Amadeus & GDPR

The EU's new General Data Protection Regulation (GDPR) comes into effect on May 25, 2018. This regulation aims to update existing data protection laws and strengthen the protection of personal data to take into account recent technological developments, globalization and complex flows of personal data. It is a modernization of current data protection laws.

The GDPR will apply to organizations processing personal data in the EU but also to organizations outside of the EU who may be targeting, or offering goods and services to individuals within the EU.

Compliance with regulation is one of Amadeus' highest priorities. Amadeus has run an internal GDPR program to address the requirements under the GDPR. This program has included an assessment of Amadeus systems, which has documented how personal data is processed and has also identified changes required to systems that process personal data to comply with GDPR requirements. Within this review, we have taken into account travel industry standards, to ensure that GDPR requirements are met while also meeting the needs of the travel industry.

Our goal has been and still is to assure that personal data is processed in accordance with the new transparency and accountability requirements of the GDPR and is adequately protected to enable Amadeus to address the requirements under the GDPR and to support our customers by providing information so that they can meet any compliance obligations they may have.

For further information regarding the GDPR, please see below a Glossary, a Frequently Asked Questions (FAQ) section and our Privacy Principles. Should you have any further questions, please contact your account manager


Personal data: personal data is all the information about an identified or identifiable individual; this means that if you can identify an individual from the information that you are processing or handling, even if not by name, it is likely that you are processing personal data.

Data processor: the entity processing on behalf of and in accordance with the instructions of a data controller.

Data controller: the entity deciding the means and purpose of the processing of personal data. Amadeus is considered a data controller in its role as GDS.


  1. Is Amadeus GDPR compliant?
    Yes, Amadeus is compliant with the new requirements introduced by the GDPR. In particular, the GDPR introduces Privacy by Design and increased emphasis on transparency towards individuals and our customer baseline regarding processing activities.
  2. Are all your regional offices and subsidiaries also GDPR compliant?
    During 2017 and the first quarter of 2018 we ran an internal GDPR Program to adapt and prepare for the new regulation. As part of that Program, we assessed our business units and solutions that process personal data across our entire organization.
  3. If personal data is processed in the product or service how does Amadeus comply with the GDPR?
    Amadeus will comply with GDPR in the delivery of our services to our customers. As a Data Controller Amadeus will comply with the GDPR and GDS sector specific privacy laws that are applicable to Amadeus as a GDS, and as a Data Processor Amadeus will comply with the contractual obligations it has with customers and with direct responsibilities it may have as a Data Processor under the GDPR.
  4. When servicing your own customers, how do you manage your customer data to be compliant?
    As an IT provider to our customers, we operate under the instructions of our customers. Generally speaking, the Amadeus system functionality is developed to meet their requirements, and processes are in place to respond to any changes in their needs. In anticipation of the GDPR we have introduced the requisite degree of transparency on our processing activities. As such, customers maintain control and are enabled to meet transparency requirements in turn to their consumer base.
  5. Have you changed your processes to become compliant?
    We have introduced new processes in a variety of GDPR focal areas, including in the collection of data evidencing an entity's processing activities and also Privacy by Design.
  6. Who do I contact if I need to receive information directly from Amadeus?
    Please channel your questions through your ordinary contact at Amadeus.

Amadeus Privacy Principles