We’re creating a more connected travel industry, underpinned by sustainability and long-term investor relations.
Last updated - May 2018
The EU’s new General Data Protection Regulation (GDPR) is effective May 25, 2018. This regulation aims to update existing data protection laws and strengthen the protection of personal data to take into account recent technological developments, globalization and complex flows of personal data. It is a modernization of current data protection laws.
The GDPR will apply to organizations processing personal data in the EU but also to organizations outside of the EU who may be targeting, or offering goods and services to individuals within the EU.
Compliance with regulation is one of Amadeus’ highest priorities. Amadeus has run an internal GDPR program to address the requirements under the GDPR. This program has included an assessment of Amadeus systems, which has documented how personal data is processed and has also identified changes required to systems that process personal data to comply with GDPR requirements. Within this review, we have taken into account travel industry standards, to ensure that GDPR requirements are met while also meeting the needs of the travel industry.
Our goal has been and still is to assure that personal data is processed in accordance with the new transparency and accountability requirements of the GDPR and is adequately protected to enable Amadeus to address the requirements under the GDPR and to support our customers by providing information so that they can meet any compliance obligations they may have.
Our Amadeus Customer and Business Partner Privacy Notice can be found here.
For further information regarding the GDPR, please see below a Glossary, a Frequently Asked Questions (FAQ) section and our Privacy Principles. Should you have any further questions, please contact your account manager.
Personal data: personal data is all the information about an identified or identifiable individual; this means that if you can identify an individual from the information that you are processing or handling, even if not by name, it is likely that you are processing personal data.
Data processor: the entity processing on behalf of and in accordance with the instructions of a data controller.
Data controller: the entity deciding the means and purpose of the processing of personal data. Amadeus is considered a data controller in its role as GDS.
Please channel your questions through your ordinary contact at Amadeus.
As information, in particular personal data, is at the core of Amadeus business, handling of personal data is essential and consequently Data Privacy / Data Protection has high priority in the Amadeus Group. Therefore, Amadeus has committed itself to adhere to the Amadeus Privacy Principles.
The Amadeus Privacy Principles form the basis of the Amadeus Privacy Framework as reflected in our Corporate Policies, standards and processes and ultimately our behaviour.
As a global enterprise, Amadeus has taken account of internationally recognized standards (such as the Guidelines of the United Nations and of the OECD and the ISO/IEC 29100), and the EU General Data Protection Regulation (GDPR) in the course of setting the Amadeus Privacy Principles.
|Transparency||Inform how Amadeus processes personal data|
|Transparency||We must be transparent about how we process personal data and give (1) individuals appropriate privacy notices when collecting their personal data and (2) customers appropriate information about data storage, flows and access.|
|Respecting data subject’s rights||
The data subject has
|Proportionality||Process personal data as necessary to provide the services and allow access on a need-to-know basis|
We have to specify from the outset for which purposes we are processing personal data and what we intend to do with it.
We may process personal data only for these specific and lawful purposes.
We must limit
|Accuracy||We must ensure that personal data is accurate, complete and up-to-date (unless there is a legitimate basis for keeping outdated data)|
|Adequate Protection||Keep personal data secure and treat it as strictly confidential|
|Security||We have to take appropriate technical and organizational measures to protect personal data against such risks as loss or unauthorized access, destruction, use modification or disclosure.|
|Data transfers||We must ensure that personal data is adequately protected before transferring it to another party.|