English | Norsk

Cardmember Privacy Statement

Effective Date: 10/07/2025

Cardmember Privacy Statement

What is this document?

American Express Europe S.A (“American Express”) is committed to protecting your privacy. For the contact details of our Data Protection Officer please see the “Query or Complaint” section.

In this Cardmember Privacy Statement, we describe how American Express, in its capacity as data controller, collects, uses, shares and keeps Personal Data about you in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation) and the Norwegian Personal Data Act LOV-2018-06-15-38, as well as any local special laws regulating the processing of personal data, as amended, on data processing, files and freedoms, when you request our products or services and we also explain the rights and choices that are available to you. This Cardmember Privacy Statement includes specific details about how we use information tied to your card and related services.

If you interact with us online, there is a separate Online Privacy Statement that describes how we collect, use, share and keep Personal Data about you in that context. It is not specific to our products or services. It applies whenever we collect information online through: (a) services we operate such as our websites and mobile “apps”; (ii) services or content we offer on third party platforms, such as our electronic communications, social media pages, voice assistant apps and digital ads; and (iii) any other services or content linked to or referenced in the Online Privacy Statement.

The information provided under this Cardmember Privacy Statement explains how we use Personal Data tied to your card and for related services. This Personal Data will be used with information we collect about you online. We therefore ask that you also take time to consider the Online Privacy Statement. If you’re ever unsure about which privacy statement applies to a particular activity, remember that this Cardmember Privacy Statement will take precedence over the Online Privacy Statement and will apply to the extent the activity relates to the processing of Personal Data tied to your card.

From time to time, we may change our Cardmember Privacy Statement. If it’s a material change, we will need to tell you about it. We’ll either do that by contacting you in writing (to ask you to read the updated version – for example by mail or e-mail), by making it clear on your monthly statement, or by letting you know that it has been updated when you visit our website, https://www.americanexpress.com/nb-no/.

This version was last updated on the date set out above.

This privacy statement is provided in a layered format, so if you’re accessing the privacy statement online, you can click through to the specific areas set out below:

Personal Data is any information relating to you as an identified or identifiable natural person, such as your name, addresses, telephone number, and email address and other information specific to you such as demographic details, employment details, your income and/or transaction information. If you do not provide us with Personal Data that we tell you is mandatory (for example, if we need to collect Personal Data by law or if it is necessary to enter into a contract with you), we may not be able to provide you with our products and services. We will notify you if this is the case at the time.

We collect and process various categories of Personal Data about you, throughout your relationship with us as a cardmember (and beyond, subject to appropriate retention periods as further explained below). The types of information we collect will depend on which product or service you request or use. We will only collect Personal Data that is necessary for our business or to comply with our legal obligations. Personal Data may include:

your personal details, including name and address, date of birth, personal identity number, nationality, contact details
financial information, such as your bank account number, card numbers, expiry date and card cryptogram, and details of your transactions (e.g. payments you make and receive)
information about your financial and credit history, including proof of income, employment details, outgoings and credit and borrowing history
information about your preferences (for example, your marketing preferences and the offers you redeem through your Membership Rewards)
biometric data used for fraud prevention and identification purposes
criminal data for collating evidence and investigate about a suspected crime
in limited cases, information about criminal convictions and offences
information about your position as, or relationship with, a Politically Exposed Person

We collect Personal Data directly from you, through the following means:

from your application form;
through the way you communicate with us and use your account (such as information provided during servicing calls);
any research, surveys or competitions you enter or respond to or any marketing offers for which you register; and
from other information you directly provide to us.

We also collect your Personal Data from different sources depending on which product or service you request or use, such as:

when you request or utilize products, goods or services (such as when you use your card to make transactions with merchants, ATM operators, use concierge services or book travel);
from checks at the Gjeldsregisteret and their records and databases and other publicly available records or databases;
if you are a Supplementary Cardmember, from the primary cardmember linked to the card account;
third parties, such as:
- Business Partners. These are third parties with whom we conduct business or have a contractual relationship, such as co-brand partners or merchants; or
- Open banking providers.Information we receive from open banking providers you (or a third party properly authorised on your behalf) have authorised. Open banking providers provide payment-initiation or account-information services (for example, you may authorise such providers to collect account information from your bank, which is subsequently shared with American Express for the purpose of completing our underwriting verifications to issue you with a card).

In addition, we also collect digital data, such as your IP address or other information about your online interactions, as described in the Online Privacy Statement.

We sometimes process Personal Data so that it no longer identifies any individual. Once processed in this manner, it will no longer constitute Personal Data and will be aggregated and anonymized information. We process Personal Data to aggregate and anonymize it to:

analyze patterns among groups of people, such as cardmembers;
create business insights or statistical research reports; and/or
improve our advertising and our business.

We sometimes share aggregated and anonymized information with Business Partners or other trusted third parties, for many of the same reasons mentioned above.

We use your Personal Data either on its own or combined with other information. We need a “lawful reason” under data protection laws to process your Personal Data, which are as follows: (i) where it is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract with you; (ii) where necessary for our legitimate interests, such as to prevent fraud and/or enhance our products or services; (iii) where we have obtained your consent, such as for marketing purposes when you opt-in to receive marketing from us; or (iv) for compliance with legal obligations and we are required by law to process your Personal Data, such as for the due diligence that financial institutions are required to perform before approving card accounts.

The table below sets out what we use your Personal Data for and our legal basis for doing so. Please note that we consider and balance any potential impact on you and your rights before processing your Personal Data for our legitimate interests. The legitimate interest relied upon is also set out in the table below.

Please note that we may process your Personal Data for more than one legal basis depending on the specific purpose for which we are using your Personal Data. Please contact us if you need details about the specific legal basis we are relying upon to process your Personal Data where more than one basis has been set out in the table below.

What we use your information for	The legal basis for using your Personal Data
To process applications for our products, including making decisions about whether to approve your application.	Where necessary to perform our contract with you or to take steps to enter into a contract with you.
To comply with our regulatory obligations when reviewing your application.	Where required by law.
To administer and manage your account and provide our services to you, such as whether to process, approve and complete individual transactions.	Where necessary to perform our contract with you or to take steps to enter into a contract with you. It is in our legitimate interests to manage our business risks (such as fraud and security risks) and to ensure you are provided with a high standard of customer care and service.
To provide you with the location-based services you requested (if any).	Where necessary to perform our contract with you or to take steps to enter into a contract with you.
To communicate with you through email, SMS or any other electronic methods, by post and/or phone about your accounts, products, and services for legal, regulatory or servicing purposes (such as updating you about features attached to your existing products or services).	Where necessary to perform our contract with you or to take steps to enter into a contract with you. To comply with our legal obligations including with respect to payment services and consumer protection and other complementary laws and other consumer regulations relevant for payment institutions. It is in our legitimate interests to ensure we provide you with information you need to know about your existing products and services.
To provide a more appropriate service and/or protecting your best interests by making reasonable adjustments, such as sending or providing you with information in an appropriate format (for example, if you have a visual disability), and to improve our websites and apps and make them more user-friendly.	It is in our legitimate interests to improve your customer experience and ensure our service meets and is appropriate for your needs. To comply with our legal obligations, including with respect to equality and accessibility and other complementary laws relating for example to equal treatment and protection against discrimination as well as other equality and accessibility regulations.
To service and manage any benefits and insurance programmes provided along with the products or services that you requested.	Where necessary to perform our contract with you or to take steps to enter into a contract with you.
When interacting with some of our Business Partners available in your card benefits programme, to connect you to your Membership Rewards account (if applicable) and, depending on your card product, enable you to use Membership Rewards points to pay for products or services with a Business Partner.	It is in our legitimate interests to improve your customer experience, to promote the use of the benefits we offer to you and to facilitate the use of these benefits with our Business Partners (as applicable).
To carry out checks for the purpose of keeping your account and Personal Data secure, detecting and preventing fraud or criminal activity (including the review and approval of individual transactions) and to check your identity before providing services to you (including through “know your customer” screening and monitoring).	To comply with our legal obligations including with respect to anti-money laundering and strong customer authentication, and any other laws and regulations relevant to and for payment institutions. It is in our legitimate interests to manage our business risks, such as operational and security risks and to detect, prevent and investigate fraud.
This may include using the location and other technical features of your mobile device or browser.	We have your permission to do so (for example, where use of your biometric data is optional and there is a legitimate need for secure identification, and the method is necessary to achieve such identification).
To answer questions submitted to us by you, respond to your requests (customer service) and manage and deal with any complaints you may have.	Where necessary to perform our contract with you or to take steps to enter into a contract with you. It is in our legitimate interests to make sure complaints are investigated and you are provided with a high level of service. To comply with our legal obligations including with respect to consumer protection and other complementary laws and other Consumer regulations.
To protect our business interests, recover debt and exercise other rights we have under any contract with you.	Where necessary to perform our contract with you or to take steps to enter into a contract with you. It is in our legitimate interests to ensure we manage and protect our business, including recovering any debts owed to us.
To manage mergers, acquisitions, sales of business assets and generally management of extraordinary corporate operations.	It is in our legitimate interests to manage our corporate operations.
To establish, exercise, or defend legal rights or claims and assist in dispute resolution.	It is in our legitimate interests to ensure we manage and protect our business and interests.
To develop and improve our products and services, including for the purpose of better understanding our customers, their needs, preferences and behaviours; place you in groups with similar customers to deliver products or services which may be more suitable for you or suit your preferences; and assess and analyse whether our ads, promotions and offers are effective.	It is in our legitimate interests to improve our products and services (for example, to make sure our products and services remain competitive and relevant for our customers).
To help us better understand your financial circumstances and behaviour so that we can make decisions about how we manage your existing accounts and what other products or services can be extended to you.	It is in our legitimate interests to improve our products and services and ensure our products and services are suitable for your needs. Where required by law.
To check we have carried out your instructions correctly, to develop and improve our services and for training and quality purposes.	It is in our legitimate interests to improve our products and services and ensure we provide you with a consistently high standard of customer service. Compliance with our legal obligations (where applicable).
To record, transcribe and monitor calls for the following purposes: training, quality, compliance, fraud prevention and complaint handling.	It is in our legitimate interests to improve our products and services and ensure we provide you with a consistently high standard of customer service.
To provide you with open banking services (for more information, please see the “Open Banking” section).	Where necessary to perform our contract with you or to take steps to enter into a contract with you. To comply with our legal obligations.
For the purpose of conducting testing (to ensure security and when we update our systems), website administration, information technology system support and development and to safeguard the security of your Personal Data.	It is in our legitimate interests to manage our business risks, such as compliance, regulatory, operational and security risks.
To develop and refine our risk management policies, models and procedures for applications and customer accounts, relying upon information in your application or relating to your creditworthiness (including any information provided by third parties, such as Gjeldsregisteret, fraud risk and account history (if applicable).	It is in our legitimate interests to manage our business risk, including credit, regulatory and fraud risks.
To inform our collection practice and share information with the Gjeldsregisteret (for example, information on delinquent payments).	To comply with our legal obligations.
To conduct research and analytics, including allowing you to give feedback by rating and reviewing our products and services and those of our Business Partners and to produce data analytics, statistical research and reports on an aggregated basis.	It is in our legitimate interest to conduct research and analytics, to improve and develop our business and the services and products we offer to customers.
To respond to queries from regulators, law enforcement and other authorities and/or to cooperate with them.	To comply with our legal obligations pursuant to any laws that mandate us to cooperate with regulators, law enforcement and any other authorities. It is in our legitimate interests to support and/or cooperate with regulators, law enforcement and other authorities in the detection and prevention of fraud and crime, particularly where it impacts our cardmembers.
To comply with legal and regulatory obligations (such as performing due diligence on you before approving your application).	Where required to comply with our legal obligations including with respect to anti-money laundering and any other laws and regulations relevant to and for payment institutions. It is in our legitimate interests to perform due diligence to ensure our interests (as a business) are appropriately protected.
To market products and services which we think you will be interested in based on your relationship with us (by email, SMS or telephone (for example - if you call us)).	It is in your legitimate interests to market products and services which we think you will be interested in, based on your relationship with us (where the law allows us to do so, on the basis of opt-out). Your consent.
To advertise, market and send you promotions and offers about products and services for or from the American Express Group (i.e., any affiliate, subsidiary, joint venture, and any company owned or controlled by our parent company) and our Business Partners, including to present content that is personalised and tailored to your preferences and interests, including targeted advertising across multiple devices or showing you offers in your Manage Your Card Account (MYCA) environment.	It is in our legitimate interests to advertise and market products and services which we think you will be interested in, based on your relationship with us (where the law allows us to do so, on the basis of opt-out). Your consent when we provide you with varied offers of products and services when we provide these offers to you by any means different from those mentioned above.

What we use your Sensitive Personal Data for	The legal basis for doing so and the relevant condition allowing the processing
Criminal data for the purpose of collating evidence and investigate about a suspected crime to establish, exercise or defend Amex’s legal rights.	Where necessary to establish, exercise or defend legal rights.
Biometric data for the purpose of identifying you, for security verification and to detect and prevent fraud.	Your express consent - we have your permission for any optional use of biometrics in cases where there is a legitimate need for secure identification, and the method is necessary to achieve such identification (for example, to identify you by face recognition).
We may use information you’ve given us about your personal circumstances (including health and medical information) for some of the purposes set out in the above table. For example, to enable us to provide a more appropriate service to you and to make reasonable adjustments.	Your express consent. Establishment, exercise or defence of legal claims.
To comply with relevant laws and regulations and to cooperate with regulators, law enforcement and any other authorities.	Establishment, exercise or defence of legal claims.

When you use open banking services (when available), we process your Personal Data to provide our open banking services, such as:

during the card application process, for income check and verification purposes; or
providing you with consolidated information on the payment account(s) that you hold with one or more bank(s) or payment institution(s), or (where applicable) complying with a request made on your behalf by a payment initiation services provider, when they initiate a payment to pay a merchant on your behalf.

In this context, we will process your Personal Data to provide you with the regulated open banking services or as otherwise described in the “Use of Personal Data” section.

We use fully automated processes to help us make certain decisions about you, including to evaluate certain attributes about you to provide our services. This may also involve profiling. What this means is that we will use software and/or artificial intelligence to automatically evaluate your personal circumstances to identify or predict risks or certain outcomes. For example, we use automated processes to make decisions about you in relation to the following:

detect, monitor and manage fraud;
process card applications (such as determining whether to approve or decline your application for a card); and
assess credit risks, including to check if you meet our eligibility criteria and decide whether we can issue you a card, or to assess if we need to take any responsible lending action in relation to your account (for example, to decrease your credit line)

This is known as “automated decision-making”. Some of those decisions that are made solely by automated means have legal effects or similar effects, which we explain further below. However, we will only perform such processing if it is:

- necessary for entering into or performing a contract between you and American Express. For example, we may decide that some of our products and/or services may not be suitable for you, based on your credit history and if you do not meet our eligibility criteria;

- authorized by a law to which American Express is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests (for example, to prevent fraud); or

- based on your explicit consent to such processing.

How we make decisions with automated processes

Application process

We take several factors into account in determining whether to approve or decline an application for one of our cards, including information provided on your application form, your income, and your outgoings. We will use this information to determine the likelihood of you (if approved) defaulting on your account. In order to manage our credit risk exposure, we may decline your application if we consider that there is a high likelihood you may default during this period. If your application is approved, we will also use this information to determine your credit limit.

Fraud

We will assess payments to and from your account to identify any payments that are unusual. For example, if there is a payment you would not usually make (such as a payment of a significant sum, which is not in accordance with your transaction history), we may take action to stop us from making a payment that is likely to be fraudulent.

We will also assess your spending behaviour and transaction history to identify if you are likely to be a fraud risk (for example, if a sudden change in your spending and repayment behaviour suggests you have no intention of paying any outstanding balances owed to American Express). This may mean that we take steps to mitigate the risk to us, including declining charges you make using your card.

Assessing credit risks

As part of managing our relationship with you, we will assess if we need to take any responsible lending actions (for example, to decrease your credit line). We take several factors into account to assess if there is a credit risk, or if you are getting into financial difficulties. This may include assessing the activity on your account, your payment history (for example, if you’ve missed payments due and payable), information you provided on your application form (for example, your income) and information we obtain from the Gjeldsregisteret. We will use this information to decide whether to take any actions in relation to your card to manage any credit risk. This may involve us decreasing your credit line if we reasonably consider that you are likely to default on future payments.

Our automated decision-making methods are regularly tested to ensure that they remain fair, effective and unbiased.

Where we use automated decision making for entering into or performing a contract with you, as authorized by law or based on your explicit consent, you have the right to express your point of view, contest the decision made and request human intervention. Please see the section “Your Rights” for more information about your rights related to automated decision making.

We will only share your Personal Data with others where it is lawful for us to do so, and for a specific purpose (as set out in the above table or below), including with:

the Gjeldsregisteret to report or ask about your financial circumstances, and to report debts you owe to us;
police, regulatory authorities, courts, governmental agencies, tax authorities and any other third party (for example, third parties specified in a court order) to comply with legal orders, legal or regulatory requirements, law enforcement requests and/or otherwise in connection with actual or suspected fraud or criminal activities, or investigation of the same;
collection agencies and external legal counsel to collect debts on your account;
our Service Providers (including their subcontractors) who perform services for us and help us manage your account and/or operate our business (i.e., any vendor, third party and/or company that provides services or performs business operations on our behalf such as communications services, fraud checks, marketing, data processing and outsourced technology, servicing, ad management, auditors, consultants and professional advisors such as external legal counsel and accountants);
companies or other lines of products and services within the American Express Group. For example, where those companies provide services to us and/or where it is necessary for us to lawfully carry out our business activities;
Business Partners, such as parties that accept American Express branded cards for payments of goods/services purchased by you (i.e., merchants), your bank or other payment card issuers to provide, deliver, offer, customise or develop products and services to you, and address or resolve claims. We will not share your contact information with Business Partners for them to independently market their own products or services to you without your consent. However, we may send you offers on their behalf with your consent. Please note that if you take advantage of an offer provided by a Business Partner and become their customer, they may independently send communications to you. In this case, you will need to review their privacy statement and inform them separately if you wish to decline receiving future communications from them;
any party approved by you, such as third parties for the provision of open banking and related services upon your request, for example where you seek to connect your account information to another platform or to initiate payments from other accounts;
our loyalty partners to connect your Membership Rewards account (if applicable) and dependent on your card product, with any partners available in your card benefits programme;
your advisers (such as accountants, lawyers and other professional advisers) who you have authorized to represent you, or any other person you have told us is authorized to give instructions or use the account (for example, a Supplementary Cardmember or under a power of attorney); or
anyone to whom we transfer or assign our contractual rights.

The provisions of this privacy statement apply to any Supplementary Cardmember(s) who you have approved to use your account. Where you have approved the issue of a Supplementary Card:

we will use the information of a Supplementary Cardmember to process their application, issue their card, manage the account, and comply with our legal or regulatory obligations; and
the Supplementary Cardmember may need to provide us with your Personal Data for identity verification when they contact us about activating or using their card, register for on-line services and access new or updated services and benefits.

Supplementary Cardmembers will not be permitted to make any alteration to any of your Personal Data unless you have provided us with a mandate for them to do so (which may be in a form reasonably requested by us).

Where applicable, we will exchange your Personal Data as part of customer due diligence and to prevent fraudulent conduct or behaviour that contravenes international sanctions and to comply with regulations against money laundering, terrorism financing and tax fraud with the centralized information files kept by the Gjeldsregisteret and Fraud Prevention Agencies. We may obtain Personal Data about you from the Gjeldsregisteret, including, where relevant, your household (such as your spouse), and any business in which you are involved (including details of your co-directors or partners in business). For these purposes you may be treated as financially linked to such persons ("financial associates") and you will be assessed with reference to their "associated records". You must be sure that you have your financial associates’ agreement to disclose information about them.

When you apply

Where applicable, we seek confirmation from the centralized information files kept by the Gjeldsregisteret that no incident of payment has been reported towards you.

During the lifetime of your account

We will continue to make searches at the registers held by the Gjeldsregisteret to assist in managing your account and this will include looking at the associated records of your financial associates. These searches will not be seen or used by other organisations to assess your ability to obtain credit. We will also carry out further credit checks whilst any money is owed by you on your account.

We will tell the Gjeldsregisteret if you do not make payments when due. They will record this information on the centralized information files (such as FICP) and it may be shared with other organisations for the purpose of assessing applications from you, and applications from any other party with a financial association with you, for credit or other facilities, for other risk management purposes and for preventing fraud and tracing debtors. Records shared with the Gjeldsregisteret remain on file for 5 years maximum unless they are closed and settled by you earlier.

We will analyse your Personal Data to assist in managing your account and to prevent fraud or any other unlawful activity. If fraud is detected, you could be refused certain services, finance, or employment. We and other organisations, including fraud prevention agencies, may access and use your Personal Data to prevent fraud and money laundering and to verify your identity, for example, when:

verifying the information you provide on applications for insurance, credit and credit related or other facilities;
managing credit, credit related accounts or facilities, and insurance policies;
recovering debt; or
checking details on applications, proposals and claims for all types of insurance.

We and other organisations may access and use from other countries the information recorded by fraud prevention agencies.

For additional information about how the Gjeldsregisteret gather and use your Personal Data, please review the Incident File Information at https://www.gjeldsregisteret.com/pages/personvernsdeklarasjon

We transfer your Personal Data to organisations in other countries and (where permitted by applicable law) to regulatory authorities in other countries. Some of these jurisdictions may not provide the same level of protection for Personal Data as provided in the European Economic Area (EEA). Some countries will have different data protection laws. This includes transfers to countries outside of the EEA, such as into the United States where our main operational data centres are located. We undertake these transfers to operate our business, process transactions on foreign purchases, administer your account and to provide our products and services to you.

Keep in mind, no matter where we process your Personal Data, we will always protect it in the manner described in our privacy statements and in accordance with applicable laws. When we transfer your Personal Data to certain countries outside of the EEA:

If that country has received an adequacy decision from the European Commission (please see the list of countries here), we will rely on that decision to undertake our transfer; or
In the case of transfers of Personal Data to a third party in the United States, we may rely on that third party’s certification to the EU-US Data Privacy Framework to transfer your Personal Data.

In other cases, we are required to put in place an “appropriate safeguard”. In particular:

When we share Personal Data with other companies within the American Express Group that are outside of the EEA, we ensure an adequate level of protection through our Binding Corporate Rules, available here. Our Binding Corporate Rules ensure your Personal Data is protected by requiring all of our group companies to follow the same rules when processing your Personal Data.
When we share your Personal Data with third parties (or American Express Group non-participating Binding Corporate Rules companies) outside the EEA to countries which have not received an adequacy decision from the European Commission, we include appropriate contractual protections (including the European Commission standard contractual clauses) in those agreements. In addition, we assess whether other technical and organizational measures are required for those transfers. If we are dealing with public authorities or regulators we won’t need to have contractual protections in place but that doesn’t mean your data is not protected by appropriate security measures when it’s transferred.

You can receive a copy of such contractual protections by contacting us, see the “Query or Complaint” section below.

We use organisational, administrative, technical and physical security measures to safeguard your Personal Data and to help ensure that your information is processed promptly, accurately and completely. We require Service Providers to safeguard your Personal Data and only use your Personal Data for the purposes we specify.

We will keep your Personal Data only for as long as you are a customer of ours and we need to perform the contractual relationship with you and deliver the products and services that you requested. Once our relationship with you has ended (for example, your account has closed), we will only keep your Personal Data for a period of time that is appropriate, taking into account the nature and the sensitivity of the data and what we continue to hold it for.

We will only keep Personal Data for specific purposes, including where it allows us to:

comply or evidence compliance with our legal and regulatory requirements (for example, laws relating to money laundering)
defend or take legal action
maintain business records for analysis or audit purposes
keep records of anyone who does not want to receive marketing from us

When your Personal Data is no longer necessary for the above purposes, we will securely destroy such information. For more information about our data retention practices, you can contact us – please see the “Query or Complaint” section.

We encourage you to check regularly that all Personal Data held by us is accurate and up to date. If you believe that any information we hold about you is incorrect or incomplete, you may ask us to correct or remove this information from our records. We recommend that you go to www.americanexpress.com/nb-no/ , log in and update your Personal Data. If you prefer, you can contact us – please see the “Query or Complaint” section. Any information which is found to be incorrect or incomplete will be corrected promptly.

You have the right to access, update, restrict, port, erase or object to the processing of your Personal Data. More specifically, you have the right to:

Withdraw your consent for our use of your Personal Data at any time, where our processing is based on your consent.

This will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Request restriction of the use of your Personal Data in certain cases.

You can ask us to restrict the processing of your Personal Data in the following scenarios:
- if you want us to establish the accuracy of the Personal Data;
- where our use of the Personal Data is unlawful, but you do not want us to erase it;
- where you need us to hold the Personal Data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
- you have objected to our use of your Personal Data but we need to verify whether we have overriding legitimate grounds to use it.
In certain cases, request the erasure of your Personal Data.

This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with applicable law. However, please note that we may not always be able to comply with your request for specific reasons set out in the law which will be notified to you, if applicable, at the time of your request.
Request a human review of automated decisions that impact your legal or contractual rights or that may have a similarly significant effect.

In certain circumstances, you have the right to request for an automated decision to be reviewed, to express your point of view and to contest the decision. This right only applies to fully automated decisions, so it won’t apply if there has already been input from someone as part of the decision-making process.
Request the transfer of your Personal Data to you or to a third party.

We will provide to you, or (where technically feasible) a third party you have chosen, your Personal Data in a structured, commonly used and machine-readable format. Note that this right only applies to automated information for which you initially provided consent for us to use or where we used the information to perform a contract with you.
Request a copy of your Personal Data we have about you (often referred to as a “data subject access request” or a “DSAR”).

This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.

Subject to applicable law you may establish guidelines regarding your Personal Data for when you become deceased in accordance with applicable law. In this regard, persons expressly designated by deceased data subjects or the public prosecutor in the case of minors or people with disabilities may request to access the Personal Data of the deceased data subject or the rectification of the Personal Data of the deceased data subject.

You can also object to our processing of your Personal Data:

on grounds relating to your particular situation when the applicable legal basis is legitimate interests; In some cases, we may demonstrate that we have compelling legitimate grounds to process your Personal Data, which override your rights and freedoms. If this is the case, we will let you know; and
when your Personal Data is processed for direct marketing purposes.

If we receive a request from you, we will respond as soon as possible but no later than one calendar month except as follows. If, due to the nature or circumstances of your request, we can’t meet that deadline, we may extend it by up to a further two months (complex requests). In this case, we will send you an email or letter explaining the cause of the delay.

If you have any questions about how we process your Personal Data, you can contact us – please see the “Query or Complaint” section.

You can choose how you would like to receive marketing communications, including direct marketing - whether we send them to you through postal mail, email, SMS and/or telephone. Please see the above section for our lawful reasons which justify using your information to send you marketing communications. The lawful reasons for sending direct marketing communications to you will differ depending on a number of factors, including the marketing channel used (e.g., SMS, email, telephone), whether we have an existing relationship with you, or if you are an individual customer or a business customer.

If after making your preferences you wish to opt out of receiving marketing, we recommend you go to https://www.americanexpress.com/nb-no/, log in, and update your privacy preferences. If you prefer, you can also contact us – please see the “Query or Complaint” section below. If you choose not to receive marketing communications from us, we will honour your choice.

Please be aware that if you choose not to receive such communications, certain offers attached to the products or services you have chosen could be affected.

We will still communicate with you in connection with servicing your account, fulfilling your requests, or administering any promotion or program in which you have elected to participate. These communications are necessary to provide the service you expect to receive from us and you may not opt out of receiving them.

If you have questions about this Cardmember Privacy Statement or how your information is handled or wish to make a complaint or exercise your rights, please contact our Data Protection Officer at DPO-Europe@aexp.com or by referring to the "Contact Us" page of our website. You may also write to the following address and specify the American Express entity you would like to submit your query to: Avenida Partenón 12-14, 28042, Madrid, Spain.

You also have the right to contact the Norwegian Data Protection Authority “Datatilsynet” directly at www.datatilsynet.no or the authority of the European Member State where you live, work or where there may have been an infringement. If your request is not resolved to your satisfaction, you may also take your case to court.