Spain’s Agencia Española de Protección de Datos this month closed a two-year investigation into Amadeus IT Group, S.A., confirming a €14.4 million penalty against the Madrid-based travel technology company for processing tens of millions of passenger booking records without adequate legal basis or transparency, in violation of Articles 6 and 14 of the General Data Protection Regulation.
What the AEPD found
The case began with an anonymous complaint filed on 26 September 2023. The complainant alleged that Amadeus, one of the world’s largest Global Distribution System operators, had consolidated the personal travel histories of millions of individuals into a data platform and conducted passenger profiling by combining data from its own reservation system with customer records from major hotel chains. The filing put the volume of data affected at more than 12 billion records, including data belonging to millions of Spanish residents.
On 31 October 2023, the director of the AEPD instructed its Subdirección General de Inspección de Datos to open a preliminary investigation. Amadeus responded to the agency’s first information request on 18 December 2023, confirming that Amadeus IT Group, S.A., headquartered at Calle Salvador de Madariaga 1, 28027 Madrid, is the data controller for the company’s GDS processing activities and that its operations are cross-border in nature, affecting travellers from every EU member state.
The investigation expanded. On 21 October 2024 and again on 26 December 2024, the AEPD received supplementary complaints suggesting the conduct had also been reported to data protection authorities in Portugal, Iceland, Finland, and Greece, all countries where airlines use Amadeus software. By the time the agency issued its proposed sanction decision on 22 April 2025, eighteen European supervisory authorities had been notified through the Internal Market Information System as authorities under Article 60 of the GDPR. None filed objections to the proposed decision within the four-week window, which closed in May 2025.
The profiling pilot: how it worked
At the centre of the case is a data product internally designated in regulatory filings as a platform pilot. Amadeus describes the project in its 2022 Global Report as using “deep knowledge of the end customer acquired through a large volume of data and information” to enable airlines to create “unique experiences at every traveller touchpoint” including “hyper-personalised retail searches.”
The pilot matched Passenger Name Record data from Amadeus’s own GDS against customer data held by hotel chains. The AEPD confirmed that Amadeus signed a contract with one hotel chain on 12 June 2021, with an amendment effective 3 December 2021 and services running until the end of March 2022. A contract with a second hotel chain was signed on 23 March 2022, with an effective start date of 15 March 2022 and services running for three months from the date Amadeus began comparing the two datasets.
The personal data involved included names, nationality, gender, date of birth, email addresses, passport or identity document numbers, frequent flyer numbers, dietary preferences, special service requests, and payment information. Crucially, some of the GDS records drawn upon were PNR data from 2019 – active and archived booking records used three years after the original reservation took place.
According to the AEPD’s resolution, Amadeus later described the pilot as having been “discarded, among other reasons, for personal data protection reasons.” The company confirmed in December 2024 correspondence that the platform “was never commercialised and does not and never has formed part of our products or services offering.”
The GDS as invisible data controller
Central to the AEPD’s legal analysis is the question of who the traveller actually knows about. The Amadeus GDS is a B2B system. Airlines, travel agencies, hotels, and car rental companies are Amadeus’s direct customers. Individual passengers make bookings through agencies or airline websites and have no direct contractual relationship with Amadeus itself.
Article 11.1 of Regulation (EC) No 80/2009, the European code of conduct for computerised reservation systems, states explicitly that the systems vendor is the data controller for personal data collected in the course of reservation and ticketing activities. Amadeus acknowledged this in its April 2024 submission, explaining that when bookings flow through a travel agent via the GDS, Amadeus acts as controller. When airlines use Amadeus for direct distribution, Amadeus acts as processor receiving instructions from the carrier.
The dual role matters. Travellers who book through an agency may have no awareness that Amadeus processes their data at all – let alone that their records from 2019 might later be cross-referenced with hotel loyalty data as part of an internal product experiment.
One German airline, whose identity is redacted in the published resolution, told its national authority that it had no knowledge of the profiling platform and had not contracted for it. The airline noted that while a German Amadeus subsidiary appeared among its IT subcontractors, subcontracting clauses explicitly prohibited Amadeus from re-using the data for purposes other than service delivery. “Amadeus also acts as an independent controller for its central reservation system (GDS) activities,” the airline told the German authority. “We have no control or visibility over Amadeus’s processing activities in this context.”
Article 14: the transparency failure
The first of the two infringements found concerns Article 14 of the GDPR, which governs the obligation to inform individuals when their data is collected not from them directly but from third parties. This provision requires the controller to provide the data subject with information on the processing purposes, legal basis, data categories, recipients, and data retention periods.
According to the AEPD’s resolution, Amadeus did not notify affected travellers that their booking data would be used for the pilot project. The agency examined Amadeus’s privacy policy as it stood on 24 November 2023, which referenced analytical and statistical uses based on legitimate interest. Inspectors checked the policy again on 30 April 2024, by which point it had been updated to more clearly delineate individual processing purposes and their legal bases. By 2 December 2024, the URL for the GDS privacy statement had itself changed.
The AEPD found all three versions inadequate for the purpose of complying with Article 14 in the context of the pilot. A generic privacy notice on a corporate website, the resolution states, does not satisfy the requirement when the data subject has no direct relationship with the controller, when the processing concerns a purpose entirely unrelated to the original booking, and when the data is used years after the original reservation.
The agency highlighted the particular invisibility of the processing: “Not all individuals are aware that Amadeus processes their data when making a reservation,” the resolution states, “let alone that their data would be processed by Amadeus, after a specific booking, for the purpose of developing new products from which it might benefit.”
The pilot used PNR data from 2019, processed in 2022. The AEPD concluded that travellers whose booking records were used had no reasonable expectation that a company with which they had no direct contact would use those records three years later for a product development experiment.
Article 6: no lawful basis
The second infringement relates to Article 6 of the GDPR – the requirement that processing have a valid legal basis. Amadeus claimed legitimate interest under Article 6(1)(f) as the legal basis for the pilot.
The AEPD rejected this. The resolution identifies three problems.
First, sector-specific data retention law creates a hard ceiling. Article 11.4 of Regulation (EC) No 80/2009 requires that individually identifiable booking data held by a reservation system vendor must be taken offline within 72 hours of the last element of a booking being completed, and must be destroyed within a maximum of three years. Access to archived records is restricted to billing disputes only. Amadeus used 2019 PNR records – including archived Past Date Records – in 2022. The AEPD found this inconsistent with the legal framework governing how long such records may be accessed for commercial purposes.
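The retention ceiling described above (identifiable booking data offline within 72 hours of the last element completing, destroyed within three years, archived records reachable only for billing disputes) is the kind of rule a data-governance team can turn into an automated access gate rather than a policy document. The Python below is an added illustration and is not Amadeus’s system or anything taken from the resolution: the record locators, timestamps, the `Purpose` names and the reference date inside the pilot window are all constructed, and the three-year ceiling is approximated as 1095 days. It enforces only the Article 11.4 retention rules; lawful basis and Article 14 notice are separate questions that a gate like this does not answer.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

# Thresholds from Article 11.4 of Regulation (EC) No 80/2009 as described on the page.
OFFLINE_AFTER = timedelta(hours=72)          # identifiable data must be taken offline
DESTROY_AFTER = timedelta(days=3 * 365)      # approximation of the three-year ceiling


class Purpose(Enum):
    """Processing purposes used by this illustration (names are constructed)."""
    BOOKING_SERVICE = "booking_service"
    BILLING_DISPUTE = "billing_dispute"
    PRODUCT_DEVELOPMENT = "product_development"


@dataclass(frozen=True)
class Pnr:
    """Minimal PNR stand-in: a locator and when its last element was completed."""
    locator: str
    last_element_completed: datetime
    identifiable: bool = True


def retention_state(pnr: Pnr, now: datetime) -> str:
    """Classify a record as active, archived (offline) or due for destruction."""
    age = now - pnr.last_element_completed
    if age >= DESTROY_AFTER:
        return "destroy"
    if age > OFFLINE_AFTER:
        return "archived"
    return "active"


def check_access(pnr: Pnr, purpose: Purpose, now: datetime) -> tuple[bool, str]:
    """Decide whether an access request is permitted under the retention rules.

    Returns (allowed, reason) so callers can log the decision.
    """
    if not pnr.identifiable:
        return True, "record is not individually identifiable; retention ceiling does not apply"
    state = retention_state(pnr, now)
    if state == "destroy":
        return False, "record is past the three-year destruction deadline and must not be accessed"
    if state == "archived" and purpose is not Purpose.BILLING_DISPUTE:
        return False, f"archived record: access for {purpose.value} is not a billing dispute"
    return True, f"{state} record: access for {purpose.value} permitted"


def audit(records: list[Pnr], purpose: Purpose, now: datetime) -> list[tuple[str, bool, str]]:
    """Run the gate over a batch of records, e.g. before a dataset is released to a project."""
    return [(p.locator,) + check_access(p, purpose, now) for p in records]


# Constructed reference date inside the pilot window and constructed sample records.
NOW = datetime(2022, 3, 15, tzinfo=timezone.utc)
SAMPLE_PNRS = [
    Pnr("ABC123", datetime(2019, 2, 10, tzinfo=timezone.utc)),       # 2019 booking, past 3 years
    Pnr("DEF456", datetime(2019, 6, 1, tzinfo=timezone.utc)),        # 2019 booking, still archived
    Pnr("GHI789", datetime(2022, 3, 1, tzinfo=timezone.utc)),        # completed two weeks ago
    Pnr("JKL012", datetime(2022, 3, 14, 12, tzinfo=timezone.utc)),   # completed yesterday, active
]

if __name__ == "__main__":
    for locator, allowed, reason in audit(SAMPLE_PNRS, Purpose.PRODUCT_DEVELOPMENT, NOW):
        print(f"{locator}: {'ALLOW' if allowed else 'DENY '} - {reason}")
```

Running the batch for `Purpose.PRODUCT_DEVELOPMENT` denies the three older records (one past the destruction deadline, two archived) and permits only the still-active booking; the same archived records are allowed when the purpose is `Purpose.BILLING_DISPUTE`. A release pipeline that applied this gate before handing PNR data to a new project would have surfaced the retention problem the AEPD later identified at the dataset-selection stage.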
Second, the legitimate interest assessment submitted by Amadeus – dated 5 November 2021 – did not include a detailed balancing of the company’s commercial interests against the fundamental rights of the millions of affected travellers. The AEPD found that without this balancing step, the legitimate interest claim could not be sustained.
Third, and most significantly, the AEPD found an internal contradiction in Amadeus’s own documents. An internal presentation made for the company’s “privacy week” in 2022 included a slide explicitly setting out the reasons why legitimate interest should not be used to process data in the pilot project. The same presentation specified a different legal basis as the appropriate one for data sharing in the project – and that basis was not legitimate interest. “This Agency cannot but agree with the analysis carried out by Amadeus itself,” the resolution states.
This is an unusual moment in regulatory decisions: a company’s own internal training material was used as evidence against the legal basis it subsequently invoked.
The EDPB’s damning digest on how legitimate interest fails in practice, published in March 2026, identifies this pattern across dozens of enforcement cases – controllers treating legitimate interest as a flexible fallback while failing to complete the balancing test the GDPR actually requires.
Scale, fines, and the voluntary payment reduction
According to financial data from the AXESOR business intelligence platform, Amadeus IT Group reported revenue of €4.467 billion in 2023. The AEPD cited this figure as the baseline for calibrating the penalty.
The authority imposed two separate fines: €9 million for the Article 14 transparency violation and €9 million for the Article 6 lawful basis violation, for a combined total of €18 million. Both infractions are classified as very serious under Article 83.5 of the GDPR, which carries a maximum penalty of €20 million or 4% of global annual turnover, whichever is higher.
Two aggravating factors increased the weight of the sanctions. First, Amadeus had a prior infringement: on 10 June 2022, the AEPD fined the company €5,000 for an Article 12 violation relating to transparency obligations – a modest penalty, but one the authority treated as a precedent under Article 83.2(e) of the GDPR. Second, the authority cited the nature of Amadeus’s core activity: processing personal data for millions of travellers at scale is central to the GDS business model, making compliance failures in this area inherently more serious.
Amadeus opted for voluntary payment under Article 85(2) of Spain’s Administrative Procedure Law, which provides a 20% reduction when a company settles without formal acknowledgement of liability. The final amount paid on 29 May 2025 was €14.4 million. Voluntary payment also closes the administrative procedure entirely, although Amadeus retains the right to challenge the underlying decision before the administrative courts within two months.
The resolution was signed by Lorenzo Cotino Hueso, president of the AEPD. Under Article 76.4 of Spain’s data protection law, rulings exceeding €1 million are published in the Official State Gazette identifying the company, the infringement, and the fine amount.
Why this matters for the marketing and ad tech sector
This case has structural implications that extend well beyond the travel industry. The central legal problem – using data collected for one purpose and then repurposing it for product development or audience profiling without informing the people concerned – is a pattern that appears across retail media, loyalty programmes, and the broader ad tech stack.
GDPR enforcement data on fine rates across European authorities shows that only 1.3% of GDPR cases resulted in financial penalties between 2018 and 2023. But when cases do result in fines at this scale, they consistently involve the same combination: secondary use of data without notice, and legitimate interest invoked without a genuine balancing test.
Italy’s €17.6 million fine against Intesa Sanpaolo for profiling 2.4 million bank customers turned on exactly the same issue: the EDPB’s case digest found that controllers routinely treat legitimate interest as a catch-all rather than completing the three-step necessity and balancing assessment. The Amadeus case adds a wrinkle that will interest privacy professionals: a company’s own internal compliance documents can surface in enforcement as evidence that its publicly stated legal basis was not actually the one its own teams identified as appropriate.
The EDPB’s first-ever DPIA template, adopted in March 2026 and currently under public consultation until June 2026, establishes a standardised framework for exactly the kind of high-risk processing involved here – large-scale profiling using data from multiple sources. Organisations using PNR or booking data for analytics, personalisation, or audience modelling should review whether their DPIA documentation covers secondary use cases with the specificity the AEPD now clearly expects.
The Amadeus resolution also reinforces the compliance risk embedded in data relationships where the end user has no visibility into the technology stack. Airlines, hotel chains, and travel agencies that use Amadeus as a technology provider may not always realise when the B2B service layer they rely on is independently processing end-customer data for its own commercial purposes. This is a controller-versus-processor boundary problem that the Luxembourg court’s annulment of Amazon’s €746 million GDPR fine and other recent cross-border cases have shown to be genuinely difficult to resolve – even for regulators applying the one-stop-shop mechanism.
Timeline
- 26 September 2023 – Anonymous complaint filed with the AEPD alleging improper data profiling by Amadeus IT Group, affecting more than 12 billion data records including data of millions of Spanish residents.
- 31 October 2023 – AEPD director instructs the Subdirección General de Inspección de Datos to open a preliminary investigation.
- 18 December 2023 – Amadeus submits its first written response, confirming its role as GDS data controller with main establishment in Madrid, and acknowledging the cross-border and transfrontier nature of the processing.
- 22 December 2023 – AEPD transmits the case to other EU supervisory authorities through the IMI System under Article 56 GDPR. Seventeen additional authorities, including those of the Netherlands, France, Italy, Sweden, Belgium, Germany, and Ireland, participate as authorities.
- 12 June 2021 – Contract signed with the first hotel chain for the profiling pilot (disclosed during the investigation; contract effective date was 3 December 2021, services ran to end of March 2022).
- 23 March 2022 – Contract signed with the second hotel chain for the pilot (effective 15 March 2022, three-month duration).
- January 2024 – Amadeus updates its GDS privacy statement, renaming the document and expanding traveller-facing disclosures.
- 10 April 2024 – Amadeus submits a detailed second response covering its GDS architecture, data origins, privacy policy, processing register, and impact assessments.
- 6 June 2024 – Amadeus submits a third response, providing contracts, its processing register, and the data protection impact assessment for the pilot project.
- 4 September 2024 – A German data protection authority advises the AEPD that the airline whose data was involved had no knowledge of the profiling platform and had not contracted for it.
- 21 October 2024 – Additional complaint received by the AEPD, suggesting Amadeus’s conduct was also reported to authorities in Portugal, Iceland, Finland, and Greece.
- 25 October 2024 – Amadeus submits further information on the pilot dataset scope and the service provided to hotel chains.
- 26 December 2024 – Second supplementary complaint received at the AEPD.
- 23 December 2024 – Amadeus confirms redacted client volumes used in the profiling pilot.
- 22 April 2025 – AEPD presidency adopts a proposed sanction decision and transmits it to the 17 supervisory authorities. A four-week period opens for objections under Article 60 GDPR. No objections are received.
- 21 May 2025 – AEPD formally initiates the sanctioning procedure, citing infringements of Articles 14 and 6 of the GDPR, classified under Article 83.5.
- 29 May 2025 – Amadeus pays the penalty of €14.4 million under the voluntary payment provision of Article 85(2) of the Administrative Procedure Law, without acknowledging liability.
- March 2026 – EDPB publishes case digest on legitimate interest under Article 6(1)(f) GDPR, finding systematic underestimation of the balancing test across 62 One-Stop-Shop decisions.
- May 2026 – AEPD publishes the final resolution closing the procedure by voluntary payment, reference EXP202315175.
Summary
Who: Amadeus IT Group, S.A. (NIF A84236934), headquartered at Calle Salvador de Madariaga 1, Madrid, Spain. The Agencia Española de Protección de Datos (AEPD) acted as lead supervisory authority under the one-stop-shop mechanism, with 17 other EU authorities as parties.
What: A €14.4 million GDPR fine (after a 20% voluntary payment reduction from a base of €18 million), covering two separate violations: failure to inform data subjects under Article 14 when their booking records were used for a data profiling pilot (€9 million), and processing those records without a valid lawful basis under Article 6 (€9 million). The pilot combined Amadeus GDS Passenger Name Record data with hotel chain customer data to build traveller profiles for product development purposes.
When: The investigation ran from October 2023 to May 2025. The pilot itself operated under two hotel chain contracts spanning December 2021 to June 2022, using GDS booking records that included archived PNR data from 2019. Payment was made on 29 May 2025. The resolution was published in May 2026.
Where: Spain (main establishment of Amadeus IT Group), with cross-border processing affecting travellers across all EU member states. Supervisory authorities included those of the Netherlands, Sweden, Estonia, Austria, Norway, Lithuania, France, Italy, Hungary, Belgium, Denmark, Ireland, Poland, Slovakia, Finland, and several German state authorities.
Why: Amadeus ran an internal pilot combining its own booking data with hotel chain records to test a passenger profiling and personalisation product. The AEPD found that travellers – who have no direct relationship with Amadeus and may not know the company processes their reservations at all – received no notice that their data was being used for this secondary purpose. The legal basis Amadeus invoked, legitimate interest, was rejected because the company failed to complete a genuine balancing test and because its own internal privacy documents identified legitimate interest as unsuitable for this processing.