AMERICAN EXPRESS EU BINDING CORPORATE RULES (EU BCRs)
Table of Contents
- Introduction
- Binding Nature of the BCRs
- Scope of our BCRs
- How does American Express protect your Personal Data?
- Data Protection Officer
- Training and information
- Checks and audits
- Compliance, Enforcement and Liability
- How can you submit a complaint and enforce compliance with the EU BCRs?
- Duty of cooperation with Supervisory Authorities
- How do we deal with potential conflicts of law?
- Changes to the EU BCRs
- Appendix 1 - Nature and purpose of Personal Data transferred within the scope of the BCRs
- Appendix 2 - Locations of American Express Group Companies to which the BCRs apply
- Glossary
Introduction
1.1. Overview
American Express values the trust you place in it and respects your privacy.
Data protection and information security have long been a focal point of our company. As a multinational organisation, we are committed to protecting your Personal Data wherever it is used. All Personal Data collected by American Express is processed in compliance with our Data Protection and Privacy Principles.
In 2012, American Express was one of the first companies to publish binding corporate rules that were approved by the UK Information Commissioner's Office. These "binding corporate rules", hereafter referred to as BCRs, form the basis of all our privacy activities and ensure strict compliance within all areas of our activities.
These BCRs apply, among other things, to the international transfer of Personal Data between the American Express Group Companies to which the BCRs apply, in accordance with applicable data protection legislation. This ensures that your Personal Data is always adequately protected, regardless of where it is transferred.
1.2. Easy access to BCRs
You can check our BCRs on American Express websites across Europe. You can also request a copy of these BCRs from our data protection officer, or the local American Express Group Company that is responsible for your Personal Data, at the address below. The supervisory authority that primarily monitors our BCRs is the Agencia Española de Protección de Datos (AEPD).
Binding Nature of the BCRs
Our BCRs are legally binding for all American Express Group Companies to which the BCRs apply and their employees, pursuant to an Intragroup Agreement entered into between American Express Company and American Express Europe, S.A. (AEESA) - the legal representative of American Express in the EEA.
Any American Express Group Companies to which the BCRs apply and their employees may only process Personal Data according to these BCRs. Employees who violate these BCRs may be subject to disciplinary action.
Scope of our BCRs
3.1. Geographic scope
Our BCRs apply to any processing of Personal Data carried out under applicable data protection legislation. This includes Personal Data of data subjects processed or to be processed in the course of the activities of an American Express Group company based in the EEA to which the BCRs apply, even if the processing is carried out by an American Express Group company based outside the EEA to which the BCRs apply.
3.2. Material scope
In its capacity as a Data Controller, American Express processes the Personal Data of former, current and future employees, directors, contractors and individual consultants, as well as retired persons formerly employed by American Express on a full-time, part-time, permanent or temporary basis ("employees"), and of former, existing and future customers of American Express and natural persons employed by American Express' business relations, suppliers and partners ("customers").
The purposes for which American Express processes Personal Data mainly relate to consumer services, business services, insurance, travel, meetings and events, and networking services, as well as human resources.
To effectively conduct American Express' international operations, the processing of Personal Data by the American Express Group Companies to which the BCRs apply, in connection with the purposes set out in these BCRs, may also include the transfer of Personal Data of data subjects from an American Express Group Company located in the EEA to which the BCRs apply to an American Express Group Company to which the BCRs apply located outside the EEA (including transfers from countries within the EEA to the United States, where American Express' main servers are located), and any onward transfer of that received Personal Data to a third party outside the American Express Group.
• See Appendix 1 for a more comprehensive overview of American Express' processing activities.
• See Appendix 2 for an overview of where our American Express Group Companies to which the BCRs apply are located.
How does American Express protect your Personal Data?
In processing your Personal Data, the American Express Group Companies to which the BCRs apply undertake to adhere to strict Personal Data protection principles (chapter 4.1) and to respect your data protection rights (chapter 4.2).
4.1. Principles of data protection
4.1.1. Transparency and fairness
The American Express Group Companies to which the BCRs apply collect and process your Personal Data transparently and fairly.
We ensure that you have easy access to information about our processing activities, as required by the General Data Protection Regulation (GDPR). This information is made available to you in a concise, transparent, understandable, easily accessible format and clear and simple language and is available in American Express' relevant privacy statements as applicable to your relationship with us. These statements and general terms and conditions may contain additional provisions relevant to the processing of Personal Data, according to the provisions of national applicable laws and regulations.
In particular, when we collect Personal Data from data subjects, we provide the following information:
- the identity and contact details of the Data Controller and, if applicable, its representative;
- the contact details of the data protection officer;
- the purposes of the processing for which the Personal Data is collected and the legal basis for the processing;
- the recipients or categories of recipients of the Personal Data, if applicable;
- whether Personal Data is transferred to countries where an adequate level of protection is not in place, and the appropriate safeguards taken to ensure the same level of protection as prescribed in the GDPR;
- the period for which Personal Data will be retained or, if it is not possible to specify this, the criteria applicable to the determination of that period and the existence of the data subjects' rights, as referred to in the GDPR.
Where the Personal Data has not been provided by the data subjects themselves, the data subjects should be informed in due time of the above information and of the categories of relevant Personal Data and their origin (unless the data subject already has this information, the provision of this information proves impossible or would involve a disproportionate effort, the obtaining or provision of the data is expressly required by Union or Member State law, or where the Personal Data must remain confidential by virtue of professional confidentiality under Union or Member State law, including a statutory duty of confidentiality).
Our BCRs also inform you of the rights you have as a third-party beneficiary with respect to the processing of your Personal Data under these BCRs against AEESA or any other American Express Group Companies to which the BCRs apply ("third-party beneficiary rights") and how to exercise such rights (see chapter 8). In addition, these BCRs contain information on the data protection principles applied by us when processing your Personal Data (as explained in more detail in this chapter 4) and information on the liability of the American Express Group Companies to which the BCRs apply in the event of a breach of these BCRs (see chapter 8).
You may further request to receive a copy of our BCRs. A public version of the BCRs is also available at any time on the public websites of the EEA-based American Express Group Companies to which the BCRs apply and on our intranet, if you are an employee.
4.1.2. Legality of processing
Your Personal Data and special categories of data will be processed fairly and lawfully, in accordance with applicable data protection legislation. The legal grounds for processing your Personal Data are described in more detail in American Express' privacy statements that apply to your relationship with American Express.
• Processing of Personal Data
Your Personal Data will only be collected and processed if there is a legal basis for doing so, for example:
- when you have provided express consent (for example, to send you an e-mail with advertisements, promotions and offers for American Express products and services);
- where such processing is necessary for the performance of a contract to which you are a party or to take action at your request prior to the conclusion of a contract (for example, to manage our contractual relationship with you and process your application for a card, account or other product or to manage your existing accounts);
- where such processing is necessary for the fulfilment of a legal obligation (e.g. to report certain suspicious transactions to competent authorities under anti-money laundering rules or as otherwise required by law to carry out an investigation of customers before their application is approved); or
- where such processing is necessary for the legitimate interests of an American Express Group company to which the BCRs apply or third parties (for example, to provide products and services, advertise and market products and services, conduct research and analysis, and manage our fraud and security risks) unless your interests or rights and freedoms outweigh such interests.
• Processing of special categories of data
We may collect special categories of data, including data on health, biometric data, sexual orientation and/or racial/ethnic origin. This data is collected and processed to comply with legal requirements for purposes essential to the management of the employment relationship or if transmitted with express consent, and only to the extent permitted by applicable legislation.
For example, you may provide us with data to specify your relationship with us in more detail (e.g. data on specific dietary requirements or the need for special assistance during a flight).
Insofar as special categories of data are collected, they will only be processed on one of the legal grounds stated above, provided that one of the conditions for processing special categories of data applies, for example when:
- you have provided express consent to the processing;
- such processing is necessary for the fulfilment of obligations and the exercise of specific rights by American Express under labour law and social security and social protection law;
- such processing relates to special categories of data that you have manifestly disclosed;
- such processing is necessary for the establishment, exercise or defence of legal claims;
- such processing is necessary for reasons of substantial public interest based on Union law or Member State law.
In addition, the American Express Group Companies to which the BCRs apply will take additional measures to process special categories of data as required under applicable data protection legislation.
4.1.3. Data minimisation, correctness and storage limitation
The American Express Group Companies to which the BCRs apply use appropriate technology and proven employee practices to process your Personal Data promptly and appropriately.
We take reasonable steps to ensure that your Personal Data:
- is accurate and up-to-date, given the purposes for which it is processed (accuracy of data). Incorrect Personal Data will be deleted or rectified without delay;
- is adequate, relevant and not excessive in relation to the purpose for which the Personal Data was collected and processed (data minimisation); and
- is retained in an identifiable form for no longer than necessary for the purposes for which the Personal Data is processed, and is retained for a longer period only for archiving purposes or as otherwise permitted or required under applicable legislation, and in such case only when appropriate administrative, technical and organisational measures have been taken (storage limitation).
4.1.4. Purpose
The American Express Group Companies to which the BCRs apply collect Personal Data only for specific and legitimate purposes. We process your Personal Data fairly and only for the purposes we have communicated to you and which are authorised by you or by applicable data protection legislation. We will ensure that your Personal Data is not further processed in a manner that is incompatible with these purposes.
4.1.5. Data security and confidentiality
American Express has implemented and is committed to maintaining a comprehensive written information security programme that complies with local legislation and applicable data protection legislation.
The American Express Group Companies to which the BCRs apply take appropriate administrative, technical and organisational measures to protect your Personal Data from accidental or unlawful destruction, damage or alteration and from unauthorised disclosure or access. We keep your Personal Data confidential and restrict access to your Personal Data to those who specifically need it for their business activities, unless otherwise required under applicable legislation.
Such measures should ensure a level of security that is appropriate to the risk and should take into account the state of technology, the costs of implementation and the nature, scope, context and purpose of the processing, as well as the risks to the rights and freedoms of data subjects that vary in their likelihood and seriousness. Depending on the instance, these measures include:
- the pseudonymisation and encryption of Personal Data of data subjects,
- measures to ensure, on an ongoing basis, the confidentiality, integrity, availability and resilience of our processing systems and services;
- measures that enable the timely restoration of availability of and access to data subjects' Personal Data after a physical or technical incident; and
- a procedure for periodically testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the security of processing.
We require third parties appointed by us to process your Personal Data on our behalf to also take appropriate administrative, technical and organisational measures. We only enter into contractual commitments with internal and external processors that provide the safeguards prescribed under the GDPR.
Processing by the processor should only take place based on an agreement that is binding on the processor towards the data controller that specifies the subject matter and duration of the processing, the nature and purposes of the processing, the type of Personal Data processed, the categories of data subjects and the obligations and rights of the controller.
The contract with the processor should additionally contain the following obligations, pursuant to which:
- the Personal Data may only be processed based on written instructions from the Data Controller, or it is ensured that the persons authorised to process the Personal Data have undertaken to observe confidentiality or are bound by an appropriate legal obligation of confidentiality;
- appropriate technical and organisational measures are taken to ensure an adequate level of security;
- no other processor ("sub-processor") may be appointed without the prior specific or general written consent of the Data Controller and only if the same data protection obligations are imposed on this sub-processor as described in the contract between the Data Controller and the processor;
- where possible, the processor should assist the Data Controller through appropriate technical and organisational measures in fulfilling its duty to carry out requests from data subjects that exercise their rights;
- the processor assists the Data Controller in fulfilling its obligations in relation to the security of processing, Personal Data breaches and data protection impact assessments;
- the processor deletes or returns the Personal Data to the Data Controller at the Data Controller's discretion after providing the services related to the processing and destroys existing copies, unless the Personal Data is required to be retained under applicable legislation;
- the processor provides the Data Controller with all the information necessary to demonstrate compliance with the obligations set out in Article 28 of the GDPR relating to processors and allows and cooperates with the Data Controller or any other controller authorised by the Data Controller to carry out audits and other inspections.
In addition, the American Express Group Companies to which the BCRs apply have administrative, technical and organisational measures in place to detect, investigate, escalate and resolve Personal Data breaches. The American Express Data Protection Officer should be promptly notified of any Personal Data breaches by the American Express Group Companies to which the BCRs apply. American Express' data protection officer will then determine whether the competent supervisory authority and the data subjects must be notified according to the regulations of the GDPR. All Personal Data breaches should be recorded (including all details thereof, consequences and corrective actions taken), which record should be made available to the supervisory authority upon request.
4.1.6. Continued transfer
Your Personal Data may be transferred to other American Express Group Companies to which the BCRs apply and further transferred to third parties, while always ensuring an appropriate level of protection for the processing of your data as required under applicable data protection legislation, regardless of where it is transferred to.
This transfer is permitted by our BCRs, under which we are authorised to transfer Personal Data from the EEA to American Express Group Companies that are covered by the BCRs and are located outside the EEA.
In all cases of onward transfer (i.e. Personal Data initially transferred from an American Express Group Company located in the EEA to which the BCRs apply to an American Express Group Company to which the BCRs apply outside the EEA, and subsequently transferred to one or more third parties to which the BCRs do not apply), the American Express Group Companies to which the BCRs apply should ensure that a written agreement is entered into with these third parties that contains provisions ensuring that the protection of the Personal Data in terms of confidentiality and security is at least of the same level as envisaged in these BCRs, or that these third parties use another valid lawful method to ensure that the transfer is lawful and that appropriate safeguards as referred to in Article 46 of the GDPR are provided.
4.1.7. Accountability
All American Express Group Companies to which the BCRs apply must comply with these BCRs and should be able to demonstrate this. Compliance with these regulations includes:
- maintenance of an electronic register of processing activities, to be made available to the supervisory authorities upon request, which contains the information required under the GDPR, e.g. the name and contact details of the Data Controller, the purposes of the processing, the categories of data subjects and categories of Personal Data, the recipients of the Personal Data, the transfer to countries outside the EEA, the time limits for erasure of Personal Data and the description of the security measures applied;
- carrying out data protection impact assessments (applicable only where the processing activities pose an increased risk to the rights and freedoms of data subjects); and
- consultation with relevant supervisory authorities where required to demonstrate such compliance.
In addition, the American Express Group companies to which the BCRs apply have taken appropriate administrative, technical and organisational measures to apply data protection principles and enable compliance with the regulations of these BCRs (data protection by design and by default).
4.2. Rights of data subjects
• Right of access, restriction of processing, objection, rectification, erasure, right to withdraw consent and right to data portability
Your requests to exercise your rights under the GDPR will be met, where applicable, by the American Express Group Companies to which the BCRs apply. In particular, we ensure that you can exercise the following rights:
- access to your Personal Data (right of inspection);
- restriction of processing of your Personal Data and/or the right to object to it (right to restrict processing and right to object to processing);
- rectification of your Personal Data (right to rectification and completion);
- removal of your Personal Data (right to be forgotten);
- withdrawal of a previously provided consent for processing; and
- obtaining your Personal Data in a structured, common and machine-readable form and/or transferring such data to another Data Controller (right to data portability).
The American Express Group Companies to which the BCRs apply must comply with policies regarding processing such requests to ensure that you have the opportunity to exercise these rights. To exercise these rights, please contact our data protection officer at DPO-Europe@aexp.com.
• Automated decision-making
The American Express Group Companies to which the BCRs apply should ensure that no decisions based solely on automated processing of Personal Data are made concerning you, including profiling, which produce legal effects or otherwise significantly affect you, unless such processing:
- is necessary for the conclusion of an agreement between you and American Express;
- is permitted under a law that American Express is required to comply with and which contains appropriate measures to protect your rights, freedoms and legitimate interests; or
- is done based on your explicit consent to such processing.
We take appropriate measures to protect your rights, freedoms, and legitimate interests according to applicable legislation, and, at minimum, the right to human intervention and the right to express your point of view and challenge the decision.
Subject to these restrictions, we may use automated processes to make certain decisions, e.g. to detect and counter fraud (e.g. to help determine whether your account is being used for fraudulent purposes or money laundering or to check whether fraudsters have accessed your account); or to process card applications and assess credit and security risks. These methods are regularly tested to ensure they remain fair, effective and unbiased.
You can contact our data protection officer at DPO-Europe@aexp.com to exercise your right to request a manual review of certain automated processing activities that may affect your legal or other contractual rights or may have a comparable legal effect.
Data Protection Officer
American Express has appointed a data protection officer, who is responsible for monitoring compliance with the BCRs. The data protection officer has the following duties:
- inform and advise American Express Group Companies and American Express employees of their obligations under applicable data protection legislation;
- monitor compliance with applicable data protection legislation by assessing major risk indicators and means of control. The data protection officer reports on these supervisory activities to the relevant management;
- advise on data protection impact assessments and monitor their implementation;
- cooperate with supervisory authorities; and
- act as a contact person for supervisory authorities.
The Data Protection Officer, who has professional competence, reports to the Chief Privacy Officer of American Express. The European American Express Group Companies appointed the data protection officer as a member of the board of AEESA and of American Express Payments Europe SA, respectively the group's main issuing and acquiring Group Companies in Europe.
Such appointment will be notified to all supervisory authorities of the European countries where American Express is based.
The data protection officer works closely with a network of privacy experts and compliance lawyers in each European market, monitoring compliance with applicable data protection legislation in their jurisdictions. The Data Protection Officer is supported in their duties by the Global Privacy Office, headed by the Chief Privacy Officer of American Express.
Training and information
All American Express Group Companies to which the BCRs apply should make appropriate training materials and courses available to all employees, in particular to those employees who collect and process Personal Data, have standing or regular access to it or who are involved in the development of tools used to process Personal Data, to ensure that they are aware of their obligations under applicable data protection legislation and these BCRs. Such courses are mandatory, and their completion will be monitored.
Checks and audits
American Express has implemented a compliance programme under which the activities of American Express Group Companies to which the BCRs apply are regularly audited (by internal or, if necessary, external auditors) to ensure that all BCRs and related policies and procedures are respected and up-to-date.
These data protection audits cover all aspects of BCRs and include methods to ensure corrective action is taken where necessary.
The Data Protection Officer may request additional data protection checks on their own initiative or at the specific request of an American Express Group company to which the BCRs apply. American Express' internal audit group, as an independent audit body, will then assess, based on their risk assessment framework, whether such additional monitoring is appropriate.
The results of these compliance reviews and audits are communicated to American Express' Global Privacy Office, the Data Protection Officer, relevant supervisory authorities (if requested) and made available to the audit committee of the American Express Company board of directors.
If there is a failure to comply, the relevant American Express Group company to which the BCRs apply must follow any specific guidance issued by the Data Protection Officer. If the guidelines cannot be followed, the American Express Group company to which the BCRs apply must state the reasons.
American Express should further cooperate with all compliance checks carried out by an appropriate supervisory authority, regardless of whether the check is carried out in response to a complaint from a data subject or on the supervisory authority's own initiative.
Compliance, Enforcement and Liability
8.1. Liability of American Express Group Companies to which the BCRs apply
The American Express Group Companies to which the BCRs apply are responsible for compliance with the BCRs. In addition to the individual responsibilities of the American Express Group Companies to which the BCRs apply, AEESA accepts responsibility for any breaches of the BCRs by non-EEA-based American Express Group Companies to which the BCRs apply that process Personal Data under applicable data protection legislation. AEESA may take all necessary measures to remedy the breaching acts or omissions of any American Express Group Company to which the BCRs apply that processes Personal Data.
AEESA is liable to compensate all material and immaterial damages suffered by data subjects in connection with breaches of the BCRs. Such compensation should be agreed upon with the data protection officer before any offer of compensation or payment is made. All damages paid constitute complete satisfaction of the data subject's claim against all American Express Group Companies to which the BCRs apply. To eliminate any doubt, AEESA's liability also applies to the acts or omissions of American Express Group companies to which the BCRs apply that are not located in the EEA and which are in breach of the BCRs.
If an American Express Group Company to which the BCRs apply breaches the BCRs (even if the Group Company is located outside the EEA), the competent European courts will have jurisdiction concerning such breach. To the extent that an American Express Group company to which the BCRs apply breaches the BCRs, data subjects, supervisory authorities and courts in the relevant jurisdiction may exercise their rights and bring an action against AEESA where the act has been committed by AEESA within the EEA (see chapter 9 below for more information on how to file a complaint).
8.2. Rights of third-party beneficiaries
Any data subject may, as a third-party beneficiary, require compliance with the following provisions of the BCRs by AEESA or any other American Express Group Companies to which the BCRs apply:
- data protection principles (chapter 4.1);
- transparency and easy access to BCRs (chapter 1.2 and 4.1.1);
- rights of data subjects (chapter 4.2);
- compliance, enforcement and liability (Chapter 8);
- the right to submit a complaint through American Express' internal complaints procedure (chapter 9);
- the right to submit a complaint to the supervisory authority and the competent European court (chapter 9);
- cooperation with supervisory authorities (Chapter 10); and
- conflict of laws (chapter 11.1).
8.3. Burden of proof
AEESA bears the burden of proof to show that a non-EEA-based American Express Group Company to which the BCRs apply is not liable for any alleged breaches of the BCRs on the basis of which data subjects may be entitled to compensation. Where AEESA can demonstrate that a non-EEA-based American Express Group Company to which the BCRs apply is not responsible for the incident that gave rise to the loss, AEESA and that Group Company may disclaim such responsibility and liability.
How can you submit a complaint and enforce compliance with the EU BCRs?
If you wish to submit a complaint or claim about these BCRs or exercise your rights, you can contact the data protection officer for that purpose at any time. To do so, you can send a letter to AEESA's headquarters at the following address: American Express Europe SA, Avenida Partenón 12 - 14, 28042 Madrid / SPAIN or contact us at the e-mail address DPO-Europe@aexp.com.
Our data protection officer will address your complaints promptly and, in any event, within one month. Depending on the complexity and number of requests, this one-month period may be extended by up to two months. We will notify you if this is the case.
You can find more information about American Express' procedure for handling complaints and how to file a complaint in our Online Privacy Statement.
If the problem is not resolved to your satisfaction, you can also:
• submit a complaint with the supervisory authority in the Member State where you habitually reside, work or where the alleged infringement took place;
• institute proceedings before a competent court in the European country where the relevant American Express Group company to which the BCRs apply is located or where you habitually reside, and where applicable, obtain compensation for the damage you have suffered as a result of the infringement of the third-party beneficiary rights stated above.
Duty of cooperation with supervisory authorities
All American Express Group Companies to which the BCRs apply should cooperate with and accept that they may be subject to investigation by a relevant supervisory authority and will follow the advice of such supervisory authority on all matters relating to applicable data protection legislation.
If the supervisory authority determines that any of the American Express Group Companies to which the BCRs apply has infringed the rights of data subjects under these BCRs, the American Express Group Company to which the BCRs apply should comply with the findings of the supervisory authority, subject to the right to challenge or appeal those findings.
11.1. National legislation that prevents compliance with EU BCRs
When an American Express Group Company to which the BCRs apply has reason to believe that legislation applicable to that Group Company makes it impossible to comply with the BCRs or is likely to have a significant impact on the safeguards contained in the BCRs, the relevant contact person of that American Express Group Company should inform the Data Protection Officer at AEESA unless prohibited by applicable legislation. Where necessary, the data protection officer should inform the competent supervisory authority of such conflicts of laws unless the applicable legislation prohibits this.
If an American Express Group Company to which the BCRs apply receives a request from an investigative body or state security agency to hand over Personal Data, the Data Protection Officer should notify the competent supervisory authority (specifying information on the data requested, the requesting body and the legal basis for the disclosure). Where applicable legislation prohibits suspension of the request and/or reporting to the competent supervisory authority, American Express will make every effort to obtain a waiver of this prohibition in order to provide as much information as possible to the competent supervisory authority as soon as possible, and to be able to demonstrate that this has been done.
If, in the above cases, the American Express Group Company to which the BCRs apply is unable, despite reasonable efforts, to notify the competent supervisory authority, the Group Company should, on an annual basis, provide general information to the supervisory authority about the requests it has received (e.g. the number of requests for disclosure, the type of Personal Data requested, the name of the requester if possible, etc.).
In any case, the transfer of Personal Data by an American Express Group Company subject to the BCRs to a public authority must not be massive, disproportionate or indiscriminate. This restriction applies to any legally binding request to disclose Personal Data from an investigative or state security agency.
11.2. Relationship between national legislation and EU BCRs
To the extent that applicable data protection legislation requires a higher level of Personal Data protection, such legislation will take precedence over these BCRs.
Changes to the EU BCRs
We may revise the terms of our BCRs, for example to reflect changes in laws and regulations or in our corporate structure. We undertake to promptly notify all American Express Group Companies to which the BCRs apply and the AEPD of any material changes to our BCRs. Any changes to the BCRs or to the list of American Express Group Companies to which the BCRs apply are reported annually to the relevant supervisory authorities, accompanied by a brief explanation of the reasons that justify the revision. Should a change significantly affect the level of protection provided by these BCRs or otherwise have a significant impact on these BCRs, it will be communicated to the supervisory authorities through the competent supervisory authority without delay.
American Express has established a team that maintains a fully updated list of all American Express Group Companies to which the BCRs apply, identifies and records any changes to that list, and provides the necessary information to data subjects or supervisory authorities upon request. No onward transfer will be made by the American Express Group Companies to which the BCRs apply to a new American Express Group Company until that new Group Company is effectively bound by and in a position to comply with these BCRs.
Appendix 1 - Nature and purpose of Personal Data transferred within the scope of the BCRs
• Description of the types and purposes of processing activities
American Express is a global company that offers integrated payment and travel services. It operates mainly in four segments: (i) customer payment services, (ii) merchant services, (iii) network services and operations, and (iv) travel, meetings and events services. Our processing activities are carried out as part of these activities, as described below.
i) Payment services for customers
American Express makes a wide range of payment services (e.g. debit and credit cards) available to individuals, with related services (e.g. loyalty programmes, membership and rewards schemes, and insurance brokerage).
• To that effect, we process customers' Personal Data, in particular for managing and maintaining our contractual relationship and any benefits, insurance or other programmes you may have enrolled in, to deliver products and provide services, to carry out research and analysis to improve our products and services, to gain a better understanding of our customers and be able to offer a more personalised service, to manage our fraud and security risks, to promote our products and services (based on consent if required under applicable data protection legislation) or to comply with applicable legislation.
American Express also offers products and services to the corporate market (e.g. corporate payment solutions, spending management and credit products).
• To this end, we process customers' Personal Data, in particular, to manage and maintain our contractual relationship, to deliver business products and provide services, to provide customers with reporting capabilities in connection with maintaining effective procurement and travel policies and procedures, to establish policies, models and procedures for risk management and/or for making decisions on how we manage customers' accounts, to exchange information with anti-fraud services to identify debtors, to collect debts, to prevent fraud, to manage accounts or insurance policies, to make decisions on offering products such as credit and related services, or to comply with applicable legislation.
ii) Services for merchants
American Express offers merchant services worldwide, whereby merchants agree to accept American Express cards and other financial products as a means of payment and authorise American Express to process and settle card transactions.
As part of these merchant services, American Express supports merchants who accept American Express cards by providing analytics and consulting expertise to identify new trends, enable product innovation and deliver growth and marketing improvement through more effective use of American Express' data infrastructure. Processing activities carried out for these purposes will, where appropriate, compile databases of anonymised or aggregated data.
• To this end, we process Personal Data in particular to manage and maintain our contractual relationship with merchants, to exchange information with credit reporting agencies to prevent fraud or detect debtors or to verify a person's identity, to develop our products and/or, based on consent if required under applicable data protection legislation, to offer products or services or to comply with applicable legislation, including anti-money laundering and counter-terrorism legislation.
iii) Network services and activities
Through its network, American Express verifies, clears, and settles card transactions and makes its marketing programmes, capabilities, services, and data analytics available through multiple channels. It monitors and builds on the reliability, security and processing capabilities of American Express' payment network to enable global merchant transactions. In addition, the American Express network manages a variety of capabilities that enable payments through new methods or channels and applies policies that the many parties involved in the network must adhere to.
• To this end, we process Personal Data in particular to settle transactions carried out by American Express customers with merchants that accept American Express. Processing activities include measures to prevent fraud and to comply with applicable legislation, including anti-money laundering and counter-terrorism legislation.
iv) Travel, meeting and event services
American Express is one of the largest travel organisations in the world. Every year, we handle millions of reservations for consumers and for employees of corporate customers (and, in exceptional cases, for their travel companions) relating to trips around the world.
American Express Global Business Travel (GBT) also makes its travel expertise available to corporate customers and supports customers worldwide in organising meetings and events. Details of GBT's processing activities can be found at https://privacy.amexgbt.com/.
American Express also offers travel services to individual consumers, but mainly to consumers holding an American Express branded card.
• To this end, we process Personal Data in particular for managing the business relationship, providing services, conducting research and analysis to improve our products and services, to gain a better understanding of our customers and to be able to offer more personalised services, to manage our fraud and security risks, to promote our products and services (based on consent if required under applicable data protection legislation) or to comply with applicable legislation.
v) Human resources
American Express Group Companies to which the BCRs apply also process employee Personal Data, in particular, to manage and maintain the employment relationship with American Express employees (e.g., hiring or firing, background checks, performance management, work management or other personnel matters related to the management of the employee's employment relationship) and to comply with internal policies and applicable legislation.
• Description of the types of Personal Data
The types of Personal Data processed are described in the various American Express Privacy Statements as they apply to data subjects' relationship with American Express, which can generally be described as follows:
i) Personal Data of customers
Personal Data of customers may include Personal Data (e.g. name, address and other contact information), information relating to products and services purchased, creditworthiness, online activities (including, for example, the information we collect when customers access our online account services or through cookies and similar technologies), information on lifestyle and social circumstances, etc. In order to provide travel, meetings and events services, American Express must process Personal Data that relates to the traveller, e.g. nationality, passport details, gender, date of birth, destination and travel preferences (collectively referred to as "customer Personal Data").
In some cases, customer Personal Data may include special categories of data, e.g. biometric information for security purposes (e.g. voice identification) or for travel services, data on disabilities that may affect the ability to travel.
ii) Personal Data of employees
Personal Data of employees normally includes Personal Data (e.g. name, address, date of birth, telephone number), data on family composition, information on lifestyle and social circumstances, products and services purchased, online activities, creditworthiness, public offices held, immigration status, education and employment history and other work-related information, e.g. performance or talent assessments and information on compensation and benefits (collectively referred to as "Personal Data of employees").
In certain cases, and if allowed by national law, Personal Data of employees may include special categories of data, e.g. information on racial and ethnic origin, sexual orientation, information on health, occupational health schemes, biometric data, equal opportunities monitoring, information on trade unions and works councils.
Appendix 2 - Locations of American Express Group Companies to which the BCRs apply
The American Express Group Companies to which the BCRs apply are located in the following countries:
- Argentina
- Austria
- Australia
- Belgium
- Canada
- China
- Colombia
- Czech Republic
- Denmark
- Finland
- France
- Germany
- Greece
- Hong Kong
- Hungary
- India
- Ireland
- Italy
- Japan
- Jersey
- Malaysia
- Mexico
- Netherlands
- Norway
- Philippines
- Poland
- Russia
- Singapore
- Slovakia
- Spain
- Sweden
- Switzerland
- Taiwan
- Thailand
- United Kingdom
- United States
Glossary
“AEESA” – means American Express Europe, S.A., located at Avenida Partenón 12-14, Madrid, 28042, Spain. AEESA is responsible within American Express for ensuring that Personal Data is Processed according to the BCRs. AEESA is a party to the Intra-Group Agreement.
“American Express Group Company/Companies to which the BCRs apply”, “we/our” or “us” – means the Company/Companies of American Express that are bound by the BCRs.
“American Express Company” - means American Express Company, located at World Financial Center, 200 Vesey St., New York, NY 10285 USA. American Express Company is a party to the Intra-Group Agreement.
“American Express Privacy Statements” - means the Cardholder Privacy Statement (for cardholders), the Online Privacy Statement (for customers and website visitors), the Online Recruitment Privacy Statement (for prospective Employees), or the Employee Privacy Statement (for existing Employees), as well as all other statements, terms and conditions applicable to the relationship between Data Subjects and American Express (e.g. for merchants and business customers), as amended from time to time.
“Applicable Data Protection Legislation” – means the GDPR (and national implementing legislation), the e-Privacy Directive 2002/58/EC (and national implementing legislation), and any other data protection legislation and regulations applicable in the EEA (all as amended and replaced from time to time).
“Consent” – means any freely given, specific, informed and unambiguous expression, by means of a statement or a clear affirmative action, indicating that the Data Subject consents to the Processing of their Personal Data.
“Data Breach” or “Personal Data Breach” - means a security breach that results in the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, Personal Data transmitted, stored or otherwise Processed.
“Data Controller” - is the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of Processing Personal Data.
“Data Protection Impact Assessment” – means an assessment of the impact of an intended Processing on the protection of Personal Data carried out when the Processing is associated with a high risk to the rights and freedoms of Data Subjects.
“Data Subject(s)” or “You” – refers to an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier, e.g. a name, an identification number, location data, an online identifier or to one or more elements characterising the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person within the scope of these BCRs.
“Data Processor” - means the natural or legal person, public authority, agency or any other body that Processes Personal Data on behalf of and at the instruction of the Data Controller.
“EEA” – means the European Economic Area, which comprises all EU Member States together with Iceland, Liechtenstein and Norway.
“GDPR” – the General Data Protection Regulation 2016/679.
“Intra-Group Agreement” – means the intragroup agreement by which American Express Group Companies to which the BCRs apply are bound by the BCRs.
“Personal Data” – means any information relating to an identified or identifiable natural person (Data Subject) within the scope of the BCRs.
“Processing” or “Process” – means any operation or set of operations carried out on Personal Data or on a set of Personal Data, whether or not by automated means, e.g. collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of data.
“Profiling” – means any form of automated Processing of Personal Data with the intention of analysing it, to evaluate certain personal aspects of individuals (e.g. their job performance, creditworthiness, reliability, behaviour) or to make predictions about them.
“Special Categories of Data” – means any Personal Data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic and biometric data Processed to uniquely identify a person, data concerning health, or data relating to a person's sexual behaviour or sexual orientation.
“Supervisory Authority” – means an independent public authority established by a Member State pursuant to Article 51 of the GDPR.
“Transfer” – means any transfer of Personal Data from one company within the EEA to another, or the onward transfer, that would otherwise be restricted by the GDPR. A transfer occurs by communicating, copying or providing Personal Data over a network, including remote access to a database or transmission from one medium to another.
© 2023 American Express Company. All rights reserved.