A Conversation with Carlos Tur, CIO & DPO at Travelgate

Most CIOs arrive from outside with a mandate to transform. Carlos Tur never left. He joined Travelgate in January 2012 as a junior developer — one of the earliest technical hires — and has been here ever since. Junior developer, DevOps Manager, CIO.

He's watched the platform grow from a small connectivity project in Palma de Mallorca into one of Europe's leading B2B travel Marketplaces, and he's been inside the infrastructure for every version of it.

In 2024 he added the DPO role — Data Protection Officer — to his responsibilities. In 2026, with Spain leading GDPR enforcement in Europe and the AI Act reshaping how platforms handle data, that combination has never mattered more. We asked him what 14 years at the same company actually looks like.

 You started as a junior developer at Travelgate in 2012. What was the platform like then — and what does it look like now? 

Almost unrecognisable, technically. In 2012 we were a small team building the foundations of what connectivity could look like in B2B travel.

The core idea was always the same — connect Buyers and Sellers through a reliable platform — but the scale, the complexity, the product surface, the infrastructure requirements were all orders of magnitude smaller.

We had the ambition. We didn't yet have the architecture to match it.

14 years later, the architecture is the product. The investments we made in Infrastrure and automation, in scalability, in how we deploy and monitor systems — those decisions compound over time.

Some of the best technical decisions we made in 2015 are still paying dividends. Some of the shortcuts we took in 2013 took years to properly fix. That's the honest version of what long-term platform development looks like.

You moved from DevOps Manager to CIO. What changed — and what stayed the same?

What changed: the scope and the altitude. As DevOps Manager I was close to the systems — how they ran, how they failed, how to make them better. As CIO I'm more focused on how technology strategy aligns with business objectives, how we invest, how we build a team that can execute across a much larger surface area. The conversations are different. The stakeholders are different.

What stayed the same: the obsession with reliability. I still care deeply about whether the platform is up, whether it's fast, whether Partners can trust it to do what it's supposed to do. That never stops being the foundation. If the systems don't work, nothing else matters.And all of this has to be done with efficiency in mind — building systems that are not only reliable and scalable, but also sustainable in terms of cost. 

You're also DPO. Spain is the most active GDPR enforcer in Europe. How does that shape the way you build things?

It means privacy has to be in the design, not the review.

When you're operating in the most regulated data protection environment in Europe, you can't afford to build first and comply later.

Every new system, every new data flow, every third-party integration gets evaluated for its data protection implications from the start.

That discipline has actually made our architecture cleaner — when you force yourself to justify why you're collecting data and how you're protecting it, you end up collecting less and protecting it better. Both outcomes are good.

The DPO role also means I'm in conversations I wouldn't otherwise be in — legal, commercial, Partner relations.

Data protection touches everything. That cross-functional visibility makes me a better CIO.

The AI Act and GDPR are converging. What should B2B platforms be doing now that many aren't?

Documenting their systems honestly. The AI Act's core requirement — that you can explain how automated decisions are made, with what data, with what risk assessment — sounds straightforward until you actually try to do it across a complex platform.

Most organisations have more AI-adjacent tooling than they realise, and less documentation than they'll need.

The platforms that start that inventory now will be fine.

The ones that wait until enforcement arrives will be doing it under pressure, which is the worst time to make good architectural decisions.

At Travelgate we're building explainability and audit trails into our systems as we go. It costs something upfront. It costs a lot less than remediation.

What's the technology investment at Travelgate that Partners never see but matters most?

Observability and incident prevention.

The work that goes into monitoring systems before something breaks, into building alerting that catches problems before they become outages, into the processes that mean our on-call engineers can resolve issues at 3am without waking up half the company.

A Marketplace only works if Partners trust it absolutely.

That trust is built in the moments that don't happen — the breach that was prevented, the outage that was caught before it cascaded, the integration that went live cleanly.

My team's best work tends to be invisible. I consider that a success metric.

Where is data protection heading — what should companies be thinking about now for 2027 and beyond?

Three things. First, AI governance becomes standard compliance — the expectation that you can document and justify automated decisions is coming fast, and the platforms building that capability now will have a real advantage. Second, cross-border data flows get more complex — the divergence between EU, US, and APAC frameworks is accelerating, and any B2B platform operating globally needs jurisdiction-aware data architecture, not just legal documentation.

Third — and this is the one I think is most underappreciated — privacy will become a sales conversation, not just a legal one. Partners already ask us about our data practices before they sign. That trend will intensify. The platforms that have genuinely built trust into their infrastructure — not just their privacy policy — will win those conversations. We've been doing that work for years. I'm glad the market is catching up. 

After 14 years at Travelgate, what keeps you motivated?

Curiosity.

Technology changes constantly. The problems change. The scale changes. The regulations change. What keeps it interesting is that you're never really finished.

When I joined in 2012, we were building connectivity. Today we're building trust at scale — through infrastructure, security, privacy, and increasingly through responsible AI governance.

The tools are different, but the objective is the same: help our Partners connect, grow, and operate with confidence.

One of the advantages of staying in the same company for a long time is that you get to see the consequences of your decisions. You learn which investments compound, which shortcuts become expensive, and why building things properly matters.

Fourteen years later, that's probably the biggest lesson: technology moves fast, but trust is built slowly. And once you've earned it, protecting it becomes the most important job of all.