Quick summary
Italy’s data protection authority, the Garante per la Protezione dei Dati Personali, has fined Emirates €180,000 (approximately US $208,000) for mishandling sensitive health data collected from passengers with reduced mobility or medical conditions. The investigation, triggered by a passenger complaint in January 2025, found that Emirates violated core GDPR principles by failing to clearly inform passengers why their medical data was being collected and by retaining that data for seven years — a period the Garante deemed excessive and disproportionate.
The collection of health data for flight safety was ruled lawful. What wasn’t: the opacity around it, and the years-long retention of forms passengers had no idea were being kept.
Emirates has been ordered to overhaul how it handles passenger health data in Italy after the Garante found the airline kept medical records for seven years without adequately telling passengers why, who would see them, or how long they’d be stored. The ruling, issued following a complaint from a single passenger who was asked to complete a detailed medical form just to request wheelchair assistance, carries a €180,000 fine and a binding order to delete data older than three years.
The case centers on the MEDIF — Medical Information for Fitness to Travel — form that Emirates requires passengers with health conditions to complete online before flying. The Garante accepted that collecting this data is legitimate for safety reasons. What it rejected was Emirates’ failure to explain the process clearly and its practice of holding onto that sensitive information for years beyond any reasonable operational need.
For travelers flying Emirates on itineraries touching Italy, the immediate practical impact is limited — no flights are affected, no bookings need to change. But the decision has real implications for anyone who has ever submitted health details to an airline and assumed that data quietly disappeared after the flight.
What the Garante actually found — and what Emirates admitted
The investigation began when a passenger complained that Emirates appeared to require every field of the detailed MEDIF form to be completed, even for minor assistance requests such as a wheelchair at the gate. She also alleged the airline failed to present a clear privacy notice before collecting her data and did not seek her consent before processing it.
The Garante’s review confirmed the airline’s right to gather medical information for safety and assistance purposes — aviation is a physiologically demanding environment, and in-flight medical emergencies are a genuine operational concern. But the authority found Emirates breached GDPR Articles 12–13 on transparency and Article 5(1)(e) on storage limitation. Privacy information on the airline’s website was unclear, and it was not evident which passengers were actually required to submit the form.
On retention, Emirates initially defended the seven-year period by citing litigation risk. The Garante pushed back — and Emirates itself then acknowledged that most legal claims against airlines on international routes must be filed within two years under the Montreal Convention. The airline has since begun reducing its retention period to three years, and the Garante has ordered deletion of all medical-form data held beyond that threshold.
Regulatory filings confirm the fine stands at €180,000, alongside corrective obligations covering both the information Emirates provides to passengers and its internal data-handling processes. The full ruling is documented in the Garante’s published decision.
| Issue identified | Emirates’ position | Garante’s finding | Outcome |
|---|---|---|---|
| Transparency of privacy information | Information provided on website and via staff | Unclear which passengers must submit MEDIF; privacy notice inadequate | Ordered to improve passenger information |
| Data retention period | Seven years, citing litigation risk | Excessive; Montreal Convention limits most claims to two years | Ordered to delete data older than three years |
| Lawfulness of health data collection | Necessary for flight safety and assistance | Collection itself lawful for safety and assistance purposes | No violation on this point |
| Scope of mandatory form fields | All fields required for safety assessment | Unclear which fields were genuinely mandatory for minor requests | Included in corrective obligations |
| Administrative fine | — | GDPR transparency and storage limitation breaches confirmed | €180,000 fine imposed |
Why this ruling reaches beyond one airline and one country
The Garante is not a minor regulator. It has previously imposed a €20 million fine against Clearview AI for unlawful biometric data processing — the Emirates case sits at the lower end of its sanction range, which can reach up to 4% of global annual turnover for serious violations. The authority has investigative powers, can order operational changes, and operates within the GDPR’s cooperation mechanism, meaning other EU data protection authorities can coordinate scrutiny of the same practices across their own jurisdictions.
That cooperation mechanism is the detail that makes this more than an Italian story. If Emirates’ updated privacy notices and revised retention periods — expected to appear on its EU-facing websites in the coming months — are substantive, the Garante’s decision will have driven real, measurable improvement for passengers across the bloc. If the changes are minimal or delayed, expect coordinated pressure from multiple EU authorities simultaneously.
Under GDPR Articles 77–82, passengers who believe their health data was mishandled can lodge complaints directly with their national data protection authority and may seek compensation through national courts for material or non-material damage. This is separate from flight-disruption regimes like EU261 — data protection remedies run on a different legal track entirely.
This case also sits alongside a broader pattern of Emirates navigating European regulatory pressure — the airline recently launched a paid conflict insurance product targeting passengers who fall outside mandatory EU protections, a move that itself drew scrutiny over what airlines owe passengers by default versus what they can charge for.
Steps to protect your health data when requesting airline assistance
Any passenger who has submitted medical or mobility-assistance information to an airline on itineraries touching the EU is now in a stronger position to demand transparency — and this ruling gives that demand regulatory teeth.
- Request the specific privacy notice before submitting any health data. Before completing a MEDIF or similar form with Emirates or any EU-operating carrier, ask via chat, email, or at check-in for the privacy notice that specifically covers medical-assistance data. Keep a copy. If none is provided, that itself is a compliance gap worth noting.
- Ask which fields are genuinely mandatory. The Garante found it unclear which passengers were actually required to complete the full form. If you are requesting minor assistance, ask whether all fields are compulsory or whether a subset suffices for your specific need.
- Exercise your GDPR deletion rights if you’ve previously submitted forms. If you submitted a MEDIF or equivalent to Emirates on flights involving Italy and are concerned about retention, contact Emirates’ data protection officer to request access to your data and, where appropriate, deletion. If the response is unsatisfactory, file a complaint with the Garante or your own national data protection authority.
- Corporate travel managers: review Emirates’ updated documentation. Staff who regularly book assistance for colleagues disclosing health conditions should monitor Emirates’ revised privacy notices — expected in coming months — and verify alignment with company data-protection policies.
- Senior travelers and families booking for elderly relatives: ensure the person concerned understands and agrees to what is being disclosed. Where possible, submit forms directly through secure airline channels rather than via intermediaries who may retain copies.
Watch: Emirates’ publication of revised MEDIF privacy notices and updated retention policies on its Italian and EU-facing websites. Substantive changes within the next few months would confirm the Garante’s order is producing real compliance improvements. Minimal or delayed updates would signal that escalating multi-authority scrutiny is likely.
Questions? Answers.
Was Emirates’ collection of passenger health data ruled illegal?
No. The Garante explicitly found that collecting health data via MEDIF forms for flight safety and assistance purposes is lawful. The violations were about how Emirates handled that data — specifically, failing to clearly inform passengers about the process and retaining the data for seven years, which the authority deemed excessive under GDPR storage limitation rules.
Does this ruling affect Emirates flights outside Italy?
The Garante’s jurisdiction covers Emirates’ processing of passenger data linked to Italian operations. However, because GDPR applies across all EU member states and data protection authorities cooperate under the regulation’s consistency mechanism, other EU authorities may monitor the outcome and apply similar scrutiny to Emirates’ practices in their own jurisdictions. The ruling’s practical effect could extend across the EU.
Can I claim compensation if Emirates held my health data for too long?
Potentially. Under GDPR Articles 77–82, passengers who believe their personal data was mishandled can lodge a complaint with their national data protection authority and may seek compensation through national courts for material or non-material damage caused by the breach. This is a separate legal track from flight-disruption compensation under EU261 — you do not need a cancelled or delayed flight to pursue a data-protection remedy.
How long can airlines legally keep my medical assistance data?
The Garante’s order sets three years as the acceptable maximum for Emirates in this context — a figure the airline itself is now implementing. The general GDPR principle is that data should not be kept longer than necessary for the purpose it was collected. For most airline assistance requests, the operational need ends well before three years; the two-year Montreal Convention window for legal claims was the benchmark the Garante used to assess Emirates’ original seven-year period as disproportionate.
What should I do if I’m uncomfortable submitting health data to an airline?
You have the right to ask which fields on a medical assistance form are genuinely mandatory for your specific request, and to receive a clear privacy notice before submitting anything. If you are unsatisfied with the information provided, you can ask whether alternative arrangements exist that require less data disclosure. If you believe your data has been mishandled after submission, contact the airline’s data protection officer and, if necessary, file a complaint with the data protection authority in your country of residence.