A B2B platform holds years of customer booking data collected for one operational purpose. A product team wants to mine it for a new analytics pilot. No breach, no hacker. Just reuse. In May 2026, Spain’s data protection authority closed a cross-border GDPR case against Amadeus with a €14.4 million fine, reduced from €18 million after voluntary payment, for doing exactly that. The AEPD final decision PS/00005/2025 is a board-level reminder that secondary-use projects fail on transparency and lawful basis long before security controls enter the picture.
What the AEPD decided in the Amadeus case
The Spanish Supervisory Authority (AEPD) closed cross-border proceeding PS/00005/2025 after Amadeus paid €14.4 million. The original sanction was €18 million. A 20% reduction applied through voluntary payment without admission of liability.
The fine split evenly: €9 million for infringing GDPR Article 14 (information where personal data is not obtained from the data subject) and €9 million for infringing Article 6 (lawful basis). An anonymous complaint arrived in September 2023. The investigation centred on a March to June 2022 pilot with hotel-chain partners that analysed historical booking data to test viability for a new product. Amadeus later shelved the project.
Gibson Dunn’s June 2026 European privacy roundup records the closure on 26 May 2026. The AEPD treated a prior 2022 Article 12 infringement as an aggravating factor when setting the penalty.
Why booking data made the compliance bar higher
Indirect collection through airlines, hotels, and agencies
Amadeus operates as a global travel-distribution platform. It receives reservation data from airlines, hotels, and travel agencies rather than collecting it directly from passengers. That B2B chain triggers stricter transparency duties when the company later wants a new use for data it never collected face-to-face.
Travellers had no direct relationship with Amadeus
Most people who booked a flight or hotel room never dealt with Amadeus. They expected their airline or hotel to handle their reservation. The AEPD found travellers were unaware Amadeus processed their data at all, let alone for a later product experiment.
Years-old reservation data reused for a new commercial purpose
The pilot drew on historical booking records to build traveller profiles for product development. The data had been gathered for operational distribution, not for analytics on future services. The same pattern appears outside travel: a loyalty programme mining purchase history for a new recommendation engine, or an HR platform repurposing absence records for performance scoring.
Where Amadeus fell short on transparency (Article 14)
Article 14 requires specific information when personal data is obtained indirectly. Amadeus relied on generic website privacy-policy wording. The AEPD concluded that language did not cover the distinct purpose of the 2022 pilot. A blanket policy clause cannot substitute for notice tied to a new processing activity.
The authority also noted that travellers could not reasonably have known their years-old booking data would feed a product-development experiment run by a company they had never contacted. Article 14 exceptions for disproportionate effort or impossibility did not rescue the pilot. The AEPD’s 2026 coordinated transparency enforcement theme, covered in our EDPB transparency enforcement guide, sits in the same operational lane: specific notice before processing, not boilerplate.
Why legitimate interest did not carry the pilot (Article 6)
Amadeus relied on legitimate interests as its lawful basis for the pilot. The AEPD rejected it. Travellers could not reasonably expect years-old booking data to be aggregated into profiles for a new commercial product. The balancing test between Amadeus’s interests and travellers’ rights failed.
Internal company documentation reportedly questioned whether legitimate interest was appropriate for the pilot. That internal inconsistency weakened the defence. Regulators treat self-doubt in project papers as evidence the balancing exercise was never properly done.
Passing a compatibility or purpose-limitation test does not clear the lawful-basis gate. UK organisations face the same split. ICO guidance on reuse requires a separate lawful basis for any new processing activity, as set out in our ICO compatibility rules explainer.
Four checks managers should run before any reuse pilot
Map the original collection purpose and every proposed new use
Write down what the dataset was collected for and what the pilot will do with it. If the new use is not listed in your records of processing or privacy notice, stop and reassess before any code runs.
Test reasonable expectations: would the person be surprised?
Ask whether a customer, employee, or traveller would expect this reuse. Surprise is a red flag. The Amadeus case turned on travellers not expecting a B2B distributor to profile them for product experiments years after booking.
Document a balancing test before you rely on legitimate interests
Run a legitimate interests assessment before the pilot starts. Record the outcome. If internal stakeholders question the basis during planning, treat that as a signal to pick a different route or redesign the project.
Provide specific transparency before processing starts
Update privacy information, contracts, or direct notices to cover the new purpose. A generic policy update months later is too late. Article 14 information must reach individuals when you obtain data indirectly, and any new use needs its own transparency path.
How this connects to UK compatibility rules
UK GDPR purpose limitation and compatibility rules ask the same operational questions, even though the Amadeus fine sits under EU GDPR enforcement. A compatibility assessment and a lawful-basis check are separate gates. Passing one does not clear the other.
UK organisations holding CRM, HR, or loyalty data face the same function-creep risk. The ICO’s March 2026 refresh on purpose limitation and reuse sets out five compatibility factors managers should document before repurposing a dataset. The Amadeus fine adds EU enforcement weight to a checklist UK teams should already be running.
Which teams own the response
- Privacy and DPO functions: records of processing, Article 14 notices, legitimate interests assessments.
- Product and analytics: purpose statements in project charters before data access.
- Legal: contract review with B2B data suppliers and downstream processors.
- Procurement: data-flow clauses when onboarding vendors who hold customer datasets.
- Engineering and data platform: access controls tied to declared purposes, not open warehouse exports.
New uses need specific transparency and a documented lawful basis before the pilot starts. That is the operational lesson from a €14.4 million voluntary payment on a shelved travel analytics project.
For team-wide training on lawful basis, transparency, and reuse documentation, see our GDPR Essentials course.
FAQ
Why did Spain fine Amadeus €14.4 million?
The AEPD sanctioned Amadeus €18 million for reusing traveller booking data in a 2022 product pilot without adequate Article 14 transparency or a valid Article 6 lawful basis. Voluntary payment reduced the total to €14.4 million without admission of liability.
What GDPR articles did Amadeus infringe?
€9 million related to Article 14 (information on indirectly obtained data) and €9 million to Article 6 (lawful basis). A prior 2022 Article 12 infringement counted as an aggravating factor.
Can companies reuse old customer data for new product pilots?
Only with a documented compatibility or purpose-limitation assessment, a valid lawful basis for the new use, and specific transparency provided before processing begins. Generic privacy-policy wording and an assumed legitimate interest will not suffice.
When does Article 14 apply to indirectly collected data?
Article 14 applies when you obtain personal data from a source other than the individual, which includes B2B supply chains. You must provide prescribed information unless an exception applies, and a new use case typically needs its own notice path.
Why did legitimate interest fail in the Amadeus case?
Travellers could not reasonably expect years-old booking data to be profiled for product development by a company they had no direct relationship with. The AEPD found the balancing test failed, and internal documentation reportedly cast doubt on the basis.
Does a generic privacy policy satisfy GDPR transparency for a new data use?
No. The AEPD treated Amadeus’s general website policy as insufficient for a specific pilot purpose. New processing activities need purpose-specific transparency, especially where data was obtained indirectly.
