Privacy Notice for the Pyton Flight Portal

This Pyton Flight Portal Privacy Notice describes how Amadeus IT Group, S.A. (“Amadeus”) process personal data included in travel information processed in the Pyton Flight Portal (the “PFP”). The PFP is a travel technology platform used for the distribution of travel services. This Privacy Notice applies to personal data Amadeus process through the PFP globally.

This Privacy Notice does not apply to personal data that may be collected or processed by Amadeus for other purposes, such as through Amadeus websites or where Amadeus provide services for Amadeus customers that are not provided through the PFP. Where personal data is collected for other purposes, the relevant privacy notice will be provided explaining the purpose the personal data is being processed for.

This Privacy Notice is independent of notices that PFP users (each a “User”), for example travel providers such as airlines, including low cost carriers, and other travel suppliers and subscribers to the PFP such as travel agents, may give travellers.

What Personal Data is Processed and how is this Personal Data Collected?

Amadeus process personal data when PFP Users (e.g. the travel agent or airline) input personal data of travellers on the PFP that they, the PFP Users, have collected. The PFP User will be responsible for giving any relevant privacy notices and informing the traveller about how they will process personal data. To understand more fully how personal data is processed and who it is shared with in the processing of a travel reservation you should refer to privacy notices of PFP Users involved in the travel reservation.

The personal data processed includes a name, travel itinerary and form of payment and may also include additional information as deemed necessary by the PFP User (contact information, telephone, email, billing information, date of birth, credit card information, preferences or special requests). This personal data will normally be part of a travel itinerary record which is called a Passenger Name Record (PNR). The information included in the PNR is required to process travel reservations and issue the relevant tickets and provide other travel related services.

What is the Personal Data Used for and what is the Legal Basis for Processing?

Amadeus use the personal data to process travel reservations, to provide PFP Users with access to such information, to issue tickets and other travel related documents, to perform internal business processes (such as testing and quality assurance) for credit card processing, authentication, and fraud prevention and to provide other travel related services.

The legal basis for processing personal data is that the processing is necessary for the performance of a contract to which the traveller is a party.

Amadeus may also use personal data for research, analytical and statistical purposes, to identify preferences, interests and trends and other activities in the travel industry and to identify products and services that may be of interest to individuals. Personal data used for analytical purposes is derived from personal data but when it is used it is in anonymised and aggregated form.

The legal basis for processing the personal data for research, analytical and statistical purposes and to identify products and services that may be of interest to individuals is on the basis of the legitimate business interests of Amadeus. Where personal data is processed for these purposes the privacy impact on the individual whose data is being processed will be considered.

Individuals cannot be identified from aggregated data but if individuals do not want personal data included in aggregated data they can object to this by making this request to the contact details below in the section Legal Rights. When making this request there should be a reference to not wanting personal data used for the purposes of analytics.

Amadeus may share aggregated data which cannot identify individuals and with other third parties.

Who is the Personal Data Shared with?

Amadeus share personal data with PFP Users and service providers and partners who may act on PFP Users behalf. PFP Users can decide who any personal data can be shared with. As a general principle information about the traveller is shared with the parties involved in the transaction (and service providers and partners who act on their behalf) and with other industry stakeholders (e.g., IATA) as necessary to perform the contracts the PFP Users have with travellers.

Amadeus may share personal data with its affiliates, agents and third party service providers such as suppliers of information technology services, security services and legal, financial/accounting and other similar professional advisers.

Where such disclosure takes place Amadeus require the appropriate technical and organisational security measures to be in place to protect personal data and for personal data to be processed lawfully.

Amadeus only allow affiliates and third party service providers to use personal data for specified purposes and in accordance with Amadeus’ instructions.

Further information on the affiliates and third party service providers that Amadeus use to process personal data on their behalf can be requested through the contact details set out below in the section Legal Rights. When requesting this information please make a reference to information about affiliates and third party service providers so that the relevant information can be provided.

Amadeus may also disclose personal data as required by law, subpoena, or regulation; when requested by government or law enforcement authorities or as otherwise required or permitted by law.

International Transfer of Traveller Personal Data

When Amadeus share your personal data with its affiliates and third party service providers who process personal data on behalf of Amadeus this will involve transferring personal data outside the European Economic Area (the “EEA”). When personal data is transferred to another country it will continue to receive adequate protection through contractual or other arrangements put in place with affiliates and third party service providers. For these transfers at least one of the following appropriate safeguards will be implemented;

• Personal data will be transferred to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
• Standard data protection clauses approved by the European Commission which give personal data transferred the same protection it has in EEA; and
• With affiliates and third party service providers based in the United States, Privacy Shield which gives personal data similar protection it has in EEA.

Further information on the appropriate safeguards used when transferring personal data outside the EEA can be requested through the contact details set out below in the section Legal Rights. When requesting this information please make a reference to the transfer of personal data outside the EEA.

Due to the global nature of the travel industry, personal data may be transferred to and processed by PFP Users in different locations around the world. These transfers will be necessary for the performance of a contract between the traveller and the PFP User.

Data Security and Integrity

Amadeus has taken the appropriate technical and organisational security measures to protect personal data from loss or unlawful processing. When personal data is processed on behalf of Amadeus access is limited to those who have a business need to know, personal data will be processed in accordance with the instructions of Amadeus and those who have access are subject to a duty of confidentiality.

Amadeus have in place procedures to deal with any suspected personal data breach and will notify individuals and any applicable regulator of a breach where they are legally required to do so.

 

Data Retention

Amadeus retains personal data for as long as necessary to fulfil the purposes it was collected for including for the purposes of satisfying any legal, accounting or reporting requirements.

Legal Rights

PFP Users collect personal data from the traveller and input this information in the PFP. We recommend travellers contact the PFP Users to whom they provided the information directly with any issues or requests they may have relating to personal data stored in the PFP.

Under certain circumstances individuals can exercise rights under data protection laws. Travellers can exercise these rights relating to their own personal data, or contact Amadeus for data protection related questions, by email to dataprotection@amadeus.com or write Chief Privacy Officer of Amadeus IT Group, S.A., C/Salvador de Madariaga 1, 28027 Madrid, Spain.

Please indicate your request relates to the Pyton Flight Portal and for the following rights please make a reference to the following:

• Right to access – request for access to personal data
• Right to object – object to processing of personal data for the purpose of analytics
• Right to information about
  • Affiliates of Amadeus and third party service providers who process personal data on behalf of Amadeus; and
  • transfers to third countries – information about data transfers outside EEA.

Amadeus will require authentication of the identity of the traveller and may require additional information to confirm that the rights that travellers may have under data protection laws are being exercised correctly.

Your Rights

Amadeus intends to carefully address any request and/or claim from you, as well as carefully process personal data. You are entitled to file any claim or complaint before the relevant data protection authorities, if the answer provided by Amadeus does not meet your expectations.

Updates

This Privacy Notice is published by Amadeus IT Group, S.A. This Privacy Notice may be changed at any time. The date it was last updated is shown here: July 25, 2019.