AEPD fines Amadeus €14.4M for traveler profiling without legal basis

Spain’s AEPD fined Amadeus IT Group €14.4M (reduced from €18M) for a traveler profiling pilot using booking data without a lawful basis and without informing travelers. Decision made public on May 26–27, 2026.

At a glance — Spain’s AEPD imposed an initial €18M fine on Amadeus, reduced to €14.4M via voluntary payment, for reusing booking (PNR) data in a marketing profiling pilot without a lawful basis and without informing data subjects.

Key facts

  • Who: Amadeus IT Group, a global travel technology provider.
  • What: processing data of “millions” of passengers for a marketing profiling pilot without a valid legal basis and without providing information to individuals.
  • Where: Spain (competent authority: AEPD).
  • When: decision made public on May 26–27, 2026 (anonymous complaint filed in September 2023).
  • How much: €18M (two infringements at €9M each), reduced to €14.4M through “pago voluntario” without admission of liability. Amadeus stated it will challenge the decision.

Legal basis

The AEPD found two very serious infringements: lack of a lawful basis for the tested purpose (Article 6) and failure to inform when data is not obtained directly from the individual (Article 14). See Articles 6 and 14 of the GDPR for lawfulness and transparency requirements.

The case signals strict enforcement against secondary data reuse in B2B ecosystems, especially when the controller is effectively “invisible” to the data subject (e.g., GDS, aggregators, sector data hubs).

What it means for Luxembourg-based companies

Exposed actors include airlines, OTAs, TMCs, hospitality, rail, travel insurers, and any player feeding a GDS, B2B marketplace, or sector data hub. Companies that operate in Luxembourg should urgently revalidate their legal bases and information mechanisms when:

  • the subsequent purpose (profiling, scoring, marketing, dynamic pricing, fraud detection) relies on an undocumented/insufficient legitimate interest, or requires consent that has not been validly obtained;
  • travelers are not directly and effectively informed (Article 14) — a buried reference in a generic privacy notice is insufficient when your brand is invisible to the end customer.

Immediate actions

  • Map “invisible” processing: GDS/marketplace flows, data lakes, AI/profiling pilots; verify the legal basis (legitimate interest assessment, consent where required) and the alignment between purposes and information provided.
  • Upgrade Article 14 transparency: targeted and actionable notices (controller identity, purposes, legal basis, rights, sources, recipients, transfers); effective channels (transactional emails, dedicated pages, booking confirmation banners).
  • Control profiling pilots: no testing on real data without a DPIA, a clear legal basis, and contractual governance (Arts. 26/28); establish a data/ethics committee and a DPO/Legal go/no-go decision; document necessity and proportionality and the rejection of incompatible purposes.
  • DPO support: formalize a certified DPO mandate to lead lawfulness analyses, Article 14 transparency, and DPIAs across complex B2B ecosystems.

Bottom line

The trio “B2B reuse + invisible controller + lack of information” drives high enforcement risk. Get ahead by strengthening transparency, documenting legitimate interest, and tightening governance of profiling/AI pilots.

Article generated by Luxgap regulatory watch.
