American Express UK Binding Corporate Rules (UK BCRs)
Table of Contents
- Introduction
- Binding Nature of the UK BCRs
- Scope of our UK BCRs
- How does American Express protect your Personal Data?
- American Express DPO Network
- Training and Awareness
- Control and Audit
- Compliance, Enforcement and Liability
- How can you lodge a complaint and enforce the UK BCRs?
- Duty of cooperation with Supervisory Authorities
- How do we handle potential conflicts of laws?
- Updates to the UK BCRs
- Nature and purposes of Personal Data transferred within the scope of the UK BCRs
- Location of the American Express BCR Entities
- Glossary
American Express values your trust and respects your privacy.
Data protection and information security are long-standing priorities for our company. As a multinational organization, we are committed to protecting personal data, irrespective of where it is used, and all personal data American Express collects is handled according to our Data Protection and Privacy Principles.
In 2012, American Express was one of the first companies to publish Binding Corporate Rules (BCRs) approved by the Information Commissioner’s Office. Today, these BCRs continue to lay a framework for our strong privacy commitments, promoting a robust compliance culture across our enterprise.
Amongst other things, these BCRs govern the international Transfers of Personal Data within the American Express BCRs Entities in accordance with Applicable Data Protection Legislation and ensure that your Personal Data is always adequately protected regardless of where it is Transferred.
Easy access to the UK BCRs
These BCRs are available on American Express’ websites in the United Kingdom. You may also request a copy of these BCRs in an alternative format from our Data Protection Officer (DPO) at the address below or from the local American Express entity responsible for your Personal Data. Please note that the authority overseeing these BCRs is the Information Commissioner’s Office (ICO).
These BCRs are legally binding on the American Express BCRs Entities and their Employees by an Intra-Group Agreement between American Express Company and American Express Europe Limited (AESEL), the legal representative of American Express in the United Kingdom.
Each American Express BCRs Entity and their Employees may only Process Personal Data in accordance with these BCRs. Employees who violate these BCRs may be subject to disciplinary actions.
3.1. Geographical scope
These BCRs apply to all Processing of Personal Data subject to Applicable Data Protection Legislation. That is, Personal Data of a Data Subject that is or has been Processed in the context of the activities of an American Express BCRs Entity established in the United Kingdom, even if the Processing is carried out by an American Express BCRs Entity outside of the United Kingdom.
3.2. Material scope
In its capacity as Data Controller, American Express Processes the Personal Data of past, present and prospective employees, directors, contractors, individual consultants and contingent workers employed by American Express, whether full time, part time, permanent or temporary, as well as retirees (“Employees”), and the Personal Data of past, present and prospective American Express consumers, and natural persons working at the corporate clients, suppliers and partners of American Express (“Customers”).
The purposes for which American Express Processes Personal Data mainly relate to consumer, commercial, merchant, insurance, travel, meetings and events, and network services as well as human resources.
To effectively conduct American Express’ global activities, the Processing of Personal Data by the American Express BCRs Entities, in connection with the purposes identified in these BCRs, may involve international Transfers of Personal Data of Data Subjects, from any United Kingdom American Express BCRs Entity to any other American Express BCRs Entity outside of the United Kingdom (including, from the United Kingdom to the United States, where American Express’ main servers are located), and any other onward Transfer of that received Personal Data to a third party outside of the American Express group.
For a more comprehensive view of American Express’ Processing activities, please refer to Appendix 1. To see where our American Express BCRs Entities are located, please refer to Appendix 2.
When Processing your Personal Data, American Express BCRs Entities are committed to complying with robust data protection principles (section 4.1) and to respecting your data protection rights (section 4.2).
4.1. Data protection principles
4.1.1. Transparency and fairness
The American Express BCRs Entities will collect and Process your Personal Data in a transparent manner and by fair means.
We ensure that You are provided with easy access to the information on our Processing activities as required by the United Kingdom’s General Data Protection Regulation (UK GDPR). This information is provided to You in a concise, transparent, intelligible and easily accessible form, using clear and plain language and is available in the relevant American Express Privacy Statements, as applicable to your relationship with Us. These notices and terms and conditions may also contain additional provisions which are relevant to the Processing of Personal Data, pursuant to national applicable law(s) and regulation(s).
In particular, when the Personal Data is collected from the Data Subject, the following information will be provided at the moment the Personal Data is collected:
- the identity and contact details of the Controller and, where applicable, its representative;
- the contact details of the DPO;
- the purposes of the Processing for which the Personal Data are intended and the legal basis for the Processing;
- the recipients or categories of recipients of the Personal Data, if any;
- the existence of Personal Data Transfers to countries without adequate level of protection and the appropriate safeguards adopted to ensure the same level of protection as required by the UK GDPR;
- the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period; and
- the existence of the Data Subjects’ rights recognised by the UK GDPR.
When the Personal Data has not been collected from the Data Subject, the previous information, as well as the categories of Personal Data concerned and the source from which the Personal Data originates, will be timely communicated (unless the Data Subject already has the information, the provision of such information proves impossible or would involve a disproportionate effort, obtaining or disclosure is expressly laid down by Union or Member State law or where the Personal Data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy).
These BCRs also inform You about the rights You are entitled to enforce against AESEL or any American Express BCRs Entity as third-party beneficiary with regard to the Processing of your Personal Data under these BCRs (“Third-party Beneficiary Rights”) and on the means to exercise such rights (see section 8). In addition, these BCRs will provide You with information on the data protection principles that We apply when Processing your Personal Data (as explained in this section 4) and information about the liability American Express BCRs Entities assume in the event of a breach of these BCRs (see section 8).
In addition, You are always able to obtain, upon request, a copy of these BCRs. A public version will be available on American Express BCRs Entities’ public websites in the United Kingdom as well as on our intranet if You are an Employee.
4.1.2. Lawfulness of Processing
Your Personal Data and Special Categories of Data are collected and Processed fairly and lawfully, in accordance with the Applicable Data Protection Legislation. The lawful bases for Processing your Personal Data are described in more detail in the relevant American Express Privacy Statements, as applicable to your relationship with American Express.
- Processing of Personal Data
Your Personal Data is collected and Processed only where there is a lawful basis for Processing:
- when You have given your explicit Consent (for instance, to send You email communications containing ads, promotions, and offers for American Express products and services);
- when the Processing is necessary for the performance of a contract to which You are a party or in order to take steps at your request prior to entering into a contract (for instance, to administer our contractual relationship with You and process your application for a card, account or other product or to manage your existing accounts);
- when the Processing is necessary for compliance with a legal obligation (for instance, to report certain suspicious transactions to the competent authorities under anti-money-laundering rules or as required by law to perform due diligence on Customers before approving their applications); or
- when the Processing is necessary for the purposes of the legitimate interests pursued by an American Express BCRs Entity or by third-party(ies) (for instance, to deliver products and services, advertise and market products and services, conduct research and analysis, and manage our fraud and security risks), except where such interests are overridden by your interests or fundamental rights and freedoms.
- Processing of Special Categories of Data
We may collect Special Categories of Data including data related to health, biometric data, sexual orientation or race / ethnic origin. This data is collected and Processed to satisfy legal requirements, for purposes essential to administering the employment relationship or where provided with explicit Consent, and only if permitted by applicable law.
Sometimes, You may provide Us with this type of data to improve your journey with Us (for instance, if You inform Us about specific dietary requirements or your need of special assistance during a flight).
To the limited extent that Special Categories of Data are collected, they will only be Processed under one of the lawful bases mentioned above, and provided one of the conditions for Processing Special Categories of Data applies, such as, for instance, when:
- You have given your explicit Consent to the Processing,
- the Processing is necessary for the purpose of carrying out the obligations and specific rights of American Express in the field of employment law,
- the Processing relates to Special Categories of Data which You have manifestly made public,
- the Processing is necessary for the establishment, exercise or defence of legal claims,
- the Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law.
In addition, the American Express BCRs Entities will take reinforced measures to Process Special Categories of Data, as required by the Applicable Data Protection Legislation.
4.1.3. Data minimization, accuracy and storage limitation
The American Express BCRs Entities use appropriate technology and established Employee practices to Process your Personal Data promptly and accurately.
We take reasonable steps to ensure that your Personal Data is:
- Accurate and kept up to date having regard to the purposes for which it is Processed (data accuracy). Inaccurate Personal Data is erased or rectified without delay;
- Adequate, relevant and not excessive in relation to the purpose for which the Personal Data is collected and Processed (data minimization);
- Not kept in an identifiable form for longer than necessary for the purposes for which the Personal Data is Processed, and only retained for a longer period for archival purposes or as otherwise permitted or required to be retained in accordance with applicable law(s), and then only when appropriate administrative, technical and organisational measures are taken.
4.1.4. Purpose limitation
The American Express BCRs Entities only collect Personal Data for specific and legitimate purposes. We Process your Personal Data fairly and only for those purposes We have told You, for purposes permitted by You or by the Applicable Data Protection Legislation. We will ensure that your Personal Data is not further Processed in a manner that is incompatible with such purposes.
4.1.5. Data security and confidentiality
American Express has implemented and commits to maintain a comprehensive written information security program that complies with applicable law(s) and Applicable Data Protection Legislation.
The American Express BCRs Entities implement appropriate administrative, technical and organizational measures to protect your Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data transmitted, stored or otherwise Processed. We will keep your Personal Data confidential and limit access to your Personal Data to those who specifically need it to conduct their business activities, except as otherwise required by law applicable to Us.
Such measures ensure a level of security appropriate to the risk and take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, and may include as appropriate:
- the pseudonymisation and encryption of Personal Data of Data Subjects,
- measures to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
- measures to ensure the ability to restore the availability and access to Personal Data of Data Subjects in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
We also require appropriate administrative, technical and organisational measures from those third-parties who are authorised by Us to Process your Personal Data on our behalf and We enter into contractual commitments with internal and external Data Processors that comply with safeguards required by the UK GDPR.
In particular, Processing by the Data Processor shall be governed by a contract, that is binding on the Data Processor with regard to the Data Controller and that sets out the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects and the obligations and rights of the Data Controller.
The following duties must also be covered in the agreement that must require the Data Processor to:
- Process the Personal Data only on documented instructions from the Data Controller or ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- take all appropriate technical and organizational measures required to guarantee an acceptable level of security;
- not contract another Data Processor (“Sub-processor”), without prior specific or general written authorisation of the Data Controller and only provided that the same data protection obligations as set out in the contract between the Data Controller and the Data Processor are imposed on that Sub-processor;
- assist the Data Controller with appropriate technical and organizational measures whenever possible for the fulfilment of the duty of the Data Controller to answer Data Subject's requests exercising their rights;
- assist the Data Controller with the fulfilment of its obligations regarding security of Processing, Personal Data Breaches and Data Protection Impact Assessments;
- at the choice of the Data Controller, delete or return all the Personal Data to the Data Controller after the end of the provision of services relating to Processing, and delete existing copies unless the applicable law requires storage of the Personal Data;
- make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR regarding Data Processors and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
In addition, the American Express BCRs Entities have implemented administrative, technical and organisational measures to detect, investigate, escalate and remediate Personal Data Breaches. The American Express DPO is notified of Personal Data Breaches by the American Express BCRs Entities without undue delay and the American Express DPO determines whether to notify the ICO and the Data Subjects in accordance with the UK GDPR requirements. Any Personal Data Breaches are documented (comprising the facts relating to the Personal Data Breach, its effects, and the remedial action taken) and the documentation is made available to the ICO on request.
4.1.6. Onward Transfers
Your Personal Data is Transferred throughout American Express BCRs Entities and onward to third-parties, always ensuring an adequate level of protection for the Processing of your data as required by Applicable Data Protection Legislation, regardless of where it is Transferred.
This flow of data is legitimized through these BCRs, which allow Us to Transfer Personal Data from the UK to the American Express BCRs Entities located outside of the United Kingdom.
In all cases of onward Transfers (i.e., Personal Data that has first been Transferred from a UK American Express BCRs Entity to a non-UK American Express BCRs Entity and later transferred to third-party(ies) not covered by these BCRs), the American Express BCRs Entities will ensure that they enter into a written agreement with these third-parties containing provisions that ensure the Personal Data is protected at least to the confidentiality and security standards contemplated by these BCRs, or use another valid legal method to ensure that the Transfer is lawful and adequate guarantees are given under Article 46 of the UK GDPR.
4.1.7. Accountability
All American Express BCRs Entities are responsible for, and must demonstrate compliance with, these BCRs. Compliance with these requirements includes:
- the maintenance of electronic records of Processing activities, available to the ICO on request, which contain the information required by the UK GDPR (such as the name and contact details of the Data Controller, the purposes of Processing, the categories of Data Subjects and categories of Personal Data, the recipients of the Personal Data, the Transfers to countries outside of the UK, the time limits for erasure of the categories of Personal Data and the description of the security measures applied);
- the completion of Data Protection Impact Assessments (applicable only when the Processing activities are likely to result in a high risk to the rights and freedoms of the Data Subjects); and
- consultation with the ICO when required to demonstrate such compliance.
In addition, the American Express BCRs Entities have put in place appropriate administrative, technical and organisational measures designed to implement data protection principles and to facilitate compliance with the requirements set up by these BCRs (data protection by design and by default).
4.2. Data Subjects’ rights
- Rights of access, restriction, objection, rectification, erasure, right to withdraw Consent and to data portability
The American Express BCRs Entities comply with your requests to exercise the rights entitled to You by the UK GDPR, where applicable. More specifically, We ensure that You can exercise your right to:
- access your Personal Data (right of access);
- restrict and/or object to the Processing of your Personal Data (right to restriction of Processing and right to object to Processing);
- rectify your Personal Data (right of rectification);
- erase your Personal Data (right to erasure);
- withdraw a previously provided Consent for Processing, and
- receive your Personal Data in a structured, commonly used and machine-readable format and/or transmit such data to another Data Controller (right to data portability).
The American Express BCRs Entities are subject to policies on how to handle such requests to ensure that You have the means to exercise these rights. If You would like to exercise any of your rights, You may contact our DPO at amexukdpo@aexp.com.
- Automated decision making
The American Express BCRs Entities ensure that You are not subject to decisions based solely on automated Processing of Personal Data, including Profiling, which produce legal effects or similar significant effects, unless the Processing is:
- necessary for entering into or performing a contract between You and American Express;
- authorized by a law to which American Express is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- based on your explicit Consent to such Processing.
In accordance with applicable law(s), We will implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention, to express your point of view and to contest the decision.
In compliance with these restrictions, We may use automated processes to help Us make certain decisions, for example, to detect and manage fraud (e.g., to help decide whether your account is used for fraud or money laundering purposes or to detect if fraudsters have accessed your account); or to process card applications and assess credit and security risks. These methods are regularly tested to ensure that they remain fair, effective and unbiased.
You may contact our DPO at amexukdpo@aexp.com to exercise your right to request a manual review of certain automated Processing activities that may impact your legal or other contractual rights or that may have a similar legal effect.
American Express has appointed a DPO who monitors compliance with these BCRs. The DPO has the following tasks:
- informs and advises American Express entities and American Express Employees of their obligations under Applicable Data Protection Legislation;
- monitors compliance with Applicable Data Protection Legislation through the assessment of key risk indicators and controls. The DPO reports the results of these monitoring activities to the relevant internal senior-level governance forum;
- provides advice in connection with Data Protection Impact Assessments and monitors their performance;
- cooperates with the ICO; and
- acts as a point of contact for the ICO.
The DPO is appointed by the American Express entities as a Board Advisor of AESEL and American Express Payments Services Limited (AEPSL), respectively the group’s issuing and acquiring entities in the UK.
The appointment is communicated to the ICO.
The DPO works closely with a network of privacy specialists and compliance lawyers who monitor compliance with Applicable Data Protection Laws in the UK. The DPO is supported in his/her tasks by the Global Privacy Office led by American Express Chief Privacy Officer.
All American Express BCRs Entities provide appropriate training materials and courses for all Employees, and in particular for Employees who collect, Process, have permanent or regular access to Personal Data or who are involved in the development of tools used to Process Personal Data to ensure that they are aware of their obligations under Applicable Data Protection Legislation and these BCRs. Such courses are mandatory, and their completion is monitored.
American Express has implemented a compliance programme that provides for regular compliance checks and audits of American Express BCRs Entities’ operations (by internal or, where needed, by external auditors) to ensure that these BCRs and all related policies and procedures are respected and up to date.
Data protection audits cover all aspects of these BCRs including methods of ensuring that corrective measures will take place.
Additional data protection audits may be requested by the DPO on his/her own initiative or upon specific request of an American Express BCRs Entity. American Express’ internal audit group, as an independent control body, will assess these audit requests according to its risk assessment framework.
The results of these compliance checks and audits will be communicated to the Global Privacy Office of American Express, the DPO, the ICO (if requested) and made available to the Audit Committee of the Board of Directors of American Express Company.
Where a compliance gap is found, the relevant American Express BCRs Entity must follow any specific guidance from the DPO. Where the guidance cannot be observed, the American Express BCRs Entity must document the reason for this.
American Express will also co-operate with any compliance checks conducted by the ICO whether commenced in response to a complaint from a Data Subject, or by the ICO’s own initiative.
8.1. Liability of American Express BCRs Entities
The American Express BCRs Entities are responsible for complying with these BCRs. In addition to the individual responsibilities of the American Express BCRs Entities, AESEL will accept responsibility for any breach of these BCRs by an American Express BCRs Entity outside of the UK that Processes Personal Data as per Applicable Data Protection Legislation. AESEL shall be entitled to take any necessary action to remedy the acts or omissions of any American Express BCRs Entity that Process Personal Data in violation of these BCRs.
AESEL is liable to pay compensation due for any material or non-material damages suffered by Data Subjects arising in connection with any breach of these BCRs. Compensation must be agreed upon by the DPO before an offer of redress or payment is made. All compensation paid will be in full satisfaction of the Data Subject’s claim against all American Express BCRs Entities. For the avoidance of doubt, AESEL’s liability extends to the acts or omissions of any American Express BCRs Entity that is not situated in the UK that breaches these BCRs.
If an American Express BCRs Entity (including when that entity is situated outside of the UK) violates these BCRs, the competent UK courts will have jurisdiction in relation to such violation. To the extent that an American Express BCRs Entity breaches these BCRs, Data Subjects, the ICO and courts of applicable jurisdictions may exercise their rights and bring a claim against AESEL as if such conduct had been performed by AESEL in the UK (for more information about how to lodge a complaint, please refer to section 9 below).
8.2. Third-Party Beneficiary Rights
Each Data Subject may enforce against AESEL or any American Express BCRs Entity, the terms of the following provisions of these BCRs as a third-party beneficiary:
- data protection principles (Section 4.1);
- transparency and easy access to BCRs (Sections 1.2 and 4.1.1);
- Data Subjects’ rights (Section 4.2);
- compliance, enforcement and liability (Section 8);
- right to complain through the American Express internal complaint mechanism (Section 9);
- right to lodge a complaint with the ICO and before the competent UK court (Section 9);
- co-operation with the ICO (Section 10); and
- conflict of laws (Section 11.1).
8.3. Burden of proof
AESEL bears the burden of proof in demonstrating that the American Express BCRs Entity situated outside of the UK is not liable for any purported violation of these BCRs that gives rise to the Data Subject’s claim for compensation for damages. Where AESEL can prove that an American Express BCRs Entity outside of the UK is not responsible for the event giving rise to the damage, AESEL and such company may discharge themselves from such responsibility and liability.
If You want to submit a complaint or claim and exercise your rights in relation to these BCRs, You are encouraged to contact the DPO at any time, in writing at AESEL’s headquarters at American Express Services Limited at Belgrave House, 76 Buckingham Palace Rd, Belgravia, London SW1W 9AX or via email at amexukdpo@aexp.com.
Our DPO will address your complaints without undue delay and in any event, within one month. Taking into account the complexity and number of the requests, that one-month period may be extended at maximum by an additional two months, in which case We will inform You accordingly.
For more information on the American Express complaints handling process and on how to submit a complaint please visit our Online Privacy Statement.
If the issue is not resolved to your satisfaction, You may also:
- lodge a complaint with the ICO;
- bring your claim before a competent court of the UK, and where appropriate, obtain compensation for the damages You suffered as a result of the breach of the above-mentioned Third-Party Beneficiary Rights.
All American Express BCRs Entities will co-operate with, and accept to be audited by, the ICO and will comply with its advice on any issues regarding the Applicable Data Protection Legislation.
If the ICO finds that one of the American Express BCRs Entities has breached any of the rights offered to Data Subjects under these BCRs, this American Express BCRs Entity will abide by the findings of the ICO, subject to the right to challenge or appeal such findings.
11.1. National legislation preventing compliance with the UK BCRs
In the event an American Express BCRs Entity has reason to believe a law to which it is subject precludes compliance with these BCRs or is likely to have a substantial effect on the guarantees set forth in these BCRs, the relevant contact for this American Express BCRs Entity will inform the DPO at AESEL unless prohibited by applicable law(s). Where necessary, the DPO will notify the ICO of the conflict of law, save to the extent prohibited by applicable law(s).
If an American Express BCRs Entity receives a request for Personal Data by a law enforcement authority or state security body, the DPO will inform the ICO about the request (including information about the data requested, the requesting body, and the legal basis for the disclosure). If, in specific cases, the suspension and/or notification to the ICO is prohibited by applicable law(s), American Express will use its best efforts to waive this prohibition to expeditiously communicate as much information to the ICO, and be able to demonstrate that it did so.
If, in the above cases, despite having used its reasonable efforts, the American Express BCRs Entity is not in a position to notify the ICO, it will annually provide general information on the requests it received to the ICO (such as the number of applications for disclosure, type of Personal Data requested, name of the requestor if possible, etc.).
In any case, Transfers of Personal Data by an American Express BCRs Entity to any public authority will not be massive, disproportionate and indiscriminate. This limitation shall apply to any legally binding request for disclosure of Personal Data by a law enforcement authority or state security body.
11.2. Relationship between national laws and the UK BCRs
Where the Applicable Data Protection Legislation requires a higher level of protection for Personal Data, those data protection laws will take precedence over these BCRs.
We may update the terms of these BCRs to, for instance, take account of modifications of the regulatory environment or the company structure. We commit to report material changes to these BCRs without undue delay to all American Express BCRs Entities and to the ICO. Any changes to the BCRs or to the list of American Express BCRs Entities will be reported once a year to the ICO with a brief explanation of the reasons justifying the update. Where a modification would possibly affect the level of the protection offered by these BCRs or significantly affect these BCRs, it will be promptly communicated to the ICO.
American Express has identified a team that keeps a fully updated list of the American Express BCRs Entities and keeps track of and records any updates to the rules and provides the necessary information to the Data Subjects or ICO upon request. In addition, the American Express BCRs Entities will not make any Transfer to a new American Express BCRs Entity until this new entity is effectively bound by these BCRs and can deliver compliance.
- Description of the types and purposes of Processing activities
American Express is a globally integrated payments and travel company that is principally engaged in four segments: i) customer payment services, ii) merchant services, iii) network services and operations, and iv) travel, meetings and events services. Our Processing activities are carried out in the context of these activities, as described below.
i) Customer payment services
American Express issues a wide range of payment services (such as payment cards and credit cards) to individuals, each with related services (such as loyalty programmes, membership and award schemes, and insurance mediation).
- To this end, We Process Customers’ Personal Data mainly to administer and service our contractual relationship; to manage any benefits, insurance or other programmes in which You are enrolled, to deliver products and services, to conduct research and analysis to improve our products and services; to better understand our Customers and deliver a more personalized service; to manage our fraud and security risks; to promote our products and services (subject to Consent where required by Applicable Data Protection Legislation); or to comply with applicable law(s).
American Express also offers commercial products and services to businesses (including corporate payment, expense management services and loan products).
- To this end, We Process Customers’ Personal Data mainly to administer and service our contractual relationship; to deliver the commercial products and services; to enable Customers to develop reports that may allow them to maintain effective procurement policies, travel policies and procedures; to develop risk management policies, models and procedures and/or to make decisions about how We manage Customers’ accounts; to exchange information with fraud prevention agencies to trace debtors, recover debts, prevent fraud, manage accounts or insurance policies; to make decisions about offering products such as credit and related services; or to comply with applicable law(s).
ii) Merchant services
American Express operates a global merchant services business, which includes obtaining the agreement of merchants to accept American Express branded cards and other financial products from their customers as a means of payment, as well as permitting American Express to perform processing and settling of card transactions for those merchants.
As a part of this merchant services business, American Express notably assists merchants that accept American Express cards by providing analytical and consulting expertise to identify new trends, enable product innovation, and enable expansion and improvements to marketing through the more effective use of the American Express data infrastructure. The Processing activities carried out for these purposes will create deidentified or aggregated databases where it is appropriate.
- To this end, We Process Personal Data mainly to administer and service our contractual relationship with merchants; to exchange information with credit reference agencies for preventing fraud or tracing debtors or for the purpose of identity verification; to develop our products and/or, subject to Consent where required by Applicable Data Protection Legislation, to offer products and services; or to comply with applicable law(s), including anti-money laundering and anti-terrorism laws.
iii) Network services and operations
The American Express network authenticates, clears and settles card transactions and provides multi-channel marketing programs and capabilities, services and data analytics. It manages and evolves American Express’ payment network reliability, security, and processing capabilities to enable commerce across the globe. In addition, the American Express network manages a variety of capabilities that enable payments in new forms or channels while implementing policy to govern the many parties that engage with the network.
- To this end, We Process Personal Data mainly to administer transactions for American Express’ Customers with American Express accepting merchants. Processing activities include steps to prevent fraud and to comply with applicable law(s), including anti-money laundering and anti-terrorism laws.
iv) Travel, meetings and events services
American Express is one of the world’s largest travel agency businesses and annually makes millions of travel reservations for consumers and individual employees of corporate clients and, on an exceptional basis, their travel companions, who may wish to travel anywhere in the world.
American Express Global Business Travel (GBT) also provides travel management expertise to corporate clients and assists Customers in organising meetings and events on a global basis. Details on GBT’s processing activities can be found here: https://privacy.amexgbt.com/.
American Express also provides consumer travel services to individual consumers, but primarily those who are cardholders of an American Express branded card.
- To this end, We Process Customers’ Personal Data mainly to manage the commercial relationship; to deliver services, to conduct research and analysis to improve our products and services; to better understand our Customers and deliver a more personalized service; to promote our products and services (subject to Consent where required by Applicable Data Protection Legislation); or to comply with applicable law(s).
v) Human resources
American Express BCRs Entities also Process Employees’ Personal Data mainly for the purpose of administering and fulfilling their employment relationship with American Express’ Employees (for instance, appointments or severance, background checks, performance management, work management or other personnel matters in relation to the management of Employee relations); and to comply with internal policies and applicable law(s).
- Description of types of Personal Data
The types of Personal Data Processed are described in the various American Express Privacy Statements, as applicable to the Data Subjects’ relationship with American Express and may be generally described as follows:
i) Customers’ Personal Data
Customers’ Personal Data may include personal details (such as name, address, and other contact information), information relating to products and services used and purchased; creditworthiness; online activity including for instance information We collect when Customers access our online account services or via cookies and similar technologies; information relating to lifestyle and social circumstances; etc. To perform travel, meetings and events related services, American Express must Process Personal Data relating to the traveller, including nationality, passport details, gender, date of birth, location and travel preferences (together “Customers’ Personal Data”).
In some cases, Customers’ Personal Data may include Special Categories of Data, such as biometric information for security purposes (e.g., voice ID) or, for travel related services, details of any disability which may affect the ability to travel.
ii) Employees’ Personal Data
Employees’ Personal Data often includes, for instance, personal details (such as name, address, date of birth, phone number), family details, information relating to lifestyle and social circumstances; products and services used; online activity; creditworthiness; public office held; immigration status; and education and employment history and other employment related information such as performance or talent designations and compensation and benefits information (together “Employees’ Personal Data”).
In some cases, and where allowed by national laws, Employees’ Personal Data may include Special Categories of Data, including information about racial and ethnic origin, sexual orientation, information about Employees’ health, occupational health schemes, biometric data, equal opportunities monitoring, information on trade unions and works councils.
The American Express BCRs Entities are located in the following countries:
- Argentina
- Austria
- Australia
- Belgium
- Brazil
- Canada
- Chile
- China
- Colombia
- Czech Republic
- Denmark
- Finland
- France
- Germany
- Greece
- Hong Kong
- Hungary
- India
- Indonesia
- Ireland
- Italy
- Japan
- Jersey
- Malaysia
- Mexico
- Netherlands
- New Zealand
- Norway
- Philippines
- Poland
- Russia
- Singapore
- Slovakia
- Spain
- Sweden
- Switzerland
- Taiwan
- Thailand
- United Kingdom
- United States
“AESEL” – means American Express Europe Limited located at Belgrave House, 76 Buckingham Palace Rd, Belgravia, London SW1W 9AX. AESEL is the UK company within American Express that has assumed responsibility for ensuring that Personal Data is Processed in accordance with these BCRs. AESEL is a signatory party to the Intra-Group Agreement.
“American Express BCRs Entity” or “American Express BCRs Entities” or “We” or “Us” – means the American Express entity or entities which are bound by these UK BCRs.
“American Express Company” - means American Express Company, located at World Financial Center, 200 Vesey St., New York, NY 10285 USA. American Express Company is a signatory party to the Intra-Group Agreement.
“American Express Privacy Statements” - means the Cardmember Privacy Statement (for cardmembers), the Online Privacy Statement (for Customers and website visitors), the Online Recruitment Privacy Statement (for potential Employees), or the Employee Privacy Notice (for current Employees), and other notices, terms and conditions (such as for merchants and corporate clients) which are applicable to the Data Subject’s relationship with American Express and as amended from time to time.
“Applicable Data Protection Legislation” – means the UK GDPR, the Data Protection Act 2018 (UK DPA), The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), and any other data protection law and regulation applicable in the UK (all the above as amended and replaced from time to time).
“Consent” – means any freely given, specific, informed and unambiguous indication, through a statement or clear affirmative action, of the Data Subjects’ agreement to the Processing of their Personal Data.
“Data Breach” or “Personal Data Breach” - means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Data Controller” - means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Protection Impact Assessment” – means an assessment of the impact of an envisaged Processing operation on the protection of Personal Data carried out where the Processing is likely to result in a high risk to the rights and freedoms of Data Subjects.
“Data Subject(s)” or “You” – refers to an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person in scope of these BCRs.
“Data Processor” - means the natural or legal person, public authority, agency or any other body which Processes Personal Data on behalf of and under the instructions of the Data Controller.
“Intra-Group Agreement” – means the intra-group agreement that binds American Express BCRs Entities to these UK BCRs.
“Personal Data” – means any information relating to an identified or identifiable natural person (Data Subject) that is within the scope of these BCRs.
“Processing” or “Process” – means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Profiling” – means automated Processing of Personal Data intended to analyse or evaluate certain personal aspects relating to individuals (such as their performance at work, creditworthiness, reliability, conduct) or to make predictions about them.
“Special Categories of Data” – means any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data Processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
“Transfer” – means any transfer of Personal Data from one company in the UK to another or onward transfer which would otherwise be restricted by the UK GDPR. A transfer is performed via any communication, copy or disclosure of Personal Data through a network, including remote access to a database or transfer from any medium to another.
“UK GDPR” – means the General Data Protection Regulation, Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.