Amadeus IT Group, S.A. – €18,000,000 Fine (Spain, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Amadeus IT Group was fined €18 million for using travel booking data without proper consent. The company collected personal data from travelers and used it to create profiles without informing them. This case highlights the importance of transparency and consent in handling personal data, especially for businesses in the travel industry.
What happened
Amadeus IT Group was fined for unlawfully using travel booking data to create profiles without consent.
Who was affected
Travelers whose data was used to create profiles without their knowledge were affected.
What the authority found
The data protection authority found that Amadeus violated GDPR by not providing adequate information to travelers about how their data was used.
Why this matters
This case emphasizes the need for companies to be transparent about data usage and obtain consent. Businesses in the travel sector should ensure they inform customers properly about how their data is handled.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The DPA initiated proceedings against Amadeus IT Group, S.A., the controller, after receiving an anonymous complaint alleging the unlawful use of travel booking data for profiling. The controller operated a Global Distribution System (GDS), a B2B reservation system used by airlines, hotels and travel agencies. The complaint alleged that personal data of travellers worldwide had been consolidated in a data platform and used to create travel histories and profiles, without consent and without adequate information being provided to the travellers.
During the investigation, the DPA found that the controller had used Passenger Name Record (PNR) data from its GDS for a pilot project. The DPA considered that, for data obtained from hotel chains, the controller acted as processor, while for its own GDS PNR data it acted as controller. The relevant data had originally been collected for travel reservations, but was later used to test the feasibility of developing a new product. The controller stated that the pilot was never commercialised and was later discarded, including for data protection reasons. It also claimed that the processing of its own GDS data was based on legitimate interest and that information on the processing was available in its privacy policy.
The DPA held that the controller violated Article 14 GDPR. Since the data had not been obtained directly from the data subjects and was later used for a different purpose, the controller had to provide information about that further purpose before the processing took place. The DPA found that a general reference in a website privacy notice was insufficient to meet this obligation, especially because the GDS service was B2B and the controller had no direct relationship with the end travellers. Data subjects could not reasonably be expected to know that travel reservation data would later be used by a company with which they had no direct relationship to test a new product. The DPA also held that the controller viol
Related Enforcement Actions (0)
No other enforcement actions found for Amadeus IT Group, S.A. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date: 7 April 2026
Authority: Agencia Española de Protección de Datos
Fine Amount: €18,000,000
GDPRhub ID: gdprhub-10025
Cite as: Cookie Fines. Amadeus IT Group, S.A. - Spain (2026). Retrieved from cookiefines.eu