Posted May 28, 2026

Amadeus Gets $16.7M Fine as Spain Targets Travel Data Reuse


Spain’s Data Protection Agency has fined Amadeus IT Group €14.4 million ($16.7 million) over a traveler profiling pilot.

The project used passenger booking data from Amadeus’ global distribution system (GDS), which is the technology used by travel agencies and booking platforms to access and sell airline, hotel, and other travel content. The fine was first set at €18 million ($20.9 million), but it was reduced after Amadeus made a voluntary payment without admitting liability.

Amadeus works behind the scenes in many travel bookings. Travelers may know the airline, hotel, or online travel agency they used, but they may not know which technology company processed the reservation.

What the regulator found

The investigation started after an anonymous complaint in September 2023. The Spanish regulator said Amadeus used historical booking records from 2019 to analyze traveler behavior and create profiles. The pilot also combined GDS booking data with hotel customer data, which raised concerns about how travel information was reused after the original booking.

The AEPD cited GDPR Article 6 and Article 14. Article 6 requires companies to have a legal basis for processing personal data. Article 14 requires companies to clearly inform people when their data is obtained from another source rather than directly from them.

Amadeus says the project was limited

Amadeus disagrees with the decision and plans to appeal. The company said the pilot lasted three months and was designed to test whether traveler data could produce aggregated statistical patterns. Amadeus said the goal was to improve the traveler experience and that no personal data was shared outside the company.

The regulator’s concern was different. It focused on whether travelers were clearly told that their booking data could be reused later for profiling, and whether Amadeus had the right legal basis to do that.

Travel companies should pay attention

The fine is a warning for airlines, hotels, OTAs, travel agencies, and travel technology vendors. Data collected to complete a booking may not automatically be available for a new purpose years later. Even a short internal test can create GDPR risk if it uses personal data without clear notices and a documented legal basis.

This case also fits Spain’s wider push to tighten oversight of travel platforms. Airbnb won a legal challenge after Spain’s Supreme Court annulled a national short-term rental registry, but local restrictions on tourist apartments remain in place. Together, the Amadeus and Airbnb cases show the same direction of travel: Spain is not only regulating what platforms sell, but also how they collect, reuse, and report travel-related data.
