Solutions
- Airlines
  - Amadeus for Airlines
  - Products
- Airports
  - Amadeus for Airports
  - Products
- Border Authorities
  - Amadeus for Border Authorities
  - Products
- Corporate Travel & Expense
  - Products
  - Capabilities
  - Integrations
    - Travel & Expense Solution for Microsoft Teams
- Travel Sellers
  - Products
  - Content
- Hospitality
- Payments & e-invoicing
  - Outpayce
  - Voxel: B2B Payments and e-Invoicing
- AI at Amadeus
  
  Driving integration, scalability, trust and integrity across the travel industry.
  Learn more
- Unlocking the power of AI agents in travel
  
  In this whitepaper, Amadeus and Microsoft explore how AI agents and modern data platforms are improving travel at every stage.
  Learn more
Support & Training
- Support
- Training
- Already a customer?
  
  Log into Amadeus Service Hub for product news, learning materials, and customer support.
  Login
Partners
- Transforming travel with AI
  
  Our partnership with Microsoft accelerates our Cloud journey and unlocks new, AI‑powered innovations that strengthen and elevate the travel industry.
  Learn more
- Landmark partnership between Amadeus and Google Cloud
  
  Learn how this collaboration strengthens Amadeus' multi-cloud approach and AI innovation to improve efficiency, reliability and growth in travel.
  Learn more
Resources
- Trending Topics
- Connected journeys: How will technology transform travel in the next decade?
  
  From AI-driven planning and biometric check-ins to smarter disruption management.
  Read the report
- Six travel trends that will redefine how we travel in 2026 and beyond
  
  Amadeus, in collaboration with Globetrender, unveils the tech, policy and innovation coming to transform the face of travel.
  Discover now
Company
- About Amadeus
  - About us
  - Leadership
  - Awards
  - Locations
- Careers
- Innovation
- Sustainability
  
  Learn how we’re working to make travel a force for good.
- Amadeus Global Report
  
  Gain insights into Amadeus' 2025 business, financial performance, and sustainability.
  Read the report
- Latest financial results
  
  Amadeus published its financial results for Q1 2026.
  View the results

Amadeus GDS Privacy Notice For Travellers

Last updated - April 2026

Basic information about the processing of Personal Data

For more details (including legal bases, recipients, transfers, retention and your rights), please read the full Privacy Notice below, as well as the privacy notices of your travel agency and the carrier(s) you travel with.

Basic information about the processing of Personal Data (FULL POLICY BELOW)
Data Controller	AMADEUS IT GROUP, S.A. (“Amadeus” “we” or “us”) will be the independent data controller and entity responsible for data processing activities related to travellers’ personal data included in travel information processed in the Amadeus Global Distribution System (“Amadeus GDS”) – the reservation tool used by airlines and other travel and hospitality operators.
For which purposes do we process travellers’ data?	When you make a booking, your personal data will also be processed in accordance with the applicable carrier(s)’ privacy notice to manage the booking, and, if your booking is made via a reservation system provider, with its privacy policy. Amadeus will be the independent data controller for the processing of your personal data for the purposes of providing access to Amadeus GDS Users to enable travel reservations; and issuing tickets and other travel related documents. For this purpose, personal data may be shared with Amadeus’ affiliates. Amadeus also processes this information to keep its systems safe, to prevent fraud and protect against security incidents. Where applicable, Amadeus removes personal identifiers, so it is difficult to identify you or anonymizes booking data. This information may be used for analytics to enhance the performance, operation, and integrity of its services and technologies.
In what legal basis do we rely on for the processing of personal data?	The legal basis by which we will process your personal data for the purposes above are: the performance of a contract to which you (as a traveller) are a party with Amadeus GDS Users (e.g., with your travel agency); your consent if you have granted it to Amadeus GDS Users (or in the case you are a minor, the consent of the holder of parental responsibility); Amadeus’ legitimate interest and/or compliance with legal obligations. See below further details, per purpose, of how these legal grounds apply.
What Information do Amadeus GDS Users share about travellers?	Personal data required by the Amadeus GDS User to enable the reservation and its input in the PNR (Passenger Name Record) of the Amadeus GDS. This always includes the name of the traveller, the itinerary and the form of payment. In addition, the Amadeus GDS User may require and/or collect other personal data to complete the reservation such as contact details (email, telephone number or address), billing data, date of birth or special service requests.
Traveller’s personal data may be shared with the following entities	For the purposes above, Amadeus shares personal data with Amadeus GDS Users. It may also share personal data with services providers who may act on Amadeus GDS Users’ and Amadeus’ behalf where necessary for the provision of the services. In addition, Amadeus may share personal data with Amadeus affiliates (within the Amadeus group of companies) who may be in any location around the world. A link to the complete list of Amadeus affiliates and their locations can be found here. If necessary or legally required we may disclose personal data to public and government authorities, including public and government authorities outside your country of residence.
Do we send travellers’ personal data outside the European Economic Area?	Amadeus may share your personal data with the Amadeus GDS Users, its affiliates and other third-party service providers acting on behalf of Amadeus or the Amadeus GDS User. This may involve transferring personal data outside the European Economic Area. When personal data is transferred to a third country, it will continue to receive adequate protection through contractual (e.g., Standard contractual clauses approved by the European Commission) or other arrangements put in place with the entities receiving such data (see below for further details). You can obtain information on the mechanisms put in place by writing to the address included in the section “Your rights” below
For how long we keep travellers’ personal data?	Amadeus retains personal data for as long as necessary to fulfil the purposes it was received for, including for the purposes of satisfying any legal requirements.
Your rights	You have the rights of access, rectification, erasure, objection, restriction of processing, portability and the right to lodge a complaint before the applicable data protection authorities or the Spanish Data Protection Authority (AEPD). You can find the data protection authorities contact details here. You may exercise your rights via e-mail: dataprotection@amadeus.com or by sending your request to our registered office at Calle Salvador de Madariaga, 1, 28027 Madrid (Spain).
Additional information	More information about privacy and data protection is available below.

Data Controller

AMADEUS IT GROUP, S.A. with registered office at Calle Salvador de Madariaga, 1, 28027 Madrid (Spain) (“Amadeus” “we” or “us”) will be the independent data controller and entity responsible for processing your personal data included in travel information processed within the Amadeus Global Distribution System (“Amadeus GDS”) on a global scale.

For the purposes of this Notice, a “data controller” is the legal person that determines the purposes and means of the processing of personal data. Other entities may also process the personal data on behalf of the data controller; these will be the “data processors”.

One of the main purposes for which Amadeus processes personal data is operating and providing the Amadeus GDS. A Global Distribution System is a technology platform that connects the content and offer from travel service providers (such as airlines, hotels, etc) with the sellers (travel agents) that book the content; collectively "GDS Users". Travel service providers give content to Amadeus that is non personal data facilitating the services offered. The content consists of the available seats, cars, rooms, the corresponding fares, pricing rules, etc. Conversely, travel agents collect the personal data of the traveller and perform a booking or reservation in the Amadeus GDS by creating a passenger name record ("PNR") for the service selected. The PNR is the record that keeps pertinent details of the travel reservation. When creating the PNR, the travel agency provides Amadeus with the traveller personal data by imputing it into the Amadeus GDS. In these cases, Amadeus will act as an independent data controller for the purpose of providing access to your personal data to Amadeus GDS Users to enable travel reservations, issuing tickets and other travel-related documents.

In this context, “personal data” is any data that is related to you and that identifies you either directly or indirectly (for instance, ID number, date of birth, location data, billing information, etc.).

Also, throughout this Notice, the term “minor” will be understood as a person conceived as such from a data protection perspective. Minors will always be children younger than 14 years old. However, depending on the local laws this threshold can rise up to children under 18 years of age.

Where does Amadeus obtain travellers’ personal data from?

When you make a booking, your personal data will be processed in accordance with the applicable carrier’s privacy notice, and, if your booking is made via a reservation system provider, with its privacy notice. These are available at: IATA - Privacy Legal Notices or from the carrier or reservation system provider directly.When booking through a travel agency using the Amadeus GDS, the travel agency collects your personal data and enters it into the Amadeus systems to process reservations. Amadeus receives this information, including mandatory information like your name, itinerary, and form of payment. Travel agencies may also add additional details such as contact information, date of birth, meal preferences, or special requests.

For which purposes do we process travellers’ data and on which legal basis do we rely on?

This Privacy Statement (“Notice”) is applicable to all your personal data processed by Amadeus for the purposes of managing the Amadeus GDS and any processing thereafter. This Notice does not address the collection, use, or disclosure of information through any other means other than the Amadeus GDS. This Notice does not apply to the personal data that Amadeus may process about you for other purposes such as through websites or regarding services not related to the Amadeus GDS. If you are interested in learning more about other processing activities, please follow this link.

This Notice is separate from (and does not replace) the applicable carrier’s privacy notice, and, if your booking is made via a reservation system provider or other Amadeus GDS User, with its privacy notice, which also apply when you make a booking.

Personal data that Amadeus GDS Users share with us about you will be used, transferred and disclosed (if applicable) (“processed”) as permitted by local law, to:

Purpose	Legal Basis
Manage the Amadeus GDS. That is, providing access to Amadeus GDS Users to enable travel reservations; and to issue tickets and other travel related documents. Strictly for this purpose, we share personal data with Amadeus affiliates (within the Amadeus group of companies), who may be in any location around the world. A link to the complete list of Amadeus affiliates and their locations can be found here.	The performance of a contract to which you (as a traveller) are a party with Amadeus GDS User (for instance, your travel agency).
Anonymization and aggregation processes in order to use data for analytical purposes. Aggregated data which cannot be used to identify travellers may be shared by Amadeus with third parties. Where applicable, Amadeus removes personal identifiers or anonymizes booking data. This information may be used for analytics to enhance the performance and operation of its services and technologies, and to contribute to the reliability and efficiency of the travel ecosystem, facilitating smooth travel experiences.	Amadeus' legitimate interest to conduct research, analytical, and statistical activities for the purpose of improving our services and developing new products as these activities are key to its business growth and leveraging technology, innovation, and aggregated insights makes the experience of travel better for everyone, everywhere. Amadeus' legitimate interest is limited to what is necessary to achieve the relevant purpose, having considered whether there are realistic, less intrusive alternatives.
Interact with public and government authorities, including public and government authorities outside your country of residence when required by law or to defend Amadeus rights.	Comply with legal obligations to which Amadeus is subject.
Detecting, preventing and otherwise addressing fraudulent activities to keep systems safe, to prevent fraud and protect against security incidents.	Our legitimate interest to ensure security and integrity of the services. Amadeus' legitimate interest is limited to what is necessary to achieve the relevant purpose, having considered whether there are realistic, less intrusive alternatives.
Disclose data to third parties in the event of a reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets or stock (including without limitation in connection with any bankruptcy or similar proceedings).	Amadeus’ legitimate interest to managing the company’s structure and ownership including its dissolution. Amadeus' legitimate interest is limited to what is necessary to achieve the relevant purpose, having considered whether there are realistic, less intrusive alternatives.
Disclosing personal data with local authorities and counsels or advisors, if necessary, to enforce our terms and conditions; to protect our operations or those of any of our affiliates; protect our rights, respond to requests from public and government authorities, including public and government authorities outside your country of residence; privacy, safety, property, and/or that of our affiliates you, or others; and permit us to pursue available remedies or limit the damages that we may sustain.	Where not mandatory to meet legal obligations (i.e., responding courts and competent authorities), our legitimate interest to exercise our rights including the rights to protect our business and defend our position. Amadeus' legitimate interest is limited to what is necessary to achieve the relevant purpose, having considered whether there are realistic, less intrusive alternatives.

When processing travel reservations, Amadeus will process preferences or special requests which may be considered as special categories of data such as health data or information on religious / ideological beliefs. This is the case, for instance, when someone requires traveling assistance due to a physical disability and such information is provided by the traveller. In relation to some health data (e.g., physical disabilities), we process it in compliance with legal obligations to which we are subject and based on the public interest to meet such requests in accordance with the law. Otherwise, we will, through Amadeus GDS Users, requests your explicit consent.

Where the processing of your personal data is based on the legitimate interest, we will carry out a balancing test to ensure that our legitimate interests are not overridden by your rights and freedoms. Amadeus' legitimate interest is limited to what is necessary to achieve the relevant purpose, having considered whether there are realistic, less intrusive alternatives. Although travellers cannot be identified from this personal data once personal identifiers are removed and it is anonymized and aggregated, you may object to your personal data being anonymised by requesting it through the contact information included in the “Your Rights” and “Contacting Us” section. Objections you raise do not impact processing of personal data up to the point the objection was raised.

What Information do Amadeus GDS Users share about travellers?

Personal data required by the Amadeus GDS User to enable the reservation and its input in the PNR (Passenger Name Record) of the Amadeus GDS. This always includes the name of the traveller, the itinerary and the form of payment.

In addition, the Amadeus GDS User may require and/or collect other personal data to complete the reservation such as contact details (email, telephone number or address), billing data, date of birth or special service requests.

Traveller’s personal data may be shared with the following entities

Amadeus shares personal data with:

Amadeus GDS Users who can also share personal data with third parties that are considered reliable from the perspective of data protection. As a general principle, information about you (the traveller) is only shared with the parties involved in the agreement Amadeus signs with Amadeus GDS User and with other entities from the industry (for instance, the International Airport Transport Association) as necessary to perform the contracts (which serve as the legal basis of the data sharing) that Amadeus GDS Users have entered into with you (the traveller).
Amadeus may share personal data with Amadeus affiliates (within the Amadeus group of companies) who may be in any location around the world. A link to the complete list of Amadeus affiliates and their locations can be found here.
If necessary or legally required we may disclose personal data to public and government authorities, including public and government authorities outside your country of residence.

To better understand how personal data is processed and shared when processing a travel reservation, you can also refer to the relevant privacy notices of Amadeus GDS Users involved in the provision of the travel reservation.

Agents, suppliers, subcontractors, and service providers for the performance of any contract we enter into with them and which process the personal data on our behalf as processors.
Local authorities.

Where such disclosures take place Amadeus requires recipients to apply the appropriate technical and organizational security measures to protect personal data, and for personal data to be processed lawfully. Amadeus only allows affiliates and third-party service providers to use personal data for specified purposes and in accordance with Amadeus’ instructions.

Do we send travellers’ personal data outside the European Economic Area?

Due to the global nature of the travel industry, personal data may be transferred to and processed by Amadeus GDS Users in different locations around the world. These transfers will be conducted as needed for the performance of a contract between you (the traveller) and the Amadeus GDS User.

Also, when Amadeus shares your personal data with Amadeus affiliates and third-party service providers who process personal data on behalf of Amadeus, this may involve transferring personal data outside the European Economic Area (“EEA”) to countries which may not offer an equivalent level of protection for personal data as in the EEA.

When personal data is transferred to a country outside the EEA, Amadeus will ensure that the entities receiving such data will continue to apply the same level of protection as the one in the EEA. For these transfers, at least one of the following appropriate safeguards will be implemented:

Personal data will be transferred to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
Standard contractual clauses as approved by the European Commission which, together with supplementary measures, will ensure personal data transferred will retain the same protection it has in EEA; or
Any other lawful transfer mechanism as foreseen in applicable laws and/or as approved by the European Commission or relevant Data Protection Authority

Further information on the appropriate safeguards used when transferring personal data outside the EEA can be requested through the contact details set out below in the section “Your rights” and “Contacting Us”. When requesting this information please make specific reference to the transfer of personal data outside the EEA.

For how long do we keep travellers’ personal data?

Retention periods are determined by taking into account the duration of the booking lifecycle, applicable statutory limitation periods, Amadeus’ obligations under financial, regulatory and security laws, and to protect its business and defend its legal position. Once personal data is no longer required for these purposes, it is deleted or anonymised.

Security and Integrity of Personal Information

We use reasonable organizational, technical and administrative measures to protect personal data under our control, including but not limited to measures to protect personal data from loss or unlawful processing.

When personal data is processed on behalf of Amadeus, access is provided only to those who have a business need to know and to the information strictly needed to perform the pertinent task or service. Personal data will be processed in accordance with the instructions of Amadeus and those who have access will be subject to a duty of confidentiality.

Amadeus has procedures in place to deal with any suspected personal data breach and will notify travellers and any applicable regulator of a breach where they are legally required to do so. A data breach is an incident that leads to the unauthorised destruction, modification, loss or disclosure of your personal data.

Your rights

Under data protection laws, you may exercise your rights of:

Access. This means that you can ask us to confirm whether we are processing your data or not, and ask for a copy of your personal data. You can also ask for information on how we process your data such as which data is processed about you, who it is shared with and how it is used.
Erasure. This means you will be able to ask us to delete your data where it is no longer required for the purposes they were received; or where we should have already deleted them.
Objection. This means that you can ask us not to process your data in certain situations, for instance, when we use your data to fulfil our legitimate interests.
Rectification. This means that you can ask us to modify or change certain data about you if it is not accurate or complete.
Data portability. This means you can ask for a portable copy of your data in a structured way and for the same to be easily shared with another controller upon your request.
Restriction of the processing. This means you can limit the processing of your personal data in certain circumstances.
You, or your parents / legal guardians in case of minors under 14, can also withdraw the consent you have granted for a specific purpose at any time.

All of these rights can be exercised by sending a request to Amadeus via email: dataprotection@amadeus.com or by sending your request to the registered office at Salvador de Madariaga, 1, 28027, (Madrid).

Lastly, although Amadeus intends to carefully address any request and/or claim from you, as well as carefully process your personal data, you are entitled to file any claim or complaint before the applicable data protection authority including to the Spanish Data Protection Authority (AEPD). You can find their contact details here. If you have any questions regarding this Notice, please contact us at dataprotection@amadeus.com.

For U.S. residents:

Please refer to our United States Supplemental Privacy Notice for additional information applicable to individuals residing in the United States.