American Express®
Online Privacy Statement - Spain

The type of information we collect depends on the product or service you use. We only collect personal information that is reasonably necessary for legitimate business purposes.

In some cases, we collect information if you provide it to us directly. For example, we may collect personal information such as your name, account number, date of birth, address, phone number and/or email address. When you interact online with American Express, we may also process digitaldata and other information originating from your online behaviour, such as your IP address or whether you have previously visited us online during the application process.

For instance, we collect personal information when you:

• apply for an American Express product or service online;
• access our online account services;
  
• book a flight through American Express Travel or purchase something on our websites;
  
• enrol in an American Express offer, participate in a promotion or take one of our surveys.
  

If you apply for an American Express card account, we may collect more detailed personal information, such as your employment details or your income.

Please note that we may also collect special categories of personal information (such as information regarding health or biometric data) in some instances. We will use this information only as permitted or required by law or where provided by you with your explicit consent.

Cookies and similar technologies

We also collect information through cookies and similar technologies when you use our online services or access our content online.

A cookie is a small data file that a website transfers to your computer. We place cookies when you visit our website or another company’s websitewhere our ads appear or when you make purchases, request or personalise information or register for certain services. If you accept the cookies used on our website, websites that are ‘powered by’ another company on our behalf or websites where our ads appear, you give us access to information about your interests. We use that information to personalise your experience. Similar technologies include clear GIFs, web beacons and pixel tags, which tend to be transparent images on websites. Our cookies and similar technologies collect information about your device, operating system and web browser. They also collect information about your use of the device, as described in more detail below.

Most cookies and similar technologies will only collect de-identified information, such as how you arrive at our website or your general location. However, certain cookies and similar technologies do collect personal information. For example, if you click “Remember me” when you log in to our website, a cookie will store your username.

Cookies and similar technologies may collect information that includes:

• the device(s) you use (e.g. the operating system or type of device you use to open electronic communications from American Express);
  
• information related to your IP address, such as your domain information, internet provider and general geographic location;
  
• how you use our websites and apps, such as what you search for on our websites and apps, the pages you view, how long you stay and how often you visit them;
  
• how you search for our websites or apps, which website or app you came from and which of our business or commercial partners’ websites you visit;
  
• which ads or online content from us and our business or commercial partners you view, access or click on;
  
• whether you open our electronic communications, which sections you click on or how often you open them.
  

If you use your mobile device to access our products or services, we may collect information related to that device, such as your location to provide location-based content, which you request.

To find out more about cookies and similar technologies, please refer to our notice “About Cookies and Similar Technologies”.

Other sources of information

We may obtain information about you from other sources and combine it with information we collect under this Statement. For example, we may obtain information about other American Express products and services you use, in accordance with those privacy notices. In accordance with your Cardmember Privacy Statement, we may collect information from your paper application form and your card transactions. We may also obtain information from publicly available records or databases or third-party sources, such as credit bureaus or business and commercial partners.

We use information about you either on its own or combined with other information: (i) where it is necessary to administer our contractual relationship with you; (ii) for our own legitimate interests to provide you with better products and services (such as to reduce fraud); (iii) where we have obtained your consent, such as for certain marketing purposes; or (iv) for compliance with laws. Please note that we consider and balance any potential impact on you and your rights before processing your personal information for our legitimate interest.

(i) More specifically, to administer our contractual relationship with you and deliver products and services, including, for instance, to:

• process your applications;
• process and complete transactions;
  
• manage your accounts;
  
• update you about new features and benefits;
  
• provide location-based services you may request;
  
• communicate with you better;
  
• provide you with open banking services (see the Open Banking section for further information).
  

(ii)For our legitimate interests or for the legitimate interests of others, we may use information about you to:

• conduct research and analysis to better understand our online visitors, customers and our business, including to:
  
  • request feedback or reviews about our products and services and those of our commercial and business partners;
    
  • determine the effectiveness of our advertising and marketing campaigns;
    
  • improve our websites and apps and make them easier to use;
    
  • place you in groups with similar customers to make predictions about you, deliver more personalised services and help determine whether you may be interested in new products or services.
    
• manage our business risks, such as fraud, credit and security risks, including to:
  
  • detect and prevent fraud or criminal activity and safeguard your accounts, including by using the location and other technical attributes of your mobile device or browser;
    
  • review and approve individual transactions you make through digital channels;
    
  • develop and refine our risk management policies, models and procedures for applications, as well as customer accounts;
    
  • inform our information collection practices and how we share information with credit reference agencies and fraud-management agencies, for example asset solvency files. Specifically, we hereby inform you that your data may be reported to Experian’s BADEXCUG file in case of failure to comply with your monetary, financial or credit obligations (for further information, see the Credit Reporting Agency Information Notice).
    
• advertise and market our products and services and those of our business and commercial partners, including to present content that is tailored to your interests, including targeted advertising across multiple devices (see the Digital Advertising section for further information).
  

(iii)With your consent, to:

• promote our products and services;
  
• send you ads, promotions and offers about products and services for companies within the American Express group and those of our business and commercial partners;br>
• recognise you when you return to our websites, receive our emails or use our apps, including across multiple devices (for example, to send you tailored ads, promotions, offers or content, including targeted advertising). Please refer to the “Cookies and Similar Technologies” section above for further information.
  

(iv) To comply with applicable laws and regulations around the world, we may use information about you:

• to establish, exercise, or defend legal rights or claims and assist in dispute resolution;
  
• for reasons of substantial public interest (including for instance the use of your biometric information, such as your ID voice print) for security verification and fraud prevention purposes;
  
• as required or permitted by law (such as performing due diligence on you before approving your application).
  

Open banking

We may use your personal information to provide our open banking services. These services may include providing you with consolidated information on one or more payment account(s) that you hold with one or more bank(s) or payment institution(s); or contacting your bank to perform a credit transfer to a merchant. In this context, we will process your personal information to provide you with the regulated open banking services or as otherwise described in this “Use of Information” section.

Automated decision making

We may use fully automated processes to help us make certain decisions, including to evaluate certain attributes about you to provide our services. For example, we may use such processes to:

- assess security risks, detect and manage fraud;

- process card applications;

- assess credit risks, including to check if you meet our eligibility criteria and decide whether we can issue you a card.

These assessments are based on information that we obtain lawfully, such as information that you provided in your application form (including your reported income), your payment history with American Express and information we obtain from third parties, such as credit bureaus. We also look at digital data (such as information about your device or browser or patterns in your online interactions with American Express) to help us detect fraud. These methods are regularly tested to ensure that they remain fair, effective and unbiased.

Some of those decisions that are made solely by automated means have legal effects or similar effects. However, we will only perform such processing if it is:

-necessary for entering into or performing a contract between you and American Express;

- authorised by a law to which American Express is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests;

- based on your explicit consent to such processing.

Please see the “Your Rights” section for further information about your rights related to automated decision making.

Digital Advertising

We advertise through our websites and apps, as well as third-party platforms. We may use information about you to display online marketing content tailored to your interests or general geographic location, across multiple devices you use. Here are some ways this works.

• We engage in targeted advertising, which involves the use of personal information: your email address and other information collected through cookies and similar technologies, regarding your browsing behaviour over time and across different websites.
• We also use information about you to present advertising content or participate in targeted advertising campaigns on social media platforms. If you follow our social media pages or “like” our content on these platforms, we may use information about you to improve what and how we serve content to you on social media. Bear in mind that we do not own these websites and apps, and we are required to use information about you only in ways that are consistent with these platforms’ privacy policies and terms & conditions.
  

You can choose how we market to you, as specified in the “Your Choices” section below.

In some circumstances, we may share information about you, including with:

• service providers who perform services for us, such as printing, mail, advertising, marketing, etc. We require all of our service providers to protect personal information according to our standards and use it only for the purposes we allow;
• regulatory authorities, courts, governmental agencies and fraud prevention agencies, to comply with legal or regulatory requirements, assist in legal or regulatory investigations and protect the rights of American Express or others;
  
• credit reference agencies and similar institutions – e.g. asset solvency files – to report or enquire about your financial circumstances and to report or collect debts you owe;
  
• companies or other lines of products and services within the American Express group;
  
• business or commercial partners, such as other financial institutions, loyalty programmes, travel partners and certain advertising partners with whom we offer or develop products and services;
  
• third parties for provision of open banking and related services on your request, for example where you seek to connect your account information to another platform or to initiate payments from other accounts;
  
• necessary parties involved in the sale of all or part of a company in the American Express group, or its assets;
  
• other relevant third parties, as required or permitted by law or with your consent;
  

Likewise, you are hereby informed that we may request information recorded in the SCIRBE regarding all background, risks and credits appearing in your name to determine your financial solvency.

Cross-border transfers of personal information

Where necessary, we will transfer personal information to other countries with different data protection laws to provide you with our products or services (including to countries outside of the European Economic Area, such as to the United States, where our main operational data centres are located), unless this is restricted by applicable law. Bear in mind, no matter where we process your personal information, we will always protect it in the manner described in our privacy notices and in accordance with applicable laws. For example, when we share personal information with other companies within the American Express group that are outside the European Economic Area, we ensure an adequate level of protection though our Binding Corporate Rules. When we share personal information with third parties outside the European Economic Area, we include appropriate contractual protections in those agreements. In addition, we assess whether other technical and organisational measures are required for those transfers.

We sometimes process personal information so that it no longer identifies any individual. Once processed, this is referred to as aggregated and anonymised information, which we use to:

• analyse patterns among groups of people, such as cardmembers and online users;
• create business insights or statistical research reports;
  
• improve our advertising and our business.
  

We sometimes share aggregated and anonymised information with third parties, for many of the same reasons mentioned above.

We use administrative, organisational, technical and physical security measures to protect the confidentiality, integrity and availability of personal information. Here’s what you should know:

• these measures include technological safeguards and appropriate access controls to data and facilities;
• we require service providers to safeguard personal information and only use it for the purposes we specify;
  
• we take reasonable steps to securely destroy or de-identify personal information when we no longer need it.
  

We keep personal information for only as long as necessary to provide you with products or services – unless we are required or permitted to keep it for longer by law, regulation or for litigation or regulatory investigations.

You have the right to access, update, restrict, object to and erase your personal information. You are also entitled to exercise your right to data portability and/or to withdraw your consent. Such rights include:

• requesting details on the personal information we have about you;
• restricting and/or objecting to the use of personal information;
  
• requesting a manual review of certain automated processing activities that may impact your legal or contractual rights or that may have a similar legal effect;
  
• receiving your personal information in a structured, commonly used and machine-readable format and/or transmitting such data to another data controller;
  
• withdrawing the consent you have given for the processing of personal information at any time.
  

If you wish to exercise any of your rights, please click here

IIf you have any questions about how we process your Personal Data, please contact us.

If we receive a complaint from you, we will do everything in our power to resolve it as soon as possible and within 30 days at the latest. If we are unable to meet this deadline, we will send you a letter explaining the reason for the delay and informing you of a new deadline for responding to you. Remember that your request will be free of charge, except if you incur additional expenses for our company, in which case you may be charged a fee at the rate determined by the data protection authority.

You can also contact the Data Protection Authority directly. For further details, please refer to the Spanish Data Protection Agency website. You also have the option to take your case to the court of your place of residence, your place of work or the place where the infringement occurred.

You have the power to make choices about how American Express collects and uses information about you for marketing and advertising purposes. We work with a range of advertising partners to present our ads online, including ad networks, ad servers and social media platforms. Your choices may vary depending on whether we are serving you ads through websites, email, apps or social media.

Choices about the information we collect

• If you do not want us to collect information about you through cookies for marketing and advertising purposes, you can opt-out of cookies in the banner that appears the first time you visit our site by clicking on “Set Cookie Preferences” or through your browser settings as explained in the “About Cookies and Similar Technologies” policy.
  • If you delete cookies, buy a new device, access websites from a different device, or change browsers, you will need to opt-out again.
    
  • If you opt out of cookies, we will still show you advertising related to our products or services, but it will not be based on information about you.
    
• You can adjust how we collect information about you through your mobile device settings. For example, you can turn off location-based services and device ad tracking.
  

Choices about marketing communications

If you do not want to receive direct marketing communications from us, you can opt out by:

-Email: Click unsubscribe at the bottom of an e-mail and follow the instructions or go here

-Your account online: Log in to your account and click on Account Management / Alerts, Communications, Privacy / Contact Preferences.

-Phone: Register for the national do not call list at https://www.listarobinson.es/

Keep in mind, even if you opt out of direct marketing, we will still communicate with you to service your account, fulfil your requests or administer any promotion or programme of which you have opted to be part. These communications, which are necessary for us to inform you about the service you expect to receive from us, are not considered as direct marketing, but are rather qualified as service messages. For example, they can be used to inform you of a benefit on your account.

How to Access Your Customer Choices

If you are a customer, you can make choices about how we communicate with you. To update your communication preferences, you can:

Log into your account and click on Account Management / Alerts, Communications, Privacy / Contact Preferences to update your marketing and data sharing choices.

Call Full-time Member Customer Service on 900 814 500.

Merchants

• Log in to your account at americanexpress.com/merchant and visit your settings to update your marketing communications preferences. 
• Call 900 816 738 or 902 100 956.

If you have any questions about this Statement, feel free to get in touch at the number on the back of your card or visit the “Contact Us” page on our website. You may also contact our DPO at DPO-Europe@aexp.com.

If you are a customer, you can update personal information by logging in to your account online or in your Amex® app any time. We’re here for you 24/7.

We may change this Statement when necessary. Depending on what we change, we may let you know in advance. Whenever we make any changes, we will update the “Effective date” at the top of this page. Any changes to this Statement will become effective immediately when posted. When you continue to use our products and services following an update, this will indicate that you accept the revised Statement.