On May 26, 2026, the Spanish Data Protection Agency (“AEPD”) published details of its decision to fine Amadeus IT Group, S.A. (“Amadeus”), a Madrid-headquartered technology provider for the global travel and tourism industry, EUR 18 million in connection with GDPR violations involving Amadeus’s Global Distribution System (“GDS”). Amadeus voluntarily paid the fine, less a 20% reduction, on May 29, 2025, thereby terminating the proceedings without admitting liability. The fine, one of the largest the AEPD has imposed, highlights the enforcement risks associated with repurposing personal data such as passenger data without appropriate transparency or a valid legal basis under the GDPR.

Background to the Fine

Amadeus operates one of the world’s leading GDS platforms: a computerised network that enables real-time transactions between travel service providers (including airlines, hotels, car rentals and travel agencies). The AEPD determined that Amadeus, in its capacity as a GDS operator, acts as a data controller for the processing of travellers’ personal data contained in Passenger Name Records (“PNRs”) generated through its reservation system, as it determines the purposes and means of processing PNR data in this context, in accordance with Article 4(7) GDPR. This finding aligns with Article 11(1) of the EU Code of Conduct for Computerised Reservation Systems (Regulation (EC) No. 80/2009), which designates the system vendor as the data controller for personal data collected in the course of computerised reservation system activities, and which Amadeus expressly acknowledged in its submissions to the AEPD.

The AEPD’s investigation was triggered by an anonymous complaint filed in September 2023, alleging that Amadeus had misused passenger data for profiling purposes. Specifically, the complaint raised concerns that Amadeus had consolidated personal data from travellers worldwide into a data platform and conducted profiling by compiling travel histories associated with specific individuals, including trips booked through agencies and airlines, without obtaining consent or providing adequate notice to data subjects. The complaint alleged that over 12 billion data records were used for this purpose. During the investigation, the AEPD discovered that Amadeus had conducted a pilot project with various hotel chains from 2021 to 2022 (the “Pilot Project”), which involved reusing active and inactive PNR data that had been collected up to three years earlier for travel bookings.

The AEPD acted as the lead supervisory authority under the GDPR’s one-stop-shop mechanism, given that Amadeus has its principal establishment in Spain, and ultimately found two violations: (1) a breach of Article 14 GDPR (failure to provide required information to data subjects when personal data is not obtained directly from them); and (2) a breach of Article 6 GDPR (processing personal data without a valid legal basis).

Article 14 GDPR: Transparency Obligations

Because Amadeus collects personal data indirectly (travellers book through airlines or travel agencies, not directly with Amadeus), Article 14, rather than Article 13, governs its transparency obligations. Article 14 requires controllers to proactively inform data subjects of the identity of the controller, the purposes and legal basis for processing, and the categories of data processed, among other matters. The AEPD found that Amadeus’s privacy policy, while publicly available on its website, was insufficient to satisfy these obligations in the context of the Pilot Project.

In reaching this conclusion, the AEPD emphasised several deficiencies. Critically, the privacy policy did not provide specific information about the Pilot Project or the hotel chains involved, and Amadeus failed to inform data subjects that their PNR data would be used for developing new products which could potentially benefit travellers. The AEPD also noted that, given the B2B nature of GDS services, many travellers were unaware that Amadeus processed their data when making a reservation, let alone that their data would be reused years later for product development purposes by a company with which they had no direct relationship. Generic references in Amadeus’s privacy policy to “developing new products” were similarly insufficient for the purposes of informing data subjects under Article 14.

Article 6 GDPR: Lawfulness of Processing

The second violation concerned the absence of a valid legal basis under Article 6 GDPR for the processing of personal data in connection with the Pilot Project. Amadeus relied on legitimate interests (Article 6(1)(f)) as its lawful basis; however, the AEPD rejected this basis on several grounds:

  1. First, the AEPD noted that Amadeus’s own internal analysis, prepared for “Privacy Week 2022”, had identified reasons why legitimate interests should not be used for this particular processing, and had included a different legal basis for the processing.
  2. Second, given that Amadeus had no direct relationship with travellers and that most data subjects were unaware their data was being processed by Amadeus, there was no reasonable expectation that their booking data would be used years later for an unrelated project by a company they did not know.

Additionally, the AEPD pointed to the fact that Amadeus had implemented an opt-out mechanism allowing data subjects to object to legitimate-interest processing, but this mechanism was rendered useless because travellers were never informed that such processing would take place.

Key Takeaways

The Amadeus decision offers important lessons for organisations that process personal data in contexts where they may not have a direct relationship with the individuals whose data they process:

  1. First, generic privacy policy language may be insufficient to satisfy Article 14 obligations for specific, novel processing activities. Organisations intending to repurpose data for new projects, especially those involving data subjects with whom they have no direct relationship, should consider providing targeted, specific notice about such activities, rather than relying on broad descriptions of potential uses.
  2. Second, legitimate interest is not a default fallback. It requires a genuine, documented balancing exercise that weighs the controller’s interests against the data subjects’ rights and reasonable expectations, and that balancing must be specific to each processing activity.
  3. Third, implementing technical safeguards, like an opt-out mechanism, does not cure a transparency failure. If data subjects are unaware that processing is occurring, opt-out rights cannot meaningfully be exercised.

***

Covington regularly advises leading technology and travel companies on their most challenging data protection, privacy, and regulatory compliance issues in the EU and other major markets. For questions about this decision or its implications for your organisation’s data practices, please contact a member of the Covington team.

Joshua Gray

Joshua Gray is a technology and data-focused lawyer with a distinctly international practice that combines commercial and regulatory expertise. He excels in assisting clients on deals with no precedent where technology and data are at the heart of the project.

Joshua advises on the structuring and negotiation of bespoke technology projects, with a particular focus on AI technologies and large-scale digital infrastructure transactions. His practice includes advising on the full life cycle of data centre projects—from regulatory diligence and corporate transactions to strategic commercial arrangements, co-location and other operational agreements. He also advises leading AI model providers on regulatory matters and strategic collaborations with government agencies on AI safety and testing issues.

Joshua otherwise advises on the full spectrum of technology transactions, including IT services agreements, outsourcing, software development and licensing, cloud computing and infrastructure, M&A and joint ventures.

Joshua has deep industry knowledge and experience in the AI, digital infrastructure, technology, life sciences and travel sectors. This experience has been bolstered through client secondments to Illumina Inc, Barclays Bank and du, a leading telecoms operator in the UAE.

Nigel Howard

For over 30 years Nigel Howard has specialized in technology transactions such as M&A, strategic alliances, licensing, distribution agreements and outsourcing. Clients range from start-ups and emerging companies to international corporations. He has led negotiations of billion dollar service agreements that were critical to his client, and successfully handled the intellectual property and data issues on over 250 venture capital and M&A transactions.

Nigel advises clients on their proprietary rights to data and global strategies for protecting these assets. He has represented companies in transactions covering the full spectrum of AI and data-related activities—including AI deployments, data capture and storage, business and operational intelligence, analytics and visualization, personalized merchandizing, and the related cloud computing services.

Nigel is a “tremendous attorney” singled out for his detail-oriented approach, according to clients interviewed by Chambers and Partners. Peer commentators note his admirable commercial awareness, which achieves business-focused results, often in the most challenging of circumstances. He uses his extensive experience with IP and technology to advise on the commercial imperatives underlying these agreements.

Nigel has been ranked by Chambers Global, Chambers USA, Legal 500, Best Lawyers in America, and Who’s Who in American Law. He is a frequent speaker on AI, data, distribution, and technology legal issues. His past and current clients include American Airlines, the American Bankers Association, American Express, AstraZeneca, British Airways, Brown Brothers Harriman, Cathay Pacific, Cisco, CoBank, DoubleClick, Etihad, HPE, Farelogix, Iberia, Mars, Merck, Merrill Lynch, Microsoft, NCR, the NFL, Novartis, P&G, Philippine Airlines, Promontory Financial, Singapore Airlines, Teva, TouchTunes, UBS, and Wyeth.

Will Capstick

Will Capstick is an associate in the Corporate Practice Group in the London office. He advises clients on a broad range of corporate matters.

Will also has experience advising clients operating in the digital media space in relation to the creation, acquisition, and distribution of content.

Will is committed to pro bono and provides ongoing support to a charity in challenging the death penalty in the US as well as immigration law advice to families seeking leave to remain in the UK.