GBT Global Privacy Rules

Effective as of 06 March 2024

At American Express Global Business Travel (GBT), our business depends on protecting and respecting privacy. We know that our corporate and direct customers and their travellers and meeting attendees, our employees, and our service providers entrust us with their personal information and trust us to safeguard it.

GBT treats traveller personal information in accordance with the GBT Global Privacy Statement (at http://privacy.amexgbt.com/statement). GBT treats employee personal information in accordance with its employee and contractor privacy statements. These Rules will be published on GBT's Privacy Portal (at http://privacy.amexgbt.com/). For a detailed description of the material scope of the data processing under the Rules, please refer to Appendix 1.

We provide travel management, travel consultancy and meetings & events services in more than 100 countries around the world. To provide travel services on such a scale, it is necessary for us to transfer personal information to other countries. Those who entrust us with their personal information can be sure that wherever it is transferred and used, it will be treated with consistently high standards of data protection.

GBT BV III (GBT Netherlands) and other GBT companies have signed an agreement to respect and adhere to the obligations and safeguards described in these GBT Global Privacy Rules ("Rules") which makes these Rules binding on and enforceable against all GBT companies internally, and where indicated in these Rules and the agreement, enforceable by external parties. The list of GBT companies is attached in Appendix 2.

Personal Information

We use the term personal information throughout our privacy materials, instead of EU law's personal data, to make it clearer to our people around the world. Wherever we use personal information, it is as defined in the EU law: any information relating to a natural person who can be identified from that information, directly or indirectly, and in particular by reference to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.

SCOPE AND PURPOSE

These Rules apply to all personal information received and processed by any GBT company or transferred between GBT companies and their employees, wherever those companies are in the world and are designed to provide a global framework and a baseline set of requirements to protect the personal information of all corporate and direct customers and their travellers, meeting attendees, service providers and employees regardless of the requirements of applicable data protection law.

The transfers of personal information that are made subject to these Rules are necessary for GBT's business activities, which include the following:

  • Providing services: We store personal information such as employee identity and contact details, payment information, travel preferences and booking information in order to provide the services requested by our travellers or by someone else on their behalf. For travel to happen, we must store and share this information with airlines, hotels and other travel suppliers who could be located anywhere in the world. We use this personal information for the purpose of managing travels and bookings, processing payments, preparing accounts and financial records (including invoices), operating our websites and applications and marketing our products and services.
  • Adapting and improving: We capture, integrate and analyse personal information to make our tools and services smarter, by creating aggregated data that helps us assess and receive services from service providers and travel suppliers, identify savings and compliance opportunities, negotiate better rates and lower travel program costs.
  • Looking after our staff: This includes recruiting, managing, developing, communicating with and remunerating employees, managing employee records, conducting performance reviews, licensing and registration, assessment and collection of taxes and other revenue, information and system administration, crime prevention and prosecution of offenders, accounting and auditing. (By employees, we mean GBT's current, former and prospective employees, interns and contractors).

The nature of a travel management business means that we provide services both directly to travellers and meeting attendees (who are the data subjects) and to our corporate customers (who are independent controllers), and so GBT acts as a controller in relation to the personal information described here.

SPECIAL AND SENSITIVE CATEGORIES OF PERSONAL INFORMATION

When processing special or sensitive categories of personal information, GBT companies comply with additional legal and regulatory steps required by data protection law to protect data subjects' privacy. GBT companies commit to only process such personal information if and to the extent it is legally permitted to do so and insofar as necessary for the specific purpose of the processing. GBT companies also commit to taking security measures appropriate to the sensitive nature of the personal information processed to safeguard that any special and sensitive information is adequately protected.

Pursuant to the EU General Data Protection Regulation 2016/679 (the GDPR), special categories of personal information include personal information revealing an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics and biometrics, information concerning an individual's health, and sexual life or orientation. The GDPR also imposes restrictions on the processing of personal information revealing criminal behavior. In addition, local laws applicable in the country where data subjects reside or where GBT companies operate may impose additional requirements or restrictions on the processing of this information or other (sensitive) types of personal information (for example social security numbers or other personal identification numbers). GBT companies ensure that any such special or sensitive personal information is only processed in compliance with the legal requirements and restrictions applicable, so that data subjects' privacy is protected.

DATA PROTECTION AND PRIVACY PRINCIPLES

GBT's Data Protection and Privacy Principles govern everything we do with personal information.

LAWFULNESS, FAIRNESS AND TRANSPARENCY

We collect and use personal information only insofar as it is necessary for the provision of our services and, where legally required, permitted by them, or permitted by law, and we do it lawfully and fairly. This means that we only process personal information if and to the extent we have a legal basis to do so.

Transparency

We ensure that we are transparent towards individuals whose personal information we process. This means that we make it clear via our GBT Global Privacy Statement how personal information will be processed and which GBT companies are responsible for the processing of personal information. Where we collect personal information from data subjects, we provide them with the information contained in our privacy statement, available at: https://privacy.amexgbt.com/statement and our employee and contractor privacy statements. These notices provide the information required by Articles 13 and 14 of the GDPR and other applicable laws.

In particular, we provide the data subject with all of the following information:

  • the identity and the contact details of the data controller, and where applicable, the controller's representative and contact details of the data protection officer.
  • the purposes of the processing for which the personal information is intended as well as the legal basis for the processing (see more information on legal basis below). Where the processing is based on the legitimate interest legal basis, a description of the legitimate interest pursued. Where the processing is based on consent, information about the data subject's right to withdraw consent and how to exercise such right.
  • the recipients or categories of recipients of the personal information (if any) and whether the data controller intends to transfer personal data to a third country or international organisation and if so, the legal basis for such data transfer and information on how to receive or find a copy of the appropriate or suitable safeguards in place.
  • the period for which the personal information will be stored, or if that is not possible, the criteria used to determine that period
  • the existence of data subject rights and how to exercise those rights, including information about the right to lodge a complaint with a supervisory authority
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal information and the possible consequences of failure to provide such information
  • the existence of automated decision-making, including profiling, and in those cases, meaningful information about the logic involved, the significance and the envisaged consequences of such processing for the data subject.
  • where the data controller intends to further process the personal data for a purpose other than that for which the personal data were collected or obtained, we inform the data subject in advance about that other purpose and provide the data subject with any of the above relevant further information concerning that further processing.

If the personal information was not obtained directly from the data subject, we also provide information about the categories of personal information concerned and from which source the personal information originates, and, if applicable, whether it came from publicly accessible sources.

Where the personal data is obtained directly from the data subject, we provide the above information at the time the data are obtained. Where the personal information is not obtained from the data subject directly, we provide the notice within a reasonable period after obtaining the personal information, but at the latest within one month, having regard to the specific circumstances of the processing. If the personal information is to be used for communication with the data subject, we provide the notice at the latest at the time of the first communication to the data subject, or if a disclosure to another recipient is envisaged, at the latest when the personal information is first disclosed.

Legal basis for processing

We use the following legal bases for the processing of the personal information at hand, depending on the circumstances and as further described in the privacy statements we provide during interactions with data subjects:

  • The data subject has given consent to the processing of his or her data for one or more specified purposes
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • Processing is necessary for compliance with a legal obligation to which GBT is subject
  • Processing is necessary in order to protect the vital interests of the data subject or another natural person
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in GBT
  • Processing is necessary for the purposes of legitimate interests pursued by GBT or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal information, particularly where the data subject is a child

In addition, we only process special or sensitive categories of personal information in compliance with the legal requirements and restrictions applicable, as further detailed above.

A list of GBT companies is attached in Appendix 2 and a more detailed description of the material scope of the data processing under the Rules is provided for in Appendix 1.

PURPOSE LIMITATION

We do not use the personal information for other purposes that are incompatible with the purposes for which such personal information was collected or processed by us - as further detailed in our privacy notice and additional applicable privacy statements we provide.

DATA MINIMISATION

We ensure that the personal information we collect is adequate, relevant and limited to what is necessary for the purposes for which it is processed.

ACCURACY

We use appropriate technology and well-defined employee practices to process personal information accurately and ensure it is correct and up to date, including when shared with relevant third parties. We apply privacy-by-design practices in our product development lifecycle, which means that we take into account the privacy aspects of the products and services we develop.

STORAGE LIMITATION

We do not keep personal information in a form that allows identification of individuals for longer than is necessary for the purposes for which the personal information is being processed. The retention and deletion of personal information is governed by a written policy, tailored to the legal requirements applicable.

INTEGRITY AND CONFIDENTIALITY

We keep personal information confidential and limit access to those who need it for the purposes we've made clear. We use appropriate administrative, technical and physical security measures to protect personal information against unlawful processing taking into account the principles of privacy by design and by default.

Where we pass personal information to other internal or external processors to process the personal information that we control on our behalf, we require them to enter into a data processing agreement that complies with the requirements of applicable law before the processing begins. The data processing agreement shall be binding on the processor with regard to GBT and set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal information and categories of data subjects and the obligations and rights of GBT.

Moreover, the data processing agreement stipulates, at minimum, that the processor:

  • processes the personal information only on documented instructions from GBT, including with regard to transfers of personal information to a third country, unless required to do so by the laws of the European Union or a Member State to which the processor is subject;
  • ensures that persons authorised to process the personal information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
  • taking into account the nature of the processing, assists GBT by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of GBT's obligation to respond to requests for exercising the data subject's rights laid down in the GDPR;
  • assists GBT in ensuring compliance with the obligations under the GDPR;
  • at the choice of GBT, deletes or returns all the personal information to GBT after the end of the provision of services relating to processing, and deletes existing copies unless required by law to which the processor is subject;
  • respects the conditions referred to above for engaging another processor; and
  • makes available to GBT all information necessary to demonstrate compliance with its obligations and allow for and contribute to audits, including inspections, conducted by GBT or another auditor mandated by GBT.

The data processing agreement also requires the processor to notify us of any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information transmitted, stored or otherwise processed (a personal information breach) by notifying our Security Operations Centre. All personal information breaches are handled in accordance with our incident response plan and assessed by the GBT privacy team.

Where we become aware of a personal information breach, we notify, without undue delay and in any case not later than 72 hours after having become aware of it, the personal information breach to the competent supervisory authority, unless the personal information breach is unlikely to result in a risk to the rights and freedoms of natural persons.

In addition to our internal notification obligation (on the basis of our incident response plan) and our notification obligation to the competent supervisory authority, where the personal information breach is likely to result in a high risk to the rights and freedoms of data subjects, we communicate the personal information breach to the data subject without undue delay.

We keep a record of personal information breaches, comprising the facts relating to the personal information breach, its effects and remedial action taken. The record is made available to the supervisory authority on request, to enable it to verify compliance.

DATA SUBJECT RIGHTS

We respond promptly and accurately to individuals' requests in respect of their personal information, to understand how it is processed or to exercise other data protection rights regardless of where that personal information is processed and stored. Individuals have the right to:

  • Receive confirmation from us as to whether or not their personal information is being processed, a copy of their personal information, and the following information about the processing of that personal information:
    • the purposes of the processing;
    • the categories of personal information concerned;
    • the recipients or categories of recipients to whom the information is disclosed, in particular recipients located in a third country. If the third country is not recognized by the European Commission as ensuring an adequate level of protection, individuals shall have the right to be informed of the appropriate safeguards authorizing such transfers;
    • the envisaged period for which the personal information will be stored, or, if not possible, the criteria used to determine that period;
    • the existence of the right to request rectification or erasure of personal information, or restriction of processing of personal information, or to object to such processing;
    • the right to lodge a complaint with a Supervisory Authority;
    • any available information as to the source of personal information which has not been collected from the individual; and
    • the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved in any automatic processing as well as the significance and the envisaged consequences of such processing for the individual.
  • Without undue delay, require from us the rectification of personal information about them where it is inaccurate. Taking into account the purposes of the processing, individuals have the right to have incomplete personal information completed, including by means of a supplementary statement;
  • Without undue delay, require from us the erasure of the personal information where:
    • it is no longer necessary for the purpose for which it was processed;
    • the legal basis for processing is consent, consent is withdrawn and there is no other legal basis for the processing;
    • the individual objects to processing, including profiling undertaken on the basis of legitimate interests of the controller or a third party and there are no overriding legitimate grounds for the processing;
    • the individual objects to processing, including profiling, for direct marketing purposes;
    • the personal information has been unlawfully processed;
    • the personal information has to be erased to comply with EU Member State law to which GBT is subject; or
    • personal information has been collected in relation to the offer of information society services to children.
  • Require us to restrict the processing of their personal information where:
    • the accuracy of the personal information is disputed for a period enabling GBT to verify the accuracy of the personal information;
    • the processing is unlawful and the individual opposes the erasure of the personal information and requests restriction instead;
    • GBT no longer needs the personal information, but it is required by the individual for the establishment, exercise or defence of legal claims; or
    • the individual has objected to processing including profiling undertaken on the basis of legitimate interests of the controller or a third party, pending verification that there are no overriding legitimate grounds for the processing.
  • Receive his or her personal information in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from GBT, where:
    • personal information is processed based on consent or on a contract with the individual; or
    • the processing is carried out by automated means.
  • Object to processing, including profiling:
    • based on GBT’s legitimate interests, unless GBT can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual or for the establishment, exercise or defence of legal claims, to the processing, including profiling of personal information for direct marketing purposes;
    • based on public interests or official authority that may be vested in GBT; or
    • for direct marketing purposes, which includes profiling related to such direct marketing.
  • Not be subject to a decision based solely on automated processing including profiling, which produces legal effects concerning him or her or significantly affects him or her, unless the decision:
    • is necessary for entering into, or performing a contract between GBT and the individual;
    • is authorised by applicable EU Member State law; or
    • is based on the individual’s explicit consent.
    Where such decision is necessary for entering into, or performing, a contract between GBT and the individual or based on the individual's consent, we implement suitable measures to safeguard the individual's rights and freedoms and legitimate interests, at least the right to obtain human intervention on GBT's part, to express the individual's point of view and to contest the decision. Furthermore, automated individual decision-making, including profiling, is not based on special categories of personal information referred to in Article 9(1) of the GDPR, unless (a) the individual has given explicit consent to the processing of that personal information for one or more specified purposes (except where EU or Member State law provides that the prohibition for processing special categories of personal information may not be lifted by the data subject), or (b) the processing is necessary for reasons of substantial public interest, on the basis of EU or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the individual, and - in each case - GBT ensures that suitable measures to safeguard the individual's rights and freedoms and legitimate interests are in place.

INTERNATIONAL TRANSFERS

No matter where we process and store personal information, it continues to be protected by these principles. We make it clear when personal information is transferred out of the country, and we make sure such transfers are compliant with law and apply appropriate safeguards to any onward transfers to third parties outside the EEA. This means that we only transfer personal information outside the EEA:

  • where the recipient is located in a country whose laws have been deemed by the EU Commission to offer adequate protection to the privacy of data subjects (Article 45 of the GDPR); or
  • where we are transferring the personal information to one of the GBT companies that is bound by these Rules (Article 47 of the GDPR), or in the case of vendors and travel suppliers, subject to standard data protection clauses adopted by the EU Commission (Article 46 (d) of the GDPR); or
  • in the case of travel suppliers such as hotels or airlines, where ad hoc, non-systematic transfers are made, subject to either the explicit consent of the data subject, or the derogation in Article 49 (1) b of the GDPR: that the transfer is necessary for the performance of a contract between the data subject and GBT or the derogation in Article 49 (1) c of the GDPR: the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between GBT and the client; or
  • in any other circumstances, a valid ground is available under Article 48 of the GDPR or an applicable derogation applies subject to Article 49 of the GDPR.

In addition to the foregoing, we take into account the level of protection of personal information in the country or territory to which personal information subject to the GDPR is transferred or onward transferred - regardless of the legal basis of the transfer under the GDPR - and take supplementary measures appropriate to safeguard that personal information transferred benefits from a level of protection equivalent to the standards applicable to it under EU law. We do not transfer personal information subject to countries or territories outside the EU which we believe do not, even with supplementary measures, offer an adequate level of protection.

In more detail, we abide by the following:

The parties involved in the data transfer, i.e. the data exporter (i.e. the party providing (access to) the personal information) and the data importer (i.e. the party receiving (access to) the personal information), shall warrant that they have no reason to believe that the laws and practices in the country or territory of destination applicable to the processing of the personal information by the data importer, including any requirements to disclose personal information or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Rules. This is based on the data importer's and data exporter's understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of the GDPR, are not in contradiction with these Rules.

Assessment of level of protection of personal information transferred
To establish this, the data exporter and the data importer make an assessment of the level of protection of personal information in the country or territory to which personal information is transferred, and take supplementary measures appropriate to safeguard that personal information transferred benefits from a level of protection equivalent to the standards applicable to it under EU law. In this assessment, all relevant circumstances are taken into account, including in particular:

  • The specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal information; the economic sector in which the transfer occurs and the storage location of the data transferred.
  • The laws and practices of the third country of destination (including those requiring the disclosure of data to public authorities or authorising access by such authorities) relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards. This includes for example the existence of data protection and privacy laws, regulations and supervision of such laws in the country concerned, and the powers of local authorities to gain access to the personal information processed in the country.
  • Any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Rules, including measures applied during transmission and to the processing of the personal information in the country of destination.

The data importer further warrants that, in carrying out this assessment, it has made its best efforts to provide the data exporter with all relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Rules.

The assessment is documented and made available to the competent supervisory authority upon request.

Notification of public authority access
The data importer notifies the data exporter promptly, for as long as the transfer takes place, if it has reason to believe that it is or has become subject to laws or practices not in line with the applicable requirements (as above), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with these requirements. In case the data importer and the data exporter are data processors within the meaning of the GDPR, the data exporter forwards the notification from the data importer to the controller.

Following the receipt of such notification, or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Rules, the data exporter promptly identifies appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. In case the data importer and the data exporter are data processors within the meaning of the GDPR, the data exporter does so in consultation with the controller.

Information duties
In addition, the data importer promptly notifies the data exporter if it receives a legally binding request to disclose transferred personal information from, or becomes aware of direct access thereto by, a public or judicial authority in the country of destination, unless the data importer is legally prohibited from notifying the data exporter, in which case it uses its best efforts to obtain a waiver of the prohibition. The data importer agrees to review the legality of such disclosure requests or direct access, and make use of any opportunity to suspend, challenge, object or appeal it if it concludes that there are reasonable grounds to consider that the request or access is unlawful. The data importer provides the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. The data importer adequately documents and preserves all relevant information pertaining to authority disclosure and access of transferred personal information with a view to communicating to the data exporter as much information as possible, as soon as possible.

Suspension and termination of the transfer
The data exporter suspends the data transfer if it considers that no appropriate safeguards for the transfer can be ensured, or if instructed by the data controller (where applicable) or by the competent supervisory authority to do so. In case the data transferred is subject to a contract (e.g. standard data protection clauses between the data exporter and the data importer), the data exporter is entitled to terminate the contract, insofar as it concerns the processing of personal information under such contract. If such contract involves more than two parties, the data exporter may exercise this right to termination only with respect to the relevant party, unless the parties have agreed otherwise.

Effect of termination
In case of such termination, personal information that has been transferred prior to the termination of the contract is, at the choice of the data exporter, immediately returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data.

In case the data exporter is a data processor and the data importer is a data controller within the meaning of the GDPR, personal information collected by the data exporter in the EU that has been transferred prior to the termination of the contract is immediately deleted in its entirety, including any copy thereof. The data importer certifies the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer continues to ensure compliance with these Rules. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal information, the data importer warrants that it will continue to ensure compliance with these Rules and only process the data to the extent and for as long as required under that local law.

RESPONSIBILITY

These principles are binding on everyone at GBT through our Code of Conduct. We provide appropriate annual privacy training on the BCRs to personnel and third parties (such as contractors) that have (regular or permanent) access to GBT personal data, who are involved in the collection of data or in the development of tools used to process personal data. We regularly review compliance, and employees who violate these principles may be subject to disciplinary action. Employees must report violations of these principles to their managers, the privacy team or other compliance personnel, or by using the Ethics Helpline.

ACCOUNTABILITY

We have appointed a Chief Privacy Officer to head the Global Privacy Team. The global privacy team plays a formal oversight role in business activities impacting personal information, including product development, vendor onboarding, marketing reviews and data governance decisions. Contact details of the Global Privacy Team are provided below.

Where required by EU or Member State law, we also have a formally appointed Data Protection Officer ("DPO") who monitors compliance with these Rules and is responsible for administering training and complaints. Contact details of the DPO are provided in the GBT Global Privacy Statement (at http://privacy.amexgbt.com/statement).

We apply effective measures to monitor and enforce compliance with all aspects of these Rules and our data protection obligations, including methods of ensuring that corrective actions take place. This includes:

  • Regular formal assessments to identify strategic and operational privacy risks. Annual documented planning based on the output of these assessments, adjusted through the year;
  • Proactive testing, monitoring and reporting of risk and control metrics designed to identify potential gaps, trends or increasing risk areas that may require new or improved processes;
  • Periodic review by GBT's Internal Audit Function, on average on a biennial basis (but no less than every three years); and
  • An Annual Privacy Risk Management Report.

Results are reported to the Chief Risk & Compliance Officer, Chief Privacy Officer, and/or DPO, are shared with the Board, and are shared with supervisory authorities on request.

We keep a record of processing activities carried out under our responsibility. The record is made available to the supervisory authority on request, to enable it to verify compliance. That record contains all of the following information:

  • the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
  • the purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal information;
  • the categories of recipients to whom the personal information have been or will be disclosed including recipients in third countries or international organisations;
  • where applicable, transfers of personal information to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of the different categories of data; and
  • where possible, a general description of the technical and organisational security measures taken.

PRIVACY BY DESIGN

We review new uses of personal information using a privacy-by-design programme which is embedded in GBT's product development lifecycle. GBT's product development lifecycle requires a privacy review for every new product or product change, and a full data protection impact assessment (DPIA) for products assessed at high or medium privacy risk. GBT consults the relevant supervisory authority prior to processing personal information where a DPIA indicates that there is a high risk to individuals' privacy from the intended processing and GBT cannot mitigate this risk.

RIGHTS GRANTED TO INDIVIDUALS

Where the processing of personal information under these Rules is subject to the GDPR, we comply with the specific requirements of the GDPR wherever in the world the processing takes place and data subjects have special rights to enforce these Rules as third-party beneficiaries. This means that data subjects who have rights under the GDPR and as described in the section below, and whose personal information is transferred to a country or territory in which the GDPR does not apply directly, can still invoke these rights after their personal information is transferred to such country or territory. In other words, these rights travel with the data wherever the data goes. Particularly, these individuals can enforce the following elements of these Rules as third-party beneficiaries:

  • the "Data Protection and Privacy Principles" above;
  • the right to receive the information set out in the GBT Global Privacy Statement (if you are a customer) or the employee and contractor privacy statements and to enforce the rights they describe, and which are also described in the “Data Subject Rights” principle in these Rules, namely correction, deletion, access to and portability of data; restriction of and objection to processing; and the right not to be subject to decisions based solely on automated processing;
  • the "Conflict of Laws" section below;
  • the right to complain through our internal complaint mechanism and to lodge a complaint with a supervisory authority or court (explained under "Questions, Complaints or Concerns" below);
  • the "Ensuring Accountability" section below;
  • the "Cooperation" section below;
  • the rights in relation to judicial remedies and other forms of redress as set out under "Enforcement and Liability" below; and
  • the right to have easy access to these Global Privacy Rules and the Privacy Statement. GBT shall ensure that these documents are made available publicly at http://privacy.amexgbt.com.

QUESTIONS, COMPLAINTS OR CONCERNS

Any individual with a complaint about the processing of personal information or who wants to enforce the above rights is requested to contact us so that we can try to resolve any concerns. We can be reached using https://privacy.amexgbt.com/contact, by email at [email protected] or at the following address:

Global Privacy Team
American Express Global Business Travel
Hoogoorddreef 15,
Atlas-Arena
1101 BA
Amsterdam Zuidoost

Individuals that are GBT employees with complaints or concerns, or who want to enforce the above rights, can also use our internal reporting tools. The Global Privacy Team is responsible for dealing with such complaints and all responses will be reviewed by the Chief Privacy Officer and/or DPO.

We promptly respond to and escalate all privacy-related questions, requests, complaints and concerns as soon as possible, and in any event within the legally and contractually required response time. Where an individual is exercising their rights in relation to correction, deletion, access to and portability of data; restriction of and objection to processing; or the right not to be subject to decisions based solely on automated processing, we respond within one month of receiving the request or query. This can be extended by two more months if necessary due to complexity or number of requests. If this is the case, within one month of the initial request we will contact the individual to explain the reason and the expected date for a response.

We investigate all complaints and provide redress for any legitimate grievances. If we find that the individual's complaint is not legitimate, we contact the complainant to explain.

While we encourage individuals to contact us first to try and resolve any complaints, individuals also have the right to lodge a complaint before:

  • a supervisory authority, in particular in the country where they work or are habitually resident, or where the alleged infringement took place; or
  • the courts, as described under "Enforcement and Liability" below.

ENFORCEMENT AND LIABILITY

In addition to any other rights the individual has, any individual whose personal information has been transferred on the basis of the BCR, and who considers that his or her rights under these principles have been infringed, has the right to take action in the courts:

  • in the country where they work or are habitually resident; or
  • where the GBT entity that is the controller of the personal information has an establishment.

GBT Netherlands takes responsibility for any alleged violations of these Rules by any GBT company outside of the EEA affecting individuals whose personal information has been transferred on the basis of the BCR. GBT Netherlands ensures that the necessary actions are taken to address violations. GBT Netherlands is responsible for paying compensation for any damages and paying any fine or penalty arising out of a breach of these Rules by any GBT company.

If a GBT company outside of the EEA violates these Rules, the courts or other competent authorities in the EEA will have jurisdiction and the individual whose personal information has been transferred on the basis of the BCR will have the rights and remedies against GBT Netherlands as if GBT Netherlands had violated the Rules.

Where an individual whose personal information has been transferred on the basis of the BCR considers that his or her rights under these principles have been infringed by any GBT company, he or she may bring a claim against GBT Netherlands as a third-party beneficiary to seek remedies for such a breach, including compensation for the damages suffered as a result of the breach. Such claims may be brought:

  • in the courts of Amsterdam, the Netherlands; or
  • in the courts of the EEA country in which the individual works or is habitually resident.

If an individual whose personal information has been transferred on the basis of the BCR can demonstrate that he or she has suffered damage and establish facts showing that the damage is likely to have occurred because of a breach of these Rules by a GBT company outside of the EEA, then a breach of these Rules will be deemed to have occurred unless GBT Netherlands demonstrates that either:

  • no breach of the Rules has occurred, or
  • the GBT company outside of the EEA was not responsible for the alleged breach.

As stated under "Questions, Complaints or Concerns" above, individuals also have the right to lodge a complaint before a supervisory authority, in particular in the country where they work or are habitually resident, or where the alleged infringement took place.

ENSURING ACCOUNTABILITY

Appropriate senior management are responsible for overseeing and ensuring compliance with these Rules, and enjoy the highest management support for the fulfilling of this task. GBT's Global Privacy Team is overseen by the Chief Privacy Officer. The team's responsibilities include managing GBT's privacy program, monitoring compliance, including all aspects of the BCRs, due diligence and compliance controls in relation to processors engaged, handling complaints and ensuring training remains up-to-date. The Group’s DPO is appointed by GBT III B.V. in the Netherlands and registered as such by the Dutch supervisory authority.

Privacy at GBT is governed through a binding policy framework that includes a top-level policy on privacy risk management, along with standards tailored to specific countries or areas of privacy risk. The Risk & Compliance Office applies a robust control environment built on comprehensive risk management best practices.

Independent assurance is provided by a central internal audit function, which ensures that privacy processes and procedures, including all aspects of the BCRs, are well-designed and operating as intended and incorporates procedures for correcting identified issues. GBT commits to having data protection audits periodically (on average on a biennial basis but no less than every three years), although the frequency thereof will depend on the level of risk attaching to a particular process. Audit results are communicated to the Chief Privacy Officer and/or DPO, Chief Risk and Compliance Officer, executive management and the Audit Committee of the Board of Directors.

In addition, the supervisory authorities who have jurisdiction over GBT's practices under these Rules have a right to verify our compliance with them, including by way of data protection audits. GBT will share the results of its data protection audits with such authorities upon request.

COOPERATION

Each GBT company co-operates with, and submits to audits by, the supervisory authority in the country where it is located or in the case of non-EEA GBT companies, relevant supervisory authorities in the EEA competent for the EEA data exporter(s) of the transfer at stake. Each GBT company complies with the advice and decisions of any such authority relating to the interpretation and application of these Rules. GBT reserves the right to challenge or appeal such decisions.

CONFLICT OF LAWS

Where a GBT company has reason to believe that applicable law in a third country prevents that company from fulfilling its obligations under these Rules or has a substantial effect on the guarantees provided by these Rules, that company promptly informs GBT Netherlands and the GBT Privacy Team unless it is prohibited from doing so by law, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.

If that GBT company or GBT Netherlands considers that such law is likely to have a substantial adverse effect on the guarantees provided by these Rules, it notifies the supervisory authorities unless or to the extent that it is prohibited from doing so by law. This includes any legally binding request for disclosure of the personal data by a law enforcement authority or state security body. In such a case, the supervisory authorities are clearly informed about the request, including information about the data requested, the requesting body, and the legal basis for the disclosure (unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation).

If in such cases the suspension and/or notification are prohibited, the GBT company uses its best efforts to obtain the right to waive this prohibition in order to communicate as much information as it can and as soon as possible, and be able to demonstrate that it did so.

If, in the above cases, despite having used its best efforts, the requested GBT company is not in a position to notify the competent supervisory authority, it commits to annually providing general information on the requests it received to the competent supervisory authority (e.g. number of applications for disclosure, type of data requested, requester if possible, etc.).

Where a GBT company is required to transfer personal information to a public authority, it ensures the transfer is not massive, disproportionate or indiscriminate in a manner that would go beyond what is necessary in a democratic society.

If local legislation requires a higher level of protection for personal information than these Rules, GBT complies with such legislation over and above these Rules.

Where individuals have the protection of the GDPR in relation to the processing of their personal information, that protection will not be diminished when the personal information is transferred outside the EEA on the basis of these Rules.

CHANGES TO THE RULES

These Rules, including their Appendices, may be amended, for example to take into account changes in the regulatory environment or GBT's company structure. For the latter, no transfer is made to a new GBT company until the company is effectively bound by the BCRs and can deliver compliance. We draw such changes to the attention of all GBT companies without undue delay following the amendment. GBT's Global Privacy Team keeps a record of all changes to the Rules.

We report changes to the Rules, to the list of GBT companies and/or the other Appendices annually to the relevant supervisory authorities via the lead supervisory authority, unless the modifications affect the level of protection offered by the Rules or otherwise significantly affect the Rules, in which case we promptly communicate such changes to the relevant supervisory authorities via the lead supervisory authority. Where we report changes to the Rules, we provide an explanation on the reasons justifying those changes.

We also use appropriate means to inform data subjects of relevant changes to the BCR.

GBT's Global Privacy Team maintains a publicly available, up-to-date list of all GBT companies subject to these Rules. We do not transfer any personal information to a new GBT company until it is effectively bound by the Rules.

Data subjects’ rights to enforce these Rules shall survive any termination of the intracompany agreement that makes them binding on the GBT companies.

Effective date: 06 March 2024

APPENDIX 1: DESCRIPTION OF PROCESSING AND DATA FLOWS

Nature of the data covered by the BCRs.

Customer data

To perform travel-related services, GBT must process personal information relating to the traveller, including his/her name, address, phone, email, nationality, age, passport details, dietary preferences and details of any disability which may affect his/her ability to travel etc. and potentially emergency contact details. Traveller data is also used to provide event management services as part of performance of the GBT Meetings & Events service or, on an aggregated basis, to advise how to structure a customer's travel management policy and reduce company travel costs, as part of the GBT consultancy service. That information must be transferred around the world to wherever travellers wish to go.

Employee data

GBT employs and retains many employees, directors, individual consultants, contingent workers and staff. The nature of the data covered by the BCRs are all the human resource records and information that relate to former, current and prospective employees, directors, individual consultants, contingent workers, retirees, job applicants as well as any data given to GBT by such persons relating to third parties, for example dependants, and beneficiaries under employees' life insurance policies or for their emergency contacts.

Service provider data

GBT contracts various service providers in the course of business. During service provider review, GBT receives basic information for contact purposes, including name, business email and business phone. If it is determined that the provider has anti-corruption or sanctions risk, information about the service provider's beneficial owner(s) is required to perform proper screening activities.

Nature of the personal information being transferred

Travel is inherently personal and global and travel services involve a multitude of personal information – from names, addresses and passport numbers, to travel preferences that disclose sensitive characteristics like religion or health (when provided). That information must be transferred around the world to wherever travellers wish to go. Please see above for more information on the nature of the personal information being transferred.

Data flow description

Customer data

Customer data that originates within the EEA will in most cases flow to GBT entities located in the EEA to be stored in GBT or third-party data centres located in the EEA, the UK, and the US. Where GBT receives data in a data feed directly from its customers, EEA customers sign a contract with a local GBT entity in one of GBT's proprietary markets, and so this initial data feed occurs within the EEA. Travellers then use the shell profile created by this initial data feed to create their traveller profile, which is stored in databases operated by the providers of online booking tools and by the independent global distribution system ("GDS") in use in that region. The traveller profile is also synced back to GBT servers to provide consistent servicing to travellers across tools and GDSs, and can then be accessed by GBT entities in other countries where travellers choose to travel. The GDSs are subject to the EU Code of Conduct on the use of computerised reservation systems and are regulated as data controllers.

When GBT makes a reservation using the GDS, the passenger information stored in the GDS will permit the creation of a reservation, a Passenger Name Record ("PNR"). PNRs must be shared with travel suppliers (like airlines, hotels and transportation providers) for travel services to operate.

GBT uses data from the traveller profile and the PNR to power its services back to the customer and to the traveller, including invoice and itinerary delivery, a mobile travel app, reporting systems for customers, duty of care programs and emergency travel services. The data and applications that provide these services are hosted in data centres located in Germany and the US.

Employee data

GBT receives employee data from employees located in every proprietary country where it operates. This data is transferred to central HR operations based on a Workday-operated database maintained in the US and accessed by HR employees in the country of employment, in the UK and in the US. Information in corporate directories and other business applications is available across the GBT global footprint. Employee information is also shared with parties who carry out IT system support, payroll, training, compliance, ethics helpline administration, organisational programs and other activities on GBT's behalf.

Service provider data

Service provider data relate to employees or owners of service providers located anywhere in the world where our services are provided. They are processed and stored centrally in the US in databases internally housed within GBT or in databases associated with our e-GRC tool provided by a service provider in the US.

Type of processing and the purposes for which the data covered by the BCRs

Customer data

Data is processed for the following purposes:

  • To provide GBT's products and services, including:
    • to book travel, organise meetings and events, prepare itineraries and invoices, communicate with travellers about products and services, provide customer service, manage customers' accounts, and provide travellers and their employers with emergency services; and
    • to provide travel, meetings and events, consulting, business insights, and other related services to travellers' employers or travel sponsors, to comply with GBT's agreements with them, to communicate about GBT products and services, and to help travellers' employers or travel sponsors ensure compliance with their policies.
  • To market goods and services to prospective customers;
  • To process payments and transactions and provide related customer service;
  • To operate websites and mobile applications, including using device data to monitor and improve the performance and content of services, provide updates, analyse trends and usage in connection with services, and measure whether ads and offers are effective; and
  • To operate and improve GBT's business, using travellers' information for compliance with GBT company policies and procedures; for accounting and financial purposes; to detect or prevent fraud or criminal activity; to perform, analyse and improve GBT's business and services; and otherwise as required by law.

Employee data

Personal information is transferred for the following purposes:

  • Administration of employment contracts, payroll and employee benefits, including insurance and pensions;
  • Compliance with employment-related legal requirements such as income tax, national insurance deduction and employment and immigration laws and responding to requests and legal demands from regulators or other authorities;
  • Administration of the workforce, including training and development, evaluation, rewards, assigning tasks, managing activities, planning, travel and expenses;
  • Implementing and maintaining IT systems, including providing IT support, ensuring business continuity, and managing security services and IT access rights and administration of GBT's ethics helpline;
  • Verification of the personal information related to former employment, educational history, and professional standing, and completion of background checks;
  • Administering health and safety programmes and policies and corporate resource planning; and
  • Monitoring GBT's premises and property.

Post-transfer processing: The personal information transferred will be processed for the administration of human resources functions and the maintenance of GBT's workforce and may be further processed by third party service providers who provide payroll services, health and other insurance, and other benefits to employees.

Service provider data

Service provider data is maintained in our GBT systems, including compliance tools, payment, expenses and finance systems, so that we can engage, screen, manage and pay our vendors.

Purposes for which the data covered by the BCRs are transferred to third countries

Data covered by the BCRs are transferred to third countries for the same reasons as they are transferred within the EEA as described above. The cross-border flow of personal information is inherent to the operation of global travel agency activities.

APPENDIX 2: LIST OF GBT ENTITIES

Region Country Company Name Registered Office Address

GBT UK BCR SUMMARY

Effective as of 06 March 2024

American Express Global Business Travel (“GBT”) has approved binding corporate rules (“EU BCR”), which are an internationally recognized standard providing adequate protection of personal data in multinational companies. The EU BCR were reviewed and approved by data protection authorities across Europe. A copy of GBT’s EU BCR is available on our Global Privacy Rules page.

GBT has entered into the UK BCR Addendum to the approved EU BCR. The UK BCR Addendum is a formal legal mechanism which extends the scope of the EU BCR to include transfers of personal data from the UK. Together, the EU BCR and the UK BCR Addendum form GBT’s UK BCR (“UK BCR”). Further information about the UK BCR addendum process is available on the UK Information Commissioner’s Office (“ICO”) website at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/guide-to-binding-corporate-rules/a-uk-bcr-addendum/

The purpose of this UK BCR summary is to provide information to individuals whose personal data is transferred under the UK BCR so that they know how their information is processed, what rights they have under the UK BCR and how to enforce them.

Contact details for queries about GBT’s UK BCR

GBT can be reached using privacy.amexgbt.com/contact, by email at [email protected] or at the following addresses:

Global Privacy Team
American Express Global Business Travel
Hoogoorddreef 15,
Atlas-Arena
1101 BA
Amsterdam Zuidoost

Or

GBT Travel Services UK Limited (Lead UK BCR Member)
FAO: Chief Privacy Officer
5 Churchill Place
Canary Wharf
London E14 5HU
Amsterdam Zuidoost

Data transfers covered by GBT’s UK BCR

A description of the data transfers covered by GBT’s BCR (including the UK BCR) can be found in Appendix 1: Description of Processing and Data Flows of the EU BCR. The relevant information from the EU BCR is repeated below with minor changes to reflect data transfers from/to the UK where necessary (in red).

Nature of the data covered by the BCRs.

  • Customer data: To perform travel-related services, GBT must process personal information relating to the traveller, including his/her name, address, phone, email, nationality, age, passport details, dietary preferences and details of any disability which may affect his/her ability to travel etc. and potentially emergency contact details. Traveller data is also used to provide event management services as part of performance of the GBT Meetings & Events service or, on an aggregated basis, to advise how to structure a customer's travel management policy and reduce company travel costs, as part of the GBT consultancy service. That information must be transferred around the world to wherever travellers wish to go.
  • Employee data: GBT employs and retains many employees, directors, individual consultants, contingent workers and staff. The nature of the data covered by the BCRs are all the human resource records and information that relate to former, current and prospective employees, directors, individual consultants, contingent workers, retirees, job applicants as well as any data given to GBT by such persons relating to third parties, for example dependants, and beneficiaries under employees' life insurance policies or for their emergency contacts. 
  • Service provider data: GBT contracts various service providers in the course of business. During service provider review, GBT receives basic information for contact purposes, including name, business email and business phone. If it is determined that the provider has anti-corruption or sanctions risk, information about the service provider's beneficial owner(s) is required to perform proper screening activities.

Nature of the personal information being transferred

Travel is inherently personal and global and travel services involve a multitude of personal information – from names, addresses and passport numbers, to travel preferences that disclose sensitive characteristics like religion or health (when provided). That information must be transferred around the world to wherever travellers wish to go. Please see above for more information on the nature of the personal information being transferred. 

Data flow description

  • Customer data: Customer data that originates within the EEA and UK will in most cases flow to GBT entities located in the EEA and UK to be stored in GBT or third-party data centres located in the EEA, the UK, and the US. Where GBT receives data in a data feed directly from its customers, EEA and UK customers sign a contract with a local GBT entity in one of GBT's proprietary markets, and so this initial data feed occurs within the EEA and/or UK. Travellers then use the shell profile created by this initial data feed to create their traveller profile, which is stored in databases operated by the providers of online booking tools and by the independent global distribution system ("GDS") in use in that region. The traveller profile is also synced back to GBT servers to provide consistent servicing to travellers across tools and GDSs, and can then be accessed by GBT entities in other countries where travellers choose to travel. The GDSs are subject to the EU Code of Conduct on the use of computerised reservation systems and are regulated as data controllers.

When GBT makes a reservation using the GDS, the passenger information stored in the GDS will permit the creation of a reservation, a Passenger Name Record ("PNR"). PNRs must be shared with travel suppliers (like airlines, hotels and transportation providers) for travel services to operate. 

GBT uses data from the traveller profile and the PNR to power its services back to the customer and to the traveller, including invoice and itinerary delivery, a mobile travel app, reporting systems for customers, duty of care programs and emergency travel services. The data and applications that provide these services are hosted in data centres located in Germany and the US. 

  • Employee data: GBT receives employee data from employees located in every proprietary country where it operates. This data is transferred to central HR operations based on a Workday-operated database maintained in the US and accessed by HR employees in the country of employment, in the UK and in the US. Information in corporate directories and other business applications is available across the GBT global footprint. Employee information is also shared with parties who carry out IT system support, payroll, training, compliance, ethics helpline administration, organisational programs and other activities on GBT's behalf. 
  • Service provider data: Service provider data relate to employees or owners of service providers located anywhere in the world where our services are provided. They are processed and stored centrally in the US in databases internally housed within GBT or in databases associated with our e-GRC tool provided by a service provider in the US. 

Type of processing and the purposes for which the data covered by the BCRs

Customer data: 

Data is processed for the following purposes:

  • To provide GBT's products and services, including:
    1. to book travel, organise meetings and events, prepare itineraries and invoices, communicate with travellers about products and services, provide customer service, manage customers' accounts, and provide travellers and their employers with emergency services; and
    2. to provide travel, meetings and events, consulting, business insights, and other related services to travellers' employers or travel sponsors, to comply with GBT's agreements with them, to communicate about GBT products and services, and to help travellers' employers or travel sponsors ensure compliance with their policies;
  • To market goods and services to prospective customers;
  • To process payments and transactions and provide related customer service;
  • To operate websites and mobile applications, including using device data to monitor and improve the performance and content of services, provide updates, analyse trends and usage in connection with services, and measure whether ads and offers are effective; and
  • To operate and improve GBT's business, using travellers' information for compliance with GBT company policies and procedures; for accounting and financial purposes; to detect or prevent fraud or criminal activity; to perform, analyse and improve GBT's business and services; and otherwise as required by law. 

Employee data:

Personal information is transferred for the following purposes:

  • Administration of employment contracts, payroll and employee benefits, including insurance and pensions;
  • Compliance with employment-related legal requirements such as income tax, national insurance deduction and employment and immigration laws and responding to requests and legal demands from regulators or other authorities;
  • Administration of the workforce, including training and development, evaluation, rewards, assigning tasks, managing activities, planning, travel and expenses;
  • Implementing and maintaining IT systems, including providing IT support, ensuring business continuity, and managing security services and IT access rights and administration of GBT's ethics helpline;
  • Verification of the personal information related to former employment, educational history, and professional standing, and completion of background checks;
  • Administering health and safety programmes and policies and corporate resource planning; and
  • Monitoring GBT's premises and property. 
  • Post-transfer processing: The personal information transferred will be processed for the administration of human resources functions and the maintenance of GBT's workforce and may be further processed by third party service providers who provide payroll services, health and other insurance, and other benefits to employees.

Service provider data

Service provider data is maintained in our GBT systems, including compliance tools, payment, expenses and finance systems, so that we can engage, screen, manage and pay our vendors.

Purposes for which the data covered by the BCRs are transferred to third countries

Data covered by the BCRs are transferred to third countries for the same reasons as they are transferred within the EEA and/or UK as described above. The cross-border flow of personal information is inherent to the operation of global travel agency activities.

LIST OF COUNTRIES WHERE PERSONAL DATA IS TRANSFERRED TO UNDER THE UK BCR

The countries to which personal data is transferred under GBT’s BCR (including the UK BCR) are as follows: 

AMERICAS

  • Argentina
  • Canada
  • Cayman Islands
  • Colombia
  • Mexico
  • United States

EMEA

  • Belgium
  • Czech Republic
  • Denmark
  • Finland
  • France
  • Germany
  • Hungary
  • Ireland
  • Italy
  • Jersey
  • Netherlands
  • Norway
  • Poland
  • Slovakia
  • South Africa
  • Spain
  • Sweden
  • Switzerland
  • United Kingdom

APAC

  • Australia
  • China
  • Hong Kong
  • India
  • Japan
  • New Zealand
  • Philippines
  • Singapore
  • Taiwan
  • Thailand

THE RIGHTS OF INDIVIDUALS WHOSE PERSONAL DATA IS TRANSFERRED UNDER THE UK BCR, INCLUDING THIRD PARTY BENEFICIARY RIGHTS, AND THE MEANS TO EXERCISE THOSE RIGHTS.

The rights of individuals whose personal data is transferred under GBT’s BCR (including the UK BCR) are as described in the following sections of the EU BCR: 

  • “Data Protection and Privacy Principles” under the heading “Data Subject Rights” 
  • “Rights Granted to Individuals”
  • Information about the means to exercise those rights is set out in the section “Questions, Complaints or Concerns”.

HOW TO COMPLAIN TO GBT BCR MEMBERS

Details of how to complain to GBT about the BCR (including the UK BCR) are set out in the section “Questions, Complaints or Concerns” of the EU BCR.

As indicated in this section and specifically in a UK context, any individual with a complaint about the processing of personal information or who wants to enforce the above rights is requested to contact us so that we can try to resolve any concerns. 

We can be reached using privacy.amexgbt.com/contact, by email at [email protected] or at the following addresses: 

Global Privacy Team
American Express Global Business Travel
Hoogoorddreef 15,
Atlas-Arena
1101 BA
Amsterdam Zuidoost

Or

GBT Travel Services UK Limited (Lead UK BCR Member)
FAO: Chief Privacy Officer
5 Churchill Place
Canary Wharf
London E14 5HU

Individuals that are GBT employees with complaints or concerns, or who want to enforce the above rights, can also use our internal reporting tools. The Global Privacy Team is responsible for dealing with such complaints and all responses will be reviewed by the Chief Privacy Officer and/or DPO.

HOW TO COMPLAIN TO THE UK INFORMATION COMMISSIONER’S OFFICE ABOUT GBT’S UK BCR

Individuals have the right to make a complaint about GBT’s UK BCR to the ICO – for more information please see https://ico.org.uk/for-the-public/how-to-make-a-data-protection-complaint/  

Information Commissioner’s Office

Wycliffe House Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Textphone: 01625 545860
Monday to Friday, 9am to 4:30pm

INFORMATION ABOUT UK COURT CLAIMS

Below we provide information about how to bring a claim in the UK courts against GBT for redress and, where appropriate, compensation for a breach of the UK BCR Addendum by GBT Travel Services UK Limited (the Lead UK BCR Member) and any Non-UK BCR Member.

The individual court systems provide guidance on how to bring a claim in England and Wales, Scotland and Northern Ireland.

Citizens Advice provides information on taking legal action in England and Wales, Scotland and Northern Ireland.

Finally, you can find further information at: