GDS Privacy Statement

Last updated - April 2018

Privacy notice for Amadeus global distribution system (“Amadeus GDS”)

This Privacy Notice describes how Amadeus IT Group S.A. (“Amadeus”) process personal data included in travel information processed in the Amadeus global distribution system (“Amadeus GDS”). This Privacy Notice applies to personal data Amadeus process through the Amadeus GDS globally.

 

This Privacy Notice for the Amadeus GDS does not apply to personal data that may be collected or processed by Amadeus for other purposes, such as through Amadeus websites or where Amadeus provide services for Amadeus Customers that are not provided through the Amadeus GDS. Where personal data is collected for other purposes, the relevant privacy notice will be provided explaining the purpose the personal data is being processed for.

The Amadeus GDS is a travel technology platform used for the distribution of travel services. This Privacy Notice is independent of notices that Amadeus GDS Users (e.g. travel providers such as airlines, hotels and other travel suppliers and subscribers to the Amadeus GDS such as travel agents) may give travelers. This Privacy Notice describes how Amadeus process personal data on the Amadeus GDS.
 

What personal data is processed and how is this personal data collected?

Amadeus process personal data when Amadeus GDS Users (e.g. the travel agent or airline) input personal data of travelers on the Amadeus GDS that they, the Amadeus GDS Users, have collected. The Amadeus GDS User will be responsible for giving any relevant privacy notices and informing the traveler about how they will process personal data. To understand more fully how personal data is processed and who it is shared with in the processing of a travel reservation you should refer to privacy notices of Amadeus GDS Users involved in the travel reservation.

The personal data processed includes a name, travel itinerary and form of payment and may also include additional information as deemed necessary by the Amadeus GDS User (contact information, telephone, email, billing information, date of birth, credit card information, preferences or special requests). This personal data will normally be part of a travel itinerary record which is called a Passenger Name Record (PNR). The information included in the PNR is required to process travel reservations and issue the relevant tickets and provide other travel related services.
 

What is the Personal Data used for and what is the legal basis for processing

Amadeus use the personal data to process travel reservations, to provide Amadeus GDS Users with access to such information, to issue tickets and other travel related documents, to perform internal business processes (such as testing and quality assurance) for credit card processing, authentication, and fraud prevention and to provide other travel related services.

The legal basis for processing personal data is that the processing is necessary for the performance of a contract to which the traveler is a party.

Amadeus may also use personal data for research, analytical and statistical purposes, to identify preferences, interests and trends and other activities in the travel industry and to identify products and services that may be of interest to individuals. Personal data used for analytical purposes is derived from personal data but when it is used it is in anonymized and aggregated form.

The legal basis for processing the personal data for research, analytical and statistical purposes and to identify products and services that may be of interest to individuals is on the basis of the legitimate business interests of Amadeus. Where personal data is processed for these purposes the privacy impact on the individual whose data is being processed will be considered.

Individuals cannot be identified from aggregated data but if individuals do not want personal data included in aggregated data they can object to this by making this request to the contact details below in the section Legal Rights. When making this request there should be a reference to not wanting personal data used for the purposes of analytics.

Amadeus may share aggregated data which cannot identify individuals and with other third parties.
 

Who is the personal data shared with

Amadeus share personal data with Amadeus GDS Users and service providers and partners who may act on Amadeus GDS Users behalf. Amadeus GDS Users can decide who any personal data can be shared with. As a general principle information about the traveler is shared with the parties involved in the transaction (and service providers and partners who act on their behalf) and with other industry stakeholders (e.g. IATA) as necessary to perform the contracts the Amadeus GDS Users have with travelers.

Amadeus may share personal data with its affiliates, agents and third party service providers such as suppliers of information technology services, security services and legal, financial/accounting and other similar professional advisers.

Where such disclosure takes place Amadeus require the appropriate technical and organizational security measures to be in place to protect personal data and for personal data to be processed lawfully.

Amadeus only allow affiliates and third party service providers to use personal data for specified purposes and in accordance with Amadeus instructions.

Further information on the affiliates and third party service providers that Amadeus use to process personal data on their behalf can be requested through the contact details set out below in the section legal rights. When requesting this information please make a reference to information about affiliates and third party service providers so that the relevant information can be provided.

Amadeus may also disclose personal data as required by law, subpoena, or regulation; when requested by government or law enforcement authorities or as otherwise required or permitted by law.
 

International Transfer of Traveler Personal Data

When Amadeus share your personal data with its affiliates and third party service providers who process personal data on behalf of Amadeus this will involve transferring personal data outside the EEA. When personal data is transferred to another country it will continue to receive adequate protection through contractual or other arrangements put in place with Affiliates and third party service providers. For these transfers at least one of the following appropriate safeguards will be implemented;

  • Personal data will be transferred to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
  • Standard data protection clauses approved by the European Commission which give personal data transferred the same protection it has in EEA;
  • With affiliates and third party service providers based in the US, Privacy Shield which gives personal data similar protection it has in EEA;

Further information on the appropriate safeguards used when transferring personal data outside the EEA can be requested through the contact details set out below in the section legal rights. When requesting this information please make a reference to the transfer of personal data outside the EEA.

Due to the global nature of the travel industry, personal data may be transferred to and processed by Amadeus GDS Users in different locations around the world. These transfers will be necessary for the performance of a contract between the traveler and the Amadeus GDS User.
 

Data Security and Integrity

Amadeus has taken the appropriate technical and organizational security measures to protect personal data from loss or unlawful processing. When Personal Data is processed on behalf of Amadeus access is limited to those who have a business need to know, Personal Data will be processed in accordance with the instructions of Amadeus and those who have access are subject to a duty of confidentiality.

Amadeus have in place procedures to deal with any suspected personal data breach and will notify individuals and any applicable regulator of a breach where they are legally required to do so.
 

Data Retention

Amadeus retains personal data for as long as necessary to fulfil the purposes it was collected for including for the purposes of satisfying any legal, accounting or reporting requirements.

The default retention period for a PNR is 5 years from when it becomes inactive. PNRs are active as long as a segment in the PNR is active (the related service is still pending). After the completion of the last segment of the PNR the PNR is archived and access to the PNR is restricted. After a period of 5 years the PNRs are deleted.
 

Legal rights

Amadeus GDS Users collect personal data from the traveler and input this information in the Amadeus GDS. We recommend travelers contact the Amadeus GDS Users to whom they provided the information directly with any issues or requests they may have relating to personal data stored in the Amadeus GDS.

Under certain circumstances individuals can exercise rights under data protection laws. Travelers can exercise these rights relating to their own personal data, or contact Amadeus for data protection related questions, by email to dataprotection@amadeus.com or write to Chief Privacy Officer , Amadeus IT Group, S.A. C/Salvador de Madariaga 1, 28027 Madrid, Spain.

For the following rights please make a reference to the following:

  • Right to access – request for access to personal data
  • Right to object – object to processing of personal data for the purpose of analytics
  • Right to information about
    • Amadeus affiliates and third party service providers who process personal data on behalf of Amadeus;
    • transfers to third countries – information about data transfers outside EEA;

Amadeus will require authentication of the identity of the traveler and may require additional information to confirm that the rights that travelers may have under data protection laws are being exercised correctly.
 

Your rights

Amadeus intends to carefully address any request and/or claim from you, as well as carefully process personal data. You are entitled to file any claim or complaint before the relevant data protection authorities, if the answer provided by Amadeus does not meet your expectations.
 

Updates

This Privacy Notice is published by Amadeus IT Group SA. This Privacy Notice may be changed at any time. The date it was last updated is shown here April 30, 2018.