Italy’s data protection regulator has fined Emirates EUR180,000 after finding that its MEDIF process for passengers with disabilities or reduced mobility did not give clear enough privacy information and kept health data for too long.
The useful point for managers is narrower than the headline. The Garante newsletter, published on 17 June 2026, says airlines can process health data without consent where this is necessary for safe transport and assistance during travel. The breach was about the process around that collection: unclear notices and a seven-year retention period that the regulator considered excessive.
What the Garante decided
The formal 14 May decision followed a complaint made on 29 January 2025 by a passenger who said Emirates had required her to complete a MEDIF form even though she did not fall within the categories that needed to provide that documentation.
MEDIF means Medical Information for Fitness to Travel or Special Assistance. The form collected information about the passenger’s health, their doctor and any accompanying people. The Garante consulted ENAC, Italy’s civil aviation authority, and accepted that processing health data can be legitimate where it is needed to guarantee safe transport and assistance for passengers with disabilities or reduced mobility.
The processing was nonetheless found to be unlawful. The Garante recorded breaches of GDPR Article 5, specifically the transparency and storage limitation principles, plus Article 12 and Article 13 on privacy information. That matters. The regulator did not say every MEDIF request was unlawful. It said Emirates had not explained the process clearly enough and had not limited storage to a proportionate period.
Where Emirates fell short
The first failure was notice quality. The Garante said Emirates did not give passengers clear and complete information, either through its website or through the staff involved in assistance. Passengers also needed to know which categories of traveller had to complete the MEDIF form and which sections of it were actually mandatory.
The second failure was retention. Emirates kept health data collected through the MEDIF form for seven years. The Garante found that period excessive and disproportionate when the purpose was organising and carrying out the trip. In the final order, Emirates was told to set suitable retention periods, update how information is provided to passengers, and respond to the regulator within 30 days.
This is close to the everyday privacy problem many organisations face with accessibility requests, HR adjustments, visitor access, events, medical questionnaires and customer support. Sensitive information is often collected for a valid operational reason. The risk comes when forms ask for more than staff need, notices sit away from the collection point, and records stay in shared folders years after the service has been delivered.
Why health and accessibility data needs tighter handling
Health data is a special category of personal data under GDPR Article 9. Accessibility information often reveals health, disability or mobility needs even when the person is only asking for practical help. That does not ban collection. It raises the standard for explaining, limiting and controlling it.
Three controls should be visible in the workflow before the data is collected. Staff should know who is required to complete the form. The form should separate mandatory information from optional detail. The privacy notice should sit at the point where the person is deciding whether to submit the information, not on a generic policy page that they have to find afterwards.
The Garante’s reasoning also links health data to retention discipline. A long legal-hold period is not a substitute for a retention schedule. If the purpose is to arrange a flight, event, appointment or workplace adjustment, managers need a documented reason for each retention period and a deletion step that actually runs. Our recent medical-records piece covers the same point from the staff-access side: sensitive data needs tighter rules because the harm from unnecessary access is higher.
A practical checklist for managers
- Map the trigger for the form. Write down exactly which requests require health or accessibility information.
- Strip the form back. Ask only for fields needed to deliver the service safely.
- Put the privacy notice next to the form. Explain purpose, legal basis, recipients, retention and rights before submission.
- Separate consent from necessity. Do not ask for consent if the organisation is relying on another lawful route for a necessary service.
- Set a retention period that matches the operational purpose. Record why the period is enough.
- Delete old records. A policy is weak if the data still sits in a mailbox, ticketing system or shared drive.
- Train frontline staff. The person explaining the form needs the same script as the privacy notice.
The transparency point is also current across Europe. The EDPB transparency enforcement work shows regulators are still looking closely at whether people understand what happens to their data at the moment it is collected.
What to review this week
Start with any form that collects health, disability, mobility, accessibility or adjustment information. Check the live user flow, not just the policy document. The question is whether a person can tell, before submitting the form, why the information is needed, who receives it, how long it stays, and which fields they must complete.
Then test the back end. Find one completed request from 2023 or earlier and ask where the data now lives. If the answer is a mailbox, spreadsheet, upload folder and CRM record, the retention policy is not under control.
For teams that need a baseline for staff handling personal data, the GDPR Essentials course covers lawful basis, transparency, special category data and retention in a practical manager-friendly format.
Questions managers may ask
Why did the Garante fine Emirates?
The Garante fined Emirates EUR180,000 because its MEDIF process did not provide clear and complete privacy information to passengers and retained health data for seven years, which the regulator considered excessive for the travel-assistance purpose.
Did the Garante say airlines cannot collect health data?
No. The Garante accepted that airlines can process health data where necessary for safe transport and assistance for passengers with disabilities or reduced mobility. The breach was about transparency and retention.
What should other organisations learn from the Emirates fine?
Any organisation collecting health or accessibility information should define who must provide it, make mandatory fields clear, give privacy information at the point of collection, and delete the data once the operational purpose and justified retention period have ended.
