Personal data of Data Subjects shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subjects. American Express is a global payments services and travel company. A description of the types of personal data and special categories of personal data that are processed, and the way in which they are processed, may be found in the privacy statements and other notices, terms and conditions that are presented to you when you engage with us.
American Express Group companies shall only collect personal data of Data Subjects for specified, express and legitimate purposes and shall ensure that personal data is not further processed in a manner that is incompatible with such purposes.
3.2. Notice, Fairness and Transparency
American Express Group companies that have an obligation to provide Data Subjects with information relating to processing under GDPR shall provide Data Subjects with a right to easy access to the information required. This information shall be provided to the Data Subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This information is available in the Online Privacy Statement (for customers) or the Online Recruitment Privacy Statement (for potential employees).
3.3. Data Quality
American Express Group companies that process personal data of Data Subjects shall take reasonable steps to ensure that personal data of Data Subjects that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
Personal data of Data Subjects shall be stored in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be retained for a longer period for archiving purposes or as otherwise permitted by the GDPR, or applicable law, and only when appropriate technical and organisational measures are taken.
3.4. Security and Confidentiality
The requirements of this principle shall include reasonable and appropriate technical and organizational measures to protect personal data of Data Subjects from unauthorized or unlawful processing and against accidental loss, destruction or damage.
3.5. Openness and Data Access
The companies of the American Express Group shall comply with the following rights conferred on Data Subjects: right of access, right of correction, right to be forgotten, right to restrict processing, right to object to processing, right to withdraw consent and the right not to be subject to decisions based solely on automated decision making, including profiling.
3.6. International Transfers
Personal data of Data Subjects is transferred throughout the American Express Group. This flow of data is legitimized through a combination of EU-approved Binding Corporate Rules and data transfer contracts, including EU model contracts. Special category data of Data Subjects shall not be onward transferred unless the Data Subject has given their consent to such transfer.
All companies in the American Express Group that process personal data of Data Subjects shall be responsible for, and be able to demonstrate compliance with the GDPR, including the maintenance of electronic records of all categories of processing activities in order to demonstrate such compliance.