[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fP2qDs8omzERkcnEuNoP0h-ukXgiTGPlg_Z48kAAPiQ8":3},{"article":4,"iocs":45},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":24,"category":25,"article_tags":29},"7ac457af-1323-4986-ad56-9b2741b12201","AEPD (Spain) - PS-00005-2025","aepd-spain-ps-00005-2025-add9ab","Created page with \"{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS-00005-2025 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https:\u002F\u002Fwww.aepd.es\u002Fdocumento\u002Fps-00005-2025.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Cod...\" Show changes","Spain's data protection authority (AEPD) fined Amadeus IT Group €18 million for violating GDPR Articles 6 and 14 by reusing traveller Passenger Name Record (PNR) data originally collected for reservations to test a new product without proper legal basis or notification. 
The company, which operates a Global Distribution System (GDS) used by airlines and travel agencies, failed to adequately inform data subjects of the secondary use and could not justify the processing under legitimate interest, as travelers had no reasonable expectation their data would be reused years later by a company they had no direct relationship with.","Spain's AEPD fines Amadeus IT Group €18M for unlawful PNR data reuse without consent or legal basis.","AEPD (Spain) - PS-00005-2025 From GDPRhub Latest revision as of 13:39, 27 May 2026 AEPD - PS-00005-2025 Authority: AEPD (Spain) Jurisdiction: Spain Relevant Law: Article 6 GDPR Article 14 GDPR Type: Complaint Outcome: Upheld Started: Decided: Published: Fine: 18.000.000 EUR Parties: Amadeus IT Group, S.A. National Case Number\u002FName: PS-00005-2025 European Case Law Identifier: n\u002Fa Appeal: Unknown Original Language(s): Spanish Original Source: AEPD (in ES) Initial Contributor: bms Amadeus was fined for using travellers’ PNR data, originally collected for reservations, to test a new product without properly informing data subjects or having a valid legal basis. English Summary Facts The DPA initiated proceedings against Amadeus IT Group, S.A., the controller, after receiving an anonymous complaint alleging the unlawful use of travel booking data for profiling. The controller operated a Global Distribution System (GDS), a B2B reservation system used by airlines, hotels and travel agencies. 
The complaint alleged that personal data of travellers worldwide had been consolidated in a data platform and used to create travel histories and profiles, without consent and without adequate information being provided to the travellers. During the investigation, the DPA found that the controller had used Passenger Name Record (PNR) data from its GDS for a pilot project. The DPA considered that, for data obtained from hotel chains, the controller acted as processor, while for its own GDS PNR data it acted as controller. The relevant data had originally been collected for travel reservations, but was later used to test the feasibility of developing a new product. The controller stated that the pilot was never commercialised and was later discarded, including for data protection reasons. It also claimed that the processing of its own GDS data was based on legitimate interest and that information on the processing was available in its privacy policy. Holding The DPA held that the controller violated Article 14 GDPR. Since the data had not been obtained directly from the data subjects and was later used for a different purpose, the controller had to provide information about that further purpose before the processing took place. The DPA found that a general reference in a website privacy notice was insufficient to meet this obligation, especially because the GDS service was B2B and the controller had no direct relationship with the end travellers. Data subjects could not reasonably be expected to know that travel reservation data would later be used by a company with which they had no direct relationship to test a new product. The DPA also held that the controller violated Article 6 GDPR. The controller could not rely on legitimate interest because the processing concerned PNR data collected for reservations and used years later for a pilot project. The DPA considered that the data subjects had no reasonable expectation that their data would be reused in this way. 
The DPA also found no evidence of consent, contractual necessity, legal obligation, vital interest, public interest task, or any other valid legal basis. The DPA further noted that Regulation (EC) 80\u002F2009 requires identifiable individual reservation data under the control of a system vendor to be made inaccessible online no later than 72 hours after the last element of the reservation and destroyed within three years, with access only allowed for billing disputes. Nevertheless, the controller used active and inactive PNR data from 2019 three years later for the pilot. For the infringement of Article 14 GDPR, the DPA imposed a fine of €9,000,000. For the infringement of Article 6 GDPR, it imposed another €9,000,000, resulting in a total fine of €18,000,000. The controller made a voluntary payment without admitting liability, which reduced the fine by 20% to €14,400,000 and terminated the procedure. No additional corrective measure was imposed beyond the monetary sanction and the termination of the procedure by voluntary payment. English Machine Translation of the Decision The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. 
1\u002F53  File No.: EXP202315175 IMI Reference: A56ID 590304 RESOLUTION OF TERMINATION OF THE PROCEDURE DUE TO VOLUNTARY PAYMENT From the procedure initiated by the Spanish Data Protection Agency and based on the following CONTENT BACKGROUND..........................................................................................................4 FIRST: The Spanish Data Protection Agency has become aware of certain facts............................................................................................................4 SECOND: As a result of the known facts, on October 31, 2023, the Director of the Spanish Data Protection Agency instructed the Deputy Directorate General for Data Inspection (SGID) to initiate the preliminary investigation proceedings ............................................................................................4 THIRD: In response to a request for information from this Agency, on October 18, In December 2023, a document from AMADEUS was received.........................................5 FOURTH: Through the “Internal Market Information System” (hereinafter IMI System), regulated by Regulation (EU) No 1024\u002F2012 of the European Parliament and of the Council of 25 October 2012 (IMI Regulation), whose objective is to promote cross-border administrative cooperation, mutual assistance between Member States and the exchange of information, this Agency transmitted the aforementioned matter on 22 December 2023..........................................................5 FIFTH: The Deputy Directorate General for Data Inspection proceeded to carry out preliminary investigative actions....................................................................6 1. Extension of the complaint...............................................................................6 2. Regulatory framework..............................................................................................6 3. 
Glossary..........................................................................................................7 4. About AMADEUS............................................................................................8 4.1. About the operation of AMADEUS....................................................8 4.2. About the origin of passengers' personal data and the legal basis for collecting said data...................................................11 4.3. About the AMADEUS GDS privacy policy...........................12 4.4. About the role of data controller and processor of each of the parties involved.....................................................................................................14 4.5. About the Passenger Name Record (PNR) and the PNR Directive..19 28001 – Madrid 6 sedeaepd.gob.es 2\u002F53 4.6. Regarding the Record of Processing Activities (ROPA)....................19 4.7. Regarding the Impact Assessment of Personal Data Processing in the AMADEUS Reservation System...............................................................20 4.8. Regarding the retention periods for PNRs...............................20 5. 
Regarding ***PLATFORM.1 (***PLATFORM.1)..........................................23 -.5.1.- Regarding knowledge of ***PLATFORM.1.......................................23 -.5.2.- Information about the product ***PLATF","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AEPD_(Spain)_-_PS-00005-2025&diff=51750&oldid=0","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F5\u002F59\u002FLogoES.jpg","2026-05-27T13:39:39+00:00","2026-05-27T14:00:10.534608+00:00",8,[18,21],{"name":19,"type":20},"Amadeus IT Group","vendor",{"name":22,"type":23},"Global Distribution System (GDS)","technology","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":24,"icon":26,"name":27,"slug":28},null,"GDPR","gdpr",[30,35,40],{"category":31},{"id":32,"icon":26,"name":33,"slug":34},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":36},{"id":37,"icon":26,"name":38,"slug":39},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",{"category":41},{"id":42,"icon":26,"name":43,"slug":44},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]