Data Privacy Addendum for all customers other than Amadeus Hospitality Shanghai Customers
Data Processing Addendum
The Customer acknowledges and agrees that it will be acting as the Data Controller of Personal Data Processed by Amadeus as a consequence of the provision of Services under the Agreement(s) between the Parties as amended from time to time, and Amadeus will be acting as Data Processor. Notwithstanding the foregoing, Amadeus shall be the Data Controller in respect of activities relating to the administration of the commercial relationship between it and the Customer (e.g., invoicing Customer).
- DEFINITIONS
For the purpose of this Data Processing Addendum:
‘Data Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
‘Data Processor’ means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller;
‘Subprocessor’ means any processor engaged by Amadeus in the Processing of Personal Data;
‘Data Protection Laws’ means all applicable laws and legally binding regulations relating to the Processing of Personal Data, data protection and privacy, and/or legally binding regulations implementing or made pursuant to them, or which amend, replace, re-enact or consolidate any of them;
‘Personal Data’ means any information relating to an identified or identifiable natural person (‘Data Subject’), including all data or information that constitutes personal information, personal data, sensitive personal information, personally identifiable information or a similar term under any applicable Data Protection Laws; and
‘Processing’ means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- SUMMARY OF PROCESSING
The purpose for Amadeus Processing the Personal Data is Amadeus’s provision of the Services to the Customer. This Processing includes the activities specified in the Agreement, which shall in particular determine the duration and the subject-matter of the Processing, the nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects to which the Personal Data relates, as further detailed in Annex 1 (Details of the Processing of Personal Data).
- OBLIGATIONS OF AMADEUS AS DATA PROCESSOR
3.0 Amadeus shall only Process the Personal Data in accordance with the Customer’s instructions. These instructions will be as set out in the Agreement and this Data Processing Addendum and further to any other documented instruction provided by the Customer, except to the extent that any legal requirement prevents Amadeus from complying with such instructions or requires the Processing of Personal Data other than as instructed by the Customer. Amadeus will inform Customer if, in its opinion, an instruction infringes any Data Protection Laws, as permitted by applicable Data Protection Laws. Customer acknowledges that in the provision of the Services under the Agreement Amadeus may transfer Personal Data in accordance with applicable Data Protection Laws.
3.1 The Customer agrees that Amadeus may hire other companies to provide Processing Services on its behalf, provided that Amadeus complies with the provisions of this clause. Amadeus has a general authorization from the Customer to engage Subprocessors listed in Annex 2 (Amadeus Technical and Organizational Security Measures). Amadeus remains responsible for its Subprocessors’ compliance with the obligations of this Data Processing Addendum and the Agreement as applicable. Any Subprocessor to whom Amadeus transfers Personal Data will have entered into written agreements with Amadeus requiring that the Subprocessor abide by terms no less protective than this Data Processing Addendum and the Agreement as applicable. Amadeus shall inform Customer of any changes to the Subprocessors used in Processing of Personal Data made after the Effective Date of this Data Processing Addendum by notifying Customer as specified in the Agreement.
If Customer, acting reasonably, objects to the use of a Subprocessor, Customer may notify Amadeus promptly in writing within fourteen (14) calendar days after receipt of Amadeus’s notice in accordance with the paragraph above, providing details of its objections. Amadeus shall use reasonable endeavours to resolve the reasons for Customer’s objections or to procure use of a different Subprocessor.
3.2 If Amadeus is unable to or fails to resolve the reasons for Customer’s objections or to procure use of a different Subprocessor within a reasonable period of time, Customer may terminate the Services which cannot be provided by Amadeus without the use of the Subprocessor to which Customer objects by providing written notice to Amadeus, provided Customer will not be entitled to claim damages in respect of such termination.
3.3 Amadeus shall Process Personal Data subject to appropriate technical and organizational measures against unauthorized or unlawful Processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data in accordance with Data Protection Laws as more fully described in Annex 2 (Amadeus Technical and Organizational Security Measures).
3.4 Amadeus shall use personnel authorized by Amadeus to access the Personal Data who are subject to a duty of confidentiality in respect of the Personal Data.
3.5 Amadeus shall, at the choice of the Customer, delete or return all Personal Data to the Customer after the end of the Processing of Personal Data under the Agreement and in accordance with the terms of the Agreement, unless Amadeus is required to retain the Personal Data by applicable law.
- ASSISTANCE
4.1 Amadeus shall:
- inform Customer of any requests or queries from a Data Subject, regulatory authority or any other law enforcement authority regarding Processing of Personal Data under the Agreement and this Data Processing Addendum and provide Customer with any information and assistance that may reasonably be required to respond to any such requests or queries;
- reasonably assist the Customer with its obligations to comply with Articles 32 to 36 of the applicable Data Protection Laws taking into account the nature of processing and the information available to Amadeus;
- make available to Customer information reasonably necessary to demonstrate compliance with Amadeus’s Personal Data Processing obligations under the Agreement and this Data Processing Addendum. If Customer, acting reasonably, considers that Amadeus has not provided sufficient evidence of its compliance, Customer must notify Amadeus in writing providing evidence of such concerns, and Amadeus shall use reasonable endeavours to resolve Customer’s concerns. If Amadeus is unable to resolve Customer’s concerns, Customer may, as required under Data Protection Laws, audit Amadeus’s control environment and security practices relevant to the Personal Data Processed under the Agreement and this Data Processing Addendum for Customer. Any audits conducted by Customer or a mutually agreed upon third party auditor pursuant to this provision shall be subject to the execution of an appropriate confidentiality agreement with Amadeus, compliance with Amadeus’s on-site or other applicable security policies and, unless required or otherwise requested by a regulator, the following conditions: (i) audits shall be limited to once annually; (ii) audits will be carried out during normal working hours, without disturbing business operations; (iii) Customer will provide at least thirty (30) days prior written notice; and (iv) Customer will provide Amadeus with a copy of the audit report.
Amadeus reserves the right to charge Customer a reasonable fee for the assistance provided by Amadeus under Section 5.1.
- MUTUAL OBLIGATIONS OF THE PARTIES
5.0 Each Party shall:
- implement appropriate technical and organizational measures against unauthorized or unlawful Processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data in accordance with Data Protection Laws;
- maintain comprehensive, documented information security policies that are appropriate, taking into account the information security risks and applicable recognized industry standards;
- review and, if required, update its technical and organizational measures and policies at least on an annual basis, taking into account good industry practices; and
- notify the other Party without undue delay on becoming aware of any Security Incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed by Amadeus in connection with the Agreement and this Data Processing Addendum.
- GENERAL TERMS
6.1 Precedence. The provisions of this Data Processing Addendum are supplemental to the relevant Agreement. In the event of inconsistencies between the provisions of this Data Processing Addendum and the provisions of the relevant Agreement, the provisions of this Data Processing Addendum shall prevail.
6.2 Compliance with Data Protection Laws. Each Party to this Data Processing Addendum shall comply with all applicable Data Protection Laws.
ANNEX 1
Details of the Processing of Personal Data
| Item | Details |
| --- | --- |
| Categories of data subjects whose personal data is transferred | Customer’s hotel guests. |
| Categories of personal data processed | Guest information: first and last name; email address; position salutation, last name, first mail, title, email, company, address 1, address2, city, state, postal code, country, phone, frequent guest id, initial_, phoneday, phoneevening, rawstreetaddr, lastupdate, users, unsubscribe, gsource, groupconame, birthdate, corpid, frequent_guestid, lastccno, contacttitle, contactfirstname, contactlastname, contactemail, airtravelerid, cartravelerid, guest profile, IP, tracking technology and IDs (e.g. cookies, pixels, hashed identifiers, universal identifiers, etc.), as applicable. Payment information (if applicable): credit card type, credit card number, expiration date, name on card, billing address 1, billing address 2, billing city, billing country, billing state, billing postal code, billing code. |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures | The personal data transferred does not include special categories of data, and none are required to provide the services. |
| The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) | Continuous basis. |
| Nature of the processing | Processing of the Customer data for the provision of the services described in the service agreement between the processor and the controller. |
| Purpose(s) of the data transfer and further processing | Provision of the services described in the service agreement between the processor and the controller. |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | Service provision Term (or as long as required under applicable laws). |
ANNEX 2
Amadeus Technical and Organizational Security Measures
- GENERAL
1.1 Amadeus has implemented and will maintain the following security measures for Customer Personal Data that is in the possession or control of, or otherwise processed by and under the control and responsibility of, Amadeus.
1.2 The Amadeus Technical and Organisational Security Measures are based on ISO 27001 controls and require Amadeus to implement and maintain physical, administrative and technical safeguards designed to protect the confidentiality, integrity, availability and security of the products and services and the security of Customer Personal Data processed in the provision of the services. Details of additional security measures and relevant exceptions that apply to a specific Service Module are available upon request.
- SECURITY REQUIREMENTS
2.1 Information Security Policies
Amadeus shall maintain documented information security policies, processes, organization and controls (the ‘Processes’) that are appropriate, taking into account the information security risks and, where applicable, recognized industry standards. The Processes will be reviewed and, if required, updated by Amadeus at least on an annual basis, taking into account good industry practices.
2.2 Organization of Information Security
Security Ownership – Amadeus has a designated security official responsible for information security and control and implementation of the Processes.
Security Roles and Responsibilities – Amadeus personnel are subject to confidentiality obligations; individuals for whom Amadeus is responsible will have documented security roles and responsibilities where relevant.
Risk Management Program – Amadeus will have in place a risk management process to perform risk assessments before and while providing the products and services.
2.3 Human Resources Security
Amadeus will screen Amadeus personnel as part of the hiring process in accordance with its policies and subject to limitations of applicable law.
During employment – Amadeus will make personnel aware of security rules and procedures through a documented security awareness and training program including informing personnel of consequences of breaching security rules and procedures.
Termination of employment – Amadeus will maintain the relevant processes, including the removal of system accesses after termination or change of employment.
2.4 Asset Management
Asset Inventory – Amadeus will maintain an inventory of where Customer Personal Data is stored.
Classification and labelling of Customer Personal Data – Amadeus will restrict access to Customer Personal Data appropriately, according to its classification.
Acceptable use policy – Amadeus will have in place an acceptable use policy that applies to information and assets that contain Customer Personal Data.
Handling of assets and disposal of assets – Amadeus will have in place procedures for handling, management and secure disposal of information and assets.
2.5 Access Controls
Access Policy – Amadeus will maintain a record of access and security privileges of individuals having access to Customer Personal Data.
Access Authorization – Amadeus shall maintain a record of personnel’s accounts authorised to access information systems that contain Customer Personal Data, and individual personnel shall have separate identifiers or log ins.
Least Privilege – access to Customer Personal Data is restricted to those individuals who are required to access the Customer Personal Data to perform their job function on a need-to-know basis.
Application Security – Amadeus shall implement system and application access controls.
Authentication – Amadeus shall use industry standard practices to identify and authenticate users who attempt to access information systems. Where authentication measures are based on passwords, the passwords shall be renewed regularly and meet industry standard password protection practices.
Network Design – Amadeus shall have logical controls in place to prevent access to Customer Personal Data by individuals who are not authorised to access it.
2.6 Physical and Environmental Security
Physical Access to facilities – Amadeus shall limit access to facilities where Customer Personal Data is located or accessed from to identified authorised individuals.
Physical Access to components – Amadeus shall maintain records of the incoming and outgoing media containing Customer Personal Data, including the kind of media, the authorized sender/recipients, date and time, the number of media and the types of such data they contain.
Protection from disruption – Amadeus shall use industry standard systems to protect against loss of Customer Personal Data due to power supply failure or other disruptions.
Data deletion – Amadeus shall use industry standard practices to securely delete Customer Personal Data in accordance with the Agreement and applicable law.
2.7 Communications and Operations Management
Operational – Amadeus shall maintain documentation describing security measures, the relevant procedures and responsibilities of its personnel who have access to Customer Personal Data.
Environment Separation – Amadeus shall maintain separation of development, testing and production environments.
Data Recovery procedures – Amadeus shall have in place data recovery procedures so that Customer Data can be recovered, including written business continuity and disaster recovery plans.
Malicious software – Amadeus shall maintain reasonable and up-to-date anti-malware, anti-spam and similar controls on networks, systems and devices.
Encryption and Other Security Measures – Strong cryptography and security protocols are deployed for, or made available to, protect Customer Personal Data while in transit and at rest.
Monitoring and Logging – Amadeus shall log access to information systems containing Customer Personal Data.
Technical Vulnerability Management – Amadeus will maintain a vulnerability management program addressing vulnerabilities in a timely manner based on risk assessments.
2.8 Third Party Suppliers
Amadeus shall only use third party suppliers who contractually agree to implement appropriate technical and organisational measures that are substantially similar to the Amadeus Technical and Organisational Security Measures.
Amadeus shall have contractual safeguards in place with its third-party suppliers and will carry out reasonable due diligence and monitoring of such third-party suppliers in connection with the provision of the services.
2.9 Information Security Incident Management
Incident Response Process – Amadeus has a written security incident response plan that includes procedures to be followed to identify, address and report any Security Incident. The plan is regularly tested and has procedures to notify impacted stakeholders.
Investigation and Cooperation in event of Security Incident – In the event of a Security Incident, Amadeus shall promptly take reasonable steps to contain, investigate and mitigate any Security Incident.
2.10 Business Continuity Management
Business Continuity – Amadeus has processes, procedures and controls for business continuity that apply to the people, processes and facilities in which Amadeus processes Customer Personal Data. Amadeus shall review these processes, procedures and controls at regular intervals.
Last Updated: January 2026