Data Privacy & Governance Hub

Record of €18M Fine for Amadeus Over GDPR Violations Involving Traveler Data


Key Takeaways

  • Spain’s data protection authority (AEPD) imposed an €18 million fine, which was reduced to €14.4 million after voluntary payment, on Amadeus IT Group for GDPR violations involving the reuse of traveler data without a proper legal basis or notice.
  • The enforcement action found breaches of both Articles 14 and 6 GDPR, including the failure to inform data subjects and an insufficient legal basis for secondary data processing.
  • The violations stemmed from a traveler-profiling pilot project that repurposed Passenger Name Record (PNR) data to build travel profiles with details to share with hotel partners.
  • The case highlights the growing scrutiny of profiling, data repurposing, and large-scale commercial use of travel data across Europe.

What Happened

In May 2026, Spain’s Agencia Española de Protección de Datos (AEPD) announced a major enforcement action against Amadeus IT Group, a global travel-technology provider that operates one of the largest Global Distribution Systems (GDS). The AEPD imposed an €18 million fine, which was later lowered to €14 million after Amadeus made a voluntary payment.

The investigation began shortly after an anonymous complaint in September 2023, which alleged that Amadeus had consolidated and repurposed over 12 billion traveler records to build profiling datasets to share with hotel chains.

According to the AEPD, Amadeus reused PNR data collected through its GDS for a pilot profiling initiative known as “PLATFORMA.1”, which was designed to identify travel trends and support personalized search and retail experiences. The AEPD determined that Amadeus acted as a data controller and violated GDPR Articles 14 and 6 by failing to provide travelers with the required notices and lacking a valid legal basis for the secondary use of their data.

Amadeus has stated that it will appeal the decision, arguing that the sanction is disproportionate and emphasizing that no financial or sensitive data was externally shared.

Privacy and Governance Concerns

The Amadeus case raises several governance issues relevant to European data-protection enforcement. The AEPD found that Amadeus’s repurposing of PNR data for profiling without clear or timely notice underscores persistent risks associated with large-scale secondary use of commercial travel data.

Regulators also determined that the company lacked a sufficient legal basis for its profiling activities, noting that broad privacy-policy language was not adequate to justify complex processing involving millions of individuals.

The investigation further demonstrated the challenges of coordinating GDPR enforcement across borders. The case involved 18 European supervisory authorities, which reflects the scale of GDS data flows and the complexity of cross-border operations under the GDPR’s cooperation mechanism. The pilot project’s matching of PNR data with hotel-chain records also raised concerns about commercial surveillance, misuse of sensitive travel patterns, and data minimization, highlighting how easily detailed behavioral profiles can be constructed from such datasets.

Why It Matters / Policy Considerations

The Amadeus enforcement action underscores the heightened scrutiny surrounding data repurposing and profiling in sectors that handle large volumes of personal information, especially hospitality and travel. The case illustrates the need for stronger transparency requirements, as companies cannot rely solely on broad or generic privacy-policy language when engaging in complex secondary uses of personal data. Regulators are also signaling that large-scale profiling, especially when it uses cross-border datasets, requires explicit legal justification and robust safeguards, which reflects the GDPR’s emphasis on lawful processing and purpose limitation.

The case highlights broader risks associated with commercial data ecosystems, where travel data combined with hotel or third-party datasets can reveal sensitive behavioral patterns. This suggests that stronger oversight may be necessary to prevent unauthorized repurposing or misuse. With multiple DPAs involved and no objections raised under the GDPR’s cooperation mechanism, the Amadeus decision may serve as a model for future cross-border enforcement actions, reinforcing the EU’s commitment to addressing profiling practices and large-scale data consolidation.
