GBT DATA PROTECTION AND PRIVACY PRINCIPLES

We will only collect personal data that is needed and by lawful and fair means.

Where it is not apparent from the products or services you require or the nature of your relationship with us, we will tell you how your personal data will be processed and which companies in the American Express Global Business Travel Group are responsible for that processing. We will process your personal data fairly and only for those purposes we have told you, for purposes permitted by you or as permitted by applicable law. In addition, you may object to certain types of processing as expressly permitted by applicable law.

We give customers the option of having their personal data included or removed from lists used for marketing as required by applicable law. This includes product and service offers from American Express Global Business Travel and those made in conjunction with our business partners. Of course each of our businesses will continue to send customers information about the products or services they receive from that business.

We use appropriate technology and well-defined employee practices to process your personal data promptly and accurately. We will not keep your personal data longer than is necessary, except as otherwise required by applicable law.

We will keep your personal data confidential and limit access to your personal data to those who specifically need it to conduct their business activities, except as otherwise permitted by applicable law. We refer to industry standards and use reasonable administrative, technical and physical security measures to protect your personal data from unauthorised access, destruction, use, modification or disclosure. We require industry standard data security measures from those third parties who are authorised by us to process your personal data on our behalf.

We only share your personal data with third parties where it is necessary to provide you with products or services or as part of the nature of our relationship with you, where we have previously informed or been authorised by you, in connection with our efforts to reduce fraud or criminal activity, or as permitted by law.

If you ask, we will inform you about how your personal data is processed and the rights and remedies you have under these Principles. You may inquire as to the nature of the personal data stored or processed about you by American Express Global Business Travel. You will be provided access as is required by law in your country, regardless of the location of the data processing and storage. If any data is inaccurate or incomplete, you may request that the data be amended.

Where it is not apparent from the international products or services you require or the nature of your relationship with us, we will inform you if your personal data may be transferred outside of your country and ensure that such transfer is only performed in accordance with applicable law. Regardless of where your personal data is transferred, your personal data is protected by these Principles.

Each company in the American Express Global Business Travel Group and their employees may only process your personal data in accordance with these Principles. We conduct training and reviews of our compliance with these Principles. Employees who violate these Principles may be subject to disciplinary action, up to and including dismissal. Employees are expected to report violation of these Principles, and may do so to their managers, to their business unit’s compliance officer, to the legal department, to the Privacy Office or to the company’s Office of the Ombudsperson.

You may enforce these Principles in your country against any company in the American Express Global Business Travel Group that is responsible for your personal data, as a third party contractual beneficiary to these Principles. If you have a complaint that we have breached these Principles and have attempted in good faith to resolve the complaint through our customer service process, but the complaint was not resolved by us within a reasonable amount of time, then you may enforce these Principles against us. If you complain to your local data protection authority and the data protection authority finds that we have breached these Principles, we will abide by the findings of the data protection authority, but we reserve the right to challenge or appeal such findings. These Principles do not affect any rights you have under applicable law, the requirements of any applicable regulatory data protection authority, or any other type of agreement that you may have with us.