Spain's data protection authority (AEPD) has concluded its proceeding against Amadeus IT Group after the company made a voluntary payment of €14.4 million to settle a penalty over the profiling of travellers using their booking data. The figure represents a reduction from an initial €18 million penalty, applied following Amadeus's voluntary payment; the company did not admit liability. The investigation was triggered by an anonymous complaint filed in September 2023.

At the centre of the case was a pilot in which booking data drawn from airlines and travel agencies was consolidated into a platform used to profile travellers based on their reservation histories. The AEPD found that the project combined global distribution system (GDS) data with hotel customer data and drew on passenger name record (PNR) files dating from 2019 — records accessed up to three years after the original reservations were made. The regulator cited alleged violations of Article 6 of the GDPR, concerning the lawful basis for processing, and Article 14, which requires organisations to inform individuals when their data is processed without having been collected directly from them. Amadeus characterised the pilot as a three-month test of the technical feasibility of analysing traveller data to generate aggregated statistical patterns, intended to improve the traveller experience.

The decision is being read across the travel technology sector as a warning about the reuse of passenger data. The case turns on a familiar tension: data collected for one purpose — completing and managing a booking — was repurposed for profiling and analytics without a fresh lawful basis or the transparency that Article 14 demands when individuals are not the direct source of the data. That the processing was framed as a limited pilot did not insulate it from enforcement, and the use of PNR records years after the original reservation underscored the AEPD's concern about data being retained and reused well beyond its original context.

For organisations that hold large volumes of customer transaction data, the Amadeus settlement is a reminder that analytics and profiling initiatives — even exploratory ones — require their own lawful basis and their own transparency provision. The reuse of historical data for a new purpose is not a technical detail; it is a distinct processing activity that must be assessed and documented on its own terms.

Acompli perspective: The Amadeus case is a textbook example of purpose limitation and transparency colliding with the commercial appetite to extract value from existing data. Calling a profiling exercise a "pilot" does not exempt it from the GDPR, and reusing data collected for bookings to build traveller profiles is a new purpose that needs its own legal basis and its own Article 14 disclosure. Organisations planning analytics or profiling on customer data should confirm that their data mapping accurately reflects what data they hold and for what original purpose, that their assessment processes cover the specific risks of repurposing historical data, and that their records of processing document the actual legal basis relied upon for each activity — not an aspirational one.