American Express Data Protection and Privacy Principles

The following Data Protection and Privacy Principles (“Principles”) set out the way that American Express Company and its wholly owned direct and indirect subsidiaries (“American Express”) will collect, use, store, share, transmit, delete or otherwise process (collectively “process”) your personal data. Personal data means any information that relates to an identified or identifiable individual. The standard of personal data protection set out in these Principles will be used by American Express globally, providing adequate and consistent protection for the processing of your personal data. In these Principles, “you” and “your” means any individual customer or employee of American Express and any other individual whose personal data we process and “we”, “us”, “our” and “American Express Group” means American Express.

 

  1. Collection: We will only collect personal data that is needed and by lawful and fair means.
  2. Notice and Processing: Where it is not apparent from the products or services you require or the nature of your relationship with us, we will tell you how your personal data will be processed and which companies in the American Express Group are responsible for that processing. We will process your personal data fairly and only for those purposes we have told you, for purposes permitted by you or as permitted by applicable law. In addition, you may object to certain types of processing as expressly permitted by applicable law.
  3. Choice: We give customers the option of having their personal data included or removed from lists used for marketing as required by applicable law. This includes product and service offers from American Express and those made in conjunction with our business partners. Of course, each of our businesses will continue to send customers information about the products or services they receive from that business.
  4. Data Quality: We use appropriate technology and well-defined employee practices to process your personal data promptly and accurately. We will not keep your personal data longer than is necessary, except as otherwise required by applicable law.
  5. Security and Confidentiality: We will keep your personal data confidential and limit access to your personal data to those who specifically need it to conduct their business activities, except as otherwise permitted by applicable law. We refer to industry standards and use reasonable administrative, technical and physical security measures to protect your personal data from unauthorised access, destruction, use, modification or disclosure. We require industry standard data security measures from those third parties who are authorised by us to process your personal data on our behalf.
  6. Data Sharing: We only share your personal data with third parties where it is necessary to provide you with products or services or as part of the nature of our relationship with you, where we have previously informed or been authorised by you, in connection with our efforts to reduce fraud or criminal activity, or as permitted by law.
  7. Openness and Data Access: If you ask, we will inform you about how your personal data is processed and the rights and remedies you have under these Principles. You may inquire as to the nature of the personal data stored or processed about you by American Express. You will be provided access as is required by law in your country, regardless of the location of the data processing and storage. If any data is inaccurate or incomplete, you may request that the data be amended.
  8. International Transfer: Where it is not apparent from the international products or services you require or the nature of your relationship with us, we will inform you if your personal data may be transferred outside of your country and ensure that such transfer is only performed in accordance with applicable law. Regardless of where your personal data is transferred, your personal data is protected by these Principles.
  9. Responsibility: Each company in the American Express Group and their employees may only process your personal data in accordance with these Principles. We conduct training and reviews of our compliance with these Principles. Employees who violate these Principles may be subject to disciplinary action, up to and including dismissal. Employees are expected to report violation of these Principles, and may do so to their managers, to their business unit's compliance officer, to the legal department, to the Privacy Office or to the company's Office of the Ombudsperson.
  10. Accountability: You may enforce these Principles in your country against any company in the American Express Group that is responsible for your personal data, as a third party contractual beneficiary to these Principles. If you have a complaint that we have breached these Principles and have attempted in good faith to resolve the complaint through our customer service process, but the complaint was not resolved by us within a reasonable amount of time, then you may enforce these Principles against us. If you complain to your local data protection authority and the data protection authority finds that we have breached these Principles, we will abide by the findings of the data protection authority, but we reserve the right to challenge or appeal such findings. These Principles do not affect any rights you have under applicable law, the requirements of any applicable regulatory data protection authority, or any other type of agreement that you may have with us.

These Principles emphasise our commitment to protect your personal data. They are binding on all companies in the American Express Group, demonstrating our commitment to privacy. In addition, each company in the American Express Group that holds personal data may maintain its own additional rules and practices for particular products or services, consistent with these Principles. If you have questions or comments about the Principles, please contact us here.