American Express Binding Corporate Rules (EU BCRs)
Table of Contents
- Introduction
- Binding Nature of the BCRs
- Scope of our BCRs
- How does American Express protect your Personal Data?
- American Express DPO Network
- Training and Awareness
- Control and Audit
- Compliance, Enforcement and Liability
- How can you lodge a complaint and enforce the EU BCRs?
- Duty of cooperation with Supervisory Authorities
- How do we handle potential conflicts of laws?
- Updates to the EU BCRs
- Nature and purposes of Personal data transferred within the scope of the UK BCRs
- Location of the American Express BCR Entities
- Glossary
1. Introduction
1.1. Overview
American Express values your trust and respects your privacy.
Data protection and information security are long-standing priorities for our company. As a multinational organization, we are committed to protecting personal data, irrespective of where it is used, and all personal data American Express collects is handled according to our Data Protection and Privacy Principles.
In 2012, American Express was one of the first companies to publish Binding Corporate Rules (BCRs) approved by the Information Commissioner’s Office. Today, these BCRs continue to lay a framework for our strong privacy commitments, promoting a robust compliance culture across our enterprise.
Amongst other things, our BCRs govern the international Transfers of Personal Data within the American Express BCRs Entities in accordance with Applicable Data Protection Legislation and ensure that your Personal Data is always adequately protected regardless of where it is Transferred.
1.2. Easy access to the BCRs
Our BCRs are available on American Express’ websites across Europe. You may also request a copy of our BCRs in an alternative format from our Data Protection Officer (DPO) at the address below or from the local American Express entity responsible for your Personal Data. Please note that the lead Supervisory Authority overseeing our BCRs is the Agencia Española de Protección de Datos (AEPD).
2. Binding Nature of the BCRs
Our BCRs are legally binding on the American Express BCRs Entities and their Employees by an Intra-Group Agreement between American Express Company and American Express Europe, S.A. (AEESA), the legal representative of American Express in the EEA.
Each American Express BCRs Entity and their Employees may only Process Personal Data in accordance with these BCRs. Employees who violate these BCRs may be subject to disciplinary actions.
3. Scope of our BCRs
3.1. Geographical scope
Our BCRs apply to all Processing of Personal Data subject to Applicable Data Protection Legislation. That is, Personal Data of a Data Subject that is or has been Processed in the context of the activities of an American Express BCRs Entity established in the EEA, even if the Processing is carried out by an American Express BCRs Entity outside of the EEA.
3.2. Material scope
In its capacity as Data Controller, American Express Processes the Personal Data of past, present and prospective employees, directors, contractors, individual consultants and contingent workers employed by American Express, whether full time, part time, permanent or temporary, as well as retirees (“Employees”), and the Personal Data of past, present and prospective American Express consumers, and natural persons working at the corporate clients, suppliers and partners of American Express (“Customers”).
The purposes for which American Express Processes Personal Data mainly relate to consumer, commercial, merchant, insurance, travel, meetings and events, and network services as well as human resources.
To effectively conduct American Express’ global activities, the Processing of Personal Data by the American Express BCRs Entities, in connection with the purposes identified in these BCRs, may involve international Transfers of Personal Data of Data Subjects, from any EEA American Express BCRs Entity to any other American Express BCRs Entity outside of the EEA (including, from countries in the EEA to the United States, where American Express’ main servers are located), and any other onward Transfer of that received Personal Data to a third party outside of the American Express group.
For a more comprehensive view of American Express’ Processing activities, please refer to Appendix 1. To see where our American Express BCRs Entities are located, please refer to Appendix 2.
4. How does American Express protect your Personal Data?
When Processing your Personal Data, American Express BCRs Entities are committed to complying with robust data protection principles (section 4.1) and to respecting your data protection rights (section 4.2).
4.1. Data protection principles
4.1.1. Transparency and fairness
The American Express BCRs Entities will collect and Process your Personal Data in a transparent manner and by fair means.
We ensure that You are provided with easy access to the information on our Processing activities as required by the General Data Protection Regulation (GDPR). This information is provided to You in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and is available in the relevant American Express Privacy Statements, as applicable to your relationship with Us. These notices and terms and conditions may also contain additional provisions which are relevant to the Processing of Personal Data, pursuant to national applicable law(s) and regulation(s).
In particular, when the Personal Data is collected from the Data Subject, the following information will be provided at the moment the Personal Data is collected:
- the identity and contact details of the Controller and, where applicable, its representative;
- the contact details of the DPO;
- the purposes of the Processing for which the Personal Data are intended and the legal basis for the Processing;
- the recipients or categories of recipients of the Personal Data, if any;
- the existence of Personal Data Transfers to countries without adequate level of protection and the appropriate safeguards adopted to ensure the same level of protection as required by the GDPR;
- the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period; and
- the existence of the Data Subjects’ rights recognised by the GDPR.
When the Personal Data has not been collected from the Data Subject, the previous information, as well as the categories of Personal Data concerned and the source from which the Personal Data originates, will be timely communicated (unless the Data Subject already has the information, the provision of such information proves impossible or would involve a disproportionate effort, obtaining or disclosure is expressly laid down by Union or Member State law or where the Personal Data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy).
Our BCRs also inform You about the rights You are entitled to enforce against AEESA or any American Express BCRs Entity as third-party beneficiary with regard to the Processing of your Personal Data under these BCRs (“Third-party Beneficiary Rights”) and on the means to exercise such rights (see section 8). In addition, these BCRs will provide You with information on the data protection principles that We apply when Processing your Personal Data (as explained in this section 4) and information about the liability American Express BCRs Entities assume in the event of a breach of these BCRs (see section 8).
In addition, You are always able to obtain, upon request, a copy of our BCRs. A public version will be available on American Express BCRs Entities’ public websites across the EEA as well as on our intranet if You are an Employee.
4.1.2. Lawfulness of Processing
Your Personal Data and Special Categories of Data are collected and Processed fairly and lawfully, in accordance with the Applicable Data Protection Legislation. The lawful bases for Processing your Personal Data are described in more detail in the relevant American Express Privacy Statements, as applicable to your relationship with American Express.
• Processing of Personal Data
Your Personal Data is collected and Processed only where there is a lawful basis for Processing:
- when You have given your explicit Consent (for instance, to send You email communications containing ads, promotions, and offers for American Express products and services);
- when the Processing is necessary for the performance of a contract to which You are a party or in order to take steps at your request prior to entering into a contract (for instance, to administer our contractual relationship with You and process your application for a card, account or other product or to manage your existing accounts);
- when the Processing is necessary for compliance with a legal obligation (for instance, to report certain suspicious transactions to the competent authorities under anti-money-laundering rules or as required by law to perform due diligence on Customers before approving their applications); or
- when the Processing is necessary for the purposes of the legitimate interests pursued by an American Express BCRs Entity or by third-party(ies) (for instance, to deliver products and services, advertise and market products and services, conduct research and analysis, and manage our fraud and security risks), except where such interests are overridden by your interests or fundamental rights and freedoms.
• Processing of Special Categories of Data
We may collect Special Categories of Data including data related to health, biometric data, sexual orientation or race / ethnic origin. This data is collected and Processed to satisfy legal requirements, for purposes essential to administering the employment relationship or where provided with explicit Consent, and only if permitted by applicable law.
Sometimes, You may provide Us with this type of data to improve your journey with Us (for instance, if You inform Us about specific dietary requirements or your need of special assistance during a flight).
To the limited extent that Special Categories of Data are collected, they will only be Processed under one of the lawful bases mentioned above, and provided one of the conditions for Processing Special Categories of Data applies, such as for instance when:
- You have given your explicit Consent to the Processing;
- the Processing is necessary for the purpose of carrying out the obligations and specific rights of American Express in the field of employment and social security and social protection law;
- the Processing relates to Special Categories of Data which You have manifestly made public;
- the Processing is necessary for the establishment, exercise or defence of legal claims;
- the Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law.
In addition, the American Express BCRs Entities will take reinforced measures to Process Special Categories of Data, as required by the Applicable Data Protection Legislation.
4.1.3. Data minimization, accuracy and storage limitation
The American Express BCRs Entities use appropriate technology and established Employee practices to Process your Personal Data promptly and accurately.
We take reasonable steps to ensure that your Personal Data is:
- Accurate and kept up to date having regard to the purposes for which it is Processed (data accuracy). Inaccurate Personal Data is erased or rectified without delay;
- Adequate, relevant and not excessive in relation to the purpose for which the Personal Data is collected and Processed (data minimization);
- Not kept in an identifiable form for longer than necessary for the purposes for which the Personal Data is Processed, and only retained for a longer period for archival purposes or as otherwise permitted or required to be retained in accordance with applicable law(s), and then only when appropriate administrative, technical and organisational measures are taken.
4.1.4. Purpose limitation
The American Express BCRs Entities only collect Personal Data for specific and legitimate purposes. We Process your Personal Data fairly and only for those purposes We have told You, for purposes permitted by You or by the Applicable Data Protection Legislation. We will ensure that your Personal Data is not further Processed in a manner that is incompatible with such purposes.
4.1.5. Data security and confidentiality
American Express has implemented and commits to maintain a comprehensive written information security program that complies with applicable law(s) and Applicable Data Protection Legislation.
The American Express BCRs Entities implement appropriate administrative, technical and organizational measures to protect your Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data transmitted, stored or otherwise Processed. We will keep your Personal Data confidential and limit access to your Personal Data to those who specifically need it to conduct their business activities, except as otherwise required by law applicable to Us.
Such measures ensure a level of security appropriate to the risk and take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, and may include as appropriate:
- the pseudonymisation and encryption of Personal Data of Data Subjects,
- measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- measures to ensure the ability to restore the availability and access to Personal Data of Data Subjects in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
We also require appropriate administrative, technical and organisational measures from those third-parties who are authorised by Us to Process your Personal Data on our behalf and We enter into contractual commitments with internal and external Data Processors that comply with safeguards required by the GDPR.
In particular, Processing by the Data Processor shall be governed by a contract, that is binding on the Data Processor with regard to the Data Controller and that sets out the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects and the obligations and rights of the Data Controller.
The following duties must also be covered in the agreement that must require the Data Processor to:
- Process the Personal Data only on documented instructions from the Data Controller or ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- take all appropriate technical and organizational measures required to guarantee an acceptable level of security;
- not contract another Data Processor (“Sub-processor”), without prior specific or general written authorisation of the Data Controller and only provided that the same data protection obligations as set out in the contract between the Data Controller and the Data Processor are imposed on that Sub-processor;
- assist the Data Controller with appropriate technical and organizational measures, whenever possible, for the fulfilment of the duty of the Data Controller to answer Data Subjects’ requests exercising their rights;
- assist the Data Controller with the fulfilment of its obligations regarding security of Processing, Personal Data Breaches and Data Protection Impact Assessments;
- at the choice of the Data Controller, delete or return all the Personal Data to the Data Controller after the end of the provision of services relating to Processing, and delete existing copies unless the applicable law requires storage of the Personal Data;
- make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR regarding Data Processors and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
In addition, the American Express BCRs Entities have implemented administrative, technical and organisational measures to detect, investigate, escalate and remediate Personal Data Breaches. The American Express DPO is notified of Personal Data Breaches by the American Express BCRs Entities without undue delay and the American Express DPO determines whether to notify the competent Supervisory Authority and the Data Subjects in accordance with GDPR requirements. Any Personal Data Breaches are documented (comprising the facts relating to the Personal Data Breach, its effects, and the remedial action taken) and the documentation is made available to the Supervisory Authority on request.
4.1.6. Onward Transfers
Your Personal Data is Transferred throughout American Express BCRs Entities and onward to third-parties, always ensuring an adequate level of protection for the Processing of your data as required by Applicable Data Protection Legislation, regardless of where it is Transferred.
This flow of data is legitimized through our BCRs, which allow Us to Transfer Personal Data from the EEA to the American Express BCRs Entities located outside of the EEA.
In all cases of onward Transfers (i.e., Personal Data that has first been Transferred from an EEA American Express BCRs Entity to a non-EEA American Express BCRs Entity and later transferred to third-party(ies) not covered by the BCRs), the American Express BCRs Entities will ensure that they enter into a written agreement with these third-parties containing provisions that ensure the Personal Data is protected at least to confidentiality and security standard contemplated by these BCRs, or use another valid legal method to ensure that the Transfer is lawful and adequate guarantees are given under Article 46 of the GDPR.
4.1.7. Accountability
All American Express BCRs Entities are responsible for, and must demonstrate compliance with, these BCRs. Compliance with these requirements includes:
- the maintenance of electronic records of Processing activities, available to the Supervisory Authorities on request, which contain the information required by the GDPR, such as the name and contact details of the Data Controller, the purposes of Processing, the categories of Data Subjects and categories of Personal Data, the recipients of the Personal Data, the Transfers to countries outside of the EEA, the time limits for erasure of the categories of Personal Data and the description of the security measures applied;
- the completion of Data Protection Impact Assessments (applicable only when the Processing activities are likely to result in a high risk to the rights and freedoms of the Data Subjects); and
- consultation with the relevant Supervisory Authorities when required to demonstrate such compliance.
In addition, the American Express BCRs Entities have put in place appropriate administrative, technical and organisational measures designed to implement data protection principles and to facilitate compliance with the requirements set up by these BCRs (data protection by design and by default).
4.2. Data Subjects’ rights
• Rights of access, restriction, objection, rectification, erasure, right to withdraw Consent and to data portability
The American Express BCRs Entities comply with your requests to exercise the rights entitled to You by the GDPR, where applicable. More specifically, We ensure that You can exercise your right to:
- access your Personal Data (right of access);
- restrict and/or object to the Processing of your Personal Data (right to restriction of Processing and right to object to Processing);
- rectify your Personal Data (right of rectification);
- erase your Personal Data (right to erasure);
- withdraw a previously provided Consent for Processing, and
- receive your Personal Data in a structured, commonly used and machine-readable format and/or transmit such data to another Data Controller (right to data portability).
The American Express BCRs Entities are subject to policies on how to handle such requests to ensure that You have the means to exercise these rights. If You would like to exercise any of your rights, You may contact our DPO at DPO-Europe@aexp.com.
• Automated decision making
The American Express BCRs Entities ensure that You are not subject to decisions based solely on automated Processing of Personal Data, including Profiling, which produce legal effects or similar significant effects, unless the Processing is:
- necessary for entering into or performing a contract between You and American Express;
- authorized by a law to which American Express is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- based on your explicit Consent to such Processing.
In accordance with applicable law(s), We will implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention, to express your point of view and to contest the decision.
In compliance with these restrictions, We may use automated processes to help Us make certain decisions, for example, to detect and manage fraud (e.g., to help decide whether your account is used for fraud or money laundering purposes or to detect if fraudsters have accessed your account); or to process card applications and assess credit and security risks. These methods are regularly tested to ensure that they remain fair, effective and unbiased.
You may contact our DPO at DPO-Europe@aexp.com to exercise your right to request a manual review of certain automated Processing activities that may impact your legal or other contractual rights or that may have a similar legal effect.
5. American Express DPO Network
American Express has appointed a DPO who monitors compliance with the BCRs. The DPO has the following tasks:
- informs and advises American Express entities and American Express Employees of their obligations under Applicable Data Protection Legislation;
- monitors compliance with Applicable Data Protection Legislation through the assessment of key risk indicators and controls. The DPO reports the results of these monitoring activities to the relevant internal senior-level governance forum;
- provides advice in connection with Data Protection Impact Assessments and monitors their performance;
- cooperates with Supervisory Authorities; and
- acts as a point of contact for Supervisory Authorities.
The DPO, appointed on the basis of professional qualities, reports to the American Express Chief Privacy Officer. The DPO is appointed by the European American Express entities as a Board Director of AEESA and American Express Payments Europe SA, respectively the group’s primary issuing and acquiring entities in Europe.
The appointment is communicated to the Supervisory Authorities of the European countries where American Express is established.
The DPO works closely with a network of privacy specialists and compliance lawyers located in each European market who monitor compliance with Applicable Data Protection Laws in their region. The DPO is supported in his/her tasks by the Global Privacy Office led by American Express Chief Privacy Officer.
6. Training and Awareness
All American Express BCRs Entities provide appropriate training materials and courses for all Employees, and in particular for Employees who collect, Process, have permanent or regular access to Personal Data or who are involved in the development of tools used to Process Personal Data, to ensure that they are aware of their obligations under Applicable Data Protection Legislation and these BCRs. Such courses are mandatory, and their completion is monitored.
7. Control and Audit
American Express has implemented a compliance programme that provides for regular compliance checks and audits of American Express BCRs Entities’ operations (by internal or, where needed, by external auditors) to ensure that the BCRs and all related policies and procedures are respected and up to date.
Data protection audits cover all aspects of the BCRs including methods of ensuring that corrective measures will take place.
Additional data protection audits may be requested by the DPO upon his/her own initiative or upon specific request of an American Express BCRs Entity. American Express’ internal audit group, as an independent control body, will assess the opportunity of these audit requests according to their risk assessment framework.
The results of these compliance checks and audits will be communicated to the Global Privacy Office of American Express, the DPO, the relevant Supervisory Authorities (if requested) and made available to the Audit Committee of the Board of Directors of American Express Company.
Where a compliance gap is found, the relevant American Express BCRs Entity must follow any specific guidance from the DPO. Where the guidance cannot be observed, the American Express BCRs Entity must document the reason for this.
American Express will also co-operate with any compliance checks conducted by any Supervisory Authority with applicable jurisdiction, whether commenced in response to a complaint from a Data Subject, or by the Supervisory Authority’s own initiative.
8. Compliance, Enforcement and Liability
8.1. Liability of American Express BCRs Entities
The American Express BCRs Entities are responsible for complying with the BCRs. In addition to the individual responsibilities of the American Express BCRs Entities, AEESA will accept responsibility for any breach of the BCRs by an American Express BCRs Entity outside of the EEA that Processes Personal Data as per Applicable Data Protection Legislation. AEESA shall be entitled to take any necessary action to remedy the acts or omissions of any American Express BCRs Entity that Processes Personal Data in violation of the BCRs.
AEESA is liable to pay compensation due for any material or non-material damages suffered by Data Subjects arising in connection with any breach of the BCRs. Compensation must be agreed upon by the DPO before an offer of redress or payment is made. All compensation paid will be in full satisfaction of the Data Subject’s claim against all American Express BCRs Entities. For the avoidance of doubt, AEESA’s liability extends to the acts or omissions of any American Express BCRs entity that is not situated in the EEA that breaches the BCRs.
If an American Express BCRs Entity (including when that entity is situated outside of the EEA) violates the BCRs, the competent European courts will have jurisdiction in relation to such violation. To the extent that an American Express BCRs Entity breaches the BCRs, Data Subjects, Supervisory Authorities and courts of applicable jurisdictions may exercise their rights and bring a claim against AEESA as if such conduct had been performed by AEESA in the EEA (for more information about how to lodge a complaint, please refer to section 9 below).
8.2. Third-Party Beneficiary Rights
Each Data Subject may enforce against AEESA or any American Express BCRs Entity, the terms of the following provisions of the BCRs as a third-party beneficiary:
- data protection principles (Section 4.1);
- transparency and easy access to BCRs (Section 1.2 and 4.1.1);
- Data Subjects’ rights (Section 4.2);
- compliance, enforcement and liability (Section 8);
- right to complain through the American Express internal complaint mechanism (Section 9);
- right to lodge a complaint with the Supervisory Authority and before the competent European court (Section 9);
- co-operation with Supervisory Authorities (Section 10); and
- conflict of laws (Section 11.1).
8.3. Burden of proof
AEESA bears the burden of proof in demonstrating that the American Express BCRs Entity situated outside of the EEA is not liable for any purported violation of the BCRs that gives rise to the Data Subject’s claim for compensation for damages. Where AEESA can prove that an American Express BCRs Entity outside of the EEA is not responsible for the event giving rise to the damage, AEESA and such company may discharge itself from such responsibility and liability.
9. How can you lodge a complaint and enforce the EU BCRs?
If You want to submit a complaint or claim and exercise your rights in relation to these BCRs, You are encouraged to contact the DPO at any time, in writing at AEESA’s headquarters at American Express Europe SA, Avenida Partenón 12 – 14, 28042 Madrid / SPAIN or via email at DPO-Europe@aexp.com.
Our DPO will address your complaints without undue delay and in any event, within one month. Taking into account the complexity and number of the requests, that one-month period may be extended at maximum by an additional two months, in which case We will inform You accordingly.
For more information on the American Express complaints handling process and on how to submit a complaint please visit our Online Privacy Statement.
If the issue is not resolved to your satisfaction, You may also:
- lodge a complaint with the Supervisory Authority in the Member State of your habitual residence, place of work or place of alleged infringement;
- bring your claim before a competent court of the European country where the relevant American Express BCRs Entity is established or where You have your habitual residence, and where appropriate, obtain compensation for the damages You suffered as a result of the breach of the above-mentioned Third-Party Beneficiary Rights.
10. Duty of cooperation with Supervisory Authorities
All American Express BCRs Entities will co-operate with, and accept to be audited by, any relevant Supervisory Authority and will comply with the advice of these Supervisory Authorities on any issues regarding the Applicable Data Protection Legislation.
If the Supervisory Authority finds that one of the American Express BCRs Entities has breached any of the rights offered to Data Subjects under these BCRs, this American Express BCRs Entity will abide by the findings of the Supervisory Authority, subject to the right to challenge or appeal such findings.
11. How do we handle potential conflicts of laws?
11.1. National legislation preventing compliance with the EU BCRs
In the event an American Express BCRs Entity has reason to believe a law to which it is subject precludes compliance with the BCRs or is likely to have a substantial effect on the guarantees set forth in the BCRs, the relevant contact for this American Express BCRs Entity will inform the DPO at AEESA unless prohibited by applicable law(s). Where necessary, the DPO will notify the competent Supervisory Authority of the conflict of law, save to the extent prohibited by applicable law(s).
If an American Express BCRs Entity receives a request for Personal Data by a law enforcement authority or state security body, the DPO will inform the competent Supervisory Authority about the request (including information about the data requested, the requesting body, and the legal basis for the disclosure). If, in specific cases, the suspension and/or notification to the competent Supervisory Authority is prohibited by applicable law(s), American Express will use its best efforts to waive this prohibition to expeditiously communicate as much information to the competent Supervisory Authority, and be able to demonstrate that it did so.
If, in the above cases, despite having used its reasonable efforts, the American Express BCRs Entity is not in a position to notify the competent Supervisory Authority, it will annually provide general information on the requests it received to the competent Supervisory Authority (such as the number of applications for disclosure, type of Personal Data requested, name of the requestor if possible, etc.).
In any case, Transfers of Personal Data by an American Express BCRs Entity to any public authority will not be massive, disproportionate and indiscriminate. This limitation shall apply to any legally binding request for disclosure of Personal Data by a law enforcement authority or state security body.
11.2. Relationship between national laws and the EU BCRs
Where the Applicable Data Protection Legislation requires a higher level of protection for Personal Data, those data protection laws will take precedence over these BCRs.
We may update the terms of our BCRs to, for instance, take account of modifications to the regulatory environment or the company structure. We commit to report material changes to our BCRs without undue delay to all American Express BCRs Entities and to the AEPD. Any changes to the BCRs or to the list of American Express BCRs Entities will be reported once a year to the relevant Supervisory Authorities, via the competent Supervisory Authority, with a brief explanation of the reasons justifying the update. Where a modification would possibly affect the level of protection offered by these BCRs or significantly affect these BCRs, it will be promptly communicated to the relevant Supervisory Authorities, via the competent Supervisory Authority.
American Express has identified a team that keeps a fully updated list of the American Express BCRs Entities and keeps track of and records any updates to the rules and provides the necessary information to the Data Subjects or Supervisory Authorities upon request. In addition, the American Express BCRs Entities will not make any Transfer to a new American Express BCRs Entity until this new entity is effectively bound by these BCRs and can deliver compliance.
• Description of the types and purposes of Processing activities
American Express is a globally integrated payments and travel company that is principally engaged in four segments: i) customer payment services, ii) merchant services, iii) network services and operations, and iv) travel, meetings and events services. Our Processing activities are carried out in the context of these activities, as described below.
i) Customer payment services
American Express issues a wide range of payment services (such as payment cards and credit cards) to individuals, each with related services (such as loyalty programmes, membership and award schemes, and insurance mediation).
To this end, We Process Customers’ Personal Data mainly to administer and service our contractual relationship; to manage any benefits, insurance or other programmes in which You are enrolled; to deliver products and services; to conduct research and analysis to improve our products and services; to better understand our Customers and deliver a more personalized service; to manage our fraud and security risks; to promote our products and services (subject to Consent where required by Applicable Data Protection Legislation); or to comply with applicable law(s).
American Express also offers commercial products and services to businesses (including corporate payment, expense management services and loan products).
To this end, We Process Customers’ Personal Data mainly to administer and service our contractual relationship; to deliver the commercial products and services; to enable Customers to develop reports that may allow them to maintain effective procurement policies, travel policies and procedures; to develop risk management policies, models and procedures and/or to make decisions about how We manage Customers’ accounts; to exchange information with fraud prevention agencies to trace debtors, recover debts, prevent fraud, manage accounts or insurance policies; to make decisions about offering products such as credit and related services; or to comply with applicable law(s).
ii) Merchant services
American Express operates a global merchant services business, which includes obtaining the agreement of merchants to accept American Express branded cards and other financial products from their customers as a means of payment, as well as permitting American Express to perform processing and settling of card transactions for those merchants.
As a part of this merchant services business, American Express notably assists merchants that accept American Express cards by providing analytical and consulting expertise to identify new trends, enable product innovation, and enable expansion and improvements to marketing through the more effective use of the American Express data infrastructure. The Processing activities carried out for these purposes will create deidentified or aggregated databases where it is appropriate.
To this end, We Process Personal Data mainly to administer and service our contractual relationship with merchants; to exchange information with credit reference agencies for preventing fraud or tracing debtors or for the purpose of identity verification; to develop our products and/or, subject to Consent where required by Applicable Data Protection Legislation, to offer products and services; or to comply with applicable law(s), including anti-money laundering and anti-terrorism laws.
iii) Network services and operations
The American Express network authenticates, clears and settles card transactions and provides multi-channel marketing programs and capabilities, services and data analytics. It manages and evolves American Express’ payment network reliability, security, and processing capabilities to enable commerce across the globe. In addition, the American Express network manages a variety of capabilities that enable payments in new forms or channels while implementing policy to govern the many parties that engage with the network.
To this end, We Process Personal Data mainly to administer transactions between American Express’ Customers and merchants that accept American Express. Processing activities include steps to prevent fraud and to comply with applicable law(s), including anti-money laundering and anti-terrorism laws.
iv) Travel, meetings and events services
American Express is one of the world’s largest travel agency businesses and annually makes millions of travel reservations for consumers and individual employees of corporate clients and, on an exceptional basis, their travel companions, who may wish to travel anywhere in the world.
American Express Global Business Travel (GBT) also provides travel management expertise to corporate clients and assists Customers in organising meetings and events on a global basis. Details on GBT’s processing activities can be found here - https://privacy.amexgbt.com/.
American Express also provides consumer travel services to individual consumers, but primarily those who are cardholders of an American Express branded card.
To this end, We Process Customers’ Personal Data mainly to manage the commercial relationship; to deliver services; to conduct research and analysis to improve our products and services; to better understand our Customers and deliver a more personalized service; to promote our products and services (subject to Consent where required by Applicable Data Protection Legislation); or to comply with applicable law(s).
v) Human resources
American Express BCRs Entities also Process Employees’ Personal Data mainly for the purpose of administering and fulfilling their employment relationship with American Express’ Employees (for instance, appointments or severance, background checks, performance management, work management or other personnel matters relating to the management of Employee relations); and to comply with internal policies and applicable law(s).
• Description of types of Personal Data
The types of Personal Data Processed are described in the various American Express Privacy Statements, as applicable to the Data Subjects’ relationship with American Express and may be generally described as follows:
i) Customers’ Personal Data
Customers’ Personal Data may include personal details (such as name, address, and other contact information), information relating to products and services used and purchased; creditworthiness; online activity including for instance information We collect when Customers access our online account services or via cookies and similar technologies; information relating to lifestyle and social circumstances; etc. To perform travel, meetings and events related services, American Express must Process Personal Data relating to the traveller, including nationality, passport details, gender, date of birth, location and travel preferences (together “Customers’ Personal Data”).
In some cases, Customers’ Personal Data may include Special Categories of Data, such as biometric information for security purposes (e.g., ID voice) or, for travel related services, details of any disability which may affect the ability to travel.
ii) Employees’ Personal Data
Employees’ Personal Data often includes, for instance, personal details (such as name, address, date of birth, phone number), family details, information relating to lifestyle and social circumstances; products and services used; online activity; creditworthiness; public office held; immigration status; and education and employment history and other employment related information such as performance or talent designations and compensation and benefits information (together “Employees’ Personal Data”).
In some cases, and where allowed by national laws, Employees’ Personal Data may include Special Categories of Data, including information about racial and ethnic origin, sexual orientation, information about Employees’ health, occupational health schemes, biometric data, equal opportunities monitoring, information on trade unions and works councils.
The American Express BCRs Entities are located in the following countries:
- Argentina
- Austria
- Australia
- Belgium
- Canada
- China
- Colombia
- Czech Republic
- Denmark
- Finland
- France
- Germany
- Greece
- Hong Kong
- Hungary
- India
- Ireland
- Italy
- Japan
- Jersey
- Malaysia
- Mexico
- Netherlands
- Norway
- Philippines
- Poland
- Russia
- Singapore
- Slovakia
- Spain
- Sweden
- Switzerland
- Taiwan
- Thailand
- United Kingdom
- United States
“AEESA” – means American Express Europe, S.A., located at Avenida Partenón 12-14, Madrid, 28042. AEESA is the European company within American Express that has assumed responsibility for ensuring that Personal Data is Processed in accordance with the BCRs. AEESA is a signatory party to the Intra-Group Agreement.
“American Express BCRs Entity” or “American Express BCRs Entities” or “We” or “Us” – means the American Express entity or entities which are bound by the Binding Corporate Rules.
“American Express Company” – means American Express Company, located at World Financial Center, 200 Vesey St., New York, NY 10285, USA. American Express Company is a signatory party to the Intra-Group Agreement.
“American Express Privacy Statements” - means the Cardmember Privacy Statement (for cardmembers), the Online Privacy Statement (for Customers and website visitors), the Online Recruitment Privacy Statement (for potential Employees), or the Employee Privacy Notice (for current Employees), and other notices, terms and conditions (such as for merchants and corporate clients) which are applicable to the Data Subject’s relationship with American Express and as amended from time to time.
“Applicable Data Protection Legislation” – means the GDPR (and the national implementing legislations), the e-Privacy Directive 2002/58/EC (and the national implementing legislations), and any other data protection law and regulation applicable in the EEA (all the above as amended and replaced from time to time).
“Consent” – means any freely given, specific, informed and unambiguous indication, through a statement or clear affirmative action, of the Data Subjects’ agreement to the Processing of their Personal Data.
“Data Breach” or “Personal Data Breach” - means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Data Controller” - means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Protection Impact Assessment” – means an assessment of the impact of an envisaged Processing operation on the protection of Personal Data carried out where the Processing is likely to result in a high risk to the rights and freedoms of Data Subjects.
“Data Subject(s)” or “You” – refers to an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person in scope of these BCRs.
“Data Processor” - means the natural or legal person, public authority, agency or any other body which Processes Personal Data on behalf of and under the instructions of the Data Controller.
“EEA” – means the European Economic Area, which includes all EU countries as well as Iceland, Liechtenstein and Norway.
“GDPR” – means the General Data Protection Regulation 2016/679.
“Intra-Group Agreement” – means the intra-group agreement that binds American Express BCRs Entities to the BCRs.
“Personal Data” – means any information relating to an identified or identifiable natural person (Data Subject) that is within the scope of these BCRs.
“Processing” or “Process” – means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Profiling” – means automated Processing of Personal Data intended to analyse or evaluate certain personal aspects relating to individuals (such as their performance at work, creditworthiness, reliability or conduct) or to make predictions about them.
“Special Categories of Data” – means any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data Processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
“Supervisory Authority” – means an independent public authority which is established by a Member State according to Article 51 GDPR.
“Transfer” – means any transfer of Personal Data from one company in the EEA to another, or any onward transfer, which would otherwise be restricted by the GDPR. A transfer is performed via any communication, copy or disclosure of Personal Data through a network, including remote access to a database or transfer from any medium to another.
AMERICAN EXPRESS
Copyright © 2023 American Express Company