The full APIS data set would, I believe, constitute personally identifiable information (PII) under GDPR:
- Full name (last name, first name, middle name if applicable)
- Gender
- Date of birth
- Nationality
- Country of residence
- Travel document type (normally passport)
- Travel document number (expiry date and country of issue for passport)
The passport number could be considered as sensitive information in this context.
To protect PII in transit, minimum technical measures under the GDPR would include:
- Encryption of personal data in transit by using suitable encryption solutions. This may include SSL and IPsec VPN connections, which are appropriate for machine-to-machine connections, or PGP, which is generally used for messaging such as e-mail.
Note that the GDPR does not specifically mention these measures, but on the basis of commonly adopted security measures and trends in enforcement action by data protection regulators, it can reasonably be assumed that these are indeed a requirement.
If you feel that your personal data is being put at risk by the data processor in breach of the GDPR, you should complain to the supervisory authority - in the UK that would be:
The Information Commissioner’s Office
Water Lane, Wycliffe House
Wilmslow - Cheshire SK9 5AF
Tel. +44 1625 545 745
e-mail: [email protected]
Website: https://ico.org.uk
FBW