could serve to identify directly the passenger to whom the PNR data relate; and
(f)any API data that have been collected.
(2)The Swiss PIU may disclose the data elements referred to in paragraph 1 only for the purposes of Article 5 and under the conditions of Articles 13 or 14.
ARTICLE 13
Disclosure within Switzerland
(1)When responding to a duly reasoned request sent by a competent authority in accordance with Article 6(b), the Swiss PIU shall disclose, on a case-by-case basis, PNR data or the results of their processing, only where:
(a)such disclosure is necessary to achieve one of the purposes set out in Article 5;
(b)the minimum amount of PNR data necessary is disclosed;
(c)the receiving competent authority affords protection equivalent to the safeguards described in this Agreement;
(d)the disclosure is approved by either a judicial authority or another independent body competent under national law to verify whether the conditions for disclosure are met.
(2)By way of derogation from point (d) of paragraph 1, the Swiss PIU may disclose PNR data in cases of duly justified urgency without prior review or approval. In such cases, the review referred to in point (b) of paragraph 1 must take place within a short time.
(3)Switzerland shall ensure that the receiving competent authority does not disclose PNR data to another authority unless the disclosure is explicitly authorized by the Swiss PIU.
ARTICLE 14
Disclosure outside Switzerland and the EU
(1)When responding to a duly reasoned request sent by a competent authority of countries other than the Member States of the European Union in accordance with Article 6(b), the Swiss PIU shall disclose, on a case-by-case basis, PNR data or the results of their processing, only where:
(a)such disclosure is necessary to achieve one of the purposes set out in Article 5;
(b)the minimum amount of PNR data necessary is disclosed;
(c)the country to whose authority the PNR data is to be disclosed has either concluded an Agreement with the Union that provides for protection of personal data comparable to this Agreement or is subject to a decision of the European Commission pursuant to European Union law, finding that said country ensures an adequate level of data protection within the meaning of European Union law;
(d)the disclosure is approved by either a judicial authority or another independent body competent under national law to verify whether the conditions for disclosure are met.
(2)By way of derogation from paragraph 1(c), the Swiss PIU may disclose PNR data to another country if it considers that the disclosure is necessary for the prevention or investigation of a serious and imminent threat to public security and if that country provides a written assurance, pursuant to an arrangement, agreement or otherwise, that the information will be protected in line with the safeguards set out in this Agreement.
(3)By way of derogation from paragraph 1(d), the Swiss PIU may disclose PNR data in cases of duly justified urgency without prior review and approval. In such cases, the review referred to in paragraph 1 must take place within a short time.
ARTICLE 15
Exchange of PNR-related information
(1)The Swiss PIU shall share with Europol or Eurojust, within the scope of their respective mandates, or with the PIUs of the Member States PNR data, the results of processing those data, or analytical information based on PNR data as soon as possible and in specific cases where necessary to prevent, detect, investigate, or prosecute terrorism or serious crime. The Swiss PIU shall share such information either on its own initiative or at the request of Europol or Eurojust, within the scope of their respective mandates or of the PIUs of the Member States.
(2)The PIUs of Member States shall share with the Swiss PIU PNR data, the results of processing those data, or analytical information based on PNR data, as soon as possible and in specific cases where necessary to prevent, detect, investigate, or prosecute terrorism or serious crime. The PIUs of Member States shall share such information on their own initiative or at the request of the Swiss PIU.
(3)The Parties shall ensure that the information referred to in paragraphs 1 and 2 is shared in accordance with applicable rules on law enforcement cooperation or information sharing between Switzerland and Europol, Eurojust or the relevant Member State. In particular, the exchange of information with Europol under this Article shall take place through a secure communication channel established for the exchange of information.
CHAPTER V
DATA PROTECTION
ARTICLE 16
Rights and obligations under Directive (EU) 2016/680
(1)Switzerland shall ensure that, in respect of processing of personal data by competent authorities for the purposes of this Agreement, it applies the same rights and obligations as Directive (EU) 2016/680, including any amendments thereof that have been accepted and implemented by Switzerland in accordance with the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis.
(2)Processing of personal data by the Swiss PIU shall be overseen by an independent supervisory authority established in accordance with the implementation and application by Switzerland of Directive (EU) 2016/680, including any amendments thereof that have been accepted and implemented by Switzerland in accordance with the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis.
(3)This Article is without prejudice to the application of any more specific provisions in this Agreement relating to the processing of PNR data.
ARTICLE 17
Transparency and information
(1)Switzerland shall ensure that the Swiss PIU makes the following information available on its website:
(a)a list of the legislation authorizing the transfer of PNR data by air carriers;
(b)the reason for the collection and storage of PNR data;
(c)the manner of processing and protecting the PNR data;
(d)the manner and extent to which the PNR data may be disclosed to other competent authorities; and
(e)contact information for inquiries.
(2)Switzerland shall work with interested third parties, such as the aviation and air travel industry, to promote transparency at the time of booking regarding the reasons for the collection and processing of PNR data, and regarding how to request access, rectification and redress.
(3)If PNR data retained in accordance with Article 11 has been disclosed in accordance with Article 13 or Article 14, Switzerland shall inform, taking into account reasonable efforts, the passengers concerned by means of the modalities set out pursuant to Article 13(2)(d) of Directive 2016/680 and within a reasonable time once such notification is no longer liable to jeopardise the investigations by the public authorities concerned to the extent the relevant contact information of the passengers is available or can be retrieved.
CHAPTER VI
FINAL PROVISIONS
ARTICLE 18
Notifications
(1)Switzerland shall notify the Union through diplomatic channels of the identity of the following authorities:
(a)The Swiss PIU referred to in Article 2(4);
(b)The national supervisory authority referred to in Article 9(3).
(2)Switzerland shall notify without delay any changes on the identity of the authorities referred to in paragraph 1.
(3)The Union shall make this information available to the public.
ARTICLE 19
Entry into force
(1)This Agreement shall be approved by the Parties in accordance with their own procedures.
(2)2. This Agreement shall enter into force on the first day of the following month from the date of the receipt of the written notification by which Switzerland has notified about the identity of the authorities referred to in paragraph 1 of Article 18 or the written notifications by which the Parties have notified each other through diplomatic channels that the procedures referred to in paragraph 1 have been completed, whichever is the latest.
ARTICLE 20
Dispute resolution and suspension
(1)The Parties shall resolve any dispute regarding the interpretation, application or implementation of this Agreement through consultations with a view to reaching a mutually acceptable resolution, including providing an opportunity for either Party to comply within a reasonable time.
(2)Either Party may suspend in whole or in part the application of this Agreement by notification in writing to the other Party through diplomatic channels. Such written notification shall not be made until after the Parties have engaged in a reasonable period of consultation. The suspension shall come into effect 2 months from the date of such notification, unless the Parties jointly decide otherwise.
(3)The Party that has suspended the application of this Agreement shall immediately inform the other Party of the date that the application of this Agreement will resume, once it considers that the reasons for the suspension no longer apply. The suspending Party shall notify the other Party in writing.
(4)Switzerland shall continue to apply the terms of this Agreement to all PNR data received before any suspension of this Agreement.
ARTICLE 21
Termination
(1)This Agreement may be terminated at any time by either of the Parties by written notification through diplomatic channels. The termination shall take effect three months after the date of receipt of the written notification.
(2)If either Party gives notice of termination under this Article, the Parties shall decide what measures are needed to ensure that any cooperation initiated under this Agreement is concluded in an appropriate manner.
(3)Switzerland shall continue to apply the terms of this Agreement to all PNR data received before any termination of this Agreement.
ARTICLE 22
Amendments
(1)This Agreement may be amended in writing at any time by mutual consent between the Parties. The amendments to this Agreement shall enter into force in accordance with Article 19.
(2)The Annex to this Agreement may be updated, by mutual consent between the Parties expressed by written notification exchanged through diplomatic channels. Such updates shall enter into force on the date referred to in Article 19(2).
ARTICLE 23
Consultation and evaluation
(1)The Parties shall enter into consultation with respect to issues related to the monitoring of the implementation of this Agreement. They shall advise each other of any measure that may affect this Agreement.
(2)The Parties shall carry out a joint evaluation of the implementation of this Agreement if requested by either Party and jointly decided. In conducting such evaluation, the Parties shall pay special attention to the necessity and proportionality of processing PNR data for each of the purposes set out in Article 5. The Parties shall decide in advance of the modalities of such evaluations.
ARTICLE 24
Territorial application
(1)This Agreement shall apply to the territory of the European Union in accordance with the Treaty on the European Union and the Treaty on the Functioning of the European Union and to the territory of Switzerland.
(2)By the date of entry into force of this Agreement, the European Union shall notify Switzerland of the Member States to whose territories this Agreement applies. It subsequently may, at any time, notify any changes thereto.
This Agreement shall be drawn up in duplicate in the Bulgarian, Croatian, Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Hungarian, Irish, Italian, Latvian, Lithuanian, Maltese, Polish, Portuguese, Romanian, Slovak, Slovenian, Spanish and Swedish, each text being equally authentic. In the event of any divergence between the texts of this Agreement, the English text shall prevail.
[signatures]
ANNEX I
PASSENGER NAME RECORD DATA ELEMENTS
REFERRED TO IN ARTICLE 2(5)
1. PNR record locator
2. Date of reservation/issue of ticket
3. Date(s) of intended travel
4. Name(s)
5. Address and contact information, namely telephone number and email address relating to the passengers
6. Information relating to the payment methods for, and billing of, the air ticket
7. Complete travel itinerary for specific PNR
8. Frequent flyer data relating to the passenger(s) (status and frequent flyer number)
9. Travel agency/travel agent
10. Travel status of passenger, including confirmations, check-in status, no-show or go-show information
11. Split/divided PNR information
12. Information relating to unaccompanied minors under 18 years: name, gender, age, language(s) spoken, name and contact details of guardian on departure and relationship to the minor, name and contact details of guardian on arrival and relationship to the minor, name of departure and arrival agent
13. Ticketing field information, including ticket number, date of ticket issuance and one-way tickets, automated ticket fare quote fields
14. Seat number and other seat information
15. Code share information
16. All baggage information
17. Number and other names of travellers on the PNR
18. Any advance passenger information (API) data elements as far as already collected by carriers
19. All historical changes to the PNR listed in numbers 1 to 18.
Joint Declaration
The Parties recall that:
–the Standards and Recommended Practices of Annex 9 of the Convention on International Civil Aviation (the Chicago Convention) set out the terms for the collection, use, processing and protection of PNR data;
–Directive (EU) 2016/681 3 lays down the rules and conditions for the transfer to and the processing of PNR data by Member States of the Union. Together with Regulation 2016/679 4 and Directive 2016/680 5 , it guarantees a high level of protection of fundamental rights, in particular the rights to privacy and the protection of personal data;
–the Swiss Federal Act 6 is the legal basis which enables the transfer of PNR data by Swiss air carriers to the Passenger Information Units or corresponding competent authorities of foreign States, including the ones of the Member States of the Union and which governs the use of PNR Data by Switzerland;
–this Agreement lays down the rules and conditions for enabling the transfer of PNR data from the Union to Switzerland and for the processing of this data by Switzerland.
The Parties express their intention to foster mutual cooperation in the field of PNR, while recalling the principle of availability and encouraging operational cooperation between the Passenger Information Units and the competent police and judicial authorities.
The Parties recognize the importance to inform each other on PNR-related developments and best practices in the Union, its Member States and Switzerland.