American Express®
Corporate Cardmember Privacy Statement

Effective date: 31/07/2025

Corporate Cardmember Privacy Statement

What is this document?

American Express Europe, S.A. ("American Express") is committed to protecting your privacy. For our contact details and those of our Data Protection Officer, please see the "Query or Complaint" section.

In this Corporate Cardmember Privacy Statement we describe how American Express, as a data controller, collects, uses, shares and retains your Personal Data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) and Organic Law 3/2018, dated December 5, on Personal Data Protection and guarantee of digital rights, when you use our products or services linked to our corporate cards (that is, Corporate Card, Corporate Meeting Card, Business Expense Card, Travel Card, B2B Card or any other corporate card) and we also explain the rights and choices that are available to you. This Corporate Cardmember Privacy Statement includes specific details about how we use the information tied to your corporate card and related services.

There is a separate Online Privacy Statement that describes how we collect, use, share and retain your Personal Data when you interact with us online. It is not specific to our products or services. It applies to Personal Data collected online through our websites and mobile applications, as well as in connection with services where we rely on third parties, such as social media providers and Business Partners, or when you interact or communicate with us (for example, by phone).

Therefore, we ask that you also take some time to review the Online Privacy Statement. If you are ever unsure about which privacy statement applies to a particular activity, please remember that this Corporate Cardmember Privacy Statement will prevail over the Online Privacy Statement and will apply to the extent that the activity relates to the processing of your Personal Data tied to your corporate card. In other words, regarding the interaction between this Corporate Cardmember Privacy Statement and the Online Privacy Statement, please note that both will apply to you when you use any digital services related to your corporate card. The Corporate Cardmember Privacy Statement governs American Express' general use of your Personal Data in connection with your card and related services, while the Online Privacy Statement supplements the Corporate Cardmember Privacy Statement with respect to American Express' use of your Personal Data in connection with your use of digital services related to your corporate card.

From time to time, we may change our Corporate Cardmember Privacy Statement. If it is a material change, we will notify this to you. We will do this by contacting you in writing (to ask you to read the updated version - for example, by mail or e-mail), by clearly indicating it on your monthly statement, or by informing you that it has been updated when you visit our website, www.americanexpress.com/en-iec/.

This version was last updated on the date set out above.

This privacy statement is provided in a layered format, so if you access the privacy statement online, you can click on the specific areas listed below:

Personal Data is any information relating to you as an identified or identifiable natural person, such as your name, address, telephone number and email address and other specific information about you, such as demographic data, employment data, your income and/or transaction information. If you do not provide us with Personal Data that we tell you is mandatory (for example, if we need to collect Personal Data by law or if it is necessary to enter into a contract with you), we may not be able to offer you our corporate card products and services. We will notify you when this is the case.

We collect and process various categories of Personal Data about you, throughout your relationship with us as a corporate cardmember, and beyond that relationship, subject to the appropriate retention periods further explained below. The type of information we collect will depend on the purpose for which we process your Personal Data. Please see the section "Use of Personal Data" for more information about these purposes. We will only collect Personal Data that is necessary for our business or to comply with our legal obligations. Personal Data may include:

your identification data, including name and address, date and place of birth, nationality and contact details
financial information, such as your bank account number, card numbers, card expiration date and card cryptogram, and details of your transactions (for example, payments you make and receive)
information about your financial and credit history, including proof of income, employment data, expenses and credit and loan history
information about your preferences (for example, the offers you redeem through your Membership Rewards points)
information about your financial and credit history, including proof of income, employment data, expenses, and credit and loan history when you have an individual or combined liability corporate card
in limited cases where it is authorized by law, information about criminal convictions and offences

We collect your Personal Data directly from you, through the following means:

your application form;
your communications with us and the way in which you use your account (such as information provided during service calls);
any study (for example, a statistical or market study), survey or contest in which you participate or to which you respond, or any marketing offer in which you register; and
other information you provide directly to us.

We also collect your Personal Data through different sources depending on the product or service you request or use, such as:

when you use your corporate card to make transactions with merchants, ATM operators, use concierge services or book travel);
from publicly available registries or databases (for example, when you have an individual or combined liability corporate card, from the Central Risk Information Service (the SCIRBE), from credit information systems, from the Commercial Registry and from the Social Security database if you authorize it);
forms relating to services and benefits, insurance, travel or other corporate programs in which you or your company are enrolled;
third parties, such as:
- Business Partners. These are third parties with whom we maintain business or contractual relationships, such as co-brand partners, partners or Membership Rewards partners, insurance and car rental service providers, or merchants that accept American Express cards as payment for the goods or services they offer; or;
- Open Banking Providers. Information we receive from open banking providers that you (or a duly authorized third party on your behalf) have authorized. Open banking providers provide payment initiation or account information services (for example, you may authorize open banking providers to collect account information from your bank, which is then shared with American Express in order to complete our underwriting verifications to issue you a card).

In addition, we also collect digital data, such as your IP address or other information about your online interactions, as described in the Online Privacy Statement.

We sometimes process Personal Data in a way that it no longer identifies any individual. Once processed in this way, they will no longer constitute Personal Data and will be aggregated and anonymized information. We process Personal Data to aggregate and anonymize it to:

analyze trends among groups of people, such as cardmembers;
create business analysis or statistical reports; and/or
improve our advertising and our business.

We sometimes share aggregated and anonymized information with Business Partners or other trusted third parties for one or more purposes mentioned above.

We use your Personal Data on its own or combined with other information (for example, when you use any digital services related to your corporate card). Under data protection legislation, we need a "lawful basis" to process your Personal Data, which may be any of the following: (i) where it is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract with you; (ii) where it is necessary to pursue our legitimate interests, such as preventing fraud and/or improving our products or services; (iii) where we have obtained your consent, (iv) for compliance with legal obligations where we are required by law to process your Personal Data, such as, for example, to carry out the due diligence process that financial institutions are required to perform before approving card accounts.

The following table sets out what we use your Personal Data for and our legal basis for doing so. Please note that we consider and balance the potential impact on you and your rights before processing your Personal Data to pursue our legitimate interests. The legitimate interest relied upon in each case is also set out in the table below.

Please note that we may process your Personal Data under more than one legal basis, depending on the specific purpose for which we are using your Personal Data. Please contact us if you need detailed information about the specific legal basis on which we are relying to process your Personal Data where more than one basis has been set out in the table below.

What we use your information for	Legal basis for using your Personal Data
To process applications for our corporate card products, including making decisions about whether to approve your application, which sometimes are automated and involve profiling. See the "Automated Decision Making" section of this Corporate Cardmember Privacy Statement for more information.	When necessary for the performance of our contract with you or to take steps to enter into a contract with you, related to our products or services. To pursue our legitimate interest in performing the corporate card products and services contract we have entered into with your company.
To maintain records of rejected applications for our products and services for audit, analysis, quality control and reporting purposes.	To comply with our legal obligations, for example, pursuant to Law 16/2011, dated June 24, 2011, on consumer credit contracts, and any other relevant for payment institutions. To pursue our legitimate interest in ensuring the management and protection of our business and interests and to check the quality of our internal processes. To pursue our legitimate interest in complying with the regulatory guidelines of the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses ("SEPBLAC").
To comply with our regulatory obligations when reviewing your corporate card application (such as performing due diligence on you before approving your application). This sometimes involves automated decision making and profiling. See the "Automated Decision Making" section of this Corporate Cardmember Privacy Statement for more information.	To comply with our legal obligations, such as the anti-money laundering obligations set forth in Law 10/2010, dated April 28, 2010, on the prevention of money laundering and terrorist financing; Royal Decree-Law 19/2018, dated November 23, 2018, on payment services and other urgent measures in financial matters; Law 44/2002, dated November 22, 2002, on Financial System Reform Measures, and any other relevant for payment institutions.. To pursue our legitimate interest in conducting due diligence processes to ensure that our interests (as a company) are adequately protected.
To administer and manage your account and provide you and/or your company with our services, as well as process, approve and complete individual transactions.	When necessary for the performance of our contract with you or to take steps to enter into a contract with you, related to our products or services. To pursue our legitimate interest in performing the corporate card products and services contract we have entered into with your company. To pursue our legitimate interest in managing our business risks (such as fraud and security risks), fulfilling our obligations to your company and ensuring that you and your company are provided with a high level of customer care and service.
To administer any service, benefit, insurance, travel or other corporate programs in which you or your company are enrolled. This means that we will transfer Personal Data to our insurance partners if the insurance programs provided in conjunction with our products and services are provided by these third parties..	To pursue our legitimate interest in managing our contractual relationship with your company and performing corporate card products and services contract that we have entered into with your company. When necessary for the performance of our contract with you or to take steps to enter into a contract with you, related to our products or services.
To provide you and your company with the location- based services you have requested (if any).	When necessary for the performance of our contract with you or to take steps to enter into a contract with you, related to our products or services. To pursue our legitimate interest in performing the corporate card products and services contract we have entered into with your company.
To communicate with you via email, SMS or any other electronic method, postal mail and/or telephone in relation to your accounts, products and services for legal, regulatory or service purposes ( for example, to inform you about features associated with your contracted products or services).	When necessary for the performance of our contract with you or to take steps to enter into a contract with you, related to our products or services. To pursue our legitimate interest in performing the corporate card products and services contract we have entered into with your company. To comply with our legal obligations, for example, under Royal Decree-Law 19/2018, dated November 23, on payment services and other urgent measures in financial matters. To pursue our legitimate interest in ensuring that we provide you with the information you need to know about your contracted products and services.
To provide you with a more appropriate service and/or to protect your interests by making reasonable accommodations, such as sending or providing you information in an adequate format (for example, if you are visually impaired).	To pursue our legitimate interest in improving your customer experience and ensuring that our service meets your needs and is tailored to your needs. To comply with our legal obligations, such as those established in Royal Decree 193/2023, dated March 21, 2007, regulating the basic conditions of accessibility and non-discrimination of persons with disabilities for access to and use of goods and services available to the public and other accessibility standards.
When interacting with some of our Business Partners available in your card's benefit program, to connect you to your Membership Rewards account (where enrolled and applicable) and, depending on your card product, allow you to use Membership Rewards points to pay for products or services with a Business Partner.	When necessary for the performance of our contract with you or to take steps to enter into a contract with you, related to our products or services. To pursue our legitimate interest in performing the corporate card products and services contract we have entered into with your company. To pursue our legitimate interest in enhancing your customer experience, promoting the use of the benefits we offer you and facilitating the use of these benefits with our Business Partners (as applicable).
To carry out checks for the purpose of keeping your account and Personal Data secure, detecting and preventing fraud or criminal activity (including reviewing and approving individual transactions) and verifying your identity before providing services to you (including by conducting and monitoring "know your customer" processes).	To comply with our legal obligations, such as those set forth in Law 10/2010, dated April 28, 2010, on the prevention of money laundering and the financing of terrorism; Royal Decree-Law 19/2018, dated November 23, 2018, on payment services and other urgent measures in financial matters; Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication and any other relevant for payment institutions. To pursue our legitimate interest in managing our business risks, such as operational and security risks, and detecting, preventing and investigating fraud.our consent
To answer any questions you may have, to respond to your requests (customer service) and to manage and process any complaints you may have.	When necessary for the performance of our contract with you or to take steps to enter into a contract with you, related to our products or services. To pursue our legitimate interest in having complaints investigated and in providing you with a high level of service. To comply with our legal obligations, for example, under Royal Decree-Law 19/2018, dated November 23, on payment services and other urgent measures in financial matters.d oturgent measures in financial matters.
To protect our business interests, recover debts and exercise other rights we have under any contract with you or your company.	When necessary for the performance of our contract with you or to take steps to enter into a contract with you, related to our products or services. To pursue our legitimate interest in performing the corporate card products and services contract we have entered into with your company. To pursue our legitimate interest in ensuring the management and protection of our business, including the collection of any debts owed to us.
To manage mergers, acquisitions, sales of business assets and, in general, the management of extraordinary corporate operations.	To pursue our legitimate interest in managing corporate operations.
To establish, exercise or defend rights or in the context of legal claims and to assist in dispute resolution.	To pursue our legitimate interest in ensuring the management and protection of our business and interests. protection
To develop and improve our products and services, including to better understand our customers, their needs, preferences and behaviors based on the preferences you select when interacting with our corporate card products and services. In this regard, we will place you in groups of similar customers to offer you products or services that may be more suitable for you or tailored to your preferences, and we will try to evaluate and analyze whether our advertisements, promotions and offers are effective.	To pursue our legitimate interest in improving our products and services (for example, to ensure that our products and services remain competitive and relevant to our customers).
To analyze how our corporate cardmembers use our corporate card products and services to create reports that enable our corporate clients to develop and maintain efficient transactions and travel policies and procedures.	To pursue our legitimate interest in helping our corporate clients with the maintenance and development of efficient travel transactions, policies and procedures.
To help us better understand your financial circumstances and behavior so that we can make decisions about how to manage your existing accounts and what other products or services we may offer you.	To pursue our legitimate interest in improving our products and services and to ensure that they meet your needs. To comply with our legal obligations, such as those set forth in Law 10/2010, dated April 28, 2010, on the prevention of money laundering and the financing of terrorism; Royal Decree-Law 19/2018, dated November 23, on payment services and other urgent measures in financial matters; Law 44/2002, dated November 22, 2002, on Financial System Reform Measures, and any other relevant for payment institutions.
To check that we have followed your instructions correctly, to develop and improve our services and for training and quality purposes.	To pursue our legitimate interest in improving our products and services and to ensure that we provide you with a high level of customer service.
To record, transcribe and monitor calls for the following purposes: training, quality, compliance, fraud prevention and complaint processing.	To pursue our legitimate interest in improving our products and services and ensuring that we provide you with a high level of customer service, as well as to manage our business risks, such as operational and security risks, and to detect, prevent and investigate fraud and credit risks.
To offer you open banking services (for more information, see the "Open Banking" section).	When necessary for the performance of our contract with you or to take steps to enter into a contract with you, related to our products or services. To comply with our legal obligations, such as under Royal Decree-Law 19/2018 dated 23 November on payment services and other urgent financial measures; Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication and any other relevant for payment institutions.
To perform tests and checks (to ensure security and when we upgrade our systems), to manage the administration of the website, to support and facilitate the development of the information technology system and to safeguard the security of your Personal Data.	To pursue our legitimate interest in managing our business risks, such as compliance, regulatory, operational and security risks.
To develop and refine our policies, models and procedures on customer applications and accounts, based on information contained in your application or relating to your creditworthiness (including any information provided by third parties, such as the Bank of Spain), fraud risk and account history.	To pursue our legitimate interest in managing our business risks, including credit, regulatory and fraud risks.
To have information about our collection practices and share information with the Bank of Spain (for example, to report risks you hold with us to the extent you have an individual or combined liability corporate card).	To pursue our legitimate interest in managing our business and credit risk. To comply with our legal obligations, such as those arising from Royal Decree-Law 19/2018, dated November 23, on payment services and other urgent measures in financial matters; Law 44/2002, dated November 22, on Financial System Reform Measures, and any other relevant for payment institutions.
To conduct research and analysis, including allowing you to provide feedback by rating and reviewing our products and services and those of the merchants that act as our Business Partners, and to produce data analysis, statistical studies and reports on an aggregate basis.	To pursue our legitimate interest in conducting research and analysis, to improve and develop our business and the services and products we offer to our corporate customers, and to help our Business Partners do the same.
To anonymize Personal Data and produce aggregated and anonymized information to be shared with Business Partners or other trusted third parties to analyse trends among groups of people, such as corporate cardmembers, create business insights or statistical research reports, and/or improve our advertising and our business and that of our Business Partners.	To pursue our legitimate interest in conducting research and analysis, to improve and develop our business and the services and products we offer to our corporate customers, and to help our Business Partners do the same.
To produce reports and statistics that enable your company to maintain an effective administration and recruitment policy (this may also include information on outstanding debts).	To pursue our legitimate interest in managing our business relationship with your company.
To respond to inquiries from and/or cooperate with regulators, law enforcement and other authorities.	To comply with our legal obligations under any law that requires us to cooperate with regulators, law enforcement and any other authorities. To pursue our legitimate interest in supporting and/or cooperating with regulators, law enforcement and other authorities in the detection and prevention of fraud and crime, particularly as it affects our cardmembers.
To share your Personal Data with other entities within the American Express Group so that they can provide us with back-office services and assist us in meeting our regulatory obligations (for example, conducting and monitoring "know your customer" processes).	To comply with our legal obligations, such as the anti-money laundering obligations set forth in Law 10/2010, dated April 28, 2010, on the prevention of money laundering and terrorist financing; Royal Decree-Law 19/2018, dated November 23, 2018, on payment services and other urgent measures in financial matters. To pursue our legitimate interest in managing our business risks, such as operational and security risks, and detecting, preventing and investigating fraud. To pursue our legitimate interest in transmitting Personal Data within the American Express Group for internal administrative purposes.

Some of the Personal Data we collect is of a more sensitive nature (also known as special categories of Personal Data). We will always collect these data in accordance with applicable law. In particular, we may process sensitive Personal Data relating to your health (in order to provide you with a more appropriate service). The following table explains what we use your sensitive Personal Data for and the legal basis for doing so.

What we use your Sensitive Personal Data for	The legal basis for doing so and the condition allowing the processing
To comply with relevant laws and regulations and to cooperate with regulators, law enforcement and any other authorities (for example, in connection with the processing of criminal convictions and offences data to comply with a court order or subpoena).	To comply with our legal obligations to cooperate with regulators, law enforcement and other authorities. When necessary for the establishment, exercise or defence of legal claims.
Criminal convictions and offences data for the purpose of gathering evidence and investigating an alleged crime in order to prosecute, bring an action or defend the legal rights of American Express.	To pursue our legitimate interest in investigating suspected crimes related to the provision of our card products and services to protect our business, interests and rights, as well as those of affected individuals. To comply with our legal obligations to report crimes that come to our attention, such as, for example, under the obligations set forth in the Royal Decree dated September 14, 1882, approving the Criminal Procedure Act and Law 2/2023 dated February 20, regulating the protection of persons who report regulatory violations and the fight against corruption. When necessary for the establishment, exercise or defence of legal claims.
We may use the information you have provided about your personal circumstances (including medical and health information) for some of the purposes set out in the table above. For example, to enable us to provide you with a more appropriate service and to make reasonable accommodations (for example, if you have a disability).	When necessary for the performance of our contract with you or to take steps to enter into a contract with you, related to our products or services. To pursue our legitimate interest in performing the corporate card products and services contract we have entered into with your company. Your express consent.

When you use open banking services (when available), we will process your Personal Data to enable activities such as:

our credit card and/or credit lines application processes, for purposes of income verification and fraud prevention; or
(if any) to comply with a request made on your behalf by (i) an account information service provider, when they provide you with consolidated information on the account(s) that you hold with one or more bank(s) or payment institution(s) or (ii) a payment initiation services provider, when they initiate a payment to pay a merchant on your behalf.

In this context, we will process your Personal Data for the above purposes as described in the section "Use of Personal Data".

We use fully automated processes to help us make certain decisions about you, including to asses certain attributes about you in order to provide our services to you. This may also involve profiling (for example, credit and risk fraud profiles). This means that we will use software and/or artificial intelligence to automatically assess your personal circumstances in order to identify or predict risks or certain outcomes. For example, we use automated processes to make decisions about you in relation to the following:

detect, monitor and manage fraud; and
assess credit risks, for example, to check whether you meet our eligibility criteria and decide whether we can issue you a card, or grant you credit when you have an individual or combined liability corporate card.

This is known as "automated decision making". Some of these decisions are made solely by automated means and have legal or similar effects, as explained below. However, we will only carry out such processing if it is:

necessary to enter into or perform a contract between you and American Express. For example, we may decide that some of our products and/or services may not be suitable for you based on your credit history and if you do not meet our eligibility criteria;
authorized by a law to which American Express is subject and which also provides for appropriate measures to safeguard your rights and freedoms and legitimate interests (for example, to prevent fraud); or
carried out on the basis of your explicit consent to such processing.

How automated processes make decisions

Application process

We consider several factors when approving or declining an application for one of our corporate cards, including the information provided on your application form, your income and your expenses. We will use this information to determine the likelihood that you (if your application is approved) will default on your account within a certain period of time. In order to manage our credit risk, we may decline your application if we believe there is a high probability that you will default during this period. If your application is approved, we will also use this information to determine your credit limit.

Fraud

We will evaluate payments made to and from your account to identify any payments that are unusual. For example, if there is a payment that you would not normally make (such as a payment of a significant sum, which does not match your transaction history), we may take steps to prevent us from making a payment that is likely to be fraudulent.

We will also evaluate your spending behavior and transaction history to identify whether it is likely to constitute a fraud risk (for example, if a sudden change in your spending and repayment behavior suggests that you do not intend to pay outstanding balances owed to American Express). This may result in us taking steps to mitigate the risk to us, including declining charges you make on your card.

Assessing credit risks

When you have an individual or combined liability corporate card, as part of managing our relationship with you, we consider several factors to assess whether a credit risk exists, or whether you are experiencing financial difficulties. This may include assessing the activity on your account, your payment history (for example, whether you have missed payments that are due and payable), the information you provided to us on your application form (for example, your income) and information we obtain from the Bank of Spain and credit information systems. We will use this information to decide whether to take any action in relation to your card to manage any credit risk. This may involve us reducing your credit line if we reasonably believe that you are likely to default on your payments in the future.

Our automated decision-making methods are regularly tested to ensure that they remain fair, effective and unbiased.

When we use automated decision making to enter into or perform a contract with you, as authorized by law or based on your explicit consent, you have the right to express your point of view, challenge the decision made, and request human intervention. See the "Your Rights" section for more information about your rights related to automated decision making.

We will only share your Personal Data with third parties when it is lawful for us to do so and for a specific purpose (as set out in the tables above or below), including with:

the Bank of Spain and credit information systems to inquire about your financial circumstances, and to report financial risks and, where applicable, debts that you have with us (for more information, see the section "Bank of Spain and Fraud Prevention" below);
police, regulators, courts, government agencies, tax authorities and any other third parties (for example, third parties specified in a court order) to comply with legal or regulatory requirements, law enforcement and/or other requests in connection with actual or suspected fraud or criminal activity, or the investigation thereof, as well as regulatory investigations, and to protect the rights of American Express or others;
collection agencies and external legal counsel to collect debts and charges on your account or that of your company;
our Service Providers (including their subcontractors) who perform services on our behalf and assist us in managing your account and/or operating our business (that is, any supplier, third party and/or company that provides services or performs business operations on our behalf, such as communications services, fraud checks, outsourced data processing and technology, services, ad management, auditors, consultants and professional advisors, such as external legal counsel and accountants);
companies or other product and service lines within the American Express Group. For example, when such companies provide services to us and/or when it is necessary for us to lawfully conduct our business;
Business Partners, such as entities that accept American Express branded cards for payment of goods/services purchased by you (that is, merchants), distribution partners, your bank or other payment card issuers to provide, deliver, offer, customize or develop products and services to you, and address or resolve complaints. We will not share your contact information with Business Partners to independently promote their own products or services to you without your consent. However, we may send you offers about their products or services. Please note that if you take advantage of an offer from a Business Partner and become their customer, they may send you communications independently. In this case, you should review their privacy statement and inform them separately if you wish to opt out of receiving future communications from them;
providers of insurance products or services included in your corporate card program that may be available to you as a benefit of the card;
any third party authorized by you or your company, such as any open banking or payment service provider or service provider that provides its services to your company and is authorized by your company to allow transactions and billing, or third parties that provide banking services;
our loyalty partners to connect you to your Membership Rewards account (where enrolled and applicable) and, depending on your corporate card product, to any partners available in your card's benefit program;
your company (including the program administrator) or its related companies, including its agents and processors and advisors (such as accountants, attorneys and other professional advisors) that your company has authorized, or any other person that your company has communicated to us that is authorized to give instructions or use the account, as well as to fulfill contractual obligations with your company;
any person to whom we transfer or assign our contractual rights.

Where you have an individual or combined liability corporate card we will exchange your Personal Data as part of the due diligence process performed on you as a customer and to prevent fraudulent conduct or behavior that contravenes international sanctions and comply with anti-money laundering, anti-terrorist financing and tax fraud regulations. We will do so with:

Credit information systems, in the event of non-compliance with credit, financial or monetary obligations, such as BADEXCUG (Experian Bureau de Crédito, S.A., Apartado de Correos 1.188, 28108, Alcobendas (Madrid) and e-mail badexcug@experian.com). American Express and Experian Bureau de Crédito, S.A. act as joint data controllers regarding the processing of the debtors' data communicated to the BADEXCUG file by American Express.
Fraud Prevention Agencies, such as the CONFIRMA File. We match the personal data you provide in the context of an application with those of applications and transactions registered in the CONFIRMA File to assess the probability of fraud of your application. This processing is carried out on the basis of our legitimate interest in preventing fraud. The data relating to your application will be kept in the CONFIRMA File for a maximum period of two years. The CONFIRMA File is the responsibility of the entities adhered to the same, you can access the complete list of the same in the following link: www.confirmasistemas.es. You may exercise your data protection rights in relation to the CONFIRMA File by sending an email to dpo@confirmasistemas.es.
The Central Credit Register of the Bank of Spain (the "SCIRBE"), to which we will report all financial risks that you may hold with us to the extent that you have an individual or combined liability corporate card.

We may obtain Personal Data about you from Fraud Prevention Agencies and credit information systems, including, where applicable, those regarding your household, and those regarding any company in which you are involved (including data regarding your directors or partners in the company). We may also request from SCIRBE information regarding all background, risk and credit information in your name in order to determine your financial solvency to the extent that you have an individual or combined liability corporate card.

When you apply

We request confirmation from Fraud Prevention Agencies and credit information systems to verify that no payment incidents have been reported against you.

During the lifetime of your account

We will continue to search the records of the Bank of Spain and Fraud Prevention Agencies and credit information systems to provide assistance in the management of your account, including by consulting the associated records of your financial partners. These searches will not be viewed or used by other organizations to assess your creditworthiness. We will also conduct other credit checks while you have money owed on your account.

We will communicate to the Bank of Spain the financial risks you hold with us. The Bank of Spain will record this information in SCIRBE and may share it with other organizations for the purpose of evaluating your applications, and the applications of any other party that has a financial relationship with you, for credit or other services, for other risk management purposes, and for fraud prevention and debtor tracing. Records exchanged with the Bank of Spain remain on file for up to 5 years unless you close and settle them earlier.

We will analyze your Personal Data to provide assistance in managing your account and to prevent fraud or other illegal activity. If fraud is detected, you may be denied certain services, financing or employment. We and other organizations, including Fraud Prevention Agencies, other American Express Group entities and our insurance partners, may access and use your Personal Data to prevent fraud and money laundering and to verify your identity, for example, when:

we verify information you provide to us through applications for insurance, credit and credit- related or other services;
we manage credits, accounts or services related to credits and insurance policies;
we collect debts; or
we check the details of applications, proposals and claims for all types of insurance.

We and other organizations may access and use information recorded by Fraud Prevention Agencies from other countries. See the "International Data Transfers" section for more information.

We transfer your Personal Data to organizations located in other countries and to regulatory authorities in other countries in certain circumstances in connection with the provision of our corporate card products and services. Some of these jurisdictions may not offer the same level of protection for Personal Data as that offered in the European Economic Area (EEA). Some countries will have different data protection laws. This includes transfers to countries outside the EEA, such as the United States, where our main operational data centers are located. We carry out these transfers to operate our business, process foreign purchase transactions, administer your account and that of your company and provide our products and services to you and your company.

Please note that no matter where we process your Personal Data, we will always protect it in the manner described in our privacy policies or statements and in accordance with applicable law. When we transfer your Personal Data to certain countries outside the EEA:

If that country has been the subject of an adequacy decision by the European Commission (see the list of countries here), we will rely on that decision to conduct our transfer; orIf that country has been the subject of an adequacy decision by the European Commission (see the list of countries here), we will rely on that decision to conduct our transfer; or

In the case of transfers of Personal Data to a third party in the United States, we may rely on that third party's certification under the EU-US Data Privacy Framework to transfer your Personal Data.

In other cases, we are obliged to establish an "adequate guarantee". In particular:

When we share Personal Data with other entities in the American Express Group covered by our Binding Corporate Rules and outside the EEA, we ensure an adequate level of protection through our Binding Corporate Rules, available here. Our Binding Corporate Rules ensure the protection of your Personal Data by requiring all entities in our group to follow the same standards when processing your Personal Data.

When we share your Personal Data with other entities outside the EEA located in countries that have not been the subject of an European Commission adequacy decision, we include appropriate contractual protections (including European Commission standard contractual clauses) in those agreements. In addition, we assess whether additional technical and organizational measures are required for such transfers.

You can receive a copy of these contractual protections by contacting us. For more information, please see the "Query or Complaint" section below.

We use organizational, administrative, technical and physical security measures to safeguard your Personal Data and help ensure that your information is processed properly, accurately and completely. We require Service Providers to safeguard your Personal Data and only use it for the purposes we specify.

We will retain your Personal Data only for as long as you or your company are our customers and we need it to perform our contractual relationship with you or your company and to provide you with the corporate card products and services you have requested. After our relationship with you or your company ends (for example, when your account is closed), we will only retain your Personal Data for an appropriate period of time, taking into account the nature and sensitivity of the data and the purposes for which we continue to retain it.

We will only retain Personal Data for specific purposes, including those that allow us to:

comply or demonstrate compliance with our legal and regulatory requirements (for example, laws relating to money laundering);
defend ourselves or initiate legal action;
maintaining business records for analysis or audit purposes; and
keep a record of people who do not wish to receive advertising from us.

For example, your Personal Data will be stored by American Express for 5 years after your account is closed. This is related to the time available to take legal action. Personal Data necessary to fight money laundering will be stored for 10 years after the closure of your account, in accordance with applicable anti-money laundering legislation. We will retain your Personal Data after this period if your account is in default and the balance remains unpaid or unsettled, or for legal or regulatory reasons or requirements.

We will block your Personal Data whenever it must be rectified or deleted in accordance with Article 32 of Organic Law 3/2018, dated December 5, on Personal Data Protection and guarantee of digital rights for the enforcement of possible liabilities arising from the processing during the applicable statute of limitations period.

On the other hand, we will retain the Personal Data of potential customers for 6 months when we need to keep a record of rejected applications.

When your Personal Data is no longer needed for the above purposes, we will securely destroy it or convert it into information that can no longer be associated with you. If you would like more information about our data retention practices, you may contact us; please see the "Query or Complaint" section for more information

We encourage you to periodically check that all Personal Data we hold about you is accurate and up to date. If you believe that any information we have about you is incorrect or incomplete, you may ask us to correct or delete it from our records. We encourage you to visit www.americanexpress.com/en-iec/, log in and update your Personal Data. If you prefer, you may contact us; see the "Query or Complaint" section for more information. Any information found to be incorrect or incomplete will be corrected promptly.

You have the right to access, update, limit, apply for portability, delete or object to the processing of your Personal Data. More specifically, you have the right to:

Withdraw your consent for us to use your Personal Data at any time, when our processing is based on your consent.

This will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to offer you certain products or services. We will inform you of this at the time you withdraw your consent.
Request the limitation of the use of your Personal Data in certain cases.

You can ask us to limit the processing of your Personal Data in the following cases:
- if you want us to check the accuracy of the Personal Data;
- when our use of the Personal Data is unlawful, but you do not want us to delete it (for example, for the enforcement of any liabilities arising from the processing during the applicable statute of limitations period for legal action);
- when you need us to keep the Personal Data even though we no longer need it, because you need it to establish, exercise or defend legal claims; or
- you have objected to our use of your Personal Data, but we need to verify whether we have overriding legitimate grounds to use it.

In certain cases, request the deletion of your Personal Data.

This allows you to ask us to erase or delete your Personal Data where there is no good reason for us to continue to process it. You also have the right to ask us to erase or delete your Personal Data where you have successfully exercised your right to object to the processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with applicable law. Please note, however, that in some circumstances we may not be able to comply with your request for specific reasons set out in applicable law, which will be notified to you, if applicable, at the time of your request.
Request a human review of automated decisions that affect your legal or contractual rights or that could have a similar significant effect.

In certain circumstances, you have the right to request a review of an automated decision, to express your views and to challenge the decision. This right only applies to fully automated decisions and will not apply if there has already been human intervention by us as part of the decision-making process.
Request a copy of the Personal Data we hold about you (often referred to as a "data subject access request" or "DSAR").
This allows you to receive a copy of the Personal Data we hold about you and to check that we are processing it lawfully.
Establish guidelines regarding your Personal Data upon your death in accordance with the applicable legislation. In this regard, the persons expressly designated by the deceased data subjects, or the Public Prosecutor's Office in the case of minors or persons with disabilities, may request access to the Personal Data of the deceased data subject or the rectification of the Personal Data of the deceased data subject.

You may also object to our processing of your Personal Data:

for reasons related to your particular situation, where the applicable legal basis is legitimate interests. In some cases, we may demonstrate that we have legitimate grounds to process your Personal Data, which override your rights and freedoms. In such a case, we will inform you; and

when your Personal Data is processed for direct marketing purposes.

If we receive a request from you to exercise your rights, we will respond as soon as possible and at the latest within one calendar month, except in the following case: If, due to the nature or circumstances of your request, we are unable to meet that deadline, we may extend it by up to two additional months (complex requests). In this case, we will send you an e-mail or a letter explaining the reason for the delay.

If you wish to exercise any of your rights, please click here . If you have any questions about how we handle your Personal Data, you can contact us - see the "Query or Complaint" section for more information.

You can choose how American Express collects and uses your Personal Data for advertising purposes. We work with a number of advertising partners, including ad networks, ad-servers, and social media platforms, to display our online advertisements. Your choices will vary depending on whether we show you ads through websites, apps, or social media.

You have the following choices regarding the Personal Data we collect about you:

In connection with cookies and similar technologies:
- If you do not want us to collect Personal Data about you through cookies or similar technologies for advertising purposes, you can choose to reject the installation of cookies through the banner that appears when you first visit our websites, by clicking on "Set Cookie Preferences" or through your browser settings, as explained in the "Information about cookies and similar technologies" policy. To reject the installation of cookies on third-party websites or applications, you should consult the applicable privacy policies and terms and conditions.
- If you reject cookies, purchase a new device, access websites from another device, or change your browser, you will need to choose the option to reject cookies again.
- If you choose to reject cookies, we will continue to show you advertising related to our products or services, but it will not be based on your Personal Data.
You can also change the settings of how we collect your Personal Data in your device settings. For example, you can disable location services and ad-tracking on devices.

If you have any questions about this Corporate Cardmember Privacy Statement or how your information is handled or wish to file a complaint or exercise your rights, please call us at the toll-free number on the back of your corporate card or at the number posted on our website in the "Contact Us" section. You may also contact our Data Protection Officer at DPO-Europe@aexp.com. You can also write to American Express Europe, S.A; with address at Avenida Partenón 12-14. 28042 Madrid.

You also have the right to contact the Spanish Data Protection Authority directly at https://www.aepd.es/ or other competent supervisory authorities. If you are not satisfied with the resolution given to your request, you may also bring your case before the court in the place where you live, work or where an infringement may have occurred.

More Features, Benefits and Information

AMERICAN EXPRESS

American Express® Corporate Cardmember Privacy Statement

Personal Data Collected

Use of Personal Data

Sensitive Personal Data

Open Banking

Automated Decision Making

Personal Data Sharing

Bank of Spain and Fraud Prevention

International Data Transfers

Security

Retention of Personal Data

Accuracy of your Personal Data

Your Rights

Marketing Choices

Query or Complaint

More Features, Benefits and Information

American Express®
Corporate Cardmember Privacy Statement