American Express®
Binding Corporate Rules (EU BCR)
Table of Contents
- Introduction
- Binding Nature of the BCRs
- Scope of our BCRs
- How does American Express protect your Personal Data?
- American Express Data Protection Officer Network
- Training and Awareness
- Auditing and Control
- Compliance, Enforcement and Liability
- How Can You Lodge a Complaint and Enforce the BCRs?
- Duty of Cooperation with Supervisory Authorities
- How Do We Handle Potential Conflicts of Laws?
- Updates to the BCRs
- Nature and Purposes of Personal Data Transferred within the Scope of the BCRs
- Location of the American Express BCR Entities
- Glossary
1.1. Outline
American Express values your trust and respects your privacy.
Data protection and information security are top priorities for our company. As a multinational organisation, we are committed to protecting personal data, irrespective of where it is used, and all personal data American Express collects is handled according to our Data Protection and Privacy Principles.
In 2012, American Express was one of the major companies to publish Binding Corporate Rules (BCRs), approved by the “Information Commissioner’s Office” (ICO). Today, these BCRs continue to lay a framework for our strong privacy commitments, promoting a robust compliance culture across our enterprise.
Amongst other things, our BCRs govern Transfers of Personal Data within the American Express BCR Entities in accordance with Applicable Data Protection Legislation and ensure that your Personal Data is always adequately protected regardless of where it is Transferred.
1.2. Easy access to the BCRs
Our BCRs are available on American Express’ European pages. You may also request a copy of these BCRs in an alternative format from our Data Protection Officer (DPO) at the address below or from the local American Express entity responsible for your Personal Data.
Please note that the Supervisory Authority for these BCRs is the Spanish Data Protection Agency (AEPD).
These BCRs are legally binding on the American Express BCR Entities and their employees through an Intra-Group Agreement between the American Express Company and American Express Europe, S.A. (AEESA), the legal representative of American Express in the EEA.
Each American Express BCR Entity and their employees may only Process Personal Data in accordance with these BCRs. Employees who violate these BCRs may be subject to disciplinary actions.
3.1. Geographical scope
Our BCRs apply to all Processing of Personal Data subject to Applicable Data Protection Legislation. That is, Personal Data of an Individual that are or have been Processed in the context of the activities of an American Express BCR Entity established in the EEA, even if the Processing is carried out by an American Express BCR Entity outside of the EEA.
3.2. Material scope
In its capacity as Data Controller, American Express Processes the Personal Data of past, present and prospective employees, directors, contractors, individual consultants and workers employed by American Express, whether full time, part time, permanently or temporarily, as well as retired employees (“Employees”), and the Personal Data of past, present and prospective requesters of American Express products and services – consumers – and natural persons working at the corporate clients, suppliers and partners of American Express (“Customers”).
The purposes for which American Express Processes Personal Data mainly relate to consumers, corporate clients, merchants, insurance, travel, meetings and events, and network services as well as human resources.
To conduct American Express’ global activities effectively, the Processing of Personal Data by the American Express BCR Entities, in connection with the purposes identified in these BCRs, may involve international Transfers of Personal Data from any American Express BCR Entity to any other American Express BCR Entity outside the EEA (including from the EEA to the United States, where American Express’ main servers are located), and any other onward Transfer of that received Personal Data to a third party outside of the American Express group.
For a more comprehensive view of American Express’ Processing activities, please refer to Appendix 1. To see where our American Express BCR Entities are located, please refer to Appendix 2.
When Processing your Personal Data, American Express BCR Entities are committed to complying with robust data protection principles (section 4.1) and to respecting your data protection rights (section 4.2).
4.1. Data protection principles
4.1.1. Transparency and fairness
The American Express BCR Entities will collect and Process your Personal Data in a transparent manner and by fair means.
We ensure that You are provided with easy access to the information on our Processing activities as required by the General Data Protection Regulation (GDPR). This information is provided to you in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and is available in the relevant American Express Privacy Statements, as applicable to your relationship with Us. These notices and terms and conditions may also contain additional provisions which are relevant to the Processing of Personal Data, pursuant to national applicable law(s) and regulation(s).
In particular, when the Personal Data is provided directly by the Data Subject, the following information will be provided at the moment the Personal Data are collected:
- the identity and contact details of the Controller and, where applicable, its representative;
- the contact details of the Data Protection Officer;
- the purposes of the Processing for which the Personal Data are intended and the legal basis for the Processing;
- the recipients or categories of recipients of the Personal Data, if any;
- the existence of international Transfers of Personal Data to countries without an adequate level of protection and the appropriate safeguards adopted to ensure the same level of protection as required by the GDPR;
- the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period; and
- the existence of the Data Subjects’ rights recognised by the GDPR.
When the Personal Data has not been collected directly from the Data Subject, the information above, together with the categories of Personal Data concerned and the source from which the Personal Data originate, must be communicated promptly, unless the Individual already has the information, providing it proves impossible or would involve a disproportionate effort, obtaining or disclosing the Personal Data is expressly laid down by European Union or Member State law, or the Personal Data must remain confidential under an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
Our BCRs also inform you about the rights you are entitled to enforce against AEESA or any American Express BCR Entity as third-party beneficiary with regard to the Processing of your Personal Data under these BCRs (“Third-party Beneficiary Rights”) and on the means to exercise such rights (see section 8). In addition, these BCRs will provide you with information on the data protection principles we apply when processing your Personal Data (as explained in this section 4) and information about the liability the American Express BCR Entities assume in the event of a breach of these BCRs (see section 8).
In addition, you will always be able to obtain a copy of these BCRs on request. A public version is available on the websites of EEA American Express BCR Entities, as well as in our intranet if you are an employee.
4.1.2. Lawfulness of Processing
Your Personal Data and Special Categories of Data are collected and Processed fairly and lawfully, in accordance with the Applicable Data Protection Legislation. The lawful bases for processing your Personal Data are described in more detail in the relevant American Express Privacy Statements, as applicable to your relationship with American Express.
• Processing of Personal Data
Your Personal Data is collected and Processed only where there is a lawful basis for that Processing:
- when You have given your explicit Consent (for instance, to send you email communications containing ads, promotions and offers for American Express products and services);
- when the Processing is necessary for the performance of a contract to which You are a party or in order to take steps at your request prior to entering into a contract (for instance, to administer our contractual relationship with You and process your application for a card, account or other product or to manage your existing accounts);
- when the Processing is necessary for compliance with a legal obligation (for instance, to report certain suspicious transactions to the competent authorities under anti-money-laundering rules or as required by law to perform due diligence on Customers before approving their applications); or
- when the Processing is necessary for the purposes of the legitimate interests pursued by an American Express BCR Entity or by third-party(ies) (for instance, to deliver products and services, advertise and market products and services, conduct research and analysis, and manage our fraud and security risks), except where such interests are overridden by your interests or fundamental rights and freedoms.
• Processing of Special Categories of Data
We may collect Special Categories of Data, including data related to health, biometric data, sexual orientation or race/ethnic origin. This data is collected and Processed to satisfy legal requirements, for purposes essential to administering the employment relationship or where provided with explicit Consent, and only if permitted by applicable law.
Sometimes, You may provide us with this type of data to improve your journey with Us (for instance, if you inform us about specific dietary requirements or your need for special assistance during a flight).
To the limited extent that Special Categories of Data are collected, they will only be Processed under one of the lawful bases mentioned above, and provided one of the conditions for processing Special Categories of Data applies, such as for instance when:
- You have given your explicit Consent to the Processing;
- the Processing is necessary for the purpose of carrying out the obligations and specific rights of American Express in the field of labour, social security and social protection provisions;
- the Processing relates to Special Categories of Data which You have manifestly made public;
- the Processing is necessary for the establishment, exercise or defence of legal claims;
- the Processing is necessary for reasons of substantial public interest, on the basis of European Union or Member State law.
In addition, the American Express BCR Entities will take reinforced measures to Process Special Categories of Data, as required by the Applicable Data Protection Legislation.
4.1.3. Data minimisation, accuracy and storage time limitation
The American Express BCR Entities use appropriate technology and established employee practices to Process your Personal Data promptly and accurately.
We take reasonable steps to ensure that your Personal Data is:
- Accurate and kept up to date, having regard to the purposes for which it is Processed (data accuracy). Inaccurate Personal Data is erased or rectified without delay;
- Adequate, relevant and not excessive in relation to the purpose for which the Personal Data is collected and Processed (data minimisation);
- Not kept in an identifiable form for longer than necessary for the purposes for which the Personal Data is Processed, and only retained for a longer period for archival purposes or as otherwise permitted or required to be retained in accordance with applicable law(s), and then only when appropriate administrative, technical and organisational measures are taken.
4.1.4. Purpose limitation
The American Express BCR Entities only collect Personal Data for specific and legitimate purposes. We will Process your Personal Data fairly, and only for those purposes we have told you, for purposes permitted by you or by the Applicable Data Protection Legislation. We will ensure that your Personal Data is not further Processed in a manner that is incompatible with such purposes.
4.1.5. Data security and confidentiality
American Express has implemented and commits to maintaining a comprehensive written information security programme that complies with applicable law(s) and Applicable Data Protection Legislation.
The American Express BCR Entities implement appropriate administrative, technical and organisational measures to protect your Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the personal data transmitted, stored or otherwise Processed. We will keep your Personal Data confidential and limit access to them to those who specifically need it to conduct their business activities, except as otherwise required by law applicable to us.
Such measures ensure a level of security appropriate to the risk and take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the likelihood of risks to the rights and freedoms of Individuals, and may include as appropriate:
- the pseudonymisation and encryption of Personal Data;
- measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- measures to ensure the ability to restore the availability and access to Personal Data of Individuals in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, reviewing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
We also require appropriate administrative, technical and organisational measures from those third parties who are authorised by Us to Process your Personal Data on our behalf, and we enter into contractual commitments with internal and external Data Processors that comply with the safeguards required by the GDPR.
In particular, Processing by the Data Processor shall be governed by a contract, which is binding on the Data Processor with regard to the Data Controller and that sets out the subject matter and duration of the Processing, the nature and purpose of the processing, the type of Personal Data and categories of Individuals and the obligations and rights of the Controller.
The following duties shall also be covered in the agreement that must require the Data Processor to:
- Process the Personal Data only on documented instructions from the Data Controller;
- ensure that people authorised to Process the Personal Data have committed themselves to the duty of confidentiality or are under an appropriate statutory obligation of confidentiality;
- take all appropriate technical and organisational measures required to guarantee an acceptable level of security;
- not contract another Data Processor (“sub-processor”), without prior specific or general written authorisation from the Data Controller and only provided that the same data protection obligations as set out in the contract between the Controller and the Processor are imposed on that sub-processor;
- assist the Data Controller with appropriate technical and organisational measures whenever possible for the fulfilment of the duty of the Data Controller to answer the Data Subjects’ requests exercising their rights;
- assist the Data Controller with the fulfilment of its obligations regarding security of Processing, security breaches and Data Protection Impact Assessments;
- at the choice of the Data Controller, delete or return all the Personal Data to the Data Controller after the end of the provision of services relating to Processing, and delete existing copies unless the applicable law requires storage of the Personal Data;
- make available to the Data Controller all the information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR regarding Data Processors and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
In addition, the American Express BCR Entities have implemented administrative, technical and organisational measures to detect, investigate, escalate and remedy Personal Data violations. The American Express BCR Entities are to notify the American Express Data Protection Officer of a Personal Data breach without delay and the Officer determines whether the competent Supervisory Authority and the Individuals must be notified in accordance with the requirements of the GDPR. Any Personal Data violations are to be documented (comprising the facts relating to the incident, its effects and the remedial actions taken) and the documentation is made available to the Supervisory Authority on request.
4.1.6. Onward Transfers
When your Personal Data is transferred between American Express BCR Entities and then onward to third parties, regardless of where it is Transferred, the same level of protection for the Processing of your data will always be provided, as required by the Applicable Data Protection Legislation.
This flow of data is legitimised by our BCRs, which allow us to transfer Personal Data from the EEA to the American Express BCR Entities located outside the EEA.
In all cases of onward Transfers (e.g. Personal Data that has first been Transferred from an American Express BCR Entity located in the EEA to another American Express BCR Entity outside the EEA and later transferred to a third party not covered by these BCRs), the American Express BCR Entities will ensure that they enter into a written agreement with that third party that contains provisions to ensure the Personal Data is protected at least under the same confidentiality and security standards as contained in these BCRs, or use another valid legal method to ensure that the Transfer is lawful and adequate guarantees are given under Article 46 of the GDPR.
4.1.7. Accountability
All American Express BCR Entities are responsible for, and must demonstrate compliance with, these BCRs. Compliance with these requirements includes:
- the maintenance of electronic records of Processing activities, available to the Supervisory Authorities on request, containing the information required by the GDPR, such as the name and contact details of the Data Controller, the purposes of processing, the categories of Data Subjects and of Personal Data, the recipients of the Personal Data, the Transfers to countries outside the EEA, the time limits for erasure of the categories of Personal Data and the description of the security measures applied;
- the completion of Data Protection Impact Assessments (to be carried out only when the processing activities are likely to result in a high risk to the rights and freedoms of the individuals); and
- consultation with the Supervisory Authority when required to demonstrate such compliance.
In addition, the American Express BCR Entities have put in place appropriate administrative, technical and organisational measures designed to implement data protection principles and to facilitate compliance with the requirements set up by these BCRs (data protection by design and by default).
4.2. Data Subjects’ rights
• Rights of access, restriction, objection, rectification, erasure, right to withdraw Consent and to data portability
The American Express BCR Entities will respond to your requests to exercise rights. More specifically, we ensure that you can exercise your right to:
- access your Personal Data (right of access);
- restrict and/or object to the Processing of your Personal Data (right to restriction of Processing and right to object to Processing);
- rectify your Personal Data (right of rectification);
- erase your Personal Data (right to erasure);
- withdraw a previously provided Consent for Processing; and
- receive your Personal Data in a structured, commonly used and machine-readable format and/or transmit such data to another Data Controller (right to data portability).
The American Express BCR Entities are subject to policies on how to handle such requests to ensure that you have the means to exercise these rights. If you would like to exercise any of your rights, you can contact our Data Protection Officer at DPO-Europe@aexp.com.
• Automated decision making
The American Express BCR Entities ensure that You are not subject to decisions based solely on automated Processing, including profiling, which produce legal effects or similar significant effects, unless the Processing is:
- necessary for entering into or performing a contract between You and American Express;
- authorised by European Union or Member State law and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- based on your explicit Consent to such Processing.
In accordance with the applicable regulations, we will implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention, to express your point of view and to contest the decision.
In compliance with these restrictions, we may use automated processes to help us make certain decisions, for example, to detect and manage fraud (it helps us detect whether your account has been used for fraud or money laundering purposes or to detect if fraudsters have accessed your account); or to process card applications and assess credit and security risks. These methods are tested regularly to ensure that they remain fair, effective and unbiased.
You may contact our Data Protection Officer at DPO-Europe@aexp.com to exercise your right to request a manual review of certain automated Processing activities that may impact your legal or other contractual rights or that may have a similar legal effect.
American Express has appointed a Data Protection Officer who monitors compliance with these BCRs. The Data Protection Officer has the following responsibilities:
- informs and advises American Express entities and American Express Employees of their obligations under Applicable Data Protection Legislation;
- monitors compliance with Applicable Data Protection Legislation through the assessment of key risk indicators and controls. The Data Protection Officer reports the results of these monitoring activities to the organisation’s most senior-level governance bodies through their respective forums;
- provides advice in connection with Data Protection Impact Assessments and monitors their performance;
- cooperates with the Supervisory Authority; and
- acts as a point of contact for the Supervisory Authority.
The Data Protection Officer is appointed based on their professional qualities and reports to American Express' Chief Privacy Officer. The Data Protection Officer has been appointed by the European entities of American Express on the Boards of Directors of AEESA and American Express Payments Europe, SA, which are the main issuing and acquiring entities – respectively – of the group in Europe.
The appointment is communicated to the Supervisory Authority for the European countries where American Express is established.
The Data Protection Officer works closely with a network of privacy specialists and compliance lawyers located in each of the European markets and who monitor compliance with Applicable Data Protection Legislation in their region. The Data Protection Officer is supported in their functions by the Global Privacy Office led by American Express' Chief Privacy Officer.
All American Express BCR Entities provide appropriate training materials and courses for all employees, and in particular for employees who collect, process and have permanent or regular access to Personal Data or who are involved in the development of tools used to Process Personal Data to ensure that they are aware of their obligations under Applicable Data Protection Legislation and these BCRs. Such courses are mandatory and their completion is monitored.
American Express has implemented a compliance programme that provides for regular compliance checks and audits of American Express BCR Entities’ operations (by internal or, where necessary, by external auditors) to ensure that these BCRs and all related policies and procedures are respected and up to date.
Data protection audits cover all aspects of these BCRs, including methods of ensuring that corrective actions take place.
Additional data protection audits may be requested by the Data Protection Officer on their own initiative or upon specific request of an American Express BCR Entity. American Express' internal audit group, as an independent control body, will assess whether to conduct these requested audits according to its risk analysis framework.
The results of these compliance checks and audits will be communicated to the American Express’ Global Privacy Office, the Data Protection Officer, the Supervisory Authority (if requested) and will be made available to the Audit Committee of the American Express Company's Board of Directors.
Where non-compliance is found, the relevant American Express BCR Entity must follow the instructions and guidance from the Data Protection Officer. Where the guidance cannot be observed, the American Express BCR Entity must document the reason for this.
American Express will also co-operate with any compliance checks conducted by the Supervisory Authority and which have the aim of confirming the level of compliance, whether commenced in response to a complaint from an Individual or at the Supervisory Authority’s own initiative.
8.1. Liability of American Express BCR Entities
The American Express BCR Entities are responsible for complying with these BCRs. In addition to the individual responsibilities of the American Express BCR Entities, AEESA will accept responsibility for any breach of these BCRs by one of the American Express BCR Entities outside the EEA that processes Personal Data as per the Applicable Data Protection Legislation. AEESA will be entitled to take any necessary action to remedy the acts or omissions of any American Express BCR Entities that Process Personal Data in violation of these BCRs.
AEESA will be liable to pay compensation due for any material or non-material damages suffered by Data Subjects arising from any breach of these BCRs. Compensation must be agreed upon by the Data Protection Officer before an offer of redress or payment is made. All compensation paid will be in full satisfaction of the Data Subjects’ claim against all American Express BCR Entities. For purposes of clarity, AEESA’s liability extends to the acts or omissions of any American Express BCR Entity not situated in the EEA that breaches these BCRs.
If an American Express BCR Entity (including when that entity is situated outside of the EEA) violates these BCRs, the competent European courts will have jurisdiction in relation to such violation. To the extent that an American Express BCR Entity breaches these BCRs, the Data Subjects, the Supervisory Authorities and the courts of applicable jurisdictions may exercise their rights and bring a claim against AEESA as if such conduct had been performed by AEESA in the EEA (for further information about how to lodge a complaint, please refer to section 9 below).
8.2. Third-Party Beneficiary Rights
Each Data Subject may enforce against AEESA, or any American Express BCR Entity, the terms of the following provisions of these BCRs as a third-party beneficiary:
- data protection principles (Section 4.1);
- transparency and easy access to the BCRs (Sections 1.2. and 4.1.1);
- Individuals’ rights (Section 4.2);
- compliance, enforcement and liability (Section 8);
- right to complain through the American Express internal complaint mechanism (Section 9);
- right to lodge a complaint with the Supervisory Authority and before the competent European court (Section 9);
- co-operation with the Supervisory Authorities (Section 10); and
- conflict of laws (Section 11.1).
8.3. Burden of proof
AEESA bears the burden of proof in demonstrating that the American Express BCR Entities situated outside of the EEA are not liable for any purported violation of these BCRs that gives rise to the claims for compensation for damages. Where AEESA can prove that an American Express BCR Entity outside of the EEA is not responsible for the event giving rise to the damage, AEESA and such company may discharge themselves from such responsibility and liability.
If You wish to submit a complaint or claim and exercise your rights in relation to these BCRs, you are encouraged to contact the Data Protection Officer at any time, either in writing to AEESA’s headquarters (American Express Europe SA, Avenida del Partenón 12–14, 28041 Madrid, Spain) or via email to DPO-Europe@aexp.com.
Our Data Protection Officer will address your complaints without undue delay and within one month in any event. Taking into account the complexity and number of the requests, that one-month period may be extended at maximum by an additional two months, in which case we will inform you accordingly.
For further information on the American Express complaints handling process and on how to submit a complaint, please visit our Online Privacy Statement.
If the issue is not resolved to your satisfaction, you may also:
- lodge a complaint with the Supervisory Authority of the member state where you have your usual residence, your place of work or the place where the infringement occurred;
- bring your claim before a competent European court where the American Express BCR Entity is located or where You have your usual residence and, where appropriate, obtain compensation for the damages suffered as a result of the breach of the above-mentioned Third-Party Beneficiary Rights.
All American Express BCR Entities will co-operate with, and agree to be audited by, the Supervisory Authority and will comply with its advice on any issues regarding the Applicable Data Protection Legislation.
If the Supervisory Authority finds that one of the American Express BCR Entities has breached any of the rights offered to Individuals under these BCRs, this American Express BCR Entity will abide by the findings of the Supervisory Authority, subject to the right to challenge or appeal such findings.
11.1. National legislation preventing compliance with the BCRs
In the event that an American Express BCR Entity has reason to believe a law to which it is subject precludes compliance with these BCRs or is likely to have a substantial effect on the guarantees set forth in these BCRs, the American Express BCR Entity will inform the AEESA Data Protection Officer, unless prohibited by the applicable law(s). Where necessary, the Data Protection Officer will notify the Supervisory Authority of the conflict of law, unless this is prohibited by applicable law(s).
If an American Express BCR Entity receives a request for Personal Data by a law enforcement authority or state security body, the Data Protection Officer will inform the Supervisory Authority about the request (including information about the data requested, the requesting body and the legal basis for the disclosure). If, in specific cases, the notification to the Supervisory Authority is prohibited by applicable law(s), American Express will use its best efforts to waive this prohibition to expeditiously communicate all the information to the competent Supervisory Authority, and to be able to demonstrate that it did so.
If, in the above cases, despite having used its reasonable efforts, the American Express BCR Entity is not in a position to notify the Supervisory Authority, it will provide the Supervisory Authority with general information annually on the requests it received (such as the number of applications for disclosure, type of Personal Data requested, name of the requester if possible, etc.).
In any case, Transfers of Personal Data by an American Express BCR Entity to any public authority will not be massive, disproportionate and indiscriminate. This limitation shall apply to any legally binding request for disclosure of Personal Data by a law enforcement authority or state security body.
11.2. Relationship between national laws and the BCRs
Where the Applicable Data Protection Legislation requires a higher level of protection for Personal Data, those data protection laws will take precedence over these BCRs.
We may update the terms of these BCRs to, for instance, consider modifications in the regulatory environment or the company structure. We commit to report material changes to these BCRs without undue delay to all American Express BCR Entities and to the Spanish Data Protection Agency (AEPD). Any changes to the BCRs or to the list of American Express BCR Entities will be reported once a year to the Supervisory Authorities, through the competent Supervisory Authority with a brief explanation of the reasons justifying the update. Where a modification would possibly affect the level of the protection offered by these BCRs or significantly affect these BCRs, it will be promptly communicated to the Supervisory Authorities, through the competent Supervisory Authority.
American Express has a team that keeps a fully updated list of the American Express BCR Entities and records any updates to the contents and provides the necessary information to the Individuals and Supervisory Authorities on request. In addition, the American Express BCR Entities will not make any Transfer to a new American Express BCR Entity until this new entity is effectively bound by these BCRs and can deliver compliance.
• Description of the types and purposes of processing activities
American Express is a globally integrated payments and travel company that is principally engaged in four segments: (i) customer payment services, (ii) merchant services, (iii) network services and operations, and (iv) travel, meetings and events services. Our Processing activities are carried out in the context of these activities, as described below.
(i) Customer payment services
American Express issues a wide range of payment services (such as payment cards and credit cards) to individuals, each with related services (such as loyalty programmes, membership and award schemes and insurance mediation).
- To this end, we Process customers’ Personal Data mainly to administer and service our contractual relationship; to manage any benefits, insurance or other programmes in which You are enrolled; to deliver products and services; to conduct research and analysis to improve our products and services; to better understand our customers and deliver a more personalised service; to manage our fraud and credit risks; to promote our products and services (subject to Consent where required by Applicable Data Protection Legislation); or to comply with applicable law(s).
American Express also offers commercial products and services to businesses (including corporate payments, expense management services and loan products).
- To this end, we Process customers’ Personal Data mainly to administer and service our contractual relationship; to deliver the commercial products and services; to enable Customers to develop reports that may allow them to maintain effective procurement policies, travel policies and procedures; to develop risk management policies, models and procedures and/or to make decisions about how we manage Customers’ accounts; to exchange information with fraud prevention agencies to trace debtors, recover debts, prevent fraud or manage accounts or insurance policies; to make decisions about offering products such as credit and related services; or to comply with applicable law(s).
(ii) Merchant services
American Express operates a global merchant services business, which includes obtaining the agreement of merchants to accept American Express branded cards and other financial products from their customers as a means of payment, as well as permitting American Express to perform processing and settling of card transactions for those merchants.
As a part of this merchant services business, American Express notably assists merchants that accept American Express cards by providing analytical and consulting expertise to identify new trends, enable product innovation and permit expansion and improvements to marketing through more effective use of the American Express data infrastructure. The Processing activities carried out for these purposes will create deidentified or aggregated databases where it is appropriate.
- To this end, we Process Personal Data mainly to administer and service our contractual relationship with merchants; to exchange information with credit reference agencies for preventing fraud or identifying potential debtors or for the purpose of identity verification; to develop our products and/or, subject to Consent where required by Applicable Data Protection Legislation, to offer products and services; or to comply with applicable law(s), including anti-money laundering and anti-terrorism laws.
(iii) Network services and operations
The American Express network authenticates, clears and settles card transactions and provides multi-channel marketing programmes and capabilities, services and data analytics. It manages and evolves the reliability, security and processing capabilities of American Express’ payment network, to facilitate commerce worldwide. In addition, the American Express network manages a variety of capabilities that enable payments in new forms or channels, while implementing policy to govern the many parties that engage with this network.
- To this end, we Process Personal Data mainly to administer transactions for American Express’ customers with American Express-accepting merchants. Processing activities include measures to prevent fraud and to comply with applicable law(s), including anti-money laundering and anti-terrorism laws.
(iv) Travel, meetings and events services
American Express is one of the world’s largest travel agency businesses and makes millions of travel reservations annually for consumers and individual employees of corporate clients and, on an exceptional basis, their travel companions, who may wish to travel anywhere in the world.
American Express Global Business Travel (GBT) also provides travel management expertise to corporate clients and assists Customers in organising meetings and events on a global basis. Details on GBT’s processing activities can be found here - https://privacy.amexgbt.com/.
American Express also provides travel services to individual consumers, but primarily those who are holders of an American Express branded card.
- To this end, we Process Customers’ Personal Data mainly to manage the commercial relationship; to deliver services; to conduct research and analysis to improve our products and services; to better understand our customers and deliver a more personalised service; to promote our products and services (subject to Consent where required by Applicable Data Protection Legislation); or to comply with applicable law(s).
(v) Human resources
American Express BCR Entities also Process Employees’ Personal Data mainly for the purpose of administering and fulfilling their employment relationship with American Express’ employees (for instance, appointments or severance, background checks, performance management, work management or other personnel matters in relation to management of employee relations); and to comply with internal policies and applicable law(s).
• Description of types of personal data
The types of Personal Data Processed are described in the various American Express Privacy Statements, as applicable to the Data Subjects’ relationship with American Express and may be generally described as follows:
(i) Customers’ personal data
Customers’ Personal Data may include personal details (such as name, address and other contact information), information relating to products and services used and purchased; creditworthiness; online activity including for instance information we collect when Customers access our online account services or via cookies and similar technologies; information relating to lifestyle and social circumstances; etc. To perform services related to travel, meetings and events, American Express must Process Personal Data relating to the traveller, including nationality, passport details, gender, date of birth, location and travel preferences (together “Customers’ Personal Data”).
In some cases, Customers’ Personal Data may include Special Categories of Data, such as biometric information for security purposes (e.g., Voice ID) or, for travel-related services, details of any disability which may affect the ability to travel.
(ii) Employee data
Employees’ Personal Data often includes, for instance, personal details (such as name, address, date of birth, phone number), family details, information relating to lifestyle and social circumstances; products and services used; online activity; creditworthiness; public offices held; immigration status; and education and employment history and other employment-related information such as performance or talent designations and compensation and benefits information (together “Employees’ Personal Data”).
In some cases, and where allowed by national laws, Employees’ Personal Data may include Special Categories of Data, including information about racial and ethnic origin, sexual orientation, information about employees’ health, occupational health schemes, biometric data, equal opportunities monitoring, information on trade unions and works councils.
The American Express BCR Entities are located in the following countries:
- Germany
- Argentina
- Austria
- Australia
- Belgium
- Canada
- China
- Colombia
- Czech Republic
- Denmark
- Slovakia
- Spain
- United States
- Finland
- France
- Greece
- Hong Kong
- Hungary
- India
- Ireland
- Italy
- Japan
- Jersey
- Malaysia
- Mexico
- Norway
- The Netherlands
- Philippines
- Poland
- United Kingdom
- Russia
- Singapore
- Sweden
- Switzerland
- Taiwan
- Thailand
“AEESA” – means American Express Europe, S.A. located at Avenida del Partenón 12-14, Madrid, 28042, Spain. AEESA is the European company within American Express that has assumed responsibility for ensuring that Personal Data are Processed in accordance with these BCRs. AEESA is a signatory party to the Intra-Group Agreement.
“American Express BCR Entity” or “American Express BCR Entities” or “We” or “Us” – means the American Express entity or entities which are bound by these BCRs.
“American Express Company” – means American Express Company, located at World Financial Center, 200 Vesey St., New York, NY 10285 USA. American Express Company is a signatory party to the Intra-Group Agreement.
“American Express Privacy Statements” – means the Cardmember Privacy Statement (for cardmembers), the Online Privacy Statement (for Customers and website visitors), the Online Recruitment Privacy Statement (for potential employees) or the Employee Privacy Notice (for current Employees) and other notices, terms and conditions (such as for merchants and corporate clients) which are applicable to the Individuals’ relationship with American Express and as amended from time to time.
“Applicable Data Protection Legislation” – means the GDPR (and national legislation), the Privacy and Electronic Communications Directive, 2002/58/EC (as well as the local regulations that transpose it) and any other data protection law and regulation applicable in the EEA (all the above as amended and replaced from time to time).
“Consent” – means any freely given, specific, informed and unambiguous indication, through a statement or clear affirmative action, of the Data Subject’s agreement to the Processing of their Personal Data.
“Breach of Personal Data security” or “Personal Data Breach” – means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Data Controller” – means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Protection Impact Assessment” – means an assessment of the impact of an envisaged Processing operation on the protection of Personal Data carried out where the processing is likely to result in a high risk to the rights and freedoms of Data Subjects.
“Data Subject(s)”, “Individual(s)” or “You” – means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person in the scope of these BCRs.
“Data Processor” – means the natural or legal person, public authority, agency or any other body which Processes Personal Data on behalf of and under the instructions of the Data Controller.
“EEA” – European Economic Area, which includes all EU countries as well as Iceland, Liechtenstein and Norway.
“GDPR” – means the General Data Protection Regulation, 2016/679.
“Intra-Group Agreement” – means the intra-group agreement that binds American Express BCR Entities to these BCRs.
“Personal Data” – means any information relating to an identified or identifiable natural person (Data Subject) that is within the scope of these BCRs.
“Processing” or “Process” – means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Profiling” – means automated Processing of Personal Data intended to analyse, to evaluate certain personal aspects relating to individuals (such as their performance at work, creditworthiness, reliability, conduct) or to make predictions about them.
“Special Categories of Data” – means any Personal Datum revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data Processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
“Supervisory Authority” – means any independent public authority established by a Member State in accordance with Article 51 of the GDPR.
“Transfer” – means any transfer of Personal Data from one company in the EEA to another or onward transfer which would otherwise be restricted by the GDPR. A transfer is performed via any communication, copy or disclosure of Personal Data through a network, including remote access to a database or transfer from any medium to another.
Copyright © 2021 American Express Company