Amadeus GDS Privacy Notice

Last updated - December 2018

This Amadeus GDS Privacy Notice (“Privacy Notice”) describes how Amadeus IT Group S.A. (“Amadeus”) processes personal data included in travel information processed in the Amadeus Global Distribution System (“Amadeus GDS”). This Privacy Notice applies to personal data Amadeus process through the Amadeus GDS, globally.

 

This Privacy Notice does not apply to personal data that may be collected or processed by Amadeus for other purposes, such as through Amadeus websites or where Amadeus provides services for Amadeus Customers that are not provided through the Amadeus GDS. Where personal data is collected for other purposes, the relevant privacy notice will be provided explaining the purpose the personal data is being processed for.

This Privacy Notice describes how Amadeus processes personal data on the Amadeus GDS, a travel technology platform used for the distribution of travel services. This Privacy Notice is independent of notices that Amadeus GDS Users (e.g. travel providers such as airlines, hotels and other travel suppliers and subscribers to the Amadeus GDS such as travel agents) may give travelers. 

 

What personal data is processed and how is this personal data collected?

Amadeus process personal data when Amadeus GDS Users (e.g. the travel agent or airline) input the personal data of travelers on the Amadeus GDS that they, the Amadeus GDS Users, have collected. The Amadeus GDS User will be responsible for giving any relevant privacy notices and informing the traveler about how they will process that personal data. To understand more fully how personal data is processed and who it is shared with in the processing of a travel reservation, you should refer to the privacy notices of Amadeus GDS Users involved in the travel reservation.

The personal data processed includes a name, travel itinerary, and form of payment, and may also include additional information as deemed necessary by the Amadeus GDS User (e.g. contact information, telephone, email, billing information, date of birth, credit card information, preferences or special requests). This personal data will normally be part of a travel itinerary record which is called a Passenger Name Record (“PNR”). The information included in the PNR is required to process travel reservations and issue the relevant tickets and provide other travel related services.

 

What is the personal data used for and what is the legal basis for processing?

Amadeus use personal data to process travel reservations, to provide Amadeus GDS Users with access to such information, to issue tickets and other travel related documents, to perform internal business processes (such as testing and quality assurance) for credit card processing, authentication, fraud prevention, and to provide other travel related providers.

The legal basis for processing personal data is that the processing is necessary for the performance of a contract to which the traveler is a party.

Amadeus may also use personal data for research, analytical and statistical purposes, to identify preferences, interests and trends and other activities in the travel industry, and to identify products and services that may be of interest to individuals. Personal data used for analytical purposes is derived from personal data, but when it is used it is in anonymized and aggregated form.

The legal basis for processing the personal data for research, analytical and statistical purposes, and to identify products and services that may be of interest to individuals, is on the basis of the legitimate business interests of Amadeus. Where personal data is processed for these purposes, the privacy impact on the individual whose data is being processed will be considered.

Individuals cannot be identified from aggregated data, but if individuals do not want personal data included in aggregated data they can object to this by making this request using the contact details found in the ‘Legal rights’ section of this Privacy Notice. When making this request there should be a reference made to not wanting personal data used for the purposes of analytics.

Amadeus may share aggregated data which cannot identify individuals with other third parties.

 

Who is the personal data shared with?

Amadeus shares personal data with Amadeus GDS Users, service providers, and partners who may act on Amadeus GDS Users’ behalf. Amadeus GDS Users can decide who any personal data can be shared with. As a general principle, information about the traveler is only shared with the parties involved in the transaction (and service providers and partners who act on their behalf) and with other industry stakeholders (e.g. IATA) as necessary to perform the contracts the Amadeus GDS Users have with travelers.

Amadeus may share personal data with its affiliates, agents, and third party service providers such as suppliers of information technology services, security services, and legal, financial/accounting service providers, and other similar professional advisers. 

Where such disclosures take place, Amadeus requires the appropriate technical and organizational security measures to be in place to protect personal data, and for personal data to be processed lawfully.

Amadeus only allows affiliates and third party service providers to use personal data for specified purposes and in accordance with Amadeus’ instructions.

Further information on the affiliates and third party service providers that Amadeus uses to process personal data on their behalf can be requested through using the contact details found in the ‘Legal rights’ section of this Privacy Notice. When requesting this information, please make a reference to information about affiliates and third party service providers so that the relevant information can be provided.

Amadeus may also disclose personal data as required by law, subpoena, or regulation, or when requested by a government, law enforcement authority, or as otherwise required or permitted by law. 

 

International transfers of traveler personal data

When Amadeus shares personal data with its affiliates and third party service providers who process personal data on behalf of Amadeus, this will involve transferring personal data outside the European Economic Area (“EEA”). When personal data is transferred to another country it will continue to receive adequate protection through contractual or other arrangements put in place with affiliates and third party service providers. For these transfers at least one of the following appropriate safeguards will be implemented:

  • Personal data will be transferred to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
  • Standard data protection clauses approved by the European Commission which give personal data transferred the same protection it has in EEA; or
  • With affiliates and third party service providers based in the US, Privacy Shield which gives personal data similar protection it has in EEA.

Further information on the appropriate safeguards used when transferring personal data outside the EEA can be requested through using the contact details found in the ‘Legal rights’ section of this Privacy Notice. When requesting this information please make a reference to the transfer of personal data outside the EEA.

Due to the global nature of the travel industry, personal data may be transferred to and processed by Amadeus GDS Users in different locations around the world. These transfers will be necessary for the performance of a contract between the traveler and the Amadeus GDS User.

Data security and integrity

Amadeus has taken the appropriate technical and organizational security measures to protect personal data from loss or unlawful processing. When personal data is processed on behalf of Amadeus, access is limited to those who require access on a business need-to-know basis. Personal data will be processed in accordance with the instructions of Amadeus and those who have access are subject to a duty of confidentiality.

Amadeus has in place procedures to deal with any suspected personal data breach, and will notify individuals and any applicable regulator of a breach where they are legally required to do so.

Data Retention

Amadeus retains personal data for as long as necessary to fulfil the purposes it was collected for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

The default retention period for a PNR is 5 years from when it becomes inactive. PNRs are active as long as a segment in the PNR is active (the related service is still pending). After the completion of the last segment of the PNR, the PNR is archived, and access to the PNR is restricted. After a period of 5 years the PNRs are deleted.

Legal rights

Amadeus GDS Users collect personal data from the traveler and input this information in the Amadeus GDS. We recommend travelers contact the Amadeus GDS Users to whom they provided the information directly, with any issues or requests they may have relating to personal data stored in the Amadeus GDS.

Under certain circumstances individuals can exercise rights under data protection laws. Individuals may exercise these rights relating to their own personal data or contact Amadeus for other data protection related questions by emailing dataprotection@amadeus.com ,  or writing to our Chief Privacy Officer at  Amadeus IT Group, S.A. C/Salvador de Madariaga 1, 28027 Madrid, Spain. 

Amadeus will require authentication of the identity of the traveler and may require additional information to confirm that the rights that traveler(s) may have under data protection laws are being exercised correctly.

For the following rights please make a reference to the following:

  • Right to access: ‘Request for access to personal data’
  • Right to object: ‘Object to processing of personal data for the purpose of analytics’
  • Right to information about:
    • ‘Amadeus affiliates and third party service providers who process personal data on behalf of Amadeus’
    • ‘Transfers to third countries – information about data transfers outside EEA’

Your rights

Amadeus intends to carefully address any request and/or claim from you, as well as carefully process personal data. You are entitled to file any claim or complaint before the relevant data protection authorities if the answer provided by Amadeus does not meet your expectations.

Updates

This Privacy Notice is published by Amadeus IT Group S.A. This Privacy Notice may be changed at any time. The date it was last updated is shown here: 5th December 2018.