A passenger in embarking on an Emirates flight was given the airline's Medical Information Form (MEDIF) to complete. Puzzled, as the passenger did not fall into the category of people who would need special assistance during a flight, the passenger's questioning led to an investigation about Emirates' handling of personal data.
As a result of this, Emirates was fined €180,000 on 17 June 2026 by the Italian data protection authority. Key points were noted:
- Emirates did not need to rely on consent when processing sensitive data about disabilities or individuals with mobility issues, as it was a necessary requirement to ensure safe travel.
- However, Emirates failed to inform passengers - either online or through its staff - about data collection practices. The lack of transparency and the resulting confusion from passengers contributed to the fine.
- The data was retained for a period of seven years, which the Italian DPA found 'excessive' - passenger information pertaining to only one flight should have a lower retention period.
As a result:
- Emirates was ordered to update its privacy policy, specifying which categories of passengers are required to complete the MEDIF form and which sections are mandatory.
- It also required the airline to define retention periods consistent with the purposes of the processing and to delete data retained beyond the period deemed appropriate.
Transparency is key - even if your organisation has the correct practices, but your users are unsure how you handle their data, you are at the risk of being fined for lack of transparency.
Keep your privacy notices updated!
