European Implementing Principles
American Express’ Binding Corporate Rules – or BCRs – are a means of transferring personal data internationally within the American Express Group in compliance with applicable data protection legislation in the European Economic Area (EEA). Our BCRs consist of the American Express Privacy Principles and the additional European Implementing Principles. They were approved by the Information Commission’s Office, the local Data Protection Authority in the United Kingdom and have been in effect as of January 28, 2013.
These European Implementing Principles provide information about how American Express ensures compliance with our Data Protection and Privacy Principles in the EEA, and how to make a privacy complaint in the EEA.
IN THE EUROPEAN ECONOMIC AREA
AMERICAN EXPRESS DATA PROTECTION AND PRIVACY PRINCIPLES
(THE “EUROPEAN IMPLEMENTING PRINCIPLES”)
The Principles for the implementation in the European Economic Area of the American Express Data Protection and Privacy principles (the “European Implementing Principles”) apply only to individuals who are domiciled in the EEA and who have personal data that is processed by the American Express Group in the EEA and which may also be processed by the American Express Group elsewhere (the “Data Subjects”).
In particular, the European Implementing Principles set out (i) how the American Express Data Protection and Privacy Principles (the “Principles”) are to be implemented by American Express Company, with registered office in World Financial Center, 200 Vesey St. New York (“American Express” or the “Company”) and each company in the American Express group of companies (together, the “American Express Group”) and (ii) certain requirements specified by European data protection law for individuals who are domiciled in the European Economic Area (“EEA”) and who have personal data that is processed by the American Express Group in the EEA and which may also be processed by the American Express Group elsewhere (the “Data Subjects”).
American Express Services Europe Limited (“AESEL”) is the European company within the American Express Group that has assumed responsibility for ensuring that the personal data of Data Subjects is stored or processed in accordance with the Principles.
Any Data Subject who is directly addressed as being subject to a benefit given to them by the Principles or these European Implementing Principles can enforce those provisions against AESEL as a third party beneficiary, as described below. The American Express Summary of Personal Data Processing and the Implementing Decisions and Policies are also binding on the American Express Group, but they are not directly enforceable by the Data Subjects or any third parties.
The Principles and the European Implementing Principles will be made available on the American Express websites in each country in the EU. If you do not have access to the internet then you may request a copy of the Principles from AESEL’s Data Protection Officer at the address set out below or from the local American Express Office in your country.
These Principles and the European Implementing Principles must be read in conjunction with the notices, terms and conditions which are applicable to the product or service you have obtained from or are intending to obtain from any company in the American Express Group. These notices, terms and conditions may contain additional provisions which are relevant to the processing of personal data, pursuant to the national applicable laws and regulations.
Description of the Processing of Personal Data
American Express is a global payments services and travel company. A description of the types of personal data that are processed and the way in which they are processed, may be found in the American Express Summary of Personal Data Processing, from time to time.
In order to ensure compliance with the Principles, a compliance programme has been established that provides for regular compliance checks of the American Express Group operations; the results of which will be communicated to the Privacy Office of American Express, the relevant Data Protection Authorities (if by these requested) and where appropriate the Audit Committee of the Board of Directors of American Express Company. Where a compliance gap is determined, the relevant company in the American Express Group in the EEA must comply with any specific requests from AESEL’s Data Protection Officer. The American Express Group shall also co-operate with any compliance checks conducted by any Data Protection Authority with applicable jurisdiction, whether commenced in response to a complaint from a data subject, or by the Data Protection Authority’s own initiative.
In relation to any complaints (as defined below), companies in the American Express Group will follow and comply with the Data Protection and Privacy Complaint Handling Procedure
- ‘Complaints’ are considered to be any expression of dissatisfaction whether oral or written, via telephone, email, post or in person, from or on behalf of a customer or employee or any other Data Subject, about American Express Group’s provision of, or failure to provide, sufficient safeguards to personal data collected, processed and/or transferred.
- The responsibility and accountability for dealing with complaints received by AESEL rests with the AESEL Data Protection Officer.
- Complaints will be handled fairly, consistently and promptly.
- Where it has been decided that redress is appropriate, AESEL will provide a complainant with fair compensation as set out below, and shall comply with any offer of redress which the complainant accepts. Compensation must be agreed by the AESEL Data Protection Officer before an offer of redress or payment is made.
- Data Subjects can refer their complaints to the relevant Data Protection Authority or European court when they are dissatisfied with American Express Group’s response. A list of contact points for Data Protection Authorities may be found here: http://ec.europa.eu/justice_home/fsj/privacy/nationalcomm/index_en.htm.
- AESEL will correspond with and will recognise any Data Protection Authority with applicable jurisdiction. If a Data Subject complains to the local Data Protection Authority and the Data Protection Authority finds that a company in the American Express Group has breached any of the rights under these European Implementing Principles, then the relevant company in the American Express Group will abide by the findings of the Data Protection Authority, subject to the right to challenge or appeal such findings.
Compliance and enforcement
All companies in the American Express Group must comply with the provisions of the European Implementing Principles and the American Express Code of Conduct. Companies in the American Express Group will ensure compliance with European national data protection and privacy laws and any enforcement will be in compliance with those European national laws.
Each Data Subject, as defined above, may enforce the terms of the Principles and the European Implementing Principles as a third party beneficiary and shall have the right to seek compensation up to the actual damages suffered by the complainant as a result of the breach of the Principles and/or these European Implementing Principles, including, but not limited to, a judicial award for compensation for actual damage suffered by the Data Subject for such breach.
Data Subjects whose data are transferred from the EEA are able to commence a claim not only in the EEA country of origin of the data transfer, but also within the country of AESEL’s headquarters, the United Kingdom. The burden of proof that the processing of the Personal Data is not covered by the Principles rests with AESEL.
American Express will provide appropriate training materials and courses for American Express employees who collect, use or have access to personal data or who develop systems that process personal data to ensure that they are aware of their obligations under the Principles and these European Implementing Principles.
Conflict of laws
Where a company within the American Express Group has reason to believe that applicable European national legislation prevents that company from fulfilling its obligations under the Principles or the European Implementing Principles, that company shall promptly inform AESEL unless it is prohibited from doing so by law. AESEL will then consider how to proceed and will, in case of serious doubts, consult the competent Data Protection Authorities.
Questions about these Principles
Any questions about the Principles or these European Implementing Principles may be addressed to AESEL’s Data Protection Officer at AESEL’s headquarters at American Express Services Europe Limited, Belgrave House, 76 Buckingham Palace Road, London, SW1W 9TX.
American Express Summary of Personal Data Processing
American Express Summary of Personal Data Processing
Description of types of Personal Data
American Express is a global payments services and travel company that is principally engaged in two segments: i) card issuing and merchant network services, and (ii) travel related services. The nature of the personal data routinely processed by companies in the American Express Group comprise personal data relating to the customers, suppliers and partners of the American Express Group, which includes current, former and prospective corporate customers, consumers, suppliers and partners of the American Express Group (together “Customer Data”). In accordance with the European Directive 2007/64/EC (the “Payment Services Directive”), the Group has established American Express Payment Services Limited (“AEPSL”) as the legal entity for its merchant acquiring business in Europe (reference no.: 484347). As such, in addition to the Group’s robust business management and governance practices, payment services offered by AEPSL will be subject to supervision by the Financial Conduct Authority. In addition, companies in the American Express Group process personal data and sensitive categories of data personal data of employees and contractors of the American Express Group, which includes current, former and prospective employees and contractors, whether full time, part time, permanent or temporary (together “Employee Data”). Sensitive categories of data as it applies to Employee Data comprises information about workers health, occupational health schemes, equal opportunities monitoring, information on trade unions and works councils, information from medical examination and testing, and information from drug and alcohol testing in countries where that is permitted. American Express does not request any sensitive Customer Data as it is not part of the customer application or any other American Express service. To the extent that sensitive personal data is collected, it will only be processed with additional data security safeguards and appropriate measures as required by law including EU Directive 95/46/EC.
Description of types of processing and data flows
Personal data is transferred throughout the American Express Group, which is a worldwide organization, and onward to authorised suppliers and customers. This flow of data is made legitimate through a combination of EU approved Binding Corporate Rules (subject to approval in each Member State) and data transfer contracts including EU model contracts. No evaluation or decision about a data subject will be made by automatic means unless permitted by applicable law.
The flows of personal data for each of Customer Data and Employee Data may be generally described as follows:
Customer Data relating to the card, issuing and merchant network services
In order to issue a card to a cardholder, the local issuing entity within the American Express Group will collect cardholder personal data for operational and regulatory compliance purposes. The local issuing entity is sometimes, but may not be in each case, located in the same country as the residence of the cardholder. Once the card is issued, in order to permit the global operation of the card, all customer data is stored centrally in several American Express Group main servers all located in American Express Group’s secure data centers in the United States (Phoenix, Arizona, Salt Lake City, Utah). In addition, in order to cover the entire process of the global operations of the card it is worth noting that Customer Data ad well as Employee Data may be transferred to other countries outside of the European Union (e.g., India, Malaysia).
When a card is used with a qualifying merchant anywhere in the world, there are several flows of data:
- Basic transaction data is sent electronically by the point of sale terminal to the American Express Group’s authorization centre in the country or the region concerned;
- The complete transaction data is then collected by the local merchant acquiring entity of the American Express Group which settles the transaction by paying the merchant and sends the details of the transaction to the USA for the transaction to be then billed by the card issuer to the card holder.
Customer Data relating to travel related services
Personal data is provided by individual travellers and, in the case of corporate travel, by their employers, from their location anywhere in the world to their local American Express travel services provider. This data, comprising a profile created from data collected with the traveller’s consent, is then transmitted to the central database of one of the global distribution systems (such as Galileo, Amadeus and Sabre) with whom the American Express Group has a relationship in the country, so that when the American Express Group makes a reservation using the local GDS the passenger information stored in the GDS will permit the creation of a personalized reservation, a passenger name record (PNR). Basic information contained in the PNR will be extracted by the American Express Group to bill the price of the reservation to the customer.
Employee Data is stored both centrally and de centrally in mainframes, mid ranges and local servers throughout the American Express Group. Most mainframes are located in the US and UK and are accessible from American Express Group offices worldwide by personnel with the appropriate access rights to access Employee Data. Mid range and local replicating servers (only used only for e-mails and/or repository purposes) that store data are distributed across geographical locations based on business need.
Personal Data is transferred for the following purposes:
- Staff administration (e.g., appointments or removals, pay, discipline, superannuation, work management or other personnel matter in relation to the Group’s staff);
- Crime prevention and prosecution of offenders (e.g. crime prevention and detection and the apprehension and prosecution of offenders);
- Licensing and registration (e.g., the administration of licensing or maintenance of official registers);
- Management of employee records;
- Information and databank administration (e.g. maintenance of information or databanks as a reference tool or general resource. This includes catalogues, lists, directories and bibliographic databases);
- Assessment and collection of taxes and other revenue (i.e. assessment and collection of taxes, duties, levies and other revenue);
- Accounting and Auditing (e.g. the provision of accounting and related services and the provision of an audit where such an audit is required).
Post transfer processing: The Personal Data transferred will be processed for the administration of Human Resources functions and the maintenance of the Group’s workforce and may be further processed by third party service providers who provide payroll services, health and other insurance, and other benefits to the employees.
Implementing Decisions and Policies
The decisions of the following internal groups and the following policies are binding on and shall be used by the American Express Group globally in order to implement the Principles:
- American Express Services Europe Limited - Data Protection and Privacy Complaint Handling Procedure.
- Code of Conduct .
- American Express Privacy Office Policy.
- American Express generally deals with privacy matters via the American Express Privacy Office, an independent business unit with specific responsibility for the systems, processes and procedures that govern the collection, use and sharing of personal data about customers, potential customers and employees. The Privacy Office also leads the Privacy Board which meets regularly to review privacy business issues, create solutions and establish policies and guidelines.
- American Express Company –General Management Policy.
- This policy applies to all General Management and Finance policies to be implemented within the American Express organisation. This includes new polices and revisions to existing policies.
- All American Express business groups come within the scope of this policy.
- Specifically, the General Management Policy:
- requires all general management and finance policy issues to be resolved via the Global Policies and Procedures Group;
- actively promotes global company policy implementation, replacing, where practical regional policies which may not be aligned;;
- sets out the authority of global company policy over regional policy documents;
- sets out minimal policy document contents; and;
- establishes timeframes for defined stages of policy initiation, preparation and implementation.
- Agreement for the Supply of Services.
- American Express Group’s standard procurement contract requires all vendors and third party data processors to adhere to American Express Group’s stringent Information Protection Contract Requirements to safeguard the security of all personal data held by American Express Group and processed by a service provider.
- The Information Protection Contract Requirements are incorporated into all contracts with third parties where the processing of personal data is contemplated.
- The selection of third party data processors and vendors is based upon, in part, their performance against risk assessment templates and the review of their data security practices and risks.
- Third party data processors and vendors must be governed by adequate contractual provisions which include necessary technical and organisational security measures to protect American Express Group data. The policy provides at a minimum that:
- consultants, contractors and vendors have signed confidentiality and/or non-disclosure agreements as part of their initial terms and conditions of employment/contract and when the terms and conditions are changed.
- certain contracts contains a penalty clause for using customer or restricted information in a manner different than that documented in the contract.
- security policies and standards followed by the vendor are equal to or greater than American Express Group policies and standards and the security practices and standards followed by the vendors meet required data protection requirements, as they may be updated from time to time.
- Third Party Services Policy
- The American Express Third Party Services Policy requires that third parties must adhere to American Express Group Policies and Standards when employed by a company within the American Express Group, and must acknowledge their responsibility through formal written statements. This applies to all personnel involved in the selection and oversight of third party service providers including American Express Group personnel, its respective affiliates, subsidiaries, personnel, third party consultants, contractors, vendors and any individual or entity that are granted external access to American Express Group information resources.
Code of Conduct
The Code of Conduct presently provides, in relation to employee privacy:
“We must safeguard the privacy, confidentiality and security of personally identifiable employee data. Our colleagues, as well as prospective and former employees, trust us to properly manage and use their personal information. For this reason, we must know and abide by the American Express Employee Data Privacy Principles at all times. This policy governs the collection, access, use and disclosure of personally identifiable employee data. Such data includes information about salaries, performance reviews, disabilities and leaves of absence, as well as more sensitive data like government-issued identification numbers. We may only use such data for relevant and appropriate business purposes. We must not share this information with anyone, either inside or outside our Company, who does not have a business need to know it. In addition, we must take steps to properly secure such data at all times. Many countries have their own legal requirements governing the use of employee data. Contact Human Resources if you are unsure of these requirements.”
The Code of Conduct presently provides, in relation to customer privacy:
“We are responsible for protecting the privacy, confidentiality and security of customer information entrusted to our Company. To uphold our Company’s reputation and best serve our customers, our Company has made a firm commitment to vigilantly protect the privacy of customer information. This means we must collect, use and safeguard customer information according to our Online Privacy Statement or Minimum Standards for Safeguarding Customer Information Policy. We must never share customer information with a third party or any colleague who doesn’t have a business need to know it. We must also take steps to prevent the accidental disclosure of customer information. Make sure to follow established Company procedures in the rare event of disclosure. In the event of a potential data compromise incident, immediately contact the CSI Data Privacy Office and EIRP on Lotus Notes. Do not share any details about the incident with others, internally or externally, who don’t have a business need to know it. Refer to our EIRP Guide for more information on identifying and reporting data compromise situations. If a government agency requests information about one of our customers, we must contact the GCO before providing any information. In addition, many countries have their own legal requirements governing the use of customer information. If you are unsure of local requirements or have other privacy related questions, you should contact your leader, your Compliance Officer or the GCO.”
Data Protection and Privacy Complaint Handling Procedure
Our aim is to provide you with the best possible service every time. We realise, however, that on occasions mistakes can happen and we need your help to improve. If things do go wrong we have set up a complaint handling procedure that is easy to follow and will make sure that you receive a quick and thorough reply to any complaints or inquiries that you may have.
The Complaint Process
This Complaint handling procedure applies to you if you live in the European Economic Area (“EEA”) and have personal data that is processed by any company in the American Express Group in the EEA and which may also be processed by the American Express Group elsewhere outside of the EEA.
Contacting Us Regarding General Data Questions
If you have any general comments or concerns about the way we handle your personal data, you can speak to a member of our Customer Service team on one of the numbers below:
0800 917 8054 or 0044 1293 820925
Alternatively, you may wish to contact us in writing at the following address:
American Express Services Europe Ltd.
Brighton BN88 1AH
In addition, you may wish to contact us through our local American Express company reaching out to the relevant customers service contact details indicated in the information provided to you in our national terms & conditions, privacy notices and related documentation.
When you contact us, please tell us:
- Your name
- Your account number
- The nature of your complaint
Contacting Us Regarding More Detailed Inquiries
If you wish to obtain details of the information we hold and process about you, or if you wish to make any specific objections about the way we process your personal data then you can make a detailed enquiry. With a detailed enquiry, you have the right to do the following:
- object to the processing of your personal data;
- have your personal data erased or destroyed;
- correct your personal data;
- block the collection of your personal data; and
- exercise your data subject access rights, where you have the right to be:
- told whether American Express is processing any of your personal data;
- given a description of the personal data, the reasons it is being processed and whether it will be given to any other organisations or people;
- given a copy of the information comprising the persona data;
- given details of the source of the personal data, where possible; and
- told the reasoning behind any automated decisions based upon your personal data,
We deal with these requests centrally, and so please contact us in writing at the following address:
American Express Services Europe Ltd.
Data Privacy Officer
Brighton BN88 1AH
When you contact us, please tell us:
- Your name
- Your account number
- Details of how we may contact you
- The nature of your complaint
We will contact you promptly to confirm your identity, and once this is done we will try to resolve the matter within 5 (five) working days following that confirmation. Some types of detailed enquiries may require a small charge, and if this is the case, we will provide you details of this charge when we contact you. In some circumstances you may be entitled to compensation for any failure by American Express to process your personal data correctly or in accordance with the American Express Data Protection and Privacy Principles [link].
Response Times In certain circumstances it may not be possible for us to resolve your concerns immediately and we may need to carry out a more detailed investigation. If this is the case then we will write to you within 10 (ten) working days to tell you who will deal with your concerns and how long it is likely to take to investigate the matter fully. Our aim is to provide you with a full response within 4 (four) weeks. If you are not satisfied with this response we will ask that you let us know so that we can investigate the matter further.
If You Are Not Satisfied If you feel we have not resolved your complaint satisfactorily or you have not been given a final response after 4 weeks, you have the right to bring your complaint to the local Data Protection Authority for data protection.
You can contact the appropriate Data Protection Authority at:
A - 1014 WIEN
Tel. +43 1 531 15 25 25
Fax +43 1 531 15 26 90
||Commission de la protection de la vie privée
Rue Haute, 139
B - 1000 BRUXELLES
Tel. +43 1 531 15 25 25
Fax +43 1 531 15 26 90
||Commission for Personal Data Protection
Mrs. Veneta Shopova
1 Dondikov Blvd.
Tel. +3592 940 2046
Fax +3592 940 3640
||Mr. Franjo LACKO
Croatian Personal Data Protection Agency
Republike Austrije 25
Tel. +385 1 4609 000
Fax +385 1 4609 099
e-mail: firstname.lastname@example.org or email@example.com
||Commissioner for Personal Data Protection
Ms Goulla Frangou
40, Th. Dervis Street
CY - 1066 Nicosia
Tel. +357 22 818 456
Fax +357 22 304 565
||Mr. Igor Nemec
The Office for Personal Data Protection
Urad pro ochranu osobnich udaju
Pplk. Sochora 27
CZ - 170 00 Prague 7
Tel. +420 234 665 111
Fax +420 234 665 444
Borgergade 28, 5
DK - 1300 Copenhagen K
Tel. +45 33 19.32.00
Fax +45 33 19.32.18
||Estonian Data Protection Inspectorate
Mr Viljar Peep (Ph.D)
Tel. +372 6274 135
Fax +372 6274 137
||Office of the Data Protection
P.O. Box 315
Mr Viljar Peep (Ph.D)
Tel. +358 10 3666 700
Fax +358 10 3666 735
|Ms. Marijana MARUSIC
Directorate for Personal Data Protection
former Yugoslav Republic of Macedonia
Tel. +389 (0) 2 3244 760
Fax +389 (0) 2 3244 766
||Commission Nationale de l'Informatique et des Libertés
8, rue Vivienne, CS 30223
F-75002 Paris, CEDEX 02
Tel. +33 (0) 1 53 73 22 22
Fax +33 (0) 1 53 73 22 00
||Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Tel. +49 (0) 228 997799 0 or +49 (0) 228 81995 0
Fax +49 (0) 228 997799 550 or +49 (0) 228 81995 550
||Hellenic Data Protection Authority
Kifisias Av. 1-3, PC 11523
Ampelokipi Athens, Greece
Tel. +30 210 6475 600
Fax +30 210 6475 628
||Dr. Peter Harris C. Eng, MA, PhD, FBCS
Data Protection Commissioner
P.O. Box 642
Sir William Place
St. Peter Port
Guernsey GY1 3JE
Tel. +44 1481 742074
Fax +44 1481 742077
||Data Protection Commissioner of Hungary
Parliamentary Commissioner for Data Protection and Freedom of Information
Dr. Attila Péterfalvi
Nádor u. 22.
H - 1051 Budapest
Tel. +36 1 475 7186
Fax +36 1 269 3541
||Icelandic Data Protection Agency
105 Reykjavík, Ísland
Tel.+354 510 9600
Fax +354 510 9606
||Data Protection Commissioner
Lo-Call: 1890 25 22 31
Tel.+353 57 868 4800
Fax +353 57 868 4757
|Isle of Man
||Mr Iain McDonald
Data Protection Supervisor
Office of Data Protection Supervisor
P.O. Box 69
Isle of Man IM99 1EQ
Tel.+44 (0) 1624 693260
Fax +44 (0) 1624 6610
||Garante per la protezione dei dati personali
Piazza di Monte Citorio, 121
I - 00186 Roma
Tel.+39 06 69677 1
Fax+39 06 69677 785
||The Office of the Data Protection Commissioner
Mrs. Emma Martins
Jersey JE1 1DD
Tel.+44 (0) 1534 441064
Fax+44 (0) 1534 441065
||Data State Inspectorate
Director Ms Signe Plumina
Kr. Barona Street 5-4
LV - 1050 Riga
Tel.+371 6722 3131
Fax+371 6722 3556
||Dr. Philipp Mittelberger
Datenschutzbeauftragter des Fürstentums Liechtenstein
Stabsstelle für Datenschutz
Kirchstrass 8, Postfach 684
Tel.+423 236 6091
Fax+423 236 6099
Verwaltung: http://www.sds.llv.li Liechtenstein: http://www.liechtenstein.li
||State Data Protection
Mr Algirdas Kuncinas
Žygimantu str. 11-6a
LT - 011042 Vilnius
Tel.+ 370 5 279 14 45
Fax+370 5 261 94 94
||Commission nationale pour la protection des données
41, avenue de la Gare
Tel.+352 2610 60 1
Fax+352 2610 60 29
||Office of the Data Protection Commissioner
Data Protection Commissioner
Mr Paul Mifsud Cremona
2, Airways House
High Street, Sliema SLM 16, Malta
Tel.+356 2328 7100
Fax+356 2328 7198
The Data Inspectorate
P.O.Box 8177 Dep
N - 0034 OSLO
Tel.+47 22 39 69 00
Fax+47 22 42 23 50
||The Bureau of the Inspector General for the Protection of Personal Data
Mr Michal Serzycki
Inspector General for Personal Data Protection
ul. Stawki 2
Tel.+48 22 860 70 81
Fax+48 22 860 70 90
||Comissão Nacional de Protecção de Dados
R. de São. Bento, 148-3°
P - 1200-821 LISBOA
Tel.+351 21 392 84 00
Fax+351 21 397 68 32
||The National Supervisory Authority for Personal Data Processing
Mrs. Georgeta BASARABESCU
Str. Olari nr. 32
Sector 2, BUCURESTI
Cod postal 024057
Tel.+40 21 252 5599
Fax+40 21 252 5757
||Office for Personal Data Protection of the SR
Mr Gyula Veszelei
Odborárske námestie c. 3
817 60, Bratislava
Tel.+ 421 2 5023 9418
Fax+ 421 2 5023 9441
e-mail:firstname.lastname@example.org or email@example.com
Ms. Natasa Pirc Musar
SI - 1000 LJUBLJANA
Tel.+386 (0) 1 230 9730
Fax+386 (0) 1 230 9778
||Agencia de Protección de Datos
C/Jorge Juan, 6
E - 28001 MADRID
Tel.+34 91399 6200
Fax+34 91455 5699
S - 104 20 STOCKHOLM
Tel.+46 8 657 6100
Fax+46 8 652 8652
||Data Protection Commissioner of Switzerland
CH - 3003 Bern
Tel.+41 (0) 31 322 4395
Fax+41 (0) 31 325 9996
||College bescherming persoonsgegevens (CBP)
Dutch Data Protection Authority
Juliana van Stolberglaan 4-10
NL - 2509 AJ Den Haag/The Hague
CH - 3003 Bern
Tel.+31 70 888 8500
Fax+31 70 888 8501
||Mr Richard Thomas
The Office of the Information Commissioner Executive Department
Water Lane, Wycliffe House
UK - WILMSLOW - CHESHIRE SK9 5AF
Tel.+44 1 625 54 57 00 (switchboard)
e-mail:please use the online enquiry from our website
Bringing Court Proceedings
If you are unable to get the response you require from either us, or your local Data Protection Authority, then you may bring proceedings in a local court. In this situation, we recommend that you first consult an independent and appropriate qualified legal advisor. American Express will accept claims either against your local American Express entity or against AESEL directly.
The Principles and the European Implementing Principles are binding upon the American Express Group and give you rights as a third party contractual beneficiary as set out in the programme documentation.
If you need to know the name of your local American Express entity or have any other queries about this Step 5, please contact us using the details in Step 2 “Contacting Us Regarding More Detailed Inquiries”, however please note in that case there is no need to provide any administrative fee.