GBT DATA PROTECTION AND PRIVACY PRINCIPLES

American Express Global Business Travel values and respects your privacy. Data protection and information security are one of the top priorities for our company. As a multinational organization, we are committed to protecting personal information, regardless of where it is used, and that all personal information that American Express Global Business Travel collects is managed in accordance with our Data Protection and Privacy Principles. American Express’ Binding Corporate Rules – or BCRs – are a means of transferring personal data internationally within the American Express Group (which includes American Express Global Business Travel) in compliance with applicable data protection legislation in the European Economic Area (EEA) & United Kingdom (UK). The BCRs were approved by the Information Commissioner’s Office, the local Data Protection Authority in the United Kingdom, and have been in effect as of 28 January 2013 and the EU version are overseen by the Spanish Agency for Data Protection (AEPD). The BCRs are our privacy commitment framework and promote a company-wide culture of compliance. They also govern transfers of personal data through American Express Global Business Travel in accordance with our Data Protection and Privacy Principles, thereby ensuring that personal data is always adequately protected without prejudice to where it is transferred. American Express Binding Corporate Rules.

UK BCRs: https://www.americanexpress.com/en-gb/company/legal/privacy-centre/bind…
EEA BCRs: https://www.americanexpress.com/en-pl/company/legal/privacy-centre/bind…

The following Data Protection and Privacy Principles (“Principles”) set out the way that American Express Global Business Travel and its wholly owned direct and indirect subsidiaries (“American Express Global Business Travel”) will collect, use, store, share, transmit, delete or otherwise process (collectively “process”) your personal data. Personal data means any information that relates to an identified or identifiable individual. The standard of personal data protection set out in these Principles will be used by American Express Global Business Travel globally, providing adequate and consistent protection for the processing of your personal data. In these Principles, “you” and “your” means any individual customer or employee of American Express Global Business Travel and any other individual whose personal data we process and “we”, “us”, “our” and “American Express Global Business Travel Group” means American Express Global Business Travel.

  1. Collection

    We will only collect personal data that is needed and by lawful and fair means.

  2. Notice and Processing

    Where it is not apparent from the products or services you require or the nature of your relationship with us, we will tell you how your personal data will be processed and which companies in the American Express Global Business Travel Group are responsible for that processing. We will process your personal data fairly and only for those purposes we have told you, for purposes permitted by you or as permitted by applicable law. In addition, you may object to certain types of processing as expressly permitted by applicable law.

  3. Choice

    We give customers the option of having their personal data included or removed from lists used for marketing as required by applicable law. This includes product and service offers from American Express Global Business Travel and those made in conjunction with our business partners. Of course each of our businesses will continue to send customers information about the products or services they receive from that business.

  4. Data Quality

    We use appropriate technology and well-defined employee practices to process your personal data promptly and accurately. We will not keep your personal data longer than is necessary, except as otherwise required by applicable law.

  5. Security and Confidentiality

    We will keep your personal data confidential and limit access to your personal data to those who specifically need it to conduct their business activities, except as otherwise permitted by applicable law. We refer to industry standards and use reasonable administrative, technical and physical security measures to protect your personal data from unauthorised access, destruction, use, modification or disclosure. We require industry standard data security measures from those third parties who are authorised by us to process your personal data on our behalf.

  6. Data Sharing

    We only share your personal data with third parties where it is necessary to provide you with products or services or as part of the nature of our relationship with you, where we have previously informed or been authorised by you, in connection with our efforts to reduce fraud or criminal activity, or as permitted by law.

  7. Openness and Data Access

    If you ask, we will inform you about how your personal data is processed and the rights and remedies you have under these Principles. You may inquire as to the nature of the personal data stored or processed about you by American Express Global Business Travel. You will be provided access as is required by law in your country, regardless of the location of the data processing and storage. If any data is inaccurate or incomplete, you may request that the data be amended.

  8. International Transfer

    Where it is not apparent from the international products or services you require or the nature of your relationship with us, we will inform you if your personal data may be transferred outside of your country and ensure that such transfer is only performed in accordance with applicable law. Regardless of where your personal data is transferred, your personal data is protected by these Principles.

  9. Responsibility

    Each company in the American Express Global Business Travel Group and their employees may only process your personal data in accordance with these Principles. We conduct training and reviews of our compliance with these Principles. Employees who violate these Principles may be subject to disciplinary action, up to and including dismissal. Employees are expected to report violation of these Principles, and may do so to their managers, to their business unit’s compliance officer, to the legal department, to the Privacy Office or to the company’s Office of the Ombudsperson.

  10. Accountability

    You may enforce these Principles in your country against any company in the American Express Global Business Travel Group that is responsible for your personal data, as a third party contractual beneficiary to these Principles. If you have a complaint that we have breached these Principles and have attempted in good faith to resolve the complaint through our customer service process, but the complaint was not resolved by us within a reasonable amount of time, then you may enforce these Principles against us. If you complain to your local data protection authority and the data protection authority finds that we have breached these Principles, we will abide by the findings of the data protection authority, but we reserve the right to challenge or appeal such findings. These Principles do not affect any rights you have under applicable law, the requirements of any applicable regulatory data protection authority, or any other type of agreement that you may have with us.

 

These Principles emphasize our commitment to protect your personal data. They are binding on all companies in the American Express Global Business Travel Group, demonstrating our commitment to privacy.

If you have questions or comments about these Principles, please contact us.