Information about General Data Protection Regulation (GDPR) for Amadeus Airline Customers
Amadeus Airline Customer Unit

amadeus.com
Index
_ Introduction/Purpose
_ What is the GDPR?
_ Roles and Obligations under GDPR
  • Data Protection Positioning under the GDPR
  • Traveller Personal Data processed through the Amadeus GDS
  • Traveller Personal Data processed for IT Services through Altéa
_ Amadeus' GDPR Program
  • Appointment of a Data Privacy Officer (DPO)
  • Amadeus GDPR Program
  • GDS Customer
  • IT Customer
  • Written Instructions of Airline Amadeus Customer
  • Contractual Agreements to IT Services Agreements
  • Transparent Report-Privacy Checklist
_ Annex One: Privacy Notice
© 2018 Amadeus IT Group and its affiliates and subsidiaries

Introduction/Purpose
This document explains:

_ what the GDPR is;
_ how the GDPR affects Amadeus and Amadeus Airlines Customers in the processing of
Traveller Personal Data; and
_ what action Amadeus is taking with the Amadeus GDPR program.
This document is to supply information to Amadeus Airline Customers about the processing
of Personal Data by Amadeus to provide transparency and accountability required under the
GDPR. It is hoped that this document will focus on questions that Amadeus Airline
Customers may have when considering the GDPR and the use of Amadeus as a
partner/service provider. This document is not intended to constitute legal advice, rather it is
to provide information to Amadeus Airline Customers about how Amadeus services operate
and explain the roles of Amadeus and Amadeus Airline Customers in respect of services
provided by Amadeus.
This document can be used by Amadeus Account teams and shared with Amadeus Airlines
Customers.

What is the GDPR?


The EU General Data Protection Regulation (GDPR) applies from 25th May 2018.
The GDPR represents an overhaul of existing EU data protection law, building on existing
Privacy Principles and introducing particular focus on documentary evidence and Privacy by
Design and by Default. These are the GDPR requirements of Transparency and
Accountability.
The GDPR applies to all types of Personal Data that Amadeus may process. For services
supplied to Airlines this would include processing of Traveller Personal Data and to a limited
extent Personal Data of employees of Amadeus Customers (Customer Personal Data) – e.g.
information that Amadeus may collect about Amadeus Customer employees required by
Amadeus to provide the services to Amadeus Customers. This document only addresses the
processing of Traveller Personal Data.
Amadeus has a set of Privacy Principles that apply to Amadeus entities that process Personal
Data. These Amadeus Privacy Principles are derived from the Privacy Principles set out in the
GDPR.
Amadeus has put in place a program to address the requirements that the GDPR imposes on
Amadeus, both as a Data Controller (the entity that determines the purposes and means of
processing of Personal Data) and as a Data Processor (where Amadeus is processing Personal
Data on behalf of a Data Controller).
This document refers to the processing of Traveller Personal Data. References in this
document to Amadeus are to Amadeus IT Group SA.

Roles and Obligations under GDPR
Under the GDPR, legal entities established in the EU, whether as a Data Controller or a Data
Processor, are in scope.
A Data Controller is a legal entity that determines the purposes and means of processing of
Personal Data.
A Data Processor is a legal entity that processes Personal Data on behalf of a Data Controller.
Amadeus as a legal entity within the EU will be required to comply with GDPR either as a Data
Controller or Data Processor.
Amadeus Airline Customers as a Data Controller established in the EU and those who are not
legal entities within the EU but targeting individuals within the EU will be required to comply
with GDPR.
Data Protection Positioning under the GDPR
The data protection positioning is the role of a legal entity as a Data Controller or a Data
Processor for a specific data processing activity. Such positioning is relevant as the legal
obligations under the GDPR of a Data Controller and Data Processor are different.

Traveller Personal Data processed through the Amadeus GDS


In relation to the distribution services, Amadeus IT Group SA is acting as Data Controller for
the Traveller Personal Data processed for the purposes of making reservations or issuing
tickets. [1]
The positioning of Amadeus as a Data Controller does not mean that other parties involved in
the processing (travel agencies, airlines or other travel service providers of GDS business)
shall take the role of Data Processors. There are several Data Controllers involved in the
same traveller reservation and ticketing information. Airlines, travel agencies and
corporations could also be Data Controllers of the traveller reservation and ticketing
information. These Data Controllers each determine the purpose of the processing of the
Personal Data and are not joint Data Controllers.
Traveller Personal Data processed for IT Services through Altéa


In relation to Amadeus IT services (e.g. Altéa and e-commerce services) Amadeus is acting as
Data Processor and the Amadeus Airline Customers are Data Controllers for the Traveller
Personal Data generated under the IT Services Agreement.
Amadeus as a Data Processor is required to have a contract in place with a Data Controller.
The processing instructions to Amadeus IT Group SA are documented in the IT Services
Agreement. Other legal entities of the Amadeus Group (e.g. Amadeus ADP, Amadeus s.a.s
etc.) may be sub processors of Amadeus IT Group S.A. for the processing of Traveller Personal
Data. Any processing instructions received by Amadeus IT Group S.A. will be cascaded down
to other legal entities of the Amadeus group that support Amadeus IT Group SA in the
delivery of the services.

[1] Article 11 EU CRS Code of Conduct establishes that with regards to the processing of such data a system vendor (Amadeus IT Group S.A.)
shall be considered a data controller.

Amadeus’ GDPR Program


Appointment of a Data Privacy Officer (DPO)
GDPR requires the appointment of a DPO in a limited number of cases. Amadeus IT Group
S.A. has concluded that the processing of Traveller Personal Data will not require Amadeus to
appoint a DPO. There may be local requirements (e.g. in Germany) that require the
appointment of a DPO for particular Amadeus legal entities which are beyond the scope of
the GDPR.
Irrespective of the lack of DPO appointment, Amadeus has a structure to address privacy
matters. The point of contact for enquiries relating to data privacy that Amadeus
Airline Customers may have for Amadeus IT Group S.A. will be the Amadeus Chief Privacy
Officer – Ana Regidor.
Amadeus GDPR Program
Amadeus has initiated a formal GDPR program to oversee and coordinate GDPR related
activities across all functions and business units which is divided into several project streams.
One project stream covers the processing of Traveller Personal Data.
For the processing of Traveller Personal Data Amadeus has translated the GDPR
requirements that need to be met (some of these requirements will only need to be met
when Amadeus is a Data Controller of Traveller Personal Data but requisite information will
need to be supplied to Amadeus Airline Customers where Amadeus is a Data Processor for
the relevant Amadeus Airline Customer):
1. Data Mapping
2. Register of processing
3. Privacy by design and by default
4. Security measures
5. External privacy statements – where Amadeus is Data Controller
6. Data subjects rights – where Amadeus is Data Controller
7. Data breach notifications – where Amadeus is Data Controller
8. Vendor management

GDS Customer
Amadeus will comply with applicable data protection legislation (GDPR) in its position as a
Data Controller. The Amadeus GDS Privacy Notice explains how personal data will be
processed through the GDS; a copy of this Privacy Notice can be found at Annex One.

IT Customer
Amadeus Airline Customers are positioned as Data Controllers of Traveller Personal Data
under IT Agreements with Amadeus acting as Data Processor processing traveller Personal
Data on behalf of the Airline and under the contractual instructions of the Airline.
The written agreement between the Data Controller and Data Processor is currently
contained within the IT Services Agreement.
The IT Services Agreement sets out as required under the GDPR:
• the subject matter and duration of the processing;
• the nature and purpose of the processing;
• the type of personal data and categories of data subject; and
• the obligations and rights of the controller.

Under the GDPR contracts between the Data Controller and Data Processor must also include
the following terms requiring Amadeus as Data Processor to:
• only act on the written instructions of the Data Controller;
• ensure that people processing the Personal Data are subject to a duty of confidence;
• take appropriate measures to ensure the security of processing;
• only engage sub-processors with the prior consent of the Data Controller and under a
  written contract, such consent may include a general authorisation to engage sub
  processors subject to the Data Controller having the right to object to any intended
  changes to sub processors; Amadeus requires a general authorisation to engage
  subprocessors from all Amadeus Airline Customers due to the nature of the services
  being provided. Amadeus remains responsible for the processing of Personal Data by
  sub-processors. The Amadeus Airline Customer will still remain in control of what
  happens to Personal Data processed as there will be transparency about
  subprocessors used in the provision of the services.
• assist the Data Controller in providing subject access and allowing data subjects to
  exercise their rights under the GDPR;
• assist the Data Controller in meeting its GDPR obligations in relation to the security of
  processing, the notification of personal data breaches and data protection impact
  assessments (if required);
• delete or return all Personal Data to the Controller as requested at the end of the
  contract; and
• submit to audits and inspections, provide the Data Controller with whatever
  information it needs to ensure that they are both meeting their Article 28 obligations,
  and tell the Data Controller immediately if it is asked to do something infringing the
  GDPR or other data protection law of the EU or a member state.
Amadeus will demonstrate compliance with obligations under Article 28 by providing
the necessary information about processing Personal Data to Amadeus Airline
Customers in the form of third party certifications.
Written Instructions of Airline Amadeus Customer
The instructions of the Data Controller are as set out in the IT Services Agreement and/or
provided by the Data Controller through the activation or configuration of a service. The
nature of the Amadeus Community model and the common platform concept where Altéa
shares platform functionality with the GDS Platform require any instructions from the Data
Controller to be considered in the context of the common platform architecture.
Additional instructions from an Airline Amadeus Customer are usually raised through the
Change Control Procedure insofar as adjustments are required to functionality or system
architecture in order to meet an Airline Amadeus Customer’s specific requirements.
Contractual Amendments to IT Services Agreements
The IT Services Agreements with Amadeus Airline Customers already contain terms relating to
Data Processing. However, Amadeus Airline Customers should contact their Amadeus
Account Team should they wish to discuss further clarifications that they may require to IT
Services Agreements to cover the GDPR requirements in line with the above.
Transparency Report – Privacy Checklist
To assist the Amadeus Airline Customer in meeting their obligations under GDPR (Art. 28),
Amadeus will provide, for each Amadeus Solution (Product/Service) that processes Traveller
Personal Data, information to describe the processing of Personal Data.
The information will describe aspects of the Amadeus Solution relevant to the Privacy
Principles in the context of the travel industry standards to meet the GDPR requirements of
transparency and accountability. It will provide information about how Amadeus processes
Traveller Personal Data under the IT Services Agreement. This information/Privacy Checklist
can be used by Amadeus Airline Customers as Data Controllers to demonstrate how the
Amadeus Solutions meet the Privacy Principles set out in the GDPR taking into account travel
industry standards.
The Privacy Checklist will provide information that can be used as evidence of Privacy by
Design by the Amadeus Airline Customer and demonstrates compliance with the GDPR to
include the following:
• Description of the purpose of the processing of Traveller Personal Data by Amadeus
  Solution
• Data Mapping/Flows to illustrate where Traveller Personal Data is processed, access
  to and data transfers of Traveller Personal Data to vendors and other third parties;
• Description of how the Amadeus Solution is relevant to Privacy Principles including:
  o Security Measures (including relevant certifications) to provide adequate
    protection to Traveller Personal Data
  o Data Retention and deletion
  o Data breach notification
  o How rights of Data Subjects can be met through the Amadeus Solution

A high level illustration of the flows of Personal Data on Altéa for Traveller Personal Data is
shown below.
Annex One: Privacy Notice – Amadeus Global Distribution System

Basic information about the processing of personal data

Data controller: Amadeus IT Group, S.A., C/Salvador de Madariaga 1, 28027 Madrid, Spain

Purpose of personal data processing: To process travel reservations, to provide
Amadeus GDS Users with access to such information, to issue tickets and other travel
related documents, to perform internal business processes for credit card processing,
authentication, and fraud prevention and to provide other travel related services

Legal grounds for processing: Performance of a Contract; Legitimate Interest

Recipients of the personal data: Amadeus Affiliates, Third Party Service Providers,
Amadeus GDS Users and Partners who act on Amadeus GDS Users behalf

Legal rights: You have a right to access, review and restrict processing of Personal
Information and the right to lodge a complaint with a supervisory authority.

Privacy Notice for Amadeus Global Distribution System (“Amadeus GDS”)
This Privacy Notice describes how Amadeus IT Group S.A. (“Amadeus”) process personal data
included in travel information processed in the Amadeus global distribution system
(“Amadeus GDS”). This Privacy Notice applies to personal data Amadeus process through the
Amadeus GDS globally.
This Privacy Notice for the Amadeus GDS does not apply to personal data that may be
collected or processed by Amadeus for other purposes, such as through Amadeus websites
or where Amadeus provide services for Amadeus Customers that are not provided through
the Amadeus GDS. Where personal data is collected for other purposes, the relevant privacy
notice will be provided explaining the purpose the personal data is being processed for.
The Amadeus GDS is a travel technology platform used for the distribution of travel services.
This Privacy Notice is independent of notices that Amadeus GDS Users (e.g. travel providers
such as airlines, hotels and other travel suppliers and subscribers to the Amadeus GDS such
as travel agents) may give travelers. This Privacy Notice describes how Amadeus process
personal data on the Amadeus GDS.

What personal data is processed and how is this personal data collected?

Amadeus process personal data when Amadeus GDS Users (e.g. the travel agent or airline)
input personal data of travelers on the Amadeus GDS that they, the Amadeus GDS Users,
have collected. The Amadeus GDS User will be responsible for giving any relevant privacy
notices and informing the traveler about how they will process personal data. To
understand more fully how personal data is processed and who it is shared with in the
processing of a travel reservation you should refer to privacy notices of Amadeus GDS Users
involved in the travel reservation.
The personal data processed includes a name, travel itinerary and form of payment and may
also include additional information as deemed necessary by the Amadeus GDS User (contact
information, telephone, email, billing information, date of birth, credit card information,
preferences or special requests). This personal data will normally be part of a travel itinerary
record which is called a Passenger Name Record (PNR). The information included in the PNR
is required to process travel reservations and issue the relevant tickets and provide other
travel related services.

What is the Personal Data used for and what is the legal basis for processing

Amadeus use the personal data to process travel reservations, to provide Amadeus GDS
Users with access to such information, to issue tickets and other travel related documents, to
perform internal business processes (such as testing and quality assurance) for credit card
processing, authentication, and fraud prevention and to provide other travel related services.
The legal basis for processing personal data is that the processing is necessary for the
performance of a contract to which the traveler is a party.

Amadeus may also use personal data for research, analytical and statistical purposes, to
identify preferences, interests and trends and other activities in the travel industry and to
identify products and services that may be of interest to individuals. Personal data used for
analytical purposes is derived from personal data but when it is used it is in anonymized and
aggregated form.
The legal basis for processing the personal data for research, analytical and statistical
purposes and to identify products and services that may be of interest to individuals is on the
basis of the legitimate business interests of Amadeus. Where personal data is processed for
these purposes the privacy impact on the individual whose data is being processed will be
considered.
Individuals cannot be identified from aggregated data but if individuals do not want personal
data included in aggregated data they can object to this by making this request to the contact
details below in the section Legal Rights. When making this request there should be a
reference to not wanting personal data used for the purposes of analytics.
Amadeus may share aggregated data which cannot identify individuals and with other third
parties.

Who is the personal data shared with

Amadeus share personal data with Amadeus GDS Users and service providers and partners
who may act on Amadeus GDS Users behalf. Amadeus GDS Users can decide who any
personal data can be shared with. As a general principle information about the traveler is
shared with the parties involved in the transaction (and service providers and partners who
act on their behalf) and with other industry stakeholders (e.g. IATA) as necessary to perform
the contracts the Amadeus GDS Users have with travelers.
Amadeus may share personal data with its affiliates, agents and third party service providers
such as suppliers of information technology services, security services and legal,
financial/accounting and other similar professional advisers.
Where such disclosure takes place Amadeus require the appropriate technical and
organizational security measures to be in place to protect personal data and for personal
data to be processed lawfully.
Amadeus only allow affiliates and third party service providers to use personal data for
specified purposes and in accordance with Amadeus instructions.
Further information on the affiliates and third party service providers that Amadeus use to
process personal data on their behalf can be requested through the contact details set out
below in the section legal rights. When requesting this information please make a reference
to information about affiliates and third party service providers so that the relevant
information can be provided.
Amadeus may also disclose personal data as required by law, subpoena, or regulation; when
requested by government or law enforcement authorities or as otherwise required or
permitted by law.

International Transfer of Traveler Personal Data

When Amadeus share your personal data with its affiliates and third party service providers
who process personal data on behalf of Amadeus this will involve transferring personal data
outside the EEA. When personal data is transferred to another country it will continue to
receive adequate protection through contractual or other arrangements put in place with
Affiliates and third party service providers. For these transfers at least one of the following
appropriate safeguards will be implemented:
• Personal data will be transferred to countries that have been deemed to provide an
  adequate level of protection for personal data by the European Commission;
• Standard data protection clauses approved by the European Commission which give
  personal data transferred the same protection it has in EEA;
• With affiliates and third party service providers based in the US, Privacy Shield which gives
  personal data similar protection it has in EEA;

Further information on the appropriate safeguards used when transferring personal data
outside the EEA can be requested through the contact details set out below in the section
legal rights. When requesting this information please make a reference to the transfer of
personal data outside the EEA.
Due to the global nature of the travel industry, personal data may be transferred to and
processed by Amadeus GDS Users in different locations around the world. These transfers
will be necessary for the performance of a contract between the traveler and the Amadeus
GDS User.

Data Security and Integrity

Amadeus has taken the appropriate technical and organizational security measures to
protect personal data from loss or unlawful processing. When Personal Data is processed on
behalf of Amadeus access is limited to those who have a business need to know, Personal
Data will be processed in accordance with the instructions of Amadeus and those who have
access are subject to a duty of confidentiality.
Amadeus have in place procedures to deal with any suspected personal data breach and will
notify individuals and any applicable regulator of a breach where they are legally required to
do so.

Data Retention

Amadeus retains personal data for as long as necessary to fulfil the purposes it was collected
for including for the purposes of satisfying any legal, accounting or reporting requirements.
The default retention period for a PNR is 5 years from when it becomes inactive. PNRs are
active as long as a segment in the PNR is active (the related service is still pending). After the
completion of the last segment of the PNR the PNR is archived and access to the PNR is
restricted. After a period of 5 years the PNRs are deleted.

Legal rights

Amadeus GDS Users collect personal data from the traveler and input this information in the
Amadeus GDS. We recommend travelers contact the Amadeus GDS Users to whom they
provided the information directly with any issues or requests they may have relating to
personal data stored in the Amadeus GDS.

Under certain circumstances individuals can exercise rights under data protection laws.
Travelers can exercise these rights relating to their own personal data, or contact Amadeus
for data protection related questions, by email to dataprotection@amadeus.com or write to
Chief Privacy Officer, Amadeus IT Group, S.A. C/Salvador de Madariaga 1, 28027 Madrid,
Spain.
For the following rights please make a reference to the following:

• Right to access – request for access to personal data
• Right to object – object to processing of personal data for the purpose of analytics
• Right to information about
  o Amadeus affiliates and third party service providers who process personal data on
    behalf of Amadeus;
  o transfers to third countries – information about data transfers outside EEA;

Amadeus will require authentication of the identity of the traveler and may require additional
information to confirm that the rights that travelers may have under data protection laws are
being exercised correctly.

Your rights

Amadeus intends to carefully address any request and/or claim from you, as well as carefully
process personal data. You are entitled to file any claim or complaint before the relevant
data protection authorities, if the answer provided by Amadeus does not meet your
expectations.

Updates

This Privacy Notice is published by Amadeus IT Group SA. This Privacy Notice may be
changed at any time. The date it was last updated is shown here: April 30, 2018.
