Spain's Agencia Española de Protección de Datos this month closed a two-year investigation into Amadeus IT Group, S.A., confirming a €14.4 million penalty against the Madrid-based travel technology company for processing tens of millions of passenger booking records without adequate legal basis or transparency, in violation of Articles 6 and 14 of the General Data Protection Regulation.

What the AEPD found

The case began with an anonymous complaint filed on 26 September 2023. The complainant alleged that Amadeus, one of the world's largest Global Distribution System operators, had consolidated the personal travel histories of millions of individuals into a data platform and carried out passenger profiling by combining data from its own reservation system with customer records from major hotel chains. The filing put the volume of data affected at more than 12 billion records, including data belonging to millions of Spanish residents.

On 31 October 2023, the director of the AEPD instructed its Subdirección General de Inspección de Datos to open a preliminary investigation. Amadeus responded to the agency's first information request on 18 December 2023, confirming that Amadeus IT Group, S.A., headquartered at Calle Salvador de Madariaga 1, 28027 Madrid, is the data controller for the company's GDS processing activities and that its operations are cross-border in nature, affecting travellers from every EU member state.

The investigation expanded. On 21 October 2024 and again on 26 December 2024, the AEPD received supplementary complaints suggesting the conduct had also been reported to data protection authorities in Portugal, Iceland, Finland, and Greece, all countries where airlines use Amadeus software. By the time the agency issued its proposed sanction decision on 22 April 2025, seventeen other European supervisory authorities had been notified through the Internal Market Information System as interested authorities under Article 60 of the GDPR. None filed objections to the proposed decision within the four-week window, which closed in May 2025.

The profiling pilot: how it worked

At the centre of the case is a data product internally designated in regulatory filings as a platform pilot. Amadeus describes the project in its 2022 Global Report as using "deep knowledge of the end customer acquired through a large volume of data and information" to enable airlines to create "unique experiences at every traveller touchpoint" including "hyper-personalised retail searches."

The pilot matched Passenger Name Record data from Amadeus's own GDS against customer data held by hotel chains. The AEPD confirmed that Amadeus signed a contract with one hotel chain on 12 June 2021, with an amendment effective 3 December 2021 and services running until the end of March 2022. A contract with a second hotel chain was signed on 23 March 2022, with an effective start date of 15 March 2022 and services running for three months from the date Amadeus began comparing the two datasets.

The personal data involved included names, nationality, gender, date of birth, email addresses, passport or identity document numbers, frequent flyer numbers, dietary preferences, special service requests, and payment information. Crucially, some of the GDS records drawn upon were PNR data from 2019 - active and archived booking files used three years after the original reservation took place.

According to the AEPD's resolution, Amadeus later described the pilot as having been "discarded, among other reasons, for personal data protection reasons." The company confirmed in December 2024 correspondence that the platform "was never commercialised and does not and never has formed part of our product or service offering."

The GDS as invisible data controller

Central to the AEPD's legal analysis is the question of which parties a traveller actually knows are handling their data. The Amadeus GDS is a B2B system. Airlines, travel agencies, hotels, and car rental companies are Amadeus's direct customers. Individual passengers make bookings through agencies or airline websites and have no direct contractual relationship with Amadeus itself.

Article 11.1 of Regulation (EC) No 80/2009, the European code of conduct for computerised reservation systems, states explicitly that the systems vendor is the data controller for personal data collected in the course of reservation and ticketing activities. Amadeus acknowledged this in its April 2024 submission, explaining that when bookings flow through a travel agent via the GDS, Amadeus acts as controller. When airlines use Amadeus for direct distribution, Amadeus acts as processor receiving instructions from the carrier.

The dual role matters. Travellers who book through an agency may have no awareness that Amadeus processes their data at all - let alone that their records from 2019 could later be cross-referenced with hotel loyalty data as part of an internal product experiment.

One German airline, whose identity is redacted in the published resolution, told its national authority that it had no knowledge of the profiling platform and had not contracted for it. The airline noted that while a German Amadeus subsidiary appeared among its IT subcontractors, subcontracting clauses explicitly prohibited Amadeus from re-using the data for purposes other than service delivery. "Amadeus also acts as an independent controller for its central reservation system (GDS) activities," the airline told the German authority. "We have no control or visibility over Amadeus's processing activities in this context."

Article 14: the transparency failure

The first of the two infringements found concerns Article 14 of the GDPR, which governs the obligation to inform individuals when their data is collected not from them directly but from third parties. This provision requires the controller to provide the data subject with information on the processing purposes, legal basis, data categories, recipients, and data retention periods.

According to the AEPD's resolution, Amadeus did not notify affected travellers that their booking data would be used for the pilot project. The agency examined Amadeus's privacy policy as it stood on 24 November 2023, which referenced analytical and statistical uses based on legitimate interest. Inspectors checked the policy again on 30 April 2024, by which point it had been updated to more clearly delineate individual processing purposes and their legal bases. By 2 December 2024, the URL for the GDS privacy statement had itself changed.

The AEPD found all three versions inadequate for the purpose of complying with Article 14 in the context of the pilot. A generic privacy notice on a corporate website, the resolution states, does not satisfy the requirement when the data subject has no direct relationship with the controller, when the processing concerns a purpose entirely unrelated to the original booking, and when the data is used years after the original reservation.

The agency highlighted the particular invisibility of the processing: "Not all individuals are aware that Amadeus processes their data when making a reservation," the resolution states, "let alone that their data would be processed by Amadeus, after a specific booking, for the purpose of developing new products from which it might benefit."

The pilot used PNR data from 2019, processed in 2022. The AEPD concluded that travellers whose booking records were used had no reasonable expectation that a company with which they had no direct contact would use those records three years later for a product development experiment.

Article 6: no lawful basis

The second infringement relates to Article 6 of the GDPR - the requirement that processing have a valid legal basis. Amadeus claimed legitimate interest under Article 6(1)(f) as the legal basis for the pilot.

The AEPD rejected this. The resolution identifies three problems.

First, sector-specific data retention law creates a hard ceiling. Article 11.4 of Regulation (EC) No 80/2009 requires that individually identifiable booking data held by a reservation system vendor must be taken offline within 72 hours of the last element of a booking being completed, and must be destroyed within a maximum of three years. Access to archived records is restricted to billing disputes only. Amadeus used 2019 PNR records - including archived Past Date Records - in 2022. The AEPD found this inconsistent with the legal framework governing how long such records can be accessed for commercial purposes.
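To make the retention and purpose constraint concrete, here is an added example, not taken from the AEPD resolution or from Amadeus, of how a system vendor could enforce the Article 11.4 limits as an access-control policy: each booking record is classified as live, archived or past its destruction deadline from the timestamp of its last completed element, and an archived record answers only to a billing-dispute purpose. The purpose lists, the booking, the access log and the function names are constructed for illustration; the 2019 booking read in 2022 for a product pilot mirrors the scenario described in the resolution.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

# Thresholds from Article 11.4 of Regulation (EC) No 80/2009 as summarised above.
OFFLINE_AFTER = timedelta(hours=72)   # identifiable data goes offline after 72 hours
DESTROY_AFTER_YEARS = 3               # and must be destroyed within three years

# Purpose lists are an illustrative assumption, not the regulation's wording.
LIVE_PURPOSES = frozenset({"reservation", "ticketing", "billing_dispute"})
ARCHIVED_PURPOSES = frozenset({"billing_dispute"})


class State(Enum):
    LIVE = "live"
    ARCHIVED = "archived"
    DESTROYED = "destroyed"


@dataclass(frozen=True)
class Booking:
    pnr: str
    last_element_completed: datetime  # timezone-aware


def _add_years(ts: datetime, years: int) -> datetime:
    try:
        return ts.replace(year=ts.year + years)
    except ValueError:  # 29 February rolling into a non-leap year
        return ts.replace(year=ts.year + years, day=28)


def lifecycle_state(booking: Booking, now: datetime) -> State:
    """Classify a record purely from elapsed time since the booking completed."""
    completed = booking.last_element_completed
    if now < completed:
        raise ValueError("access time precedes booking completion")
    if now - completed < OFFLINE_AFTER:
        return State.LIVE
    if now < _add_years(completed, DESTROY_AFTER_YEARS):
        return State.ARCHIVED
    return State.DESTROYED


def authorize_access(booking: Booking, purpose: str, now: datetime) -> tuple[bool, str]:
    """Deny by default: the stated purpose must be allowed for the record's state."""
    state = lifecycle_state(booking, now)
    if state is State.DESTROYED:
        return False, f"{booking.pnr}: past destruction deadline, record must no longer exist"
    allowed = LIVE_PURPOSES if state is State.LIVE else ARCHIVED_PURPOSES
    if purpose in allowed:
        return True, f"{booking.pnr}: {state.value} record, purpose '{purpose}' permitted"
    return False, f"{booking.pnr}: {state.value} record, purpose '{purpose}' not permitted"


def audit(access_log, bookings):
    """Replay an access log and return the entries the policy would have refused."""
    index = {b.pnr: b for b in bookings}
    refused = []
    for pnr, purpose, when in access_log:
        ok, reason = authorize_access(index[pnr], purpose, when)
        if not ok:
            refused.append((pnr, purpose, when.date().isoformat(), reason))
    return refused


# Constructed sample data: one 2019 booking and four later accesses to it.
UTC = timezone.utc
SAMPLE_BOOKING = Booking("ABC123", datetime(2019, 6, 10, 14, 0, tzinfo=UTC))
SAMPLE_LOG = [
    ("ABC123", "ticketing", datetime(2019, 6, 11, 9, 0, tzinfo=UTC)),   # live, permitted
    ("ABC123", "billing_dispute", datetime(2021, 2, 1, tzinfo=UTC)),     # archived, permitted
    ("ABC123", "product_pilot", datetime(2022, 3, 20, tzinfo=UTC)),      # archived, refused
    ("ABC123", "billing_dispute", datetime(2022, 7, 1, tzinfo=UTC)),     # past three years, refused
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_LOG, [SAMPLE_BOOKING]):
        print(entry)
```

The point of the replay is that a purpose such as a product pilot is refused against an archived record regardless of who requests it, and that a record older than three years is refused even for the one purpose the archive exists for, because by then it should not exist at all.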

Second, the legitimate interest assessment submitted by Amadeus - dated 5 November 2021 - did not include a detailed balancing of the company's commercial interests against the fundamental rights of the millions of affected travellers. The AEPD found that without this balancing step, the legitimate interest claim could not be sustained.

Third, and most significantly, the AEPD found an internal contradiction in Amadeus's own documents. An internal presentation made for the company's "privacy week" in 2022 included a slide explicitly setting out the reasons why legitimate interest should not be used to process data in the pilot project. The same presentation specified a different legal basis as the appropriate one for data sharing in the project - and that basis was not legitimate interest. "This Agency cannot but agree with the analysis carried out by Amadeus itself," the resolution states.

This is an unusual moment in regulatory decisions: a company's own internal training material was used as evidence against the legal basis it subsequently invoked.

The EDPB's case digest on legitimate interest, published in March 2026, identifies this pattern across dozens of enforcement cases - controllers treating legitimate interest as a flexible fallback while failing to complete the balancing test the GDPR actually requires.

Scale, fines, and the voluntary payment reduction

According to financial data from the AXESOR business intelligence platform, Amadeus IT Group reported revenue of €4.467 billion in 2023. The AEPD cited this figure as the baseline for calibrating the penalty.

The authority imposed two separate fines: €9 million for the Article 14 transparency violation and €9 million for the Article 6 lawful basis violation, for a combined total of €18 million. Both infractions are classified as very serious under Article 83.5 of the GDPR, which carries a maximum penalty of €20 million or 4% of global annual turnover, whichever is higher.

Two aggravating factors increased the weight of the sanctions. First, Amadeus had a prior infringement: on 10 June 2022, the AEPD fined the company €5,000 for an Article 12 violation relating to transparency obligations - a modest penalty, but one the authority treated as a precedent under Article 83.2(e) of the GDPR. Second, the authority cited the nature of Amadeus's core activity: processing personal data for millions of travellers at scale is central to the GDS business model, making compliance failures in this area inherently more serious.

Amadeus opted for voluntary payment under Article 85(2) of Spain's Administrative Procedure Law, which provides a 20% reduction when a company settles without formal recognition of liability. The final amount paid on 29 May 2025 was €14.4 million. Voluntary payment also closes the administrative procedure entirely, though Amadeus retains the right to challenge the underlying decision before the administrative courts within two months.

The resolution was signed by Lorenzo Cotino Hueso, president of the AEPD. Under Article 76.4 of Spain's data protection law, rulings exceeding €1 million are published in the Official State Gazette identifying the company, the infringement, and the fine amount.

Why this matters for the marketing and ad tech sector

This case has structural implications that extend well beyond the travel industry. The central legal problem - using data collected for one purpose and then repurposing it for product development or audience profiling without informing the people concerned - is a pattern that appears across retail media, loyalty programmes, and the wider ad tech stack.

Enforcement statistics across European supervisory authorities show that only 1.3% of GDPR cases resulted in financial penalties between 2018 and 2023. But when cases do result in fines at this scale, they consistently involve the same combination: secondary use of data without notice, and legitimate interest invoked without a genuine balancing test.

Italy's €17.6 million fine against Intesa Sanpaolo for profiling 2.4 million bank customers turned on the same issue, and the EDPB's case digest found that controllers routinely treat legitimate interest as a catch-all rather than completing the three-step necessity and balancing analysis. The Amadeus case adds a wrinkle that will interest privacy professionals: a company's own internal compliance documents can surface in enforcement as evidence that its publicly stated legal basis was not actually the one its own teams identified as appropriate.

The EDPB's first-ever DPIA template, adopted in March 2026 and currently under public consultation until June 2026, establishes a standardised framework for exactly the kind of high-risk processing involved here - large-scale profiling using data from multiple sources. Organisations using PNR or booking data for analytics, personalisation, or audience modelling should review whether their DPIA documentation covers secondary use cases with the specificity the AEPD now clearly expects.

The Amadeus resolution also reinforces the compliance risk embedded in data relationships where the end user has no visibility into the technology stack. Airlines, hotel chains, and travel agencies that use Amadeus as a technology provider may not always realise when the B2B service layer they rely on is independently processing end-customer data for its own commercial purposes. This is a controller-versus-processor boundary problem that the Luxembourg court's annulment of Amazon's €746 million GDPR fine and other recent cross-border cases have shown to be genuinely difficult to resolve - even for regulators applying the one-stop-shop mechanism.

Timeline

  • 12 June 2021 - Contract signed with the first hotel chain for the profiling pilot (disclosed during the investigation; contract effective date was 3 December 2021, services ran to end of March 2022).
  • 23 March 2022 - Contract signed with the second hotel chain for the pilot (effective 15 March 2022, three-month duration).
  • 26 September 2023 - Anonymous complaint filed with the AEPD alleging improper data profiling by Amadeus IT Group, affecting more than 12 billion data records including data of millions of Spanish residents.
  • 31 October 2023 - AEPD director instructs the Subdirección General de Inspección de Datos to open a preliminary investigation.
  • 18 December 2023 - Amadeus submits its first written response, confirming its role as GDS data controller with principal establishment in Madrid, and acknowledging the cross-border nature of the processing.
  • 22 December 2023 - AEPD transmits the case to other EU supervisory authorities through the IMI System under Article 56 GDPR. Seventeen additional authorities, including those of the Netherlands, France, Italy, Sweden, Belgium, Germany, and Ireland, participate as interested authorities.
  • January 2024 - Amadeus updates its GDS privacy statement, renaming the document and expanding traveller-facing disclosures.
  • 10 April 2024 - Amadeus submits a detailed second response covering its GDS architecture, data origins, privacy policy, processing register, and impact assessments.
  • 6 June 2024 - Amadeus submits a third response, providing contracts, its processing register, and the data protection impact assessment for the pilot project.
  • 4 September 2024 - A German data protection authority advises the AEPD that the airline whose data was involved had no knowledge of the profiling platform and had not contracted for it.
  • 21 October 2024 - Additional complaint received by the AEPD, suggesting Amadeus's conduct was also reported to authorities in Portugal, Iceland, Finland, and Greece.
  • 25 October 2024 - Amadeus submits further information on the pilot dataset scope and the service provided to hotel chains.
  • 23 December 2024 - Amadeus confirms redacted client volumes used in the profiling pilot.
  • 26 December 2024 - Second supplementary complaint received at the AEPD.
  • 22 April 2025 - AEPD presidency adopts a proposed sanction decision and transmits it to the 17 interested supervisory authorities. A four-week period opens for objections under Article 60 GDPR. No objections are received.
  • 21 May 2025 - AEPD formally initiates the sanctioning procedure, citing infringements of Articles 14 and 6 of the GDPR, classified under Article 83.5.
  • 29 May 2025 - Amadeus pays the penalty of €14.4 million under the voluntary payment provision of Article 85(2) of the Administrative Procedure Law, without acknowledging legal responsibility.
  • March 2026 - EDPB publishes its case digest on legitimate interest under Article 6(1)(f) GDPR, finding systematic underestimation of the balancing test across 62 One-Stop-Shop decisions.
  • May 2026 - AEPD publishes the final resolution closing the procedure by voluntary payment, reference EXP202315175.

Summary

Who: Amadeus IT Group, S.A. (NIF A84236934), headquartered at Calle Salvador de Madariaga 1, Madrid, Spain. The Agencia Española de Protección de Datos (AEPD) acted as lead supervisory authority under the one-stop-shop mechanism, with 17 other EU authorities as interested parties.

What: A €14.4 million GDPR fine (after a 20% voluntary payment reduction from a base of €18 million), covering two separate violations: failure to inform data subjects under Article 14 when their booking records were used for a data profiling pilot (€9 million), and processing those records without a valid lawful basis under Article 6 (€9 million). The pilot combined Amadeus GDS Passenger Name Record data with hotel chain customer data to build traveller profiles for product development purposes.

When: The investigation ran from October 2023 to May 2025. The pilot itself operated across two hotel chain contracts spanning December 2021 to June 2022, using GDS booking records that included archived PNR data from 2019. Payment was made on 29 May 2025. The resolution was published in May 2026.

Where: Spain (principal establishment of Amadeus IT Group), with cross-border processing affecting travellers across all EU member states. Interested supervisory authorities included those of the Netherlands, Sweden, Estonia, Austria, Norway, Lithuania, France, Italy, Hungary, Belgium, Denmark, Ireland, Poland, Slovakia, Finland, and several German state authorities.

Why: Amadeus ran an internal pilot combining its own booking data with hotel chain records to test a passenger profiling and personalisation product. The AEPD found that travellers - who have no direct relationship with Amadeus and may not know the company processes their reservations at all - received no notice that their data was being used for this secondary purpose. The legal basis Amadeus invoked, legitimate interest, was rejected because the company failed to complete a genuine balancing test and because its own internal privacy documents identified legitimate interest as unsuitable for this processing.
