GBT Global Privacy Rules
Effective as of 06 March 2024
At American Express Global Business Travel (GBT), our business depends on protecting and respecting privacy. We know that our corporate and direct customers and their travellers and meeting attendees, our employees, and our service providers entrust us with their personal information and trust us to safeguard it.
GBT treats traveller personal information in accordance with the GBT Global Privacy Statement (at http://privacy.amexgbt.com/statement). GBT treats employee personal information in accordance with its employee and contractor privacy statements. These Rules will be published on GBT's Privacy Portal (at http://privacy.amexgbt.com/). For a detailed description of the material scope of the data processing under the Rules, please refer to Appendix 1.
We provide travel management, travel consultancy and meetings & events services in more than 100 countries around the world. To provide travel services on such a scale, it is necessary for us to transfer personal information to other countries. Those who entrust us with their personal information can be sure that wherever it is transferred and used, it will be treated with consistently high standards of data protection.
GBT BV III (GBT Netherlands) and other GBT companies have signed an agreement to respect and adhere to the obligations and safeguards described in these GBT Global Privacy Rules ("Rules") which makes these Rules binding on and enforceable against all GBT companies internally, and where indicated in these Rules and the agreement, enforceable by external parties. The list of GBT companies is attached in Appendix 2.
Personal Information
We use the term personal information throughout our privacy materials, instead of EU law's personal data, to make it clearer to our people around the world. Wherever we use personal information, it is as defined in the EU law: any information relating to a natural person who can be identified from that information, directly or indirectly, and in particular by reference to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.
SCOPE AND PURPOSE
These Rules apply to all personal information received and processed by any GBT company, or transferred between GBT companies and their employees, wherever in the world those companies are located. They are designed to provide a global framework and a baseline set of requirements to protect the personal information of all corporate and direct customers and their travellers, meeting attendees, service providers and employees, regardless of the requirements of applicable data protection law.
The transfers of personal information that are made subject to these Rules are necessary for GBT's business activities, which include the following:
- Providing services: We store personal information such as employee identity and contact details, payment information, travel preferences and booking information in order to provide the services requested by our travellers or by someone else on their behalf. For travel to happen, we must store and share this information with airlines, hotels and other travel suppliers, who could be located anywhere in the world. We use this personal information for the purpose of managing travel and bookings, processing payments, preparing accounts and financial records (including invoices), operating our websites and applications and marketing our products and services.
- Adapting and improving: We capture, integrate and analyse personal information to make our tools and services smarter, by creating aggregated data that helps us assess and receive services from service providers and travel suppliers, identify savings and compliance opportunities, negotiate better rates and lower travel program costs.
- Looking after our staff: This includes recruiting, managing, developing, communicating with and remunerating employees, managing employee records, conducting performance reviews, licensing and registration, assessment and collection of taxes and other revenue, information and system administration, crime prevention and prosecution of offenders, accounting and auditing. (By employees, we mean GBT's current, former and prospective employees, interns and contractors).
The nature of a travel management business means that we provide services both directly to travellers and meeting attendees (who are the data subjects) and to our corporate customers (who are independent controllers), and so GBT acts as a controller in relation to the personal information described here.
SPECIAL AND SENSITIVE CATEGORIES OF PERSONAL INFORMATION
When processing special or sensitive categories of personal information, GBT companies comply with the additional legal and regulatory steps required by data protection law to protect data subjects' privacy. GBT companies commit to process such personal information only if and to the extent they are legally permitted to do so and insofar as necessary for the specific purpose of the processing. GBT companies also commit to taking security measures appropriate to the sensitive nature of the personal information processed, to ensure that any special and sensitive information is adequately protected.
Pursuant to the EU General Data Protection Regulation 2016/679 (the GDPR), special categories of personal information include personal information revealing an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic and biometric data, information concerning an individual's health, and information about an individual's sex life or sexual orientation. The GDPR also imposes restrictions on the processing of personal information relating to criminal convictions and offences. In addition, local laws applicable in the country where data subjects reside or where GBT companies operate may impose additional requirements or restrictions on the processing of this information or of other (sensitive) types of personal information (for example social security numbers or other personal identification numbers). GBT companies ensure that any such special or sensitive personal information is only processed in compliance with the applicable legal requirements and restrictions, so that data subjects' privacy is protected.
DATA PROTECTION AND PRIVACY PRINCIPLES
GBT's Data Protection and Privacy Principles govern everything we do with personal information.
LAWFULNESS, FAIRNESS AND TRANSPARENCY
We collect and use personal information only insofar as it is necessary for the provision of our services and, where legally required, permitted by the individuals concerned or by law, and we do so lawfully and fairly. This means that we only process personal information if and to the extent that we have a legal basis to do so.
Transparency
We ensure that we are transparent towards individuals whose personal information we process. This means that we make it clear via our GBT Global Privacy Statement how personal information will be processed and which GBT companies are responsible for the processing of personal information. Where we collect personal information from data subjects, we provide them with the information contained in our privacy statement, available at https://privacy.amexgbt.com/statement, and in our employee and contractor privacy statements. These notices provide the information required by Articles 13 and 14 of the GDPR and other applicable laws. In particular, we provide the data subject with all of the following information:
If the personal information was not obtained directly from the data subject, we also provide information about the categories of personal information concerned and the source from which the personal information originates and, if applicable, whether it came from publicly accessible sources. Where the personal information is obtained directly from the data subject, we provide the above information at the time the information is obtained. Where the personal information is not obtained from the data subject directly, we provide the notice within a reasonable period after obtaining the personal information, but at the latest within one month, having regard to the specific circumstances of the processing. If the personal information is to be used for communication with the data subject, we provide the notice at the latest at the time of the first communication to the data subject, or, if a disclosure to another recipient is envisaged, at the latest when the personal information is first disclosed.
Legal basis for processing
We use the following legal bases for the processing of the personal information at hand, depending on the circumstances and as further described in the privacy statements we provide during interactions with data subjects:
In addition, we only process special or sensitive categories of personal information in compliance with the applicable legal requirements and restrictions, as further detailed above. A list of GBT companies is attached in Appendix 2, and a more detailed description of the material scope of the data processing under the Rules is provided in Appendix 1.
PURPOSE LIMITATION
We do not use personal information for purposes that are incompatible with the purposes for which it was collected or processed by us, as further detailed in our privacy notice and the additional applicable privacy statements we provide.
DATA MINIMISATION
We ensure that the personal information we collect is adequate, relevant and limited to what is necessary for the purposes for which it is processed.
ACCURACY
We use appropriate technology and well-defined employee practices to process personal information accurately and ensure it is correct and up to date, including when shared with relevant third parties. We apply privacy-by-design practices in our product development lifecycle, which means that we take into account the privacy aspects of the products and services we develop.
STORAGE LIMITATION
We do not keep personal information in a form that allows identification of individuals for longer than is necessary for the purposes for which the personal information is being processed. The retention and deletion of personal information is governed by a written policy, tailored to the applicable legal requirements.
INTEGRITY AND CONFIDENTIALITY
We keep personal information confidential and limit access to those who need it for the purposes we have made clear. We use appropriate administrative, technical and physical security measures to protect personal information against unlawful processing, taking into account the principles of privacy by design and by default. Where we pass personal information to other internal or external processors to process, on our behalf, personal information that we control, we require them to enter into a data processing agreement that complies with the requirements of applicable law before the processing begins. The data processing agreement is binding on the processor with regard to GBT and sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal information and categories of data subjects, and the obligations and rights of GBT. Moreover, the data processing agreement stipulates, at a minimum, that the processor:
The data processing agreement also requires the processor to notify us of any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information transmitted, stored or otherwise processed (a personal information breach), by notifying our Security Operations Centre. All personal information breaches are handled in accordance with our incident response plan and assessed by the GBT privacy team. Where we become aware of a personal information breach, we notify the competent supervisory authority of it without undue delay and in any case not later than 72 hours after having become aware of it, unless the personal information breach is unlikely to result in a risk to the rights and freedoms of natural persons. In addition to our internal notification obligation (on the basis of our incident response plan) and our notification obligation to the competent supervisory authority, where the personal information breach is likely to result in a high risk to the rights and freedoms of data subjects, we communicate the personal information breach to the data subject without undue delay. We keep a record of personal information breaches, comprising the facts relating to the personal information breach, its effects and the remedial action taken. The record is made available to the supervisory authority on request, to enable it to verify compliance.
DATA SUBJECT RIGHTS
We respond promptly and accurately to individuals' requests in respect of their personal information, whether to understand how it is processed or to exercise other data protection rights, regardless of where that personal information is processed and stored. Individuals have the right to:
INTERNATIONAL TRANSFERS
No matter where we process and store personal information, it continues to be protected by these principles. We make it clear when personal information is transferred out of the country, we make sure such transfers are compliant with law, and we apply appropriate safeguards to any onward transfers to third parties outside the EEA. This means that we only transfer personal information outside the EEA:
In addition to the foregoing, we take into account the level of protection of personal information in the country or territory to which personal information subject to the GDPR is transferred or onward transferred, regardless of the legal basis of the transfer under the GDPR, and take supplementary measures appropriate to ensure that the transferred personal information benefits from a level of protection equivalent to the standards applicable to it under EU law. We do not transfer personal information subject to the GDPR to countries or territories outside the EU which we believe do not, even with supplementary measures, offer an adequate level of protection. In more detail, we abide by the following:
The parties involved in the data transfer, i.e. the data exporter (the party providing (access to) the personal information) and the data importer (the party receiving (access to) the personal information), warrant that they have no reason to believe that the laws and practices in the country or territory of destination applicable to the processing of the personal information by the data importer, including any requirements to disclose personal information or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Rules. This is based on the data importer's and data exporter's understanding that laws and practices that respect the essence of the fundamental rights and freedoms, and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of the GDPR, are not in contradiction with these Rules.
Assessment of the level of protection of personal information transferred
To establish this, the data exporter and the data importer make an assessment of the level of protection of personal information in the country or territory to which personal information is transferred, and take supplementary measures appropriate to ensure that the transferred personal information benefits from a level of protection equivalent to the standards applicable to it under EU law. In this assessment, all relevant circumstances are taken into account, including in particular:
The data importer further warrants that, in carrying out this assessment, it has made its best efforts to provide the data exporter with all relevant information, and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Rules. The assessment is documented and made available to the competent supervisory authority upon request.
Notification of public authority access
Following the receipt of such notification, or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Rules, the data exporter promptly identifies appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. In case the data importer and the data exporter are data processors within the meaning of the GDPR, the data exporter does so in consultation with the controller.
Information duties
Suspension and termination of the transfer
Effect of termination
In case the data exporter is a data processor and the data importer is a data controller within the meaning of the GDPR, personal information collected by the data exporter in the EU that has been transferred prior to the termination of the contract is immediately deleted in its entirety, including any copy thereof. The data importer certifies the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer continues to ensure compliance with these Rules. In case local laws applicable to the data importer prohibit the return or deletion of the transferred personal information, the data importer warrants that it will continue to ensure compliance with these Rules and will only process the data to the extent and for as long as required under that local law.
RESPONSIBILITY
These principles are binding on everyone at GBT through our Code of Conduct. We provide appropriate annual privacy training on these Rules (GBT's binding corporate rules, or BCRs) to personnel and third parties (such as contractors) who have regular or permanent access to GBT personal information, who are involved in the collection of data, or who are involved in the development of tools used to process personal information. We regularly review compliance, and employees who violate these principles may be subject to disciplinary action. Employees must report violations of these principles to their managers, the privacy team or other compliance personnel, or by using the Ethics Helpline.
ACCOUNTABILITY
We have appointed a Chief Privacy Officer to head the Global Privacy Team. The Global Privacy Team plays a formal oversight role in business activities impacting personal information, including product development, vendor onboarding, marketing reviews and data governance decisions. Contact details of the Global Privacy Team are provided below. Where required by EU or Member State law, we also have a formally appointed Data Protection Officer ("DPO") who monitors compliance with these Rules and is responsible for administering training and complaints. Contact details of the DPO are provided in the GBT Global Privacy Statement (at http://privacy.amexgbt.com/statement). We apply effective measures to monitor and enforce compliance with all aspects of these Rules and our data protection obligations, including methods of ensuring that corrective actions take place. This includes:
Results are reported to the Chief Risk & Compliance Officer, Chief Privacy Officer and/or DPO, shared with the Board, and shared with supervisory authorities on request. We keep a record of processing activities carried out under our responsibility. The record is made available to the supervisory authority on request, to enable it to verify compliance. That record contains all of the following information:
PRIVACY BY DESIGN
We review new uses of personal information using a privacy-by-design programme which is embedded in GBT's product development lifecycle. GBT's product development lifecycle requires a privacy review for every new product or product change, and a full data protection impact assessment (DPIA) for products assessed at high or medium privacy risk. GBT consults the relevant supervisory authority prior to processing personal information where a DPIA indicates that there is a high risk to individuals' privacy from the intended processing and GBT cannot mitigate this risk.
RIGHTS GRANTED TO INDIVIDUALS
Where the processing of personal information under these Rules is subject to the GDPR, we comply with the specific requirements of the GDPR wherever in the world the processing takes place, and data subjects have special rights to enforce these Rules as third-party beneficiaries. This means that data subjects who have rights under the GDPR, as described in the section below, and whose personal information is transferred to a country or territory in which the GDPR does not apply directly, can still invoke these rights after their personal information is transferred to such country or territory. In other words, these rights travel with the data wherever the data goes. In particular, these individuals can enforce the following elements of these Rules as third-party beneficiaries:
- the "Data Protection and Privacy Principles" above;
- the right to receive the information set out in the GBT Global Privacy Statement (if you are a customer) or the employee and contractor privacy statements and to enforce the rights they describe, and which are also described in the “Data Subject Rights” principle in these Rules, namely correction, deletion, access to and portability of data; restriction of and objection to processing; and the right not to be subject to decisions based solely on automated processing;
- the "Conflict of Laws" section below;
- the right to complain through our internal complaint mechanism and to lodge a complaint with a supervisory authority or court (explained under "Questions, Complaints or Concerns" below);
- the "Ensuring Accountability" section below;
- the "Cooperation" section below;
- the rights in relation to judicial remedies and other forms of redress as set out under "Enforcement and Liability" below; and
- the right to have easy access to these Global Privacy Rules and the Privacy Statement. GBT shall ensure that these documents are made available publicly at http://privacy.amexgbt.com.
QUESTIONS, COMPLAINTS OR CONCERNS
Any individual with a complaint about the processing of personal information, or who wants to enforce the above rights, is requested to contact us so that we can try to resolve any concerns. We can be reached via https://privacy.amexgbt.com/contact, by email at [email protected], or at the following address:
Global Privacy Team
American Express Global Business Travel
Hoogoorddreef 15,
Atlas-Arena
1101 BA
Amsterdam Zuidoost
Individuals that are GBT employees with complaints or concerns, or who want to enforce the above rights, can also use our internal reporting tools. The Global Privacy Team is responsible for dealing with such complaints and all responses will be reviewed by the Chief Privacy Officer and/or DPO.
We promptly respond to and escalate all privacy-related questions, requests, complaints and concerns as soon as possible, and in any event within the legally and contractually required response time. Where an individual is exercising their rights in relation to correction, deletion, access to and portability of data; restriction of and objection to processing; or the right not to be subject to decisions based solely on automated processing, we respond within one month of receiving the request or query. This can be extended by two more months if necessary due to complexity or number of requests. If this is the case, within one month of the initial request we will contact the individual to explain the reason and the expected date for a response.
We investigate all complaints and provide redress for any legitimate grievances. If we find that the individual's complaint is not legitimate, we contact the complainant to explain.
While we encourage individuals to contact us first to try and resolve any complaints, individuals also have the right to lodge a complaint before:
- a supervisory authority, in particular in the country where they work or are habitually resident, or where the alleged infringement took place; or
- the courts, as described under "Enforcement and Liability" below.
ENFORCEMENT AND LIABILITY
In addition to any other rights the individual has, any individual whose personal information has been transferred on the basis of the BCR, and who considers that his or her rights under these principles have been infringed, has the right to take action in the courts:
- in the country where they work or are habitually resident; or
- where the GBT entity that is the controller of the personal information has an establishment.
GBT Netherlands takes responsibility for any alleged violations of these Rules by any GBT company outside of the EEA affecting individuals whose personal information has been transferred on the basis of the BCR. GBT Netherlands ensures that the necessary actions are taken to address violations. GBT Netherlands is responsible for paying compensation for any damages and paying any fine or penalty arising out of a breach of these Rules by any GBT company.
If a GBT company outside of the EEA violates these Rules, the courts or other competent authorities in the EEA will have jurisdiction and the individual whose personal information has been transferred on the basis of the BCR will have the rights and remedies against GBT Netherlands as if GBT Netherlands had violated the Rules.
Where an individual whose personal information has been transferred on the basis of the BCR considers that his or her rights under these principles have been infringed by any GBT company, he or she may bring a claim against GBT Netherlands as a third-party beneficiary to seek remedies for such a breach, including compensation for the damages suffered as a result of the breach. Such claims may be brought:
- in the courts of Amsterdam, the Netherlands; or
- in the courts of the EEA country in which the individual works or is habitually resident.
If an individual whose personal information has been transferred on the basis of the BCR can demonstrate that he or she has suffered damage and establish facts showing that the damage is likely to have occurred because of a breach of these Rules by a GBT company outside of the EEA, then a breach of these Rules will be deemed to have occurred unless GBT Netherlands demonstrates that either:
- no breach of the Rules has occurred, or
- the GBT company outside of the EEA was not responsible for the alleged breach.
As stated under "Questions, Complaints or Concerns" above, individuals also have the right to lodge a complaint before a supervisory authority, in particular in the country where they work or are habitually resident, or where the alleged infringement took place.
ENSURING ACCOUNTABILITY
Appropriate senior management are responsible for overseeing and ensuring compliance with these Rules, and enjoy the highest management support for the fulfilling of this task. GBT's Global Privacy Team is overseen by the Chief Privacy Officer. The team's responsibilities include managing GBT's privacy program, monitoring compliance, including all aspects of the BCRs, due diligence and compliance controls in relation to processors engaged, handling complaints and ensuring training remains up-to-date. The Group’s DPO is appointed by GBT III B.V. in the Netherlands and registered as such by the Dutch supervisory authority.
Privacy at GBT is governed through a binding policy framework that includes a top-level policy on privacy risk management, along with standards tailored to specific countries or areas of privacy risk. The Risk & Compliance Office applies a robust control environment built on comprehensive risk management best practices.
Independent assurance is provided by a central internal audit function, which ensures that privacy processes and procedures, including all aspects of the BCRs, are well-designed and operating as intended and incorporates procedures for correcting identified issues. GBT commits to having data protection audits periodically (on average on a biennial basis but no less than every three years), although the frequency thereof will depend on the level of risk attaching to a particular process. Audit results are communicated to the Chief Privacy Officer and/or DPO, Chief Risk and Compliance Officer, executive management and the Audit Committee of the Board of Directors.
In addition, the supervisory authorities who have jurisdiction over GBT's practices under these Rules have a right to verify our compliance with them, including by way of data protection audits. GBT will share the results of its data protection audits with such authorities upon request.
COOPERATION
Each GBT company co-operates with, and submits to audits by, the supervisory authority in the country where it is located or in the case of non-EEA GBT companies, relevant supervisory authorities in the EEA competent for the EEA data exporter(s) of the transfer at stake. Each GBT company complies with the advice and decisions of any such authority relating to the interpretation and application of these Rules. GBT reserves the right to challenge or appeal such decisions.
CONFLICT OF LAWS
Where a GBT company has reason to believe that applicable law in a third country prevents that company from fulfilling its obligations under these Rules or has a substantial effect on the guarantees provided by these Rules, that company promptly informs GBT Netherlands and the GBT Privacy Team unless it is prohibited from doing so by law, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.
If that GBT company or GBT Netherlands considers that such law is likely to have a substantial adverse effect on the guarantees provided by these Rules, it notifies the supervisory authorities unless, or to the extent that, it is prohibited from doing so by law. This includes any legally binding request for disclosure of personal information by a law enforcement authority or state security body. In such a case, the supervisory authorities are clearly informed about the request, including information about the data requested, the requesting body, and the legal basis for the disclosure (unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation).
If in such cases the suspension and/or notification are prohibited, the GBT company uses its best efforts to obtain the right to waive this prohibition in order to communicate as much information as it can and as soon as possible, and be able to demonstrate that it did so.
If, in the above cases, despite having used its best efforts, the requested GBT company is not in a position to notify the competent supervisory authority, it commits to annually providing general information on the requests it received to the competent supervisory authority (e.g. number of applications for disclosure, type of data requested, requester if possible, etc.).
Where a GBT company is required to transfer personal information to a public authority, it ensures the transfer is not massive, disproportionate or indiscriminate in a manner that would go beyond what is necessary in a democratic society.
If local legislation requires a higher level of protection for personal information than these Rules, GBT complies with such legislation over and above these Rules.
Where individuals have the protection of the GDPR in relation to the processing of their personal information, that protection will not be diminished when the personal information is transferred outside the EEA on the basis of these Rules.
CHANGES TO THE RULES
These Rules, including their Appendices, may be amended, for example to take into account changes in the regulatory environment or in GBT's company structure. In the latter case, no transfer is made to a new GBT company until that company is effectively bound by the BCRs and can deliver compliance. We draw such changes to the attention of all GBT companies without undue delay following the amendment. GBT's Global Privacy Team keeps a record of all changes to the Rules.
We report changes to the Rules, to the list of GBT companies and/or the other Appendices annually to the relevant supervisory authorities via the lead supervisory authority, unless the modifications affect the level of protection offered by the Rules or otherwise significantly affect the Rules, in which case we promptly communicate such changes to the relevant supervisory authorities via the lead supervisory authority. Where we report changes to the Rules, we provide an explanation on the reasons justifying those changes.
We also use appropriate means to inform data subjects of relevant changes to the BCR.
GBT's Global Privacy Team maintains a publicly available, up-to-date list of all GBT companies subject to these Rules. We do not transfer any personal information to a new GBT company until it is effectively bound by the Rules.
Data subjects’ rights to enforce these Rules shall survive any termination of the intracompany agreement that makes them binding on the GBT companies.
Effective date: 06 March 2024
APPENDIX 1: DESCRIPTION OF PROCESSING AND DATA FLOWS
Nature of the data covered by the BCRs.
Customer data
To perform travel-related services, GBT must process personal information relating to the traveller, including his/her name, address, phone, email, nationality, age, passport details, dietary preferences and details of any disability which may affect his/her ability to travel etc. and potentially emergency contact details. Traveller data is also used to provide event management services as part of performance of the GBT Meetings & Events service or, on an aggregated basis, to advise how to structure a customer's travel management policy and reduce company travel costs, as part of the GBT consultancy service. That information must be transferred around the world to wherever travellers wish to go.
Employee data
GBT employs and retains many employees, directors, individual consultants, contingent workers and staff. The data covered by the BCRs are all the human resource records and information that relate to former, current and prospective employees, directors, individual consultants, contingent workers, retirees, job applicants as well as any data given to GBT by such persons relating to third parties, for example dependants, and beneficiaries under employees' life insurance policies or for their emergency contacts.
Service provider data
GBT contracts various service providers in the course of business. During service provider review, GBT receives basic information for contact purposes, including name, business email and business phone. If determined that the provider has anti-corruption or sanctions risk, information about the service provider's beneficial owner(s) is required to perform proper screening activities.
Nature of the personal information being transferred
Travel is inherently personal and global and travel services involve a multitude of personal information – from names, addresses and passport numbers, to travel preferences that disclose sensitive characteristics like religion or health (when provided). That information must be transferred around the world to wherever travellers wish to go. Please see above for more information on the nature of the personal information being transferred.
Data flow description
Customer data
Customer data that originates within the EEA will in most cases flow to GBT entities located in the EEA to be stored in GBT or third-party data centres located in the EEA, the UK, and the US. Where GBT receives data in a data feed directly from its customers, EEA customers will have signed a contract with a local GBT entity in one of GBT's proprietary markets, and so this initial data feed occurs within the EEA. Travellers then use the shell profile created by this initial data feed to create their traveller profile, which is stored in databases operated by the providers of online booking tools and by the independent global distribution system ("GDS") in use in that region. The traveller profile is also synced back to GBT servers to provide consistent servicing to travellers across tools and GDSs, and can then be accessed by GBT entities in other countries where travellers choose to travel. The GDSs are subject to the EU Code of Conduct on the use of computerised reservation systems and are regulated as data controllers.
When GBT makes a reservation using the GDS, the passenger information stored in the GDS will permit the creation of a reservation, a Passenger Name Record ("PNR"). PNRs must be shared with travel suppliers (like airlines, hotels and transportation providers) for travel services to operate.
GBT uses data from the traveller profile and the PNR to power its services back to the customer and to the traveller, including invoice and itinerary delivery, a mobile travel app, reporting systems for customers, duty of care programs and emergency travel services. The data and applications that provide these services are hosted in data centres located in Germany and the US.
Employee data
GBT receives employee data from employees located in every proprietary country where it operates. This data is transferred to central HR operations based on a Workday-operated database maintained in the US and accessed by HR employees in the country of employment, in the UK and in the US. Information in corporate directories and other business applications is available across the GBT global footprint. Employee information is also shared with parties who carry out IT system support, payroll, training, compliance, ethics helpline administration, organisational programs and other activities on GBT's behalf.
Service provider data
Service provider data relates to employees or owners of service providers located anywhere in the world where our services are provided. It is processed and stored centrally in the US in databases internally housed within GBT or in databases associated with our e-GRC tool provided by a service provider in the US.
Type of processing and the purposes for which the data covered by the BCRs
Customer data
Data is processed for the following purposes:
- To provide GBT's products and services, including:
- to book travel, organise meetings and events, prepare itineraries and invoices, communicate with travellers about products and services, provide customer service, manage customers' accounts, and provide travellers and their employers with emergency services; and
- to provide travel, meetings and events, consulting, business insights, and other related services to travellers' employers or travel sponsors, to comply with GBT's agreements with them, to communicate about GBT products and services, and to help travellers' employers or travel sponsors ensure compliance with their policies.
- To market goods and services to prospective customers;
- To process payments and transactions and provide related customer service;
- To operate websites and mobile applications, including using device data to monitor and improve the performance and content of services, provide updates, analyse trends and usage in connection with services, and measure whether ads and offers are effective; and
- To operate and improve GBT's business, using travellers' information for compliance with GBT company policies and procedures; for accounting and financial purposes; to detect or prevent fraud or criminal activity; to perform, analyse and improve GBT's business and services; and otherwise as required by law.
Employee data
Personal information is transferred for the following purposes:
- Administration of employment contracts, payroll and employee benefits, including insurance and pensions;
- Compliance with employment-related legal requirements such as income tax, national insurance deduction and employment and immigration laws and responding to requests and legal demands from regulators or other authorities;
- Administration of the workforce, including training and development, evaluation, rewards, assigning tasks, managing activities, planning, travel and expenses;
- Implementing and maintaining IT systems, including providing IT support, ensuring business continuity, and managing security services and IT access rights and administration of GBT's ethics helpline;
- Verification of the personal information related to former employment, educational history, and professional standing, and completion of background checks;
- Administering health and safety programmes and policies and corporate resource planning; and
- Monitoring GBT's premises and property.
Post-transfer processing: The personal information transferred will be processed for the administration of human resources functions and the maintenance of GBT's workforce and may be further processed by third party service providers who provide payroll services, health and other insurance, and other benefits to employees.
Service provider data
Service provider data is maintained in our GBT systems, including compliance tools, payment, expenses and finance systems, so that we can engage, screen, manage and pay our vendors.
Purposes for which the data covered by the BCRs are transferred to third countries
Data covered by the BCRs are transferred to third countries for the same reasons as they are transferred within the EEA as described above. The cross-border flow of personal information is inherent to the operation of global travel agency activities.
APPENDIX 2: LIST OF GBT ENTITIES
Region | Country | Company Name | Registered Office Address |
---|---|---|---|
GBT UK BCR SUMMARY
Effective as of 06 March 2024
American Express Global Business Travel (“GBT”) has approved binding corporate rules (“EU BCR”), which are an internationally recognized standard providing adequate protection of personal data in multinational companies. The EU BCR were reviewed and approved by data protection authorities across Europe. A copy of GBT’s EU BCR is available on our Global Privacy Rules page.
GBT has entered into the UK BCR Addendum to the approved EU BCR. The UK BCR Addendum is a formal legal mechanism which extends the scope of the EU BCR to include transfers of personal data from the UK. Together, the EU BCR and the UK BCR Addendum form GBT’s UK BCR (“UK BCR”). Further information about the UK BCR addendum process is available on the UK Information Commissioner’s Office (“ICO”) website at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/guide-to-binding-corporate-rules/a-uk-bcr-addendum/
The purpose of this UK BCR summary is to provide information to individuals whose personal data is transferred under the UK BCR so that they know how their information is processed, what rights they have under the UK BCR and how to enforce them.
Contact details for queries about GBT’s UK BCR
GBT can be reached using privacy.amexgbt.com/contact, by email at [email protected] or at the following addresses:
Global Privacy Team, American Express Global Business Travel, Hoogoorddreef 15, Atlas-Arena, 1101 BA Amsterdam Zuidoost
or
GBT Travel Services UK Limited (Lead UK BCR Member), FAO: Chief Privacy Officer, 5 Churchill Place, Canary Wharf, London E14 5HU
Data transfers covered by GBT’s UK BCR
A description of the data transfers covered by GBT’s BCR (including the UK BCR) can be found in Appendix 1: Description of Processing and Data Flows of the EU BCR. The relevant information from the EU BCR is repeated below with minor changes to reflect data transfers from/to the UK where necessary (in red).
Nature of the data covered by the BCRs.
Nature of the personal information being transferred
Travel is inherently personal and global and travel services involve a multitude of personal information – from names, addresses and passport numbers, to travel preferences that disclose sensitive characteristics like religion or health (when provided). That information must be transferred around the world to wherever travellers wish to go. Please see above for more information on the nature of the personal information being transferred.
Data flow description
When GBT makes a reservation using the GDS, the passenger information stored in the GDS will permit the creation of a reservation, a Passenger Name Record ("PNR"). PNRs must be shared with travel suppliers (like airlines, hotels and transportation providers) for travel services to operate. GBT uses data from the traveller profile and the PNR to power its services back to the customer and to the traveller, including invoice and itinerary delivery, a mobile travel app, reporting systems for customers, duty of care programs and emergency travel services. The data and applications that provide these services are hosted in data centres located in Germany and the US.
Type of processing and the purposes for which the data covered by the BCRs
Customer data: Data is processed for the following purposes:
Employee data: Personal information is transferred for the following purposes:
Service provider data
Service provider data is maintained in our GBT systems, including compliance tools, payment, expenses and finance systems, so that we can engage, screen, manage and pay our vendors.
Purposes for which the data covered by the BCRs are transferred to third countries
Data covered by the BCRs are transferred to third countries for the same reasons as they are transferred within the EEA and/or UK as described above. The cross-border flow of personal information is inherent to the operation of global travel agency activities.
LIST OF COUNTRIES WHERE PERSONAL DATA IS TRANSFERRED TO UNDER THE UK BCR
THE RIGHTS OF INDIVIDUALS WHOSE PERSONAL DATA IS TRANSFERRED UNDER THE UK BCR, INCLUDING THIRD PARTY BENEFICIARY RIGHTS, AND THE MEANS TO EXERCISE THOSE RIGHTS.
The rights of individuals whose personal data is transferred under GBT’s BCR (including the UK BCR) are as described in the following sections of the EU BCR:
HOW TO COMPLAIN TO GBT BCR MEMBERS
Details of how to complain to GBT about the BCR (including the UK BCR) are as set out in the section “Questions, Complaints or Concerns” of the EU BCR. As indicated in this section and specifically in a UK context, any individual with a complaint about the processing of personal information or who wants to enforce the above rights is requested to contact us so that we can try to resolve any concerns. We can be reached using privacy.amexgbt.com/contact, by email at [email protected] or at the following addresses:
Global Privacy Team, American Express Global Business Travel, Hoogoorddreef 15, Atlas-Arena, 1101 BA Amsterdam Zuidoost
or
GBT Travel Services UK Limited (Lead UK BCR Member), FAO: Chief Privacy Officer, 5 Churchill Place, Canary Wharf, London E14 5HU
Individuals that are GBT employees with complaints or concerns, or who want to enforce the above rights, can also use our internal reporting tools. The Global Privacy Team is responsible for dealing with such complaints and all responses will be reviewed by the Chief Privacy Officer and/or DPO.
HOW TO COMPLAIN TO THE UK INFORMATION COMMISSIONER’S OFFICE ABOUT GBT’S UK BCR
Individuals have the right to make a complaint about GBT’s UK BCR to the ICO – for more information please see https://ico.org.uk/for-the-public/how-to-make-a-data-protection-complaint/
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Textphone: 01625 545860
Monday to Friday, 9am to 4:30pm
INFORMATION ABOUT UK COURT CLAIMS
Below we provide information about how to bring a claim in the UK courts against GBT for redress and, where appropriate, compensation for a breach of the UK BCR Addendum by GBT Travel Services UK Limited (the Lead UK BCR Member) and any Non-UK BCR Member. The individual court systems provide guidance on how to bring a claim in England and Wales, Scotland and Northern Ireland. Citizens Advice provides information on taking legal action in England and Wales, Scotland and Northern Ireland. Finally, you can find further information at: