
Emirates Fined €180,000 for GDPR Violations Over Health Data Transparency and Excessive Retention

Emirates failed to adequately inform passengers with reduced mobility about how the sensitive health data collected via the MEDIF form was processed, violating the GDPR's transparency requirements under Articles 13 and 14. Compounding this, the airline retained that health data for 7 years without a lawful justification for the retention period, breaching the data minimisation and storage limitation principles. The case shows that even where the underlying processing is lawful, failures in transparency and retention governance can independently trigger significant regulatory penalties. Organisations handling special category data (such as health information) face heightened obligations and must ensure both clear communication to data subjects and strict enforcement of data lifecycle policies.

Tactical Insight

Immediate actions

  • Audit all data collection forms involving special category data (health, biometric, etc.) to verify that privacy notices are complete, plain-language, and GDPR-compliant.
  • Review current retention schedules for sensitive personal data and immediately purge records held beyond any justifiable retention period.

Long-term improvements

  • Establish and enforce a formal Data Retention and Disposal Policy with automated controls that flag or delete records at defined lifecycle endpoints.
  • Embed Data Protection Impact Assessments (DPIAs) into any process that collects special category data, ensuring lawful basis, necessity, and transparency are documented before go-live.
  • Appoint or empower a Data Protection Officer (DPO) to conduct annual reviews of privacy notices and retention schedules across all business units.

Detection & compliance measures

  • Implement a Privacy Information Management System (PIMS) or Records of Processing Activities (RoPA) tool to maintain real-time visibility of what data is held, for how long, and under what lawful basis.
  • Schedule periodic third-party GDPR compliance audits focused on special category data handling to identify transparency and retention gaps before regulators do.