Fourteen million four hundred thousand euros. That is the figure Amadeus IT Group ended up paying Spain’s data protection authority, and the first reaction of anyone running a small field business is to exhale and file it under big-company trouble. A travel-tech giant, a case with a registration number, lawyers lined up on both sides. Nothing to do with you, your van, your six operatives and the sign-in sheet by the door. That is exactly the trap, because what sank Amadeus was not its size, it was a question your business answers every single day without noticing.
The penalty started at a base of 18 million, two tranches of nine, cut by 20% for voluntary payment down to the final 14.4. The company paid without admitting fault, which is the polite way to close a wound without conceding that it bleeds. The underlying reason, though, cannot be airbrushed away. The regulator found a breach of two articles of the GDPR: Article 6, which demands a lawful basis for processing personal data, and Article 14, which obliges you to inform people when their data is processed without having been collected from them directly.
It is worth looking at what Amadeus actually did, because the lesson lives in the detail. The company ran a pilot that cross-matched the booking data from its own system, the PNR records, with the customer files of hotel chains, and from that match it built traveller profiles for what they called hyper-personalised retail. The pilot reached back to 2019 bookings and reused them in 2022, three years after those people had booked a flight with something else entirely on their minds. Nobody told them their travel footprint would be back on the table feeding a commercial model. The project, Amadeus says, was never commercialised. It does not matter. You are not fined for selling, you are fined for processing.
Two questions, and neither is about size
Take Amadeus out of the picture and keep the skeleton of the case, because that skeleton is yours. The first question is the Article 6 one: do you have a lawful basis to process this data, for this specific purpose? Holding the data is not the same as being free to use it for whatever crosses your mind. Amadeus held the PNRs lawfully, it needed them to manage bookings, and still could not recycle them three years on to profile. The purpose changed, the basis did not follow. The second question is the Article 14 one: does the person know you are processing their data? A good reason locked in a drawer is not enough, it has to be told, in writing, clearly, and beforehand, not once the complaint has already landed.
This is where the owner of the van can no longer look away. If you geolocate your operatives, you are processing personal data, theirs, every day. Under UK GDPR the same two articles bite, and the ICO’s guidance on monitoring at work spells out the rest: location tracking must be necessary and proportionate to a legitimate aim, backed by a data protection impact assessment where the risk is high, and staff must be clearly informed before it starts. They are, funnily enough, the same two questions Amadeus failed, wearing a British coat. A legitimate, proportionate purpose, and a genuine duty to inform the worker. The line between a calm SME and one with a file open is not headcount, it is whether those two boxes are ticked.






