Amadeus's €14.4M fine: the purpose-limitation lesson every TMC needs to learn

By Marian Matinca · 4 min read

The pilot lasted three months. The fine — €14.4 million.

It wasn't a cyberattack. It wasn't a data leak. Nobody broke into anything. It was an internal test, run by a company most travelers don't even know processes their bookings.

And that's exactly what should give us pause. Because the mistake Amadeus made wasn't a security mistake. It's one that half the travel industry makes, in one form or another — without realizing it.

What happened

Spain's data protection authority (AEPD) fined Amadeus IT Group €14.4 million. The original figure was €18 million, reduced after a voluntary payment, with no admission of liability. The investigation began with an anonymous complaint in 2023, and Amadeus has said it will challenge the decision in court, arguing the fine is disproportionate.

What Amadeus actually did: it took booking data from its own GDS — including archived PNR records from 2019 — combined it with customer data from hotel chains, and built traveler profiles based on their reservation histories. The stated goal was to test a personalization product.

The fine covers two separate violations: failure to inform the data subjects (Article 14) and processing without a valid legal basis (Article 6).

The detail that matters most: the data came from 2019 and was used years later, for a purpose nobody consented to when they made their booking.

Why it matters — and why it's not just Amadeus's problem

This isn't about security in the classic sense. The data was, in all likelihood, perfectly secured. The problem is subtler and, precisely for that reason, more dangerous: purpose.

GDPR has a principle called purpose limitation. Data collected to complete a booking doesn't automatically become available for anything else you later think of. A PNR is collected to move a passenger from A to B. Not to build a behavioral profile three years down the line.

This is the trap a large part of the travel industry falls into: we treat booking data as an asset that belongs to us, one we can reuse however we like. It doesn't work that way. Every new purpose needs its own legal basis and its own notice to the data subject. "We already have the data" is not a justification. "We collected it legally three years ago" doesn't cover what you do with it today.

And it doesn't matter that the pilot only ran three months. It doesn't matter that it was "just a test." GDPR has no exemption for internal experiments. If you process personal data without a legal basis, duration won't save you — the exposure exists from day one.

What anyone touching PNR data should check

This case isn't about Amadeus. It's about every TMC, agency, and vendor working with booking data. Three questions worth asking before any project that touches it:

  1. What purpose did I originally collect this data for — and is what I want to do now the same purpose, or a new one? If it's new, do I have a separate legal basis for it?
  2. Do the data subjects know their data can be used this way? If there's no clear notice, that absence is itself a violation — independent of anything else.
  3. Am I using archived data that was collected for something else, a long time ago? If so, I need an even stronger justification, not the assumption that "it was there anyway."

None of these questions is solved by a tool. They're solved by someone who stops before the project starts and asks the uncomfortable question.

Who actually carries the weight

In any organization, this check falls on a small set of people — the ones who understand both the technology and the regulation, and who put their name on the decision. They're the same people who, under the pressure of "let's ship the product fast," have to be the ones saying "hold on — on what legal basis?"

It's invisible, thankless work. It shows up in no productivity report. But €14.4 million is exactly what it costs when nobody does it.

The question for any company working with traveler data isn't whether we have the data. It's why we're allowed to use it this way — and who, in your organization, has the authority and the nerve to answer that honestly before it's too late.