Spain fined Amadeus €14.4M for profiling travelers with booking data
A regulator put a price on reusing data collected to complete a booking — as commerce media and AI personalization race to do the same
Driving the news. Spain's data protection authority, the AEPD, has closed a two-year case against Amadeus with a €14.4 million penalty, cut from €18 million after the company made a voluntary payment without admitting liability. The reason carries further than the figure: a pilot that took booking records from Amadeus's global distribution system and combined them with hotel-chain customer data to profile travelers. For an industry now racing to turn booking data into AI-driven personalization, the ruling marks where that road meets the law.
The principle. The regulator did not object to the profiling because it was sophisticated. It objected because the data had been collected to complete a reservation, then repurposed for something travelers were never told about and never agreed to. Two violations, €9 million each: processing without a lawful basis, and failing to inform the people whose records were used. The AEPD noted Amadeus held no direct relationship with most of the travelers it profiled — a system several steps removed from the passenger, holding data the passenger did not know it held.
Why it lands now. This is the same data question sitting underneath agentic commerce. The pitch across the industry is that visibility inside AI recommendations depends on knowing the traveler — fusing booking history, preferences and context into a profile a model can act on. Amadeus ran a small version of that thesis with archived booking files from 2019. The fine prices the gap between what the data can technically do and what its original purpose permits. Calling the use case "AI" does not reset the consent it was collected under.
Amadeus's position. The company describes the pilot as a three-month test "designed to test the technical capabilities of analyzing traveler data," meant to generate aggregated patterns and improve the experience, and says no personal data left its systems. It disagrees with the regulator's reading of the law and retains the right to challenge the decision in court. The dispute turns partly on intent. The ruling answers that purpose and disclosure are what count.
What it means for hotels. Hotel data was in this pilot. Chains fed customer records into a shared platform, and the governance exposure traveled with them. As more booking and guest data flows into distribution and marketing systems built to feed AI, the question for a property is less whether the data is useful, more whether anyone can show what it was collected for and what the guest was told. That is a provenance question before it is a marketing one — and the regulator just attached a figure to getting it wrong.