Table of Contents
American Express values your trust and respects your privacy.
Data protection and information security are long-standing priorities for our company. As a multinational organization, we are committed to protecting personal data, irrespective of where it is used, and all personal data American Express collects is handled according to our Data Protection and Privacy Principles.
In 2012, American Express was one of the first companies to publish Binding Corporate Rules (BCRs) approved by the Information Commissioner’s Office. Today, these BCRs continue to lay a framework for our strong privacy commitments, promoting a robust compliance culture across our enterprise.
Amongst other things, these BCRs govern the international Transfers of Personal Data within the American Express BCRs Entities in accordance with Applicable Data Protection Legislation and ensure that your Personal Data is always adequately protected regardless of where it is Transferred.
Easy access to the UK BCRs
These BCRs are available on American Express’ websites in the United Kingdom. You may also request a copy of these BCRs in an alternative format from our Data Protection Officer (DPO) at the address below or from the local American Express entity responsible for your Personal Data. Please note that the authority overseeing these BCRs is the Information Commissioner Office (ICO).
These BCRs are legally binding on the American Express BCRs Entities and their Employees by an Intra-Group Agreement between American Express Company and American Express Europe Limited (AESEL), the legal representative of American Express in the United Kingdom.
Each American Express BCRs Entity and their Employees may only Process Personal Data in accordance with these BCRs. Employees who violate these BCRs may be subject to disciplinary actions.
3.1. Geographical scope
These BCRs apply to all Processing of Personal Data subject to Applicable Data Protection Legislation. This is, Personal Data of a Data Subject that is or has been Processed in the context of the activities of an American Express BCRs Entity established in the United Kingdom even if the Processing is carried out by an American Express BCRs Entity outside of the United Kingdom.
3.2. Material scope
In its capacity as Data Controller, American Express Processes the Personal Data of past, present and prospective employees, directors, contractors, individual consultants, contingent workers, employed by American Express whether full time, part time, permanent or temporary, as well as retirees ("Employees”) and the Personal Data of past, present and prospective American Express consumers, and natural persons working at the corporate clients, suppliers and partners of American Express (“Customers”).
The purposes for which American Express Processes Personal Data mainly relate to consumer, commercial, merchant, insurance, travel, meetings and events, and network services as well as human resources.
To effectively conduct American Express’ global activities, the Processing of Personal Data by the American Express BCRs Entities, in connection with the purposes identified in these BCRs, may involve international Transfers of Personal Data of Data Subjects, from any United Kingdom American Express BCRs Entity to any other American Express BCRs Entity outside of the United Kingdom (including, from the United Kingdom to the United States, where American Express’ main servers are located), and any other onward Transfer of that received Personal Data to a third party outside of the American Express group.
For a more comprehensive view of American Express’ Processing activities, please refer to Appendix 1. To see where our American Express BCRs Entities are located, please refer to Appendix 2.
When Processing your Personal Data, American Express BCRs Entities are committed to complying with robust data protection principles (section 4.1) and to respecting your data protection rights (section 4.2).
4.1. Data protection principles
4.1.1. Transparency and fairness
The American Express BCRs Entities will collect and Process your Personal Data in a transparent manner and by fair means.
We ensure that You are provided with easy access to the information on our Processing activities as required by the United Kingdom’s General Data Protection Regulation (UK GDPR). This information is provided to You in a concise, transparent, intelligible and easily accessible form, using clear and plain language and is available in the relevant American Express Privacy Statements, as applicable to your relationship with Us. These notices and terms and conditions may also contain additional provisions which are relevant to the Processing of Personal Data, pursuant to national applicable law(s) and regulation(s).
In particular, when the Personal Data is collected from the Data Subject, the following information will be provided at the moment the Personal Data is collected:
- the identity and contact details of the Controller and, where applicable, its representative;
- the contact details of the DPO;
- the purposes of the Processing for which the Personal Data are intended and the legal basis for the Processing ;
- the recipients or categories of recipients of the Personal Data, if any;
- the existence of Personal Data Transfers to countries without adequate level of protection and the appropriate safeguards adopted to ensure the same level of protection as required by the UK GDPR;
- the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period; and the existence of the Data Subjects’ rights recognised by the UK GDPR.
When the Personal Data has not been collected from the Data Subject, the previous information, as well as the categories of Personal Data concerned and the source from which the Personal Data originates, will be timely communicated (unless the Data Subject already has the information, the provision of such information proves impossible or would involve a disproportionate effort, obtaining or disclosure is expressly laid down by Union or Member State law or where the Personal Data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy).
These BCRs also inform You about the rights You are entitled to enforce against AESEL or any American Express BCRs Entity as third-party beneficiary with regard to the Processing of your Personal Data under these BCRs (“Third-party Beneficiary Rights”) and on the means to exercise such rights (see section 8). In addition, these BCRs will provide You with information on the data protection principles that We apply when Processing your Personal Data (as explained in this section 4) and information about the liability American Express BCRs Entities assume in the event of a breach of these BCRs (see section 8).
In addition, You are always able to obtain, upon request, a copy of these BCRs. A public version will be available on American Express BCRs Entities’ public websites in the United Kingdom as well as on our intranet if You are an Employee.
4.1.2. Lawfulness of Processing
Your Personal Data and Special Categories of Data are collected and Processed fairly and lawfully, in accordance with the Applicable Data Protection Legislation. The lawful bases for Processing your Personal Data are described in more detail in the relevant American Express Privacy Statements, as applicable to your relationship with American Express.
Your Personal Data is collected and Processed only where there is a lawful basis for Processing :
- when You have given your explicit Consent (for instance, to send You email communications containing ads, promotions, and offers for American Express products and services);
- when the Processing is necessary for the performance of a contract to which You are a party or in order to take steps at your request prior to entering into a contract (for instance, to administer our contractual relationship with You and process your application for a card, account or other product or to manage your existing accounts);
- when the Processing is necessary for compliance with a legal obligation (for instance, to report certain suspicious transactions to the competent authorities under anti-money-laundering rules or as required by law to perform due diligence on Customers before approving their applications); or
- when the Processing is necessary for the purposes of the legitimate interests pursued by an American Express BCRs Entity or by third-party(ies) (for instance, to deliver products and services, advertise and market products and services, conduct research and analysis, and manage our fraud and security risks), except where such interests are overridden by your interests or fundamental rights and freedoms.
We may collect Special Categories of Data including data related to health, biometric data, sexual orientation or race / ethnic origin. This data is collected and Processed to satisfy legal requirements, for purposes essential to administering the employment relationship or where provided with explicit Consent, and only if permitted by applicable law.
Sometimes, You may provide Us with this type of data to improve your journey with Us (for instance, if You inform Us about specific dietary requirements or your need of special assistance during a flight).
To the limited extent that Special Categories of Data are collected, they will only be Processed under one of the lawful basis mentioned above, and provided one of the conditions for Processing Special Categories of Data applies, such as for instance when:
- You have given your explicit Consent to the Processing,
- the Processing is necessary for the purpose of carrying out the obligations and specific rights of American Express in the field of employment law,
- the Processing relates to Special Categories of Data which You have manifestly made public,
- the Processing is necessary for the establishment, exercise or defence of legal claims,
- the Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law.
In addition, the American Express BCRs Entities will take reinforced measures to Process Special Categories of Data, as required by the Applicable Data Protection Legislation.
4.1.3. Data minimization, accuracy and storage limitation
The American Express BCRs Entities use appropriate technology and established Employee practices to Process your Personal Data promptly and accurately.
We take reasonable steps to ensure that your Personal Data is:
- Accurate and kept up to date having regard to the purposes for which it is Processed (data accuracy). Inaccurate Personal Data is erased or rectified without delay;
- Adequate, relevant and not excessive in relation to the purpose for which the Personal Data is collected and Processed (data minimization);
- Not kept in an identifiable form for longer than necessary for the purposes for which the Personal Data is Processed, and only retained for a longer period for archival purposes or as otherwise permitted or required to be retained in accordance with applicable law(s), and then only when appropriate administrative, technical and organisational measures are taken.
4.1.4. Purpose limitation
The American Express BCRs Entities only collect Personal Data for specific and legitimate purposes. We Process your Personal Data fairly and only for those purposes We have told You, for purposes permitted by You or by the Applicable Data Protection Legislation. We will ensure that your Personal Data is not further Processed in a manner that is incompatible with such purposes.
4.1.5. Data security and confidentiality
American Express has implemented and commits to maintain a comprehensive written information security program that complies with applicable law(s) and Applicable Data Protection Legislation.
The American Express BCRs Entities implement appropriate administrative, technical and organizational measures to protect your Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data transmitted, stored or otherwise Processed. We will keep your Personal Data confidential and limit access to your Personal Data to those who specifically need it to conduct their business activities, except as otherwise required by law applicable to Us.
Such measures ensure a level of security appropriate to the risk and take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, and may include as appropriate:
- the pseudonymisation and encryption of Personal Data of Data Subjects,
- measures to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
- measures to ensure the ability to restore the availability and access to Personal Data of Data Subjects in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
We also require appropriate administrative, technical and organisational measures from those third-parties who are authorised by Us to Process your Personal Data on our behalf and We enter into contractual commitments with internal and external Data Processors that comply with safeguards required by the UK GDPR.
In particular, Processing by the Data Processor shall be governed by a contract, that is binding on the Data Processor with regard to the Data Controller and that sets out the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects and the obligations and rights of the Data Controller.
The following duties must also be covered in the agreement that must require the Data Processor to:
- Process the Personal Data only on documented instructions from the Data Controller or ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- take all appropriate technical and organizational measures required to guarantee an acceptable level of security;
- not contract another Data Processor (“Sub-processor”), without prior specific or general written authorisation of the Data Controller and only provided that the same data protection obligations as set out in the contract between the Data Controller and the Data Processor are imposed on that Sub-processor;
- assist the Data Controller with appropriate technical and organizational measures whenever possible for the fulfilment of the duty of the Data Controller to answer Data Subject's requests exercising their rights;
- assist the Data Controller with the fulfilment of its obligations regarding security of Processing, Personal Data Breaches and Data Protection Impact Assessments;
- at the choice of the Data Controller, delete or return all the Personal Data to the Data Controller after the end of the provision of services relating to Processing, and delete existing copies unless the applicable law requires storage of the Personal Data;
- make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR regarding Data Processors and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
In addition, the American Express BCRs Entities have implemented administrative, technical and organisational measures to detect, investigate, escalate and remediate Personal Data Breaches. The American Express DPO is notified of Personal Data Breaches by the American Express BCRs Entities without undue delay and the American Express DPO determines whether to notify the ICO and the Data Subjects in accordance with the UK GDPR requirements. Any Personal Data Breaches are documented (comprising the facts relating to the Personal Data Breach, its effects, and the remedial action taken) and the documentation is made available to the ICO on request.
4.1.6. Onward Transfers
Your Personal Data is Transferred throughout American Express BCRs Entities and onward to third-parties, always ensuring an adequate level of protection for the Processing of your data as required by Applicable Data Protection Legislation, regardless of where it is Transferred.
This flow of data is legitimized through these BCRs, which allow Us to Transfer Personal Data from the UK to the American Express BCRs Entities located outside of the United Kingdom.
In all cases of onward Transfers (i.e., Personal Data that has first been Transferred from a UK American Express BCRs Entity to a non-UK American Express BCRs Entity and later transferred to third-party(ies) not covered by these BCRs), the American Express BCRs Entities will ensure that they enter into a written agreement with these third-parties containing provisions that ensure the Personal Data is protected at least to confidentiality and security standard contemplated by these BCRs, or use another valid legal method to ensure that the Transfer is lawful and adequate guarantees are given under Article 46 of the UK GDPR.
All American Express BCRs Entities are responsible for, and must demonstrate compliance with, these BCRs. Compliance with these requirements includes:
- the maintenance of electronic records of Processing activities, available to the ICO on request, contains the information required by the UK GDPR, such as the name and contact details of the Data Controller, the purposes of Processing ,the categories of Data Subjects and categories of Personal Data ,the recipients of the Personal Data ,the Transfers to countries outside of the UK, the time limits for erasure of the categories of Personal Data and the description of the security measures applied);
- the completion of Data Protection Impact Assessments (applicable only when the Processing activities are likely to result in a high risk to the rights and freedoms of the Data Subjects); and
- consultation with the ICO when required to demonstrate such compliance.
In addition, the American Express BCRs Entities have put in place appropriate administrative, technical and organisational measures designed to implement data protection principles and to facilitate compliance with the requirements set up by these BCRs (data protection by design and by default).
4.2. Data Subjects’ rights
The American Express BCRs Entities comply with your requests to exercise the rights entitled to You by the UK GDPR, where applicable. More specifically, We ensure that You can exercise your right to:
- access your Personal Data (right of access);
- restrict and/or object to the Processing of your Personal Data (right to restriction of Processing and right to object to Processing);
- rectify your Personal Data (right of rectification);
- erase your Personal Data (right to erasure);
- withdraw a previously provided Consent for Processing, and
- receive your Personal Data in a structured, commonly used and machine-readable format and/or transmit such data to another Data Controller (right to data portability).
The American Express BCRs Entities are subject to policies on how to handle such requests to ensure that You have the means to exercise these rights. If You would like to exercise any of your rights, You may contact our DPO at email@example.com.
The American Express BCRs Entities ensure that You are not subject to decisions based solely on automated Processing of Personal Data , including Profiling, which produce legal effects or similar significant effects, unless the Processing is:
- necessary for entering into or performing a contract between You and American Express;
- authorized by a law to which American Express is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- based on your explicit Consent to such Processing.
In accordance with applicable law(s), We will implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention, to express your point of view and to contest the decision.
In compliance with these restrictions, We may use automated processes to help Us make certain decisions, for example, to detect and manage fraud (e.g., to help decide whether your account is used for fraud or money laundering purposes or to detect if fraudsters have accessed your account); or to process card applications and assess credit and security risks. These methods are regularly tested to ensure that they remain fair, effective and unbiased.
You may contact our DPO at firstname.lastname@example.org to exercise your right to request a manual review of certain automated Processing activities that may impact your legal or other contractual rights or that may have a similar legal effect.
American Express has appointed a DPO who monitors compliance with these BCRs. The DPO has the following tasks:
- informs and advises American Express entities and American Express Employees of their obligations under Applicable Data Protection Legislation;
- monitors compliance with Applicable Data Protection Legislation through the assessment of key risk indicators and controls. The DPO reports the results of these monitoring activities to the relevant internal senior-level governance forum;
- provides advice in connection with Data Protection Impact Assessments and monitors their performance; - cooperates with the ICO; and
- acts as a point of contact for the ICO.
The DPO is appointed by the American Express entities as a Board Advisor of AESEL and American Express Payments Services Limited (AEPSL), respectively the group’s issuing and acquiring entities in the UK.
The appointment is communicated to the ICO.
The DPO works closely with a network of privacy specialists and compliance lawyers who monitor compliance with Applicable Data Protection Laws in the UK. The DPO is supported in his/her tasks by the Global Privacy Office led by American Express Chief Privacy Officer.
All American Express BCRs Entities provide appropriate training materials and courses for all Employees, and in particular for Employees who collect, Process, have permanent or regular access to Personal Data or who are involved in the development of tools used to Process Personal Data to ensure that they are aware of their obligations under Applicable Data Protection Legislation and these BCRs. Such courses are mandatory, and their completion is monitored.
American Express has implemented a compliance programme that provides for regular compliance checks and audits of American Express BCRs Entities ’ operations (by internal or, where needed, by external auditors) to ensure that these BCRs and all related policies and procedures are respected and up to date.
Data protection audits cover all aspects of these BCRs including methods of ensuring that corrective measures will take place.
Additional data protection audits may be requested by the DPO upon his/her own initiative or upon specific request of an American Express BCRs Entity. American Express internal audit group, as an independent control body, will assess the opportunity of these audit requests according to their risk assessment framework.
The results of these compliance checks and audits will be communicated to the Global Privacy Office of American Express, the DPO, the ICO (if requested) and made available to the Audit Committee of the Board of Directors of American Express Company.
Where a compliance gap is found, the relevant American Express BCRs Entity must follow any specific guidance from the DPO. Where the guidance cannot be observed, the American Express BCRs Entity must document the reason for this.
American Express will also co-operate with any compliance checks conducted by the ICO whether commenced in response to a complaint from a Data Subject, or by the ICO’s own initiative.
8.1. Liability of American Express BCRs Entities
The American Express BCRs Entities are responsible for complying with these BCRs. In addition to the individual responsibilities of the American Express BCRs Entities, AESEL will accept responsibility for any breach of these BCRs by an American Express BCRs Entity outside of the UK that Processes Personal Data as per Applicable Data Protection Legislation. AESEL shall be entitled to take any necessary action to remedy the acts or omissions of any American Express BCRs Entity that Process Personal Data in violation of these BCRs.
AESEL is liable to pay compensation due for any material or non-material damages suffered by Data Subjects arising in connection with any breach of these BCRs. Compensation must be agreed upon by the DPO before an offer of redress or payment is made. All compensation paid will be in full satisfaction of the Data Subject’s claim against all American Express BCRs Entities . For the avoidance of doubt, AESEL’s liability extends to the acts or omissions of any American Express BCRs Entity that is not situated in the UK that breaches these BCRs.
If an American Express BCRs Entity (including when that entity is situated outside of the UK) violates these BCRs, the competent UK courts will have jurisdiction in relation to such violation. To the extent that an American Express BCRs Entity breaches these BCRs, Data Subjects, the ICO and courts of applicable jurisdictions may exercise their rights and bring a claim against AESEL as if such conduct had been performed by AESEL in the UK (for more information about how to lodge a complaint, please refer to section 9 below).
8.2. Third-Party Beneficiary Rights
Each Data Subject may enforce against AESEL or any American Express BCRs Entity, the terms of the following provisions of these BCRs as a third-party beneficiary:
- data protection principles (Section 4.1);
- transparency and easy access to BCRs (Section 1.2 and 4.1.1);
- Data Subjects’ rights (Section 4.2);
- compliance, enforcement and liability (Section 8);
- right to complain through the American Express internal complaint mechanism (Section 9);
- right to lodge a complaint with the ICO and before the competent UK court (Section 9);
- co-operation with the ICO (Section 10); and
- conflict of laws (Section 11.1).
8.3. Burden of proof
AESEL bears the burden of proof in demonstrating that the American Express BCRs Entity situated outside of the UK is not liable for any purported violation of these BCRs that gives rise to the Data Subject’s claim for compensation for damages. Where AESEL can prove that an American Express BCRs Entity outside of the UK is not responsible for the event giving rise to the damage, AESEL and such company may discharge itself from such responsibility and liability.
If You want to submit a complaint or claim and exercise your rights in relation to these BCRs, You are encouraged to contact the DPO at any time, in writing at AESEL’s headquarters at American Express Services Limited at Belgrave House, 76 Buckingham Palace Rd, Belgravia, London SW1W 9AX or via email at email@example.com.
Our DPO will address your complaints without undue delay and in any event, within one month. Taking into account the complexity and number of the requests, that one-month period may be extended at maximum by an additional two months, in which case We will inform You accordingly.
For more information on the American Express complaints handling process and on how to submit a complaint please visit our Online Privacy Statement.
If the issue is not resolved to your satisfaction, You may also:
- lodge a complaint with the ICO;
- bring your claim before a competent court of the UK, and where appropriate, obtain compensation for the damages You suffered as a result of the breach of the above-mentioned Third-Party Beneficiary Rights.
All American Express BCRs Entities will co-operate with, and accept to be audited by, the ICO and will comply with its advice on any issues regarding the Applicable Data Protection Legislation.
If the ICO finds that one of the American Express BCRs Entities has breached any of the rights offered to Data Subjects under these BCRs, this American Express BCRs Entity will abide by the findings of the ICO, subject to the right to challenge or appeal such findings.
11.1. National legislation preventing compliance with the UK BCRs
In the event an American Express BCRs Entity has reason to believe a law to which it is subject precludes compliance with these BCRs or is likely to have a substantial effect on the guarantees set forth in these BCRs, the relevant contact for this American Express BCRs Entity will inform the DPO at AESEL unless prohibited by applicable law(s). Where necessary, the DPO will notify the ICO of the conflict of law, save to the extent prohibited by applicable law(s).
If an American Express BCRs Entity receives a request for Personal Data by a law enforcement authority or state security body, the DPO will inform the ICO about the request (including information about the data requested, the requesting body, and the legal basis for the disclosure). If, in specific cases, the suspension and/or notification to the ICO is prohibited by applicable law(s), American Express will use its best efforts to waive this prohibition to expeditiously communicate as much information to the ICO, and be able to demonstrate that it did so.
If, in the above cases, despite having used its reasonable efforts, the American Express BCRs Entity is not in a position to notify the ICO, it will annually provide general information on the requests it received to the ICO (such as the number of applications for disclosure, type of Personal Data requested, name of the requestor if possible, etc.).
In any case, Transfers of Personal Data by an American Express BCRs Entity to any public authority will not be massive, disproportionate and indiscriminate. This limitation shall apply to any legally binding request for disclosure of Personal Data by a law enforcement authority or state security body.
11.2. Relationship between national laws and the UK BCRs
Where the Applicable Data Protection Legislation requires a higher level of protection for Personal Data , those data protection laws will take precedence over these BCRs.
We may update the terms of these BCRs to, for instance, consider modifications of the regulatory environment or the company structure. We commit to report material changes to these BCRs without undue delay to all American Express BCRs Entities and to the ICO. Any changes to the BCRs or to the list of American Express BCRs Entity will be reported once a year to the ICO with a brief explanation of the reasons justifying the update. Where a modification would possibly affect the level of the protection offered by these BCRs or significantly affect these BCRs, it will be promptly communicated to the ICO.
American Express has identified a team that keeps a fully updated list of the American Express BCRs Entities and keeps track of and records any updates to the rules and provides the necessary information to the Data Subjects or ICO upon request. In addition, the American Express BCRs Entities will not make any Transfer to a new American Express BCRs Entity until this new entity is effectively bound by these BCRs and can deliver compliance.
American Express is a globally integrated payments and travel company that is principally engaged in four segments: i) Customer payment services, ii) merchant services, iii) network services and operations, and (iv) travel, meetings and events services. Our Processing activities are carried out in the context of these activities, as described below.
i) Customer payment services
American Express issues a wide range of payment services (such as payment cards and credit cards) to individuals, each with related services (such as loyalty programmes, membership and award schemes, and insurance mediation).
American Express also offers commercial products and services to businesses (including corporate payment, expense management services and loan products).
iI) Merchant services
American Express operates a global merchant services business, which includes obtaining the agreement of merchants to accept American Express branded cards and other financial products from their customers as a means of payment, as well as permitting American Express to perform processing and settling of card transactions for those merchants.
As a part of this merchant services business, American Express notably assists merchants that accept American Express cards by providing analytical and consulting expertise to identify new trends, enable product innovation, and enable expansion and improvements to marketing through the more effective use of the American Express data infrastructure. The Processing activities carried out for these purposes will create deidentified or aggregated databases where it is appropriate.
iii) Network services and operations
The American Express network authenticates, clears and settles card transactions and provides multi-channel marketing programs and capabilities, services and data analytics. It manages and evolves American Express’ payment network reliability, security, and processing capabilities to enable commerce across the globe. In addition, the American Express network manages a variety of capabilities that enable payments in new forms or channels while implementing policy to govern the many parties that engage with the network.
iv) Travel, meetings and events services
American Express is one of the world’s largest travel agency businesses and annually makes millions of travel reservations for consumers and individual employees of corporate clients and, on an exceptional basis, their travel companions, who may wish to travel anywhere in the world.
American Express also provides travel management expertise to corporate clients and assists Customers in organising meetings and events on a global basis. American Express also provides consumer travel services to individual consumers, but primarily those who are cardholders of an American Express branded card.
v) Human resources
American Express BCRs Entities also Process Employees’ Personal Data mainly for the purpose of administering and fulfilling its employment relationship with American Express’ Employees (for instance, appointments or severance, background checks, performance management, work management or other personnel matter in relation to management of Employee relations); and to comply with internal policies and applicable law(s).
The types of Personal Data Processed are described in the various American Express Privacy Statements, as applicable to the Data Subjects’ relationship with American Express and may be generally described as follows:
i) Customers’ Personal Data
Customers’ Personal Data may include personal details (such as name, address, and other contact information), information relating to products and services used and purchased; creditworthiness; online activity including for instance information We collect when Customers access our online account services or via cookies and similar technologies; information relating to lifestyle and social circumstances; etc. To perform travel, meetings and events related services, American Express must Process Personal Data relating to the traveller, including nationality, passport details, gender, date of birth, location and travel preferences (together “Customers’ Personal Data ”).
In some cases, Customers’ Personal Data may include Special Categories of Data, such as biometric information for security purposes (e.g., ID voice) or, for travel related services, details of any disability which may affect the ability to travel.
ii) Employees’ Personal Data
Employees’ Personal Data often includes, for instance, personal details (such as name, address, date of birth, phone number), family details, information relating to lifestyle and social circumstances; products and services used; online activity; creditworthiness; public office held; immigration status; and education and employment history and other employment related information such as performance or talent designations and compensation and benefits information (together “Employees’ Personal Data ”).
In some cases, and where allowed by national laws, Employees’ Personal Data may include Special Categories of Data, including information about racial and ethnic origin, sexual orientation, information about Employees’ health, occupational health schemes, biometric data, equal opportunities monitoring, information on trade unions and works councils.
The American Express BCRs Entities are located in the following countries:
“AESEL” – means American Express Europe Limited located at Belgrave House, 76 Buckingham Palace Rd, Belgravia, London SW1W 9AX. AESEL is the UK company within American Express that has assumed responsibility for ensuring that Personal Data is Processed in accordance with these BCRs. AESEL is a signatory party to the Intra-Group Agreement.
“American Express BCRs Entity” or “American Express BCRs Entities” or “We” or “Us” – means the American Express entity or entities which are bound by these UK BCRs.
“American Express Company” - means American Express Company, located World Financial Center, 200 Vesey St., New York, NY 10285 USA. American Express Company is a signatory party to the Intra-Group Agreement.
“American Express Privacy Statements” - means the Cardmember Privacy Statement (for cardmembers), the Online Privacy Statement (for Customers and website visitors), the Online Recruitment Privacy Statement (for potential Employees), or the Employee Privacy Notice (for current Employees), and other notices, terms and conditions (such as for merchants and corporate clients) which are applicable to the Data Subject’s relationship with American Express and as amended from time to time.
“Applicable Data Protection Legislation” – means the UK GDPR, the Data Protection Act 2018 (UK DPA), The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), and any other data protection law and regulation applicable in the UK (all the above as amended and replaced from time to time).
“Consent” – means any freely given, specific, informed and unambiguous indication, through a statement or clear affirmative action, of the Data Subjects’ agreement to the Processing of their Personal Data.
“Data Breach” or “Personal Data Breach” - means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Data Controller” - means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Protection Impact Assessment” – means an assessment of the impact of an envisaged Processing operation on the protection of Personal Data carried out where the Processing is likely to result in a high risk to the rights and freedoms of Data Subjects.
“Data Subject(s)” or “You” – refers to an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person in scope of these BCRs.
“Data Processor” - means the natural or legal person, public authority, agency or any other body which Processes Personal Data on behalf of and under the instructions of the Data Controller.
“Intra-Group Agreement” – means the intra-group agreement that binds American Express BCRs Entities to these UK BCRs.
“Personal Data” – means any information relating to an identified or identifiable natural person (Data Subject) that is within the scope of these BCRs.
“Processing” or “Process” – means any operation or set of operations which is performed on Personal Data or on sets of Personal Data , whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Profiling” – means automated Processing of Personal Data intended to analyse, to evaluate certain personal aspects relating to individuals (such as their performance at work, creditworthiness, reliability, conduct) or to make predictions about them.
“Special Categories of Data” – means any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data Processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
“Transfer”– means any transfer of Personal Data from one company in the UK to another or onward transfer which would otherwise be restricted by the UK GDPR. A transfer is performed via any communication, copy or disclosure of Personal Data through a network, including remote access to a database or transfer from any medium to another.
“UK GDPR” – means the General Data Protection Regulation, Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.