Spain's data protection authority has fined Amadeus IT Group EUR 14.4 million for using passenger booking data to profile travellers without a lawful basis.
The AEPD said it reduced the initial EUR 18 million penalty after Amadeus made a voluntary payment, though the company did not admit liability. The investigation was triggered by an anonymous complaint filed in September 2023 alleging improper use of traveller data.
Data sources and processing scope
According to the ruling, booking data from airlines and travel agencies was consolidated into a platform used to profile travellers based on their reservation histories. The pilot combined global distribution system (GDS) data with hotel customer data, drawing on passenger name record (PNR) files from 2019, records that were accessed up to three years after the original reservations were made. Agreements with hotel companies for the limited testing periods were signed in 2021 and 2022.
Amadeus described the pilot as a three-month exercise designed to test technical capabilities for analysing traveller data and generating aggregated statistical patterns, with the stated aim of improving the traveller experience. The company said no personal data was shared externally.
The AEPD, however, found that airlines could not be confirmed as having been aware of the profiling platform during the investigation period. The authority cited alleged violations of Article 6 of the General Data Protection Regulation (GDPR), concerning the lawful basis for processing personal data, and Article 14, which governs transparency obligations, specifically the requirement to inform individuals when their data is processed without direct collection from them.
Regulatory and industry context
The GDPR, which has applied across the EU since May 2018, sets binding requirements on how organisations collect, process, and retain personal data. The use of archived PNR data (originally collected for flight bookings) in a profiling context raises questions about purpose limitation, a core GDPR principle that restricts the secondary use of data beyond its original collection purpose.
Amadeus, a Spain-based provider of technology and distribution infrastructure to the global travel industry, disputed both the AEPD's interpretation of the applicable data protection framework and the proportionality of the fine. A company representative stated that Amadeus intends to challenge the decision before the courts.
The case is likely to attract attention from data protection practitioners operating at the intersection of travel technology and privacy regulation, particularly given the scale of GDS ecosystems and the volume of traveller data they handle on behalf of airlines and travel agencies worldwide.