
American Express’ Binding Corporate Rules – or BCRs – are a means of transferring personal data internationally within the American Express Group in compliance with applicable data protection legislation in the European Economic Area (EEA). Our BCRs consist of the American Express Data Protection and Privacy Principles and these additional European Implementing Principles. They were approved by the Information Commissioner’s Office, the local Data Protection Authority in the United Kingdom, and have been in effect since January 28, 2013.


These European Implementing Principles provide information about how American Express ensures compliance with our Data Protection and Privacy Principles in the EEA, and how to make a privacy complaint in the EEA.

PRINCIPLES FOR THE IMPLEMENTATION IN THE EUROPEAN ECONOMIC AREA OF THE AMERICAN EXPRESS DATA PROTECTION AND PRIVACY PRINCIPLES

(THE “EUROPEAN IMPLEMENTING PRINCIPLES”)

1. Scope


The Principles for the implementation in the European Economic Area of the American Express Data Protection and Privacy Principles (the “European Implementing Principles”) apply only to personal data of an individual that is or has been: (i) processed in the context of the activities of an American Express company established in the EEA; (ii) processed by an American Express company established outside the EEA where the processing activities specifically relate to the offering of goods or services to individuals in the EEA; or (iii) processed by an American Express company established outside of the EEA where the processing activities specifically relate to the monitoring of individuals’ behaviour in the EEA (the “Data Subjects”).


Note that the processing activities in (ii) and (iii) above are limited to processing activities that “target” individuals in the EU, either by offering goods or services to them or by monitoring their behaviour.


In particular, the European Implementing Principles set out (i) how the American Express Data Protection and Privacy Principles (the “Principles”) are to be implemented by American Express Company, with a registered office at World Financial Center, 200 Vesey St., New York, NY 10285 (“American Express” or the “Company”), and by each company in the American Express group of companies that processes personal data of Data Subjects (together, the “American Express Group”), and (ii) how the American Express Group BCRs take effect. American Express Europe, S.A. (“AEESA”) is the European company within the American Express Group that has assumed responsibility for ensuring that the personal data of Data Subjects is stored or processed in accordance with the Principles and the European Implementing Principles.


Any Data Subject who is directly addressed as being subject to a benefit given to them by the Principles or these European Implementing Principles can enforce those provisions against AEESA as a third party beneficiary, as described below.


For the purposes of these European Implementing Principles, “personal data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


2. Availability


The Principles and the European Implementing Principles are available on the American Express websites in each country in the EEA. You may also request a copy of the Principles and European Implementing Principles in an alternative format from AEESA’s Data Protection Officer at the address set out below or from the local American Express entity responsible for your data.


The Principles and these European Implementing Principles must be read in conjunction with the Online Privacy Statement (for customers) or the Online Recruitment Privacy Statement (for potential employees), and with any other notices, terms and conditions which are applicable to your relationship with American Express. These notices, terms and conditions may contain additional provisions which are relevant to the processing of personal data pursuant to the applicable national laws and regulations.


3. Data Subject Rights


Under the European Implementing Principles, the Data Protection and Privacy Principles shall be amended as follows to comply with the EU General Data Protection Regulation (“GDPR”) in relation to American Express Group companies that process personal data of Data Subjects.

3.1. Collection

Personal data of Data Subjects shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subjects. American Express is a global payments services and travel company. A description of the types of personal data and special categories of personal data that are processed, and the way in which they are processed, may be found in the privacy statements and other notices, terms and conditions that are presented to you when you engage with us.

American Express Group companies shall only collect personal data of Data Subjects for specified, express and legitimate purposes and shall ensure that personal data is not further processed in a manner that is incompatible with such purposes.


3.2. Notice, Fairness and Transparency

American Express Group companies that have an obligation to provide Data Subjects with information relating to processing under GDPR shall provide Data Subjects with a right to easy access to the information required. This information shall be provided to the Data Subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This information is available in the Online Privacy Statement (for customers) or the Online Recruitment Privacy Statement (for potential employees).


3.3. Data Quality

American Express Group companies that process personal data of Data Subjects shall take reasonable steps to ensure that personal data of Data Subjects which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.

Personal data of Data Subjects shall be stored in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be retained for a longer period for archiving purposes or as otherwise permitted by the GDPR, or applicable law, and only when appropriate technical and organisational measures are taken.


3.4. Security and Confidentiality

The requirements of this principle shall include reasonable and appropriate technical and organisational measures to protect personal data of Data Subjects from unauthorised or unlawful processing and against accidental loss, destruction or damage.


3.5. Openness and Data Access

The companies of the American Express Group shall comply with the following rights conferred on Data Subjects: right of access, right of correction, right to be forgotten, right to restrict processing, right to object to processing, right to withdraw consent and the right not to be subject to decisions based solely on automated decision making, including profiling.


3.6. International Transfers

Personal data of Data Subjects is transferred throughout the American Express Group. This flow of data is legitimised through a combination of EU-approved Binding Corporate Rules and data transfer contracts, including EU model contracts. Special category data of Data Subjects shall not be onward transferred unless the Data Subject has given their consent to such transfer.


3.7. Accountability

All companies in the American Express Group that process personal data of Data Subjects shall be responsible for, and be able to demonstrate compliance with the GDPR, including the maintenance of electronic records of all categories of processing activities in order to demonstrate such compliance.


4. Privacy by Design


American Express Group companies that process personal data of Data Subjects shall use technical and organisational measures that are designed to implement data protection principles and to facilitate compliance with the requirements of these European Implementing Principles.


5. Compliance programme

5.1. Compliance

In order to ensure compliance with the Principles and European Implementing Principles, a compliance programme has been established that provides for regular compliance checks and audits of the American Express Group operations. The results of these compliance checks and audits will be communicated to the Global Privacy Office of American Express, the AEESA Data Protection Officer, the relevant Supervisory Authorities (if requested) and, where appropriate, the Audit Committee of the Board of Directors of American Express Company. Where a compliance gap is identified, the relevant company in the American Express Group in the EEA must comply with any specific requests from AEESA’s Data Protection Officer or, where the requests cannot be complied with, document the reason for this. The American Express Group shall also co-operate with any compliance checks conducted by any Supervisory Authority with applicable jurisdiction, whether commenced in response to a complaint from a Data Subject or on the Supervisory Authority’s own initiative.


5.2. Co-operation

All companies within the American Express Group that process personal data of Data Subjects will cooperate in dealing with demands, audits, queries and complaints with any relevant Supervisory Authority. If the Supervisory Authority finds that a company in the American Express Group has breached any of the rights under these European Implementing Principles, then the relevant company in the American Express Group will abide by the findings of the Supervisory Authority, subject to the right to challenge or appeal such findings.


6. Compliance, enforcement and liability


All companies in the American Express Group that process personal data of Data Subjects must comply with the provisions of the European Implementing Principles and other policies and procedures that are binding on the American Express Group. Companies in the American Express Group will ensure compliance with European national data protection and privacy laws and any enforcement will be in compliance with those European national laws.

6.1. Enforcement

Each Data Subject may enforce against AEESA or any American Express Group company that processes personal data of Data Subjects, the terms of the following provisions of the European Implementing Principles as a third party beneficiary:


  1. Data Subject Rights (Section 3);
  2. Conflict of laws (Section 8);
  3. Questions or complaints (Section 9);
  4. Co-operation (Section 5.2); and
  5. Compliance, enforcement and liability (Sections 6.1 and 6.2).


Data Subjects shall have the right to judicial remedies and the right to obtain redress and, where appropriate, compensation up to the actual damages suffered by the complainant as a result of the breach of the above-mentioned third party beneficiary rights.


Data Subjects can bring their claim before a competent court of the EU member states where the relevant company in the American Express Group is established or where the Data Subject has his or her habitual residence.


6.2. Liability

AEESA will accept responsibility for any breach of the Principles or the European Implementing Principles by an American Express Group company outside of the EU that processes personal data of Data Subjects. AEESA will take any necessary action to remedy the acts or omissions of companies in the American Express Group that process personal data of Data Subjects.


AEESA is liable to pay compensation for any material or non-material damages suffered by Data Subjects arising in connection with any breach of the Principles or European Implementing Principles. Compensation must be agreed by the AEESA Data Protection Officer before an offer of redress or payment is made. Such compensation shall be in full satisfaction of the Data Subject’s claim against all companies within the American Express Group. For the avoidance of doubt, AEESA’s liability extends to the acts or omissions of any company in the American Express Group that is not situated in the EU.


If an American Express Group company situated outside of the EU violates the Principles or European Implementing Principles, the courts or other competent authorities in the EU will have jurisdiction in relation to such violation. To the extent that an American Express Group company that processes personal data of Data Subjects breaches the European Implementing Principles then Data Subjects, Supervisory Authorities and courts of applicable jurisdictions may exercise their rights and bring a claim against AEESA as if such conduct had been performed by AEESA in the EU.


AEESA bears the burden of proof in demonstrating that the American Express Group company situated outside of the EU is not liable for any purported violation of the Principles or European Implementing Principles that gives rise to the Data Subject’s claim for compensation for damages. Where AEESA can prove that the American Express Group company outside of the EU is not responsible for the event giving rise to the damage, AEESA and such company may discharge themselves from responsibility and liability.


7. Training


American Express will provide appropriate training materials and courses for American Express employees who collect, use or have access to personal data of Data Subjects or who develop systems that process personal data of Data Subjects to ensure that they are aware of their obligations under the Principles and these European Implementing Principles.


8. Conflict of laws


In the event that a company within the American Express Group has reason to believe that a law to which it is subject precludes compliance with the Principles or the European Implementing Principles, or is likely to have a substantial effect on the guarantees set out in the Principles or European Implementing Principles, the relevant contact for that American Express Group company shall inform the Data Protection Officer at AEESA unless prohibited by applicable law(s). Where necessary, the Data Protection Officer shall notify the competent Supervisory Authority, save to the extent prohibited by applicable law.


9. Questions or complaints


A Data Subject may, at any time, submit a complaint or claim and exercise his or her rights in relation to the Principles or these European Implementing Principles. These may be addressed to AEESA’s Data Protection Officer at AEESA’s headquarters: American Express Europe, S.A., Avenida Partenón 12-14, 28042 Madrid, Spain. For more information on the American Express complaints handling process and on how to submit a complaint, please refer to the American Express complaints handling page.