GDPR | Jun 2, 2026

AEPD (Spain) - PS-00005-2025

Spain's AEPD fines Amadeus €18M (paid as €14.4M after a voluntary-payment reduction) for reusing travellers' PNR data to test a new product without a valid legal basis and without informing the data subjects.

Summary

Spain's Data Protection Authority (AEPD) fined Amadeus IT Group, S.A. for violating GDPR Articles 14 and 6 by reusing passenger name record (PNR) data, originally collected through its Global Distribution System (GDS) for travel reservations, to test the feasibility of a new product. Because the data had not been obtained from the travellers directly and was later processed for a new purpose, Amadeus had to inform them of that purpose before the processing began; a general reference in its website privacy policy was insufficient, since the GDS is a B2B service with no direct relationship to end travellers (Article 14). Legitimate interest was rejected because travellers had no reasonable expectation that reservation data would be reused years later for a pilot, and no other legal basis applied (Article 6). The DPA further noted that Regulation (EC) 80/2009 requires a system vendor to take identifiable reservation data offline within 72 hours of the last element of the reservation and to destroy it within three years, whereas Amadeus used PNR data from 2019 three years later. The AEPD imposed €9M per infringement, €18M in total; Amadeus made a voluntary payment without admitting liability, which reduced the fine by 20% to €14.4M and terminated the proceedings.

Full text

GDPRhub entry "AEPD (Spain) - PS-00005-2025", latest revision as of 11:33, 2 June 2026 (initial contributor: bms).

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR; Article 14 GDPR
Type: Complaint
Outcome: Upheld
Fine: €18,000,000
Parties: Amadeus IT Group, S.A.
National Case Number/Name: PS-00005-2025
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: bms

Amadeus was fined for using travellers' passenger name record (PNR) data, originally collected for reservations, to test a new product without properly informing data subjects or having a valid legal basis.

English Summary

Facts

The DPA initiated proceedings against Amadeus IT Group, S.A., the controller, after receiving an anonymous complaint alleging the unlawful use of travel booking data for profiling. The controller operated a Global Distribution System (GDS), a B2B reservation system used by airlines, hotels and travel agencies. The complaint alleged that personal data of travellers worldwide had been consolidated in a data platform and used to create travel histories and profiles, without consent and without adequate information being provided to the travellers.

During the investigation, the DPA found that the controller had used PNR data from its GDS for a pilot project. The DPA considered that, for data obtained from hotel chains, the controller acted as processor, while for its own GDS PNR data it acted as controller. The relevant data had originally been collected for travel reservations, but was later used to test the feasibility of developing a new product. The controller stated that the pilot was never commercialised and was later discarded, including for data protection reasons. It also claimed that the processing of its own GDS data was based on legitimate interest and that information on the processing was available in its privacy policy.

Holding

The DPA held that the controller violated Article 14 GDPR. Since the data had not been obtained directly from the data subjects and was later used for a different purpose, the controller had to provide information about that further purpose before the processing took place. The DPA found that a general reference in a website privacy notice was insufficient to meet this obligation, especially because the GDS service was B2B and the controller had no direct relationship with the end travellers. Data subjects could not reasonably be expected to know that travel reservation data would later be used by a company with which they had no direct relationship to test a new product.

The DPA also held that the controller violated Article 6 GDPR. The controller could not rely on legitimate interest because the processing concerned PNR data collected for reservations and used years later for a pilot project. The DPA considered that the data subjects had no reasonable expectation that their data would be reused in this way. The DPA also found no evidence of consent, contractual necessity, legal obligation, vital interest, public interest task, or any other valid legal basis.

The DPA further noted that Regulation (EC) 80/2009 requires identifiable individual reservation data under the control of a system vendor to be made inaccessible online no later than 72 hours after the last element of the reservation and destroyed within three years, with access only allowed for billing disputes. Nevertheless, the controller used active and inactive PNR data from 2019 three years later for the pilot.

For the infringement of Article 14 GDPR, the DPA imposed a fine of €9,000,000. For the infringement of Article 6 GDPR, it imposed another €9,000,000, resulting in a total fine of €18,000,000. The controller made a voluntary payment without admitting liability, which under Spanish Administrative Law 39/2015 reduced the fine by 20% to €14,400,000 and terminated the procedure. No additional corrective measure was imposed beyond the monetary sanction and the termination of the procedure by voluntary payment.

Entities

Amadeus (vendor)