Why Spain fined a travel giant €14m over privacy

Spain’s data protection watchdog has handed travel technology giant Amadeus a €14.4 million fine after ruling that a pilot project used traveller booking data to build customer profiles without a sufficient legal basis and without properly informing those affected.

The penalty was imposed by Spain’s data protection authority, the Agencia Española de Protección de Datos (AEPD), following an investigation that began after an anonymous complaint was filed in 2023. The case centred on a pilot programme that analysed passenger booking information collected through Amadeus’ global distribution system, one of the world’s largest travel booking networks used by airlines and travel agencies.

What was Amadeus accused of?

According to the regulator, the project brought together booking information from airlines, travel agents and hotel partners to create traveller profiles based on booking histories and travel behaviour. The investigation found that passenger name record (PNR) data dating back to 2019 was used, including records that had been stored for several years after the original trips took place.

The AEPD concluded that the project breached key provisions of the EU’s General Data Protection Regulation (GDPR), specifically rules covering transparency and the lawful processing of personal data. Regulators argued that travellers were not adequately informed that their data could be used in this way and that the company lacked a valid legal basis for the profiling activity.

Why this matters to travellers

For many consumers, booking a flight or hotel means providing personal information with the expectation that it will be used to complete their reservation. The case highlights growing concerns about how travel companies use customer data beyond the original booking process.

Privacy regulators across Europe have become increasingly active in policing the use of personal information, particularly where profiling and behavioural analysis are involved. Spain’s regulator has significantly increased both the number and value of fines issued in recent years as GDPR enforcement intensifies.

Fine reduced after payment

The original penalty was set at €18 million. However, the amount was reduced by 20 per cent to €14.4 million after Amadeus opted to make a voluntary payment. The company did so without admitting liability.

The ruling serves as a reminder that companies operating in Europe face increasing scrutiny over how they collect, store and analyse customer information. For travellers, it is another example of regulators taking a tougher stance on the use of personal data in the digital age.