GDPR, Jun 3, 2026

AEPD (Spain) - PS-00005-2025

Spain's AEPD fines Amadeus IT Group €18M for unlawful reuse of travel data without proper legal basis.

Summary

Spain's data protection authority (AEPD) fined Amadeus IT Group €18 million for violating GDPR Articles 6 and 14 by repurposing passenger name record (PNR) data originally collected for travel reservations to test a new product without adequate consent or information provision. The case involved the unlawful consolidation and profiling of traveler data across its Global Distribution System, with the DPA finding that general privacy policy disclosures were insufficient given the B2B nature of the service and lack of direct consumer relationship.

Full text

From GDPRhub. Latest revision as of 08:52, 3 June 2026.

AEPD - PS-00005-2025

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR; Article 14 GDPR
Type: Complaint
Outcome: Upheld
Started: 31.10.2023
Decided: 07.04.2026
Published:
Fine: 18.000.000 EUR
Parties: Amadeus IT Group, S.A.
National Case Number/Name: PS-00005-2025
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: bms

The DPA fined the provider of a B2B reservation system used by airlines, hotels and travel agencies €14,400,000 for using travelers’ personal data originally collected for reservations, to test a new product without properly informing data subjects or having a valid legal basis.

English Summary

Facts

The DPA initiated proceedings against Amadeus IT Group, S.A., the controller, after receiving an anonymous complaint alleging the unlawful use of travel booking data for profiling. The controller operated a Global Distribution System (GDS), a B2B reservation system used by airlines, hotels and travel agencies.
The complaint alleged that personal data of travellers worldwide had been consolidated in a data platform and used to create travel histories and profiles, without consent and without adequate information being provided to the travellers.

During the investigation, the DPA found that the controller had used Passenger Name Record (PNR) data from its GDS for a pilot project. The DPA considered that, for data obtained from hotel chains, the controller acted as processor, while for its own GDS PNR data it acted as controller. The relevant data had originally been collected for travel reservations, but was later used to test the feasibility of developing a new product. The controller stated that the pilot was never commercialised and was later discarded, including for data protection reasons. It also claimed that the processing of its own GDS data was based on legitimate interest and that information on the processing was available in its privacy policy.

Holding

The DPA held that the controller violated Article 14 GDPR. Since the data had not been obtained directly from the data subjects and was later used for a different purpose, the controller had to provide information about that further purpose before the processing took place. The DPA found that a general reference in a website privacy notice was insufficient to meet this obligation, especially because the GDS service was B2B and the controller had no direct relationship with the end travellers. Data subjects could not reasonably be expected to know that travel reservation data would later be used by a company with which they had no direct relationship to test a new product.

The DPA also held that the controller violated Article 6 GDPR. The controller could not rely on legitimate interest because the processing concerned PNR data collected for reservations and used years later for a pilot project. The DPA considered that the data subjects had no reasonable expectation that their data would be reused in this way.
The DPA also found no evidence of consent, contractual necessity, legal obligation, vital interest, public interest task, or any other valid legal basis.

The DPA further noted that Regulation (EC) 80/2009 requires identifiable individual reservation data under the control of a system vendor to be made inaccessible online no later than 72 hours after the last element of the reservation and destroyed within three years, with access only allowed for billing disputes. Nevertheless, the controller used active and inactive PNR data from 2019 three years later for the pilot.

For the infringement of Article 14 GDPR, the DPA imposed a fine of €9,000,000. For the infringement of Article 6 GDPR, it imposed another €9,000,000, resulting in a total fine of €18,000,000. The controller made a voluntary payment without admitting liability, which according to the Spanish Administrative Law (39/2015) reduced the fine by 20% to €14,400,000 and terminated the procedure. No additional corrective measure was imposed beyond the monetary sanction and the termination of the procedure by voluntary payment.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202315175
IMI Reference: A56ID 590304

RESOLUTION OF TERMINATION OF THE PROCEDURE DUE TO VOLUNTARY PAYMENT

From the procedure initiated by the Spanish Data Protection Agency and based on the following

CONTENT

BACKGROUND

FIRST: The Spanish Data Protection Agency has become aware of certain facts

SECOND: As a result of the known facts, on October 31, 2023, the Director of the Spanish Data Protection Agency instructed the Deputy Directorate General for Data Inspection (SGID) to initiate the preliminary investigation proceedings

THIRD: In response to a request for information from this Agency, on October 18, In December 2023, a document from AMADEUS was received

FOURTH: Through the “Internal Market Information System” (hereinafter IMI System), regulated by Regulation (EU) No 1024/2012 of the European Parliament and of the Council of 25 October 2012 (IMI Regulation), whose objective is to promote cross-border administrative cooperation, mutual assistance between Member States and the exchange of information, this Agency transmitted the aforementioned matter on 22 December 2023

FIFTH: The Deputy Directorate General for Data Inspection proceeded to carry out preliminary investigative actions

1. Extension of the complaint
2. Regulatory framework
3. Glossary
4. About AMADEUS
4.1. About the operation of AMADEUS
4.2. About the origin of passengers' personal data and the legal basis for collecting said data
4.3. About the AMADEUS GDS privacy policy
4.4. About the role of data controller and processor of each of the parties involved
4.5. About the Passenger Name Record (PNR) and the PNR Directive

Entities

Amadeus IT Group (vendor)
AEPD (Spanish Data Protection Authority) (vendor)
Global Distribution System (GDS) (technology)