Amadeus & GDPR

Last Updated – May 2018

The EU's new General Data Protection Regulation (GDPR) comes into effect on May 25, 2018. This regulation aims to update existing data protection laws and strengthen the protection of personal data to take into account recent technological developments, globalization and complex flows of personal data. It is a modernization of current data protection laws.

The GDPR will apply to organizations processing personal data in the EU but also to organizations outside of the EU who may be targeting, or offering goods and services to individuals within the EU.

Compliance with regulation is one of Amadeus' highest priorities. Amadeus has run an internal GDPR program to address the requirements under the GDPR. This program has included an assessment of Amadeus systems, which has documented how personal data is processed and has also identified changes required to systems that process personal data to comply with GDPR requirements. Within this review, we have taken into account travel industry standards, to ensure that GDPR requirements are met while also meeting the needs of the travel industry.

Our goal has been, and still is, to ensure that personal data is processed in accordance with the new transparency and accountability requirements of the GDPR and is adequately protected. This enables Amadeus to address the requirements under the GDPR and to support our customers by providing information so that they can meet any compliance obligations they may have.

Our Amadeus Business Partner Privacy Notice can be found here.

For further information regarding the GDPR, please see below a Glossary, a Frequently Asked Questions (FAQ) section and our Privacy Principles. Should you have any further questions, please contact your account manager.

Glossary

Personal data: personal data is all the information about an identified or identifiable individual; this means that if you can identify an individual from the information that you are processing or handling, even if not by name, it is likely that you are processing personal data.

Data processor: the entity processing on behalf of and in accordance with the instructions of a data controller.

Data controller: the entity deciding the means and purpose of the processing of personal data. Amadeus is considered a data controller in its role as GDS.

FAQ

  1. Is Amadeus GDPR compliant?
    Yes, Amadeus is compliant with the new requirements introduced by the GDPR. In particular, the GDPR introduces Privacy by Design and increased emphasis on transparency towards individuals and our customer baseline regarding processing activities.
  2. Are all your regional offices and subsidiaries also GDPR compliant?
    During 2017 and the first quarter of 2018 we ran an internal GDPR Program to adapt and prepare for the new regulation. As part of that Program, we assessed our business units and solutions that process personal data across our entire organization.
  3. If personal data is processed in the product or service how does Amadeus comply with the GDPR?
    Amadeus will comply with GDPR in the delivery of our services to our customers. As a Data Controller, Amadeus will comply with the GDPR and the GDS sector-specific privacy laws that are applicable to Amadeus as a GDS. As a Data Processor, Amadeus will comply with the contractual obligations it has with customers and with the direct responsibilities it may have as a Data Processor under the GDPR.
  4. When servicing your own customers, how do you manage your customer data to be compliant?
    As an IT provider to our customers, we operate under the instructions of our customers. Generally speaking, the Amadeus system functionality is developed to meet their requirements, and processes are in place to respond to any changes in their needs. In anticipation of the GDPR we have introduced the requisite degree of transparency on our processing activities. As such, customers maintain control and are enabled to meet transparency requirements in turn to their consumer base.
  5. Have you changed your processes to become compliant?
    We have introduced new processes in a variety of GDPR focal areas, including in the collection of data evidencing an entity's processing activities and also Privacy by Design.
  6. Who do I contact if I need to receive information directly from Amadeus?
    Please channel your questions through your ordinary contact at Amadeus.

Amadeus Privacy Principles
As information, in particular personal data, is at the core of Amadeus business, handling of personal data is essential and consequently Data Privacy / Data Protection has high priority in the Amadeus Group. Therefore, Amadeus has committed itself to adhere to the Amadeus Privacy Principles.

The Amadeus Privacy Principles form the basis of the Amadeus Privacy Framework as reflected in our Corporate Policies, standards and processes and ultimately our behavior.

As a global enterprise, Amadeus has taken account of internationally recognized standards (such as the Guidelines of the United Nations and of the OECD and the ISO/IEC 29100), and the EU General Data Protection Regulation (GDPR) in the course of setting the Amadeus Privacy Principles.


Amadeus Privacy Principles Infographic

Transparency: Inform how Amadeus processes personal data

Lawfulness

We must:

  • have a permissible legal basis for processing personal data (e.g. contract, legal obligation, legitimate interest or consent of the individual);
  • make sure that we do not do anything unlawful with the data.

Transparency

We must be transparent about how we process personal data and give (1) individuals appropriate privacy notices when collecting their personal data and (2) customers appropriate information about data storage, flows and access.

Respecting data subject’s rights

The data subject has

  • a right to be informed about the collection and processing of its personal data;
  • a right to access its personal data;
  • a right to object to the processing and to decisions being taken by automated means;
  • a right to have inaccurate personal data rectified;
  • a right to erasure of its personal data and to be forgotten, and
  • a right to data portability.

Proportionality: Process personal data as necessary to provide the services and allow access on a need-to-know basis

Purpose limitation

We have to specify from the outset for which purposes we are processing personal data and what we intend to do with it.

We may process personal data only for these specific and lawful purposes.

Data minimization

We must limit:

  • the personal data we hold on an individual only to the information that is strictly necessary for the specific purpose;
  • the number of people within Amadeus that have access to personal data on a need-to-know basis.

Storage limitation

We must

Accuracy

We must ensure that personal data is accurate, complete and up-to-date (unless there is a legitimate basis for keeping outdated data).

Adequate Protection: Keep personal data secure and treat it as strictly confidential

Security

We have to take appropriate technical and organizational measures to protect personal data against such risks as loss or unauthorized access, destruction, use, modification or disclosure.

Data transfers

We must ensure that personal data is adequately protected before transferring it to another party.