Spain’s data protection agency, the Agencia Española de Protección de Datos (AEPD), has fined Amadeus IT Group, S.A. (Amadeus) €18 million in relation to a traveller profiling pilot project. The enforcement decision, published on 26 May 2025, found breaches of Article 14 and Article 6 of Regulation (EU) 2016/679 (GDPR). Amadeus has made a €14.4 million voluntary payment, representing a 20% reduction from the proposed total fine, and has stated that it intends to appeal the ruling.

Background

Amadeus is a major Global Distribution System (GDS) provider and is one of the largest travel booking networks used by airlines and travel agencies, responsible for processing the personal data of millions of individuals for bookings in the travel industry. Following an anonymous complaint on 26 September 2023, the AEPD initiated proceedings against Amadeus to investigate possible GDPR breaches in relation to a pilot scheme called ‘PLATAFORMA.1’ (the Pilot).

The intention of the Pilot was to identify travel trends and offer “hyper-personalised” experiences and targeted searches through user profiling. The Pilot took personal data collected from flight and travel bookings through Amadeus’s GDS, including Passenger Name Record (PNR) data. This data was then repurposed to create traveller profiles, which would in turn be shared with hotels and other travel companies.

Why were they fined?

(i) Breach of Article 14 (Information obligations to data subjects)

The AEPD found that Amadeus had failed to comply with its obligations to provide data subjects with information about its processing under Article 14 GDPR. Amadeus is a B2B service and generally receives traveller data through intermediaries, namely airlines and travel agencies. It was found that the Pilot involved further processing of traveller data for a purpose different from the one for which it was originally collected. Amadeus failed to provide data subjects with the information required under Article 14 about the further processing of their data in relation to the Pilot.

Amadeus attempted to rely on broad language in its privacy policy, such as references to the use of data for analytics or product improvement. The AEPD rejected this as insufficient, especially for a specific and complex further processing activity where there is no direct relationship between Amadeus and travellers. Furthermore, Amadeus did not provide specific, timely information about the new purpose in advance of the new processing.

Without meaningful notice of the new processing, travellers are unable to exercise their rights under GDPR, and travellers could not reasonably be expected to be aware of the use of their data.

(ii) Breach of Article 6 (No lawful basis)

In addition, the AEPD found that Amadeus had breached Article 6, as it had processed the personal data for the Pilot without a valid lawful basis. Amadeus sought to rely on the legitimate interest basis; however, the AEPD rejected this for a number of reasons, including that the processing was not within the reasonable expectations of travellers, there was no direct relationship between the parties, the processing lacked transparency, and, particularly given the scale and context, no clear balancing exercise had taken place to demonstrate that Amadeus’s commercial interests outweighed the fundamental rights of the travellers.

The AEPD also referenced the failure to meet the requirement under GDPR Article 6(4) to conduct a compatibility assessment to determine whether a new purpose (i.e. the further processing under the Pilot) is compatible with the original purpose for which the data had been collected. Amadeus did not appear to have sufficiently carried out such an assessment. Furthermore, it was found that the PNR data was kept beyond the statutory retention periods set out in Regulation (EC) No 80/2009 (the Computerised Reservation Systems Regulation). Under that Regulation, Amadeus should have ensured that information concerning individual bookings was stored offline within seventy-two hours and destroyed within three years; instead, Amadeus had used both active and inactive data for 2019.

(iii) Final outcome

The AEPD proposed a fine of €9 million for the breach of the duty to provide information (Article 14), and a further €9 million for processing with no lawful basis (Article 6), totalling an overall fine of €18 million. The AEPD considered aggravating factors in setting the amounts:

  • the scale and severity of the processing, with millions of data subjects affected and unable to exercise their rights, as they were unaware of the further processing;
  • a prior infringement for breach of Article 12 GDPR in 2022; and
  • Amadeus’s position as a routine processor of large-scale personal data, which meant it should have been fully aware of its obligations.

Amadeus’s processing under the Pilot was cross-border, so the AEPD submitted a draft decision to other supervisory authorities under the Article 60 GDPR cooperation process. The concerned supervisory authorities raised no relevant and reasoned objections.

Amadeus chose to make a voluntary payment of the proposed fine, resulting in a 20% discount to €14.4 million. However, voluntary payment can be made without admission of liability, and Amadeus has stated that it intends to appeal in the Spanish courts.

Our take: key steps for data reuse projects

The AEPD’s decision highlights a number of key lessons for any organisation looking to reuse data for the development of new products, services, or insights.

Service providers reusing data to develop products, services, or insights are data controllers – where the reuse is carried out for the supplier’s own purposes and not for any specific client, the organisation acts as a controller. This is the case even if it acquired the data while providing services as a processor; factually, the supplier is a controller and must comply with its controller obligations.

Compliance still matters for pilots – fast-tracking compliance for pilots may be the correct risk decision in some cases, for example where dummy data is used. But where a ‘pilot’ involves processing real data, particularly where the processing is unexpected, intrusive, or carried out at scale, privacy compliance processes should be followed in full before the pilot commences.

Privacy notices need to be specific – individuals should be given enough information to understand how their personal data will be used.

Privacy notices need to be communicated – where organisations have no direct relationship with the data subjects, they must consider how they will communicate information about their processing to comply with their Article 14 obligations.

Compatibility assessments, legitimate interests assessments and data protection impact assessments – where an organisation is carrying out further processing for a new purpose not originally communicated, it will need to assess compatibility with the initial purpose. The AEPD’s decision also highlights the importance of carrying out a legitimate interests assessment and, in particular, the balancing test to see whether the individual’s fundamental rights outweigh the controller’s interests. For most projects involving innovative uses of, and insights from, data, a data protection impact assessment will be appropriate.

Contracts – where suppliers reuse customer personal data for their own purposes, they should ensure contracts include:

  • clear terms on where they act as controller, joint controller, and processor and appropriate provisions in each case; and
  • the right to use customer data for their own business purposes.

Where it makes sense to do so, they should also consider an obligation on their customers to provide their privacy notice to data subjects, where the customer is best placed to do so.

The full AEPD decision is available to read in Spanish here

The authors of this article are human subject matter experts, but have referred to a machine translation of the decision (from the original Spanish language decision linked above).

Article prepared with the kind assistance of Amelia Farquharson.