
Information about General Data Protection Regulation (GDPR) for Amadeus Airline Customers
Amadeus Airline Customer Unit

amadeus.com
Index
_ Introduction/Purpose
_ What is the GDPR?
_ Roles and Obligations under GDPR
o Data Protection Positioning under the GDPR
o Traveller Personal Data processed through the Amadeus GDS
o Traveller Personal Data processed for IT Services through Altéa
_ Amadeus' GDPR Program
o Appointment of a Data Privacy Officer (DPO)
o Amadeus GDPR Program
o GDS Customer
o IT Customer
o Written Instructions of Airline Amadeus Customer
o Contractual Amendments to IT Services Agreements
o Transparency Report – Privacy Checklist
© 2017 Amadeus IT Group and its affiliates and subsidiaries

Introduction/Purpose
This document explains
_ what the GDPR is;
_ how the GDPR affects Amadeus and Amadeus Airlines Customers in the processing of
Traveller Personal Data; and
_ what action Amadeus is taking with the Amadeus GDPR program.
This document is to supply information to Amadeus Airline Customers about the processing
of Personal Data by Amadeus to provide transparency and accountability required under the
GDPR. It is hoped that this document will focus on questions that Amadeus Airline
Customers may have when considering the GDPR and the use of Amadeus as a
partner/service provider. This document is not intended to constitute legal advice, rather it is
to provide information to Amadeus Airline Customers about how Amadeus services operate
and explain the roles of Amadeus and Amadeus Airline Customers in respect of services
provided by Amadeus.
This document can be used by Amadeus Account teams and shared with Amadeus Airlines
Customers.

What is the GDPR?


The EU General Data Protection Regulation (GDPR) applies from 25th May 2018.
The GDPR represents an overhaul of existing EU data protection law, building on existing
Privacy Principles and introducing particular focus on documentary evidence and Privacy by
Design and by Default. These are the GDPR requirements of Transparency and
Accountability.
The GDPR applies to all types of Personal Data that Amadeus may process. For services
supplied to Airlines this would include processing of Traveller Personal Data and to a limited
extent Personal Data of employees of Amadeus Customers (Customer Personal Data) – e.g.
information that Amadeus may collect about Amadeus Customer employees required by
Amadeus to provide the services to Amadeus Customers. This document only addresses the
processing of Traveller Personal Data.
Amadeus has a set of Privacy Principles that apply to Amadeus entities that process Personal
Data. These Amadeus Privacy Principles are derived from the Privacy Principles set out in the
GDPR.
Amadeus has put in place a program to address the requirements that the GDPR imposes on
Amadeus, both as a Data Controller (the entity that determines the purposes and means of
processing of Personal Data) and as a Data Processor (where Amadeus is processing Personal
Data on behalf of a Data Controller).
This document refers to the processing of Traveller Personal Data. References in this
document to Amadeus are to Amadeus IT Group SA.

Roles and Obligations under GDPR
Under the GDPR, legal entities established in the EU either as a Data Controller or a Data
Processor are in scope.
A Data Controller is a legal entity that determines the purposes and means of processing of
Personal Data.
A Data Processor is a legal entity that processes Personal Data on behalf of a Data Controller.
Amadeus as a legal entity within the EU will be required to comply with GDPR either as a Data
Controller or Data Processor.
Amadeus Airline Customers that are Data Controllers established in the EU, and those that are
not legal entities within the EU but target individuals within the EU, will be required to comply
with GDPR.
Data Protection Positioning under the GDPR
The data protection positioning is the role of a legal entity as a Data Controller or a Data
Processor for a specific data processing activity. Such positioning is relevant as the legal
obligations under the GDPR of a Data Controller and Data Processor are different.

Traveller Personal Data processed through the Amadeus GDS


In relation to the distribution services, Amadeus IT Group SA is acting as Data Controller for
the Traveller Personal Data processed for the purposes of making reservations or issuing
tickets. 1
The positioning of Amadeus as a Data Controller does not mean that other parties involved in
the processing (travel agencies, airlines or other travel service providers of GDS business)
shall take the role of Data Processors. There are several Data Controllers involved in the
same traveller reservation and ticketing information. Airlines, travel agencies and
corporations could also be Data Controllers of the traveller reservation and ticketing
information. These Data Controllers each determine the purpose of the processing of the
Personal Data and are not joint Data Controllers.
Traveller Personal Data processed for IT Services through Altéa
In relation to Amadeus IT services (e.g. Altéa and e-commerce services) Amadeus is acting as
Data Processor and the Amadeus Airline Customers are Data Controllers for the Traveller
Personal Data generated under the IT Services Agreement.
Amadeus as a Data Processor is required to have a contract in place with a Data Controller.
The processing instructions to Amadeus IT Group SA are documented in the IT Services
Agreement. Other legal entities of the Amadeus Group (e.g. Amadeus ADP, Amadeus s.a.s
etc.) may be sub-processors of Amadeus IT Group S.A. for the processing of Traveller Personal
Data. Any processing instructions received by Amadeus IT Group S.A. will be cascaded down
to other legal entities of the Amadeus group that support Amadeus IT Group SA in the
delivery of the services.

1 Article 11 EU CRS Code of Conduct establishes that with regards to the processing of such data a system vendor (Amadeus IT Group S.A.)
shall be considered a data controller.

Amadeus’ GDPR Program


Appointment of a Data Privacy Officer (DPO)
GDPR requires the appointment of a DPO in a limited number of cases. Amadeus IT Group
S.A. has concluded that the processing of Traveller Personal Data will not require Amadeus to
appoint a DPO. There may be local requirements (e.g. in Germany) that require the
appointment of a DPO for particular Amadeus legal entities which are beyond the scope of
the GDPR.
Irrespective of the lack of DPO appointment, Amadeus has a structure to address privacy
matters. The point of contact for enquiries relating to data privacy that Amadeus Airline
Customers may have for Amadeus IT Group S.A. will be the Amadeus Chief Privacy Officer –
Ana Regidor.
Amadeus GDPR Program
Amadeus has initiated a formal GDPR program to oversee and coordinate GDPR related
activities across all functions and business units which is divided into several project streams.
One project stream covers the processing of Traveller Personal Data.
For the processing of Traveller Personal Data Amadeus has translated the GDPR
requirements that need to be met (some of these requirements will only need to be met
when Amadeus is a Data Controller of Traveller Personal Data but requisite information will
need to be supplied to Amadeus Airline Customers where Amadeus is a Data Processor for
the relevant Amadeus Airline Customer):
1. Data Mapping
2. Register of processing
3. Privacy by design and by default
4. Security measures
5. External privacy statements – where Amadeus is Data Controller
6. Data subjects rights – where Amadeus is Data Controller
7. Data breach notifications – where Amadeus is Data Controller
8. Vendor management
GDS Customer
Amadeus will comply with applicable data protection legislation (GDPR) in its position as a
Data Controller. The following notice describes how Personal Data is processed through the
GDS.

Privacy Notice for Amadeus Global Distribution System (“Amadeus GDS”)
This Privacy Notice describes how Amadeus processes personal data included in travel
information processed in the Amadeus global distribution system (“Amadeus GDS”). This
Privacy Notice applies to personal data Amadeus processes through the Amadeus GDS
globally.
This Privacy Notice for the Amadeus GDS does not apply to personal data that may be
collected or processed by Amadeus for other purposes, such as through Amadeus websites
or where Amadeus provides services for Amadeus Customers that are not provided through
the Amadeus GDS. Where personal data is collected for other purposes, the relevant privacy
notice will be provided explaining the purpose the personal data is being processed for.
The Amadeus GDS is a travel technology platform used for the distribution of travel services.
This Privacy Notice is independent of notices that Amadeus GDS Users (e.g. travel providers
such as airlines, hotels and other travel suppliers and subscribers to the Amadeus GDS such
as travel agents) may give travelers. This Privacy Notice describes how Amadeus processes
personal data on the Amadeus GDS.
What Personal Data is processed and how is this Personal Data collected?
Amadeus processes personal data when Amadeus GDS Users (e.g. the travel agent or airline)
input personal data of travelers on the Amadeus GDS that they, the Amadeus GDS Users,
have collected. The Amadeus GDS User will be responsible for giving any relevant privacy
notices and informing the traveler about how they will process personal data. To
understand more fully how personal data is processed and who it is shared with in the
processing of a travel reservation you should refer to privacy notices of Amadeus GDS Users
involved in the travel reservation.
The personal data processed includes a name, travel itinerary and form of payment and may
also include additional information as deemed necessary by the Amadeus GDS User (contact
information, telephone, email, billing information, date of birth, credit card information,
preferences or special requests). This personal data will normally be part of a travel itinerary
record which is called a Passenger Name Record (PNR). The information included in the PNR
is required to process travel reservations and issue the relevant tickets and provide other
travel related services.
What is the Personal Data used for and what is the legal basis for processing?
Amadeus uses the personal data to process travel reservations, to provide Amadeus GDS
Users with access to such information, to issue tickets and other travel related documents, to
perform internal business processes (such as testing and quality assurance) for credit card
processing, authentication, and fraud prevention and to provide other travel related services.
The legal basis for processing personal data is that the processing is necessary for the
performance of a contract to which the traveler is a party.
Amadeus may also use personal data for research, analytical and statistical purposes, to
identify preferences, interests and trends and other activities in the travel industry and to
identify products and services that may be of interest to individuals.
The legal basis for processing the personal data for research, analytical and statistical
purposes and to identify products and services that may be of interest to individuals is on the
basis of the legitimate business interests of Amadeus. Where personal data is processed for
these purposes the privacy impact on the individual whose data is being processed will be
considered.
Amadeus may share aggregated data, which cannot identify individuals, publicly with other
third parties.
Who is the Personal Data shared with?
Amadeus may share personal data with Amadeus GDS Users and service providers and
partners who act on Amadeus GDS Users' behalf. Amadeus GDS Users can decide who any
personal data can be shared with. As a general principle information about the traveler is
shared with the parties involved in the transaction (and service providers and partners who
act on their behalf) and with other industry stakeholders (e.g. IATA) as necessary to perform
the contracts the Amadeus GDS Users have with travelers.
Amadeus may share personal data with its Affiliates, agents and third party service providers
such as suppliers of information technology services, security services and legal,
financial/accounting and other similar professional advisers. Where such disclosure takes
place the appropriate technical and organizational security measures are put in place to
protect personal data against loss or unlawful processing.

Amadeus may also disclose personal data as required by law, subpoena, or regulation; when
requested by government or law enforcement authorities or as otherwise required or
permitted by law.

International Transfer of Traveler Personal Data


Due to the global nature of the travel industry, personal data may be processed in different
locations around the world. When personal data on the Amadeus GDS is transferred to
another country it will continue to receive adequate protection through contractual or other
arrangements put in place with Affiliates and third party service providers.
Data Security and Integrity
Amadeus has taken the appropriate technical and organizational security measures to
protect personal data from loss or unlawful processing. Amadeus also takes steps to keep
personal data reliable for its intended use, accurate, current and complete.
Data Retention
Amadeus retains personal data no longer than is required or permitted by applicable law.

Data Access, correction requests and other questions


Amadeus GDS Users collect personal information from the traveler and input this information
in the Amadeus GDS. We recommend travelers contact the Amadeus GDS Users to whom
they provided the information directly with any issues or requests they may have relating to
personal data stored in the Amadeus GDS. Travelers can also direct requests relating to their
own personal data, or any other data protection related questions, to Amadeus at
dataprotection@amadeus.com or a letter addressed to the Chief Privacy Officer at Amadeus
IT Group, S.A. in Salvador de Madariaga 1, 28027 Madrid, Spain. Amadeus will require
authentication of the identity of the traveler and may require additional information to confirm
that the correct personal data is being accessed.

Your rights
Amadeus intends to carefully address any request and/or claim from you, as well as carefully
process personal data. You are entitled to file any claim or complaint before the relevant
data protection authorities, if the answer provided by Amadeus does not meet your
expectations.

IT Customer
Amadeus Airline Customers are positioned as Data Controllers of Traveller Personal Data
under IT Agreements with Amadeus acting as Data Processor processing traveller Personal
Data on behalf of the Airline and under the contractual instructions of the Airline.
The written agreement between the Data Controller and Data Processor is currently
contained within the IT Services Agreement.
The IT Services Agreement sets out as required under the GDPR:
• the subject matter and duration of the processing;
• the nature and purpose of the processing;
• the type of personal data and categories of data subject; and
• the obligations and rights of the controller.

Under the GDPR contracts between the Data Controller and Data Processor must also include
the following terms requiring Amadeus as Data Processor to:
• only act on the written instructions of the Data Controller;
• ensure that people processing the Personal Data are subject to a duty of confidence;
• take appropriate measures to ensure the security of processing;
• only engage sub-processors with the prior consent of the Data Controller and under a
written contract; such consent may include a general authorisation to engage
sub-processors subject to the Data Controller having the right to object to any intended
changes to sub-processors. Amadeus requires a general authorisation to engage
sub-processors from all Amadeus Airline Customers due to the nature of the services
being provided. Amadeus remains responsible for the processing of Personal Data by
sub-processors. The Amadeus Airline Customer will still remain in control of what
happens to Personal Data processed as there will be transparency about
sub-processors used in the provision of the services.
• assist the Data Controller in providing subject access and allowing data subjects to
exercise their rights under the GDPR;
• assist the Data Controller in meeting its GDPR obligations in relation to the security of
processing, the notification of personal data breaches and data protection impact
assessments (if required);
• delete or return all Personal Data to the Controller as requested at the end of the
contract; and
• submit to audits and inspections, provide the Data Controller with whatever
information it needs to ensure that they are both meeting their Article 28 obligations,
and tell the Data Controller immediately if it is asked to do something infringing the
GDPR or other data protection law of the EU or a member state.
Amadeus will demonstrate compliance with obligations under Article 28 by providing
the necessary information about processing Personal Data to Amadeus Airline
Customers in the form of third party certifications.
Written Instructions of Airline Amadeus Customer
The instructions of the Data Controller are as set out in the IT Services Agreement and/or
provided by the Data Controller through the activation or configuration of a service. The
nature of the Amadeus Community model and the common platform concept where Altéa
shares platform functionality with the GDS Platform require any instructions from the Data
Controller to be considered in the context of the common platform architecture.
Additional instructions from an Airline Amadeus Customer are usually raised through the
Change Control Procedure insofar as adjustments are required to functionality or system
architecture in order to meet an Airline Amadeus Customer’s specific requirements.
Contractual Amendments to IT Services Agreements
The IT Services Agreement with Amadeus Airline Customers already contains terms relating
to Data Processing. However Amadeus Airline Customers should contact their Amadeus
Account Team should they wish to discuss further clarifications that they may require to IT
Services Agreements to cover the GDPR requirements in line with the above.
Transparency Report – Privacy Checklist
To assist the Amadeus Airline Customer in meeting their obligations under GDPR (Art. 28),
Amadeus will provide, for each Amadeus Solution (Product/Service) that processes Traveller
Personal Data, information to describe the processing of Personal Data.
The information will describe aspects of the Amadeus Solution relevant to the Privacy
Principles in the context of the travel industry standards to meet the GDPR requirements of
transparency and accountability. It will provide information about how Amadeus processes
Traveller Personal Data under the IT Services Agreement. This information/Privacy Checklist
can be used by Amadeus Airline Customers as Data Controllers to demonstrate how the
Amadeus Solutions meet the Privacy Principles set out in the GDPR taking into account travel
industry standards.
The Privacy Checklist will provide information that the Amadeus Airline Customer can use as
evidence of Privacy by Design and to demonstrate compliance with the GDPR, including the
following:
• Description of the purpose of the processing of Traveller Personal Data by the Amadeus
Solution;
• High-level Data Mapping/Flows to illustrate where Traveller Personal Data is
processed, access to and data transfers of Traveller Personal Data to vendors and
other third parties;
• Description of how the Amadeus Solution is relevant to Privacy Principles including:
o Security Measures (including relevant certifications) to provide adequate
protection to Traveller Personal Data
o Data Retention and deletion
o Data breach notification
o How rights of Data Subjects can be met through the Amadeus Solution

A high-level illustration of the flows of Personal Data on Altéa for Traveller Personal Data is
shown below.