The Spanish Data Protection Agency’s (AEPD) ruling followed an investigation launched after an anonymous complaint was filed in 2023, which alleged improper use of traveller data to profile users.
The investigation focused on the Traveler Centric Platform pilot project, a three-month initiative that tested technical capabilities for analysing traveller data by extracting aggregated statistical patterns with the aim of improving the travel experience.
In making its judgement, the AEPD said the travel tech giant had violated two key articles of the General Data Protection Regulation by improperly processing passenger booking data stored in its GDS to conduct a program aimed at developing new predictive products for airlines, hotels, and travel agencies.
The fine, which was initially €18 million before being reduced after voluntary payments were made, will be appealed by Amadeus.
According to local reporting, the company has indicated it will file an appeal before the courts, stating the fine is not proportionate and that it “respectfully” disagrees with the interpretation by the AEPD.
In its privacy statement, Amadeus states that it may share personal data with Amadeus GDS users, service providers who may act on Amadeus GDS users, Amadeus affiliates within its group of companies, and, if necessary or legally required, with public and government authorities. Amadeus was contacted for comment but did not reply by the time of publishing.

