amadeus.com
Index
• Introduction/Purpose
• What is the GDPR?
• Roles and Obligations under GDPR
  o Data Protection Positioning under the GDPR
  o Traveller Personal Data processed through the Amadeus GDS
  o Traveller Personal Data processed for IT Services through Altéa
• Amadeus' GDPR Program
  o Appointment of a Data Privacy Officer (DPO)
  o Amadeus GDPR Program
  o GDS Customer
  o IT Customer
  o Written Instructions of Airline Amadeus Customer
  o Contractual Amendments to IT Services Agreements
  o Transparency Report – Privacy Checklist
© 2017 Amadeus IT Group and its affiliates and subsidiaries
Introduction/Purpose
This document explains:
• what the GDPR is;
• how the GDPR affects Amadeus and Amadeus Airline Customers in the processing of
Traveller Personal Data; and
• what action Amadeus is taking with the Amadeus GDPR program.
This document is to supply information to Amadeus Airline Customers about the processing
of Personal Data by Amadeus to provide transparency and accountability required under the
GDPR. It is hoped that this document will focus on questions that Amadeus Airline
Customers may have when considering the GDPR and the use of Amadeus as a
partner/service provider. This document is not intended to constitute legal advice; rather, it is
to provide information to Amadeus Airline Customers about how Amadeus services operate
and explain the roles of Amadeus and Amadeus Airline Customers in respect of services
provided by Amadeus.
This document can be used by Amadeus Account teams and shared with Amadeus Airline
Customers.
information that Amadeus may collect about Amadeus Customer employees required by
Amadeus to provide the services to Amadeus Customers. This document only addresses the
processing of Traveller Personal Data.
Amadeus has a set of Privacy Principles that apply to Amadeus entities that process Personal
Data. These Amadeus Privacy Principles are derived from the Privacy Principles set out in the
GDPR.
Amadeus has put in place a program to address the requirements that the GDPR imposes on
Amadeus, both as a Data Controller (the entity that determines the purposes and means of
processing of Personal Data) and as a Data Processor (where Amadeus is processing Personal
Data on behalf of a Data Controller).
This document refers to the processing of Traveller Personal Data. References in this
document to Amadeus are to Amadeus IT Group SA.
Roles and Obligations under GDPR
Under the GDPR, legal entities established in the EU either as a Data Controller or a Data
Processor are in scope.
A Data Controller is a legal entity that determines the purposes and means of processing of
Personal Data.
A Data Processor is a legal entity that processes Personal Data on behalf of a Data Controller.
Amadeus, as a legal entity within the EU, will be required to comply with GDPR either as a Data
Controller or Data Processor.
Amadeus Airline Customers as a Data Controller established in the EU and those who are not
legal entities within the EU but targeting individuals within the EU will be required to comply
with GDPR.
Data Protection Positioning under the GDPR
The data protection positioning is the role of a legal entity as a Data Controller or a Data
Processor for a specific data processing activity. Such positioning is relevant as the legal
obligations under the GDPR of a Data Controller and Data Processor are different.
In relation to Amadeus IT services (e.g. Altéa and e-commerce services) Amadeus is acting as
Data Processor and the Amadeus Airline Customers are Data Controllers for the Traveller
Personal Data generated under the IT Services Agreement.
Amadeus as a Data Processor is required to have a contract in place with a Data Controller.
The processing instructions to Amadeus IT Group SA are documented in the IT Services
Agreement. Other legal entities of the Amadeus Group (e.g. Amadeus ADP, Amadeus s.a.s
etc.) may be sub processors of Amadeus IT Group S.A. for the processing of Traveller Personal
Data. Any processing instructions received by Amadeus IT Group S.A. will be cascaded down
to other legal entities of the Amadeus group that support Amadeus IT Group SA in the
delivery of the services.
1 Article 11 EU CRS Code of Conduct establishes that with regards to the processing of such data a system vendor (Amadeus IT Group S.A.) shall be considered a data controller.
Privacy Notice for Amadeus Global Distribution System (“Amadeus GDS”)
This Privacy Notice describes how Amadeus processes personal data included in travel
information processed in the Amadeus global distribution system (“Amadeus GDS”). This
Privacy Notice applies to personal data Amadeus processes through the Amadeus GDS
globally.
This Privacy Notice for the Amadeus GDS does not apply to personal data that may be
collected or processed by Amadeus for other purposes, such as through Amadeus websites
or where Amadeus provides services for Amadeus Customers that are not provided through
the Amadeus GDS. Where personal data is collected for other purposes, the relevant privacy
notice will be provided explaining the purpose the personal data is being processed for.
The Amadeus GDS is a travel technology platform used for the distribution of travel services.
This Privacy Notice is independent of notices that Amadeus GDS Users (e.g. travel providers
such as airlines, hotels and other travel suppliers and subscribers to the Amadeus GDS such
as travel agents) may give travelers. This Privacy Notice describes how Amadeus processes
personal data on the Amadeus GDS.
What Personal Data is processed and how is this Personal Data collected?
Amadeus processes personal data when Amadeus GDS Users (e.g. the travel agent or airline)
input personal data of travelers on the Amadeus GDS that they, the Amadeus GDS Users,
have collected. The Amadeus GDS User will be responsible for giving any relevant privacy
notices and informing the traveler about how they will process personal data. To
understand more fully how personal data is processed and who it is shared with in the
processing of a travel reservation you should refer to privacy notices of Amadeus GDS Users
involved in the travel reservation.
The personal data processed includes a name, travel itinerary and form of payment and may
also include additional information as deemed necessary by the Amadeus GDS User (contact
information, telephone, email, billing information, date of birth, credit card information,
preferences or special requests). This personal data will normally be part of a travel itinerary
record which is called a Passenger Name Record (PNR). The information included in the PNR
is required to process travel reservations and issue the relevant tickets and provide other
travel related services.
What is the Personal Data used for and what is the legal basis for processing?
Amadeus uses the personal data to process travel reservations, to provide Amadeus GDS
Users with access to such information, to issue tickets and other travel related documents, to
perform internal business processes (such as testing and quality assurance) for credit card
processing, authentication, and fraud prevention and to provide other travel related services.
The legal basis for processing personal data is that the processing is necessary for the
performance of a contract to which the traveler is a party.
Amadeus may also use personal data for research, analytical and statistical purposes, to
identify preferences, interests and trends and other activities in the travel industry and to
identify products and services that may be of interest to individuals.
The legal basis for processing the personal data for research, analytical and statistical
purposes and to identify products and services that may be of interest to individuals is on the
basis of the legitimate business interests of Amadeus. Where personal data is processed for
these purposes the privacy impact on the individual whose data is being processed will be
considered.
Amadeus may share aggregated data which cannot identify individuals publicly with other
third parties.
Who is the Personal Data shared with?
Amadeus may share personal data with Amadeus GDS Users and service providers and
partners who act on Amadeus GDS Users' behalf. Amadeus GDS Users can decide who any
personal data can be shared with. As a general principle information about the traveler is
shared with the parties involved in the transaction (and service providers and partners who
act on their behalf) and with other industry stakeholders (e.g. IATA) as necessary to perform
the contracts the Amadeus GDS Users have with travelers.
Amadeus may share personal data with its Affiliates, agents and third party service providers
such as suppliers of information technology services, security services and legal,
financial/accounting and other similar professional advisers. Where such disclosure takes
place the appropriate technical and organizational security measures are put in place to
protect personal data against loss or unlawful processing.
Amadeus may also disclose personal data as required by law, subpoena, or regulation; when
requested by government or law enforcement authorities or as otherwise required or
permitted by law.
personal data reliable for its intended use, accurate, current and complete.
Data Retention
Amadeus retains personal data no longer than is required or permitted by applicable law.
authentication of the identity of the traveler and may require additional information to confirm
that the correct personal data is being accessed.
Your rights
Amadeus intends to carefully address any request and/or claim from you, as well as carefully
process personal data. You are entitled to file any claim or complaint before the relevant
data protection authorities, if the answer provided by Amadeus does not meet your
expectations.
IT Customer
Amadeus Airline Customers are positioned as Data Controllers of Traveller Personal Data
under IT Agreements with Amadeus acting as Data Processor processing traveller Personal
Data on behalf of the Airline and under the contractual instructions of the Airline.
The written agreement between the Data Controller and Data Processor is currently
contained within the IT Services Agreement.
The IT Services Agreement sets out as required under the GDPR:
• the subject matter and duration of the processing;
• the nature and purpose of the processing;
• the type of personal data and categories of data subject; and
• the obligations and rights of the controller.
Under the GDPR contracts between the Data Controller and Data Processor must also include
the following terms requiring Amadeus as Data Processor to:
• only act on the written instructions of the Data Controller;
• ensure that people processing the Personal Data are subject to a duty of confidence;
• assist the Data Controller in meeting its GDPR obligations in relation to the security of
processing, the notification of personal data breaches and data protection impact
assessments (if required);
• delete or return all Personal Data to the Controller as requested at the end of the
contract; and
• submit to audits and inspections, provide the Data Controller with whatever
information it needs to ensure that they are both meeting their Article 28 obligations,
and tell the Data Controller immediately if it is asked to do something infringing the
GDPR or other data protection law of the EU or a member state.
Amadeus will demonstrate compliance with obligations under Article 28 by providing
the necessary information about processing Personal Data to Amadeus Airline
Customers in the form of third party certifications.
Written Instructions of Airline Amadeus Customer
The instructions of the Data Controller are as set out in the IT Services Agreement and/or
provided by the Data Controller through the activation or configuration of a service. The
nature of the Amadeus Community model and the common platform concept where Altéa
shares platform functionality with the GDS Platform require any instructions from the Data
Controller to be considered in the context of the common platform architecture.
Additional instructions from an Airline Amadeus Customer are usually raised through the
Change Control Procedure insofar as adjustments are required to functionality or system
architecture in order to meet an Airline Amadeus Customer’s specific requirements.
Contractual Amendments to IT Services Agreements
The IT Services Agreement with Amadeus Airline Customers already contains terms relating
to Data Processing. However Amadeus Airline Customers should contact their Amadeus
Account Team should they wish to discuss further clarifications that they may require to IT
Services Agreements to cover the GDPR requirements in line with the above.
Transparency Report – Privacy Checklist
To assist the Amadeus Airline Customer in meeting their obligations under GDPR (Art. 28)
Amadeus will provide for each Amadeus Solution (Product/Service) that processes Traveller
• Description of the purpose of the processing of Traveller Personal Data by Amadeus
Solution
• High-level Data Mapping/Flows to illustrate where Traveller Personal Data is
processed, access to and data transfers of Traveller Personal Data to vendors and
other third parties;
• Description of how the Amadeus Solution is relevant to Privacy Principles including:
  o Security Measures (including relevant certifications) to provide adequate
    protection to Traveller Personal Data
  o Data Retention and deletion
  o Data breach notification
  o How rights of Data Subjects can be met through the Amadeus Solution
A high-level illustration of the flows of Personal Data on Altéa for Traveller Personal Data is
shown below.