- Collection of your personal information
- Use of your personal information and lawful basis
- Sensitive personal information
- Change of purpose
- International data transfers
- How your personal information will be secured
- With whom your personal information will be shared
- How long we retain your personal information
- Application of local laws
- Voluntary or mandatory provision
- Your rights with respect to your personal information including:
- Your right to object;
- Additional rights
- Contact us
- Effective date
American may, (where applicable and in accordance with applicable laws and regulations), collect and maintain, as part of your relationship with American, certain types of personal information about you.
The information that may be collected and maintained at different stages of your engagement as a contractor with American includes, without limitation:
- Engagement information: including any information shared during the engagement process: such as details of your employer, residency and curriculum vitae information. Prior to and/or during your engagement, we may also be provided with information about a work permit/visa application you are making if the Secretary of State in the US asks us to verify certain information about you or where you or your employer ask us directly for assistance in relation to that application. The Secretary of State will make us aware that an application is being made but will not provide us with a copy of that application. Where we help your employer file the Labor Condition Application as part of your US visa application process, we may be provided with details of your job title and salary which we will use solely for that purpose.
- Background and drug / alcohol check information: before you start work at American, we may require your employer to confirm that you have passed certain background checks that are relevant to your proposed engagement with us, such as credit, criminal record and educational background checks and/or drug and alcohol screening. We use a third party provider, Thomson Reuters, to carry out these checks. Thomson Reuters may audit your employer to ensure the above checks have been carried out correctly, and the results of your checks may therefore be used by Thomson Reuters for that purpose. Further information about the checks that will be carried out should be provided to you by your employer. In most cases, we will not receive any information relating to the results of these checks, except for confirmation that you have passed. However, in rare cases, where an issue arises and where permitted by applicable laws, your employer may provide us with the results of a specific check. For example, your employer may provide American a copy of your drug or background report and request confirmation from American on whether you are eligible to be onboarded. American will only use these reports to consider whether you are eligible to be onboarded and, if so, to manage your engagement thereafter.
- Identity verification: We will ask for a copy of your driver’s license which will be validated to confirm your identity before we issue you with a security pass for one of our sites.
- Criminal records and fingerprints: Where required by law in the US, for example if your role requires you to access controlled areas of an airport, then we will also need to carry out a security threat assessment. In order to do this, we will ask you to complete a Fingerprint Application which will request certain personal information from you, including your social security number, passport information and information about certain criminal offences. You will also be asked to provide your fingerprints. We will use the information you provide to carry out a criminal records and background check in order to comply with the law. More information will be provided in the Fingerprint Application form.
When we onboard you as a contractor, we may collect the following information, directly from you or your employer, when you or they complete our online onboarding process:
- Contact information: name, address, email address, telephone number and other contact details, the last four digits of your social security number (or we will ask you to create a 4-digit PIN number), day and month of birth and emergency contacts;
- Work information: information about your engagement at American, including hire date, position title, which area you will be employed in, your sponsoring work group and personnel sub area, manager, location and whether you have signed our Non-Disclosure Agreement;
- Financial information: taxpayer identification number(s), banking details and details of how much they will be paid.
- Skills and experience information: ID number, job title, job grade and function, hours worked, work location, direct manager/supervisor information, technical skills, educational background, professional certifications and registrations, language capabilities, training courses attended and training assessment and complaints;
- Performance and absence information: We do not maintain specific records of your absences and sickness. However, you may provide us with information about absences and sickness from time to time, for example, to inform us that you will be out of the office on a certain day. We may also collect information about you relating to performance such as in your exit interview or where you or other third parties provide this information to us;
- Physical information: height, weight, clothing sizes (ie. for uniform), photographs including for use on badges, biometric data for security purposes and details of accidents at work;
- Compliance information: as required to comply with laws, including the requests and directions of law enforcement authorities or court orders including acknowledgements regarding American policies;
- Automatically collected information: information captured on security systems, including CCTV and key card entry systems (including biometric data, such as fingerprints for entry access), voicemails, e-mails, correspondence and other work product and communications created, stored or transmitted by you when you are using American’s computer or communications equipment or company issued mobile devices, including Internet browsing history, mobile app usage, and precise geo-location;
- Separation information: date of termination of engagement, reason for termination and information relating to administering termination of engagement.
The personal information we collect and process is information that you knowingly provide to us, or information about you that we may receive from a third party, such as information provided from your employer.
Where required, we will only use your personal data where we have a lawful basis to do so under data protection laws. The lawful bases under which we can process your personal data include:
- (a) Consent: where you have provided your clear consent for us to process your personal data for a specific purpose;
- (b) Contract: where the processing is necessary for us to perform a contract which we have with you, or to take specific steps at your request before entering into a contract;
- (c) Legal obligation: where the processing is necessary for us to comply with the law (not including contractual obligations);
- (d) Vital interests: where the processing is necessary to protect someone’s life;
- (e) Public task: where the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law; and
- (f) Legitimate interests: where the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless these interests are overridden by your rights and freedoms.
Most commonly, we will use your personal data:
- Where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests; and/or
- Where we need to comply with legal obligations.
Where we rely on legitimate interests to process your personal information this may include American using your personal information for purposes related to your provision of services to American, including:
- Internal contractor management: To manage all aspects of a contractor’s relationship with American - including without limitation, engagement, payment, corporate travel and other reimbursable expenses, training, credit/bondability requirements (for assignments at the American Airlines Federal Credit Union (“AAFCU”)), administer termination of the contractor relationship, resource planning and allocation, and other general administrative related processes;
- Business communication: To communicate with you for business reasons such as to provide you with instructions relating to your engagement with American and to communicate changes in our policies or when responding to your queries;
- Facility / resource monitoring: To monitor usage of American’s facilities and resources; To the extent permitted by law, we monitor contractors’ use of American information technology (IT) systems, the use of American’s resources, and communications, including without limitation internet use, in accordance with our internal policies (which will be provided to you as part of your onboarding process) and any other applicable policies that may replace, amend or supplement those policies from time to time. As a result, within the limits provided for by relevant, applicable law, contractors should not have a reasonable expectation of privacy while at work while using or accessing company equipment, information, computer or communication systems, as those systems may be accessed at any time in accordance with our monitoring policies;
- Security management: To secure American’s assets and information, to protect your safety and security and the safety and security of American’s customers, staff and property (including controlling and facilitating access to and monitoring activity in secured premises and activity using American’s computers, communications and other resources), and to investigate and respond to claims against American and its customers, including any internal complaints;
- Audit trail records: To evaluate internal control and audits for compliance (including those conducted by American’s internal and external audit service providers).
There are Closed Circuit Television (CCTV) cameras in operation within and around our Headquarters, administrative offices, training facilities, airports and other premises, which are used for the following purposes:
- To prevent and detect crime;
- To protect your health and safety and the health and safety of American customers, contractors and employees;
- To manage and protect American’s property and the property of American’s guests and other visitors; and
- For quality assurance purposes.
To the extent that any of the personal information we collect is considered to be ‘sensitive’ under applicable privacy laws (such as “special category information” or criminal convictions data under EEA and other applicable data privacy laws), American will collect and process this information within the limits provided for by relevant, applicable law, and only after establishing appropriate security safeguards for such sensitive information. Where required by law, American will seek your consent before processing special category information about you.
“Special category information” (under EEA data privacy laws) includes any information about a contractor that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric information, health, sex life or sexual orientation.
We may process special category information about you in the following circumstances (usually where we need to process this data in order to exercise our rights or comply with our obligations in the field of employment):
- Health data – Where it is relevant to the provision of your services to American, such as for health and safety purposes, if you have an accident at work or if you are unable to provide your services at American due to a sickness absence;
- Biometric data – Access to some of American’s premises is controlled by biometric data such as fingerprint access. As explained above, where required by law in the US, we will also collect your fingerprints in order to carry out a security threat assessment;
- Criminal convictions data or drug and alcohol tests – As set out above, we may on rare occasions receive the results of your background or drug and alcohol check in order to check suitability to work at American and we will obtain information about relevant criminal convictions where we are required by law to carry out a security threat assessment to allow you to be engaged in certain roles in the US. We may also use information relating to criminal convictions where it is necessary in relation to legal claims; or
- Racial or ethnic origin data – As set out above, we may on rare occasions receive details about your visa application which may reveal your race or ethnic origin. We may, where required or permitted under applicable laws, also process personal data about your race or ethnic origin for diversity purposes. Information about race is also required on our Fingerprint Application form.
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for another purpose, we will usually notify you and we will explain the legal basis that allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
- (a) the transfer is to a country which has been the subject of an adequacy-decision by the European Commission;
- (b) the transfer is covered by a contractual agreement which has been approved by the European Commission as providing adequate safeguards for personal data transferred outside the EEA, such as the EU Standard Contractual Clauses entered into by American and all of its branches located in the EU;
- c) the transfer is to an organisation in the US that is EU-US Privacy-Shield certified; or
- d) an exemption applies, such as where the transfer is necessary to perform a contract with you (or concluded in your interests) or to take pre-contractual measures at your request.
If you wish to obtain further details about the safeguards in place to protect your privacy, please contact us using the contact details below.
We will only retain your personal information for as long as is strictly necessary to fulfill the purposes we collected it for, including to satisfy any legal and auditing requirements.
American will generally retain your personal data for the duration of your relationship as a contractor with American and for longer if required for legal, accounting, reporting or contractor management purposes. For further information about our retention of contractor data, please contact us, using the details provided below.
When collecting personal information from you, American will, where required by applicable law, inform you whether your provision of the requested information is voluntary or mandatory and if it is mandatory, the consequences of not providing it.
The provision of certain information is necessary for us to engage you as a contractor, for you to provide your services to American, or for us to perform our obligations under our contract with you or your employer, such as to pay for your services. If you choose not to provide certain information, you will not be able to work as a contractor for American.
You may have certain rights under local privacy laws in relation your personal information, such as:
Right to object
If you are located in the EEA you have the right to object to our use of your personal data, on grounds relating to your particular situation, to the extent the processing is based on our (or another party’s) legitimate interests. If we receive an objection, then we will stop processing the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing is necessary for the establishment, exercise or defense of legal claims.
If you are located in the EEA, you have the following rights under applicable data privacy laws (unless exemptions apply), which can be exercised by contacting American using the details provided below. To:
- Request access to your personal information. This enables you to receive a copy of the personal information we hold about you, for example to check that it is accurate;
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
- Request erasure of your personal information. This enables you to ask us to delete or remove your personal information, for example, where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see above);
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;
- Request the transfer of your personal information to another party; and
- The right to withdraw consent at any time where we have relied on it to process your personal data.
Similar rights may exist under local data protection laws outside the EEA. For further details please contact us using the details below.
c/o Privacy Office
1 Skyview Drive
Fort Worth, TX 76155 USA
Data Protection Officer
American has assigned a data protection officer, Russell Hubbard, who is responsible for overseeing American’s compliance with EU data protection law, whom you may contact at email@example.com or via the postal address above in case of any questions or concerns regarding the processing of your personal data.
American in the US has appointed the following representative in the EU:
American Airlines, Inc.
BP 35 060
95716 Roissy CDG Cedex
If American’s processing of your personal data is covered by EEA data privacy laws you may also contact or lodge a complaint with the corresponding data protection supervisory authority in your country of residence. You can find the relevant supervisory authority name and contact details on the European Commission website.
Where you process personal data pursuant to your engagement with American (for example, personal data relating to American’s employees or customers), you shall keep that data secure and comply with all of American’s data protection related policies and procedures when processing that data.