Disney Consumer Products Worldwide (Division of Disney Enterprises, Inc.) (“DCP”), whose principal office is located in the United States of America (the “United States”), controls and operates a database for managing licensee product approval requests (the “Product Approval Database”), a database for contract and royalty payment management (“the Insight database”) , the Digital Media Center for management of digital media (“the DMC”), the Financial Analytics Data Warehouse (“FADW”), a database which contains the contact information of employees and licensees for the purpose of auditing contracts, licensee agreements and royalty payments (“TeamMate”), the Contract Lifecycle Management System (“Contract Lifecycle”) a database for tracking contracts with DCP licensees, and a database for tracking DCP licensee product information (“PubWorld”). The applications contain (or will contain) business contact information and information about users’ activity on the site.
DCP recognizes the privacy protections afforded to individuals in the European Union and the European Economic Area (collectively the “EEA”) with regard to Personal Information (as defined below). For that reason, DCP has subscribed and will adhere to the voluntary U.S.-EU Safe Harbor program (“Safe Harbor Program”) by adopting and implementing this set of Safe Harbor Privacy Principles, which include a set of frequently asked questions (collectively, the “Principles”). To learn more about the Safe Harbor program, and to view DCP’s certification, please visit http://www.export.gov/safeharbor/
II. SCOPE OF THESE PRINCIPLES
The Principles apply to all Personal Information that is: (1) collected by any Affiliated Entity (as defined below) located in the EEA about an Individual located in the EEA; (2) in the course of the Individual’s relationship(s) with the Affiliated Entities and/or with companies that provide goods and services to the Affiliated Entities (“Independent Contractors”); and (3) transferred from the EEA to DCP in the United States after the effective date of these Principles and included in the Product Approval Database. The initial effective date of these Principles is April 23, 2004.
FREQUENTLY ASKED QUESTIONS
1. What is “Personal Information”?
Personal Information means any information relating to an Individual that identifies that Individual, or could reasonably be used to identify the Individual, and that is recorded in any form (e.g., paper, electronic, video, audio) and included in the Databases. Personal Information also includes information relating to an Individual’s dependents, beneficiaries, and emergency contacts that is included in the Databases.
2. What are Affiliated Entities?
Affiliated Entities are corporations or other business organizations present in the EEA that are affiliated with DCP through direct or indirect common ownership or control.
3. Who is an Individual for Purposes of these Principles?
An Individual is any current or former employee, independent worker, or temporary agent of an Affiliated Entity, any employee of an Independent Contractor, and any applicant for employment, independent work, temporary work, or employment with an Affiliated Entity or Independent Contractor whose Personal Information is included in the Databases.
4. What is the relationship between the Principles and the Safe Harbor Program?
The Principles implement and satisfy the requirements of the Safe Harbor Program and establish the legally required level of protection for Individuals’ Personal Information.
III. NOTICE AND CHOICE
A. Collection and Use of Personal Information
DCP collects and uses Personal Information only in a lawful manner and in compliance with the Safe Harbor Program and these Principles.
FREQUENTLY ASKED QUESTION
1. Why is Personal Information transferred to DCP in the Product Approval Database?
The collection and use of Personal Information is essential to the conduct of the product licensing approval system of DCP and the Affiliated Entities.
B. Informing the Individual and Obtaining Consent
Except where an applicable legal exception exists, Affiliated Entities are legally required to inform Individuals (or to request that Independent Contractors inform Individuals) of the ways in which their Personal Information will be collected and used and the types of third parties to which such Information will be disclosed, and to obtain the Individuals’ consent.
Accordingly, except where an applicable legal exception exists, if DCP either plans to use Personal Information for purposes incompatible with the purposes about which the Affiliated Entities (or Independent Contractors) notified Individuals, or plans to disclose Personal Information to types of third parties other than those about which Affiliated Entities (or Independent Contractors) notified Individuals (“Supplemental Uses”), then DCP shall notify (or shall request the Independent Contractor, as appropriate, to notify) Individuals of the following with respect to such Supplemental Uses:
- The type(s) of Personal Information DCP plans to use;
- The purposes for which DCP will process Personal Information;
- How to contact Affiliated Entities or DCP with any inquiries or complaints about the use and processing of such Personal Information;
- The types of parties to whom DCP will disclose Personal Information;
- The privacy and security safeguards DCP employs; and
- The right of Individuals to access and, if necessary, correct Personal Information about them.
This information will be provided before DCP uses or discloses Personal Information for Supplemental Uses or as soon thereafter as is practicable.
FREQUENTLY ASKED QUESTIONS
1. Are there cases when DCP may disclose Personal Information about an Individual without obtaining the Individual’s consent?
In certain limited or exceptional circumstances, and in accordance with the Safe Harbor Program, DCP may disclose Personal Information about an Individual without the Individual’s consent, such as when DCP is required to disclose the Information by law or legal process or when the vital interests of the Individual, such as life or health, are at stake. In such circumstances, and at such time as may be required by law or the Safe Harbor Program, DCP, the relevant Affiliated Entity, or the Independent Contractor, as appropriate, shall inform the Individual concerned regarding whom to contact if the Individual has a legitimate reason to object to the disclosure of the Individual’s Personal Information by DCP.
2. Under what circumstances may DCP disclose Personal Information to agents and contractors, and what steps does DCP take to safeguard that Personal Information?
As a part of its normal business operations, DCP hires agents and contractors to carry out certain functions that require use of Personal Information. DCP is not required by the Safe Harbor Program to provide notice or obtain the relevant Individual’s consent in these circumstances, and DCP does not generally do so. DCP does bind such agents and contractors through written agreements to observe the relevant Principles and DCP restricts the use and retention of the Personal Information to the purposes and duration of such functions.
3, What happens if an Individual objects to the collection, use, or disclosure of his/her Personal Information by DCP?
If an Individual objects to DCP’ collection, use, or disclosure of certain Personal Information, DCP or the appropriate Affiliated Entity will make reasonable efforts to address the concerns of the Individual.
4. Will DCP take any adverse action against an Individual for refusing to permit his/her Personal Information to be collected, used, or disclosed?
The Safe Harbor Program prohibits a company that subscribes to the Safe Harbor Program from taking such adverse action. Accordingly, DCP may not subject an Individual to disciplinary action, sanction, or retaliation for objecting to the collection, use, or disclosure of Personal Information about the Individual.
An Individual withholding Personal Information or prohibiting its collection, use or disclosure, may, however, be disadvantaged as a result of not making the Information available.
C. Sensitive Information
While recognizing that all Personal Information deserves to be protected in accordance with the Safe Harbor Program, DCP exercises special precautions and safeguards for any sensitive information it may collect, as defined by the Safe Harbor Program. DCP does not presently believe that it will collect any sensitive information in the Databases.
FREQUENTLY ASKED QUESTIONS
1. What is “sensitive information”?
“Sensitive information” is Personal Information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual.
2. What safeguards are required for “sensitive information”?
Except as provided by the Safe Harbor Program or where legally required, affirmative permission of the Individual (“opt in” consent) is required if “sensitive information” is to be disclosed to a third party or used for purposes other than those for which it was originally collected or subsequently authorized by the Individual.
DCP provides Individuals about whom it maintains Personal Information with a reasonable opportunity to examine their information, to challenge its accuracy, and to have it corrected, amended or deleted as appropriate, subject to certain exceptions.
FREQUENTLY ASKED QUESTIONS
1. How do Individuals exercise their rights under the Access Principle?
Each individual will have direct access to Personal Information about him/her contained in the Databases. Each individual will be able to correct his/her Personal Information in the Databases. Upon request to the appropriate Affiliated Entity or DCP, each individual will be given reasonable access to any Personal Information about him/her that is not directly available to such individual through the individual’s access to the Databases.
Reasonable access applies to both the process of accessing Personal Information and the types of Personal Information to be accessed. In terms of process, reasonable access means, for example, that requests for access are made during normal business hours, following standard procedures, and that the frequency of access requests is not excessive. In terms of types of Personal Information to be accessed, reasonable access recognizes certain exceptions discussed in the immediately following FAQ 2. If DCP or the Affiliated Entity denies an Individual access, however, such Individual will be provided with the reason(s) access was denied and a contact point for further inquiries.
If DCP or an Affiliated Entity is notified that Personal Information it maintains is incorrect, is requested to correct the Personal Information, and is provided with appropriate supporting documentation, DCP or the appropriate Affiliated Entity will either correct the information or direct the Individual to the source of the information for correction. If, upon review, DCP or the appropriate Affiliated Entity believes that the existing information is correct, the Individual will be informed accordingly.
2. Is there any Personal Information about an Individual maintained by DCP that such Individual would not be permitted to access?
Yes, there are some exceptions to the obligation to provide access permitted by the Safe Harbor Program. These include access to confidential or proprietary information of either the relevant Affiliated Entity or DCP, or situations in which granting access might have to be balanced against the privacy interests of others. In addition, access may be denied when the Personal Information requested relates to an ongoing investigation of the Individual, litigation or potential litigation, or where the burden or expense of providing access would be disproportionate to any risks to the Individual’s privacy that would arise from not providing access.
V. ONWARD TRANSFER
If DCP performs an onward transfer of information to a third party that is acting as an agent, DCP will do so only if DCP verifies that the third party subscribes to the Safe Harbor Principles, or is subject to the Directive or another adequacy finding. Alternatively, DCP will enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Principles.
VI. DATA INTEGRITY
DCP employs reasonable steps to keep Personal Information accurate, complete, and up-to-date for the purposes for which such Personal Information is used. Each Individual is responsible for helping to ensure that the Personal Information that DCP holds about him or her is accurate, complete, and up-to-date.
FREQUENTLY ASKED QUESTION
1. Is there a role for Individuals to play in maintaining the accuracy of Personal Information?
Yes. It is in the best interests of Individuals, Affiliated Entities, and DCP to keep Personal Information accurate, complete, and up-to date. DCP and the Affiliated Entities expect all Individuals to assist in keeping the Personal Information that the SAP holds about them accurate, complete and up-to-date, and DCP and the Affiliated Entities facilitate cooperation by Individuals in doing so.
DCP takes reasonable precautions, including administrative, technical, personnel, and physical measures to safeguard Personal Information against loss, theft and misuse, as well as unauthorized access, disclosure, alteration and destruction.
FREQUENTLY ASKED QUESTIONS
1. Is there a role for Individuals to play in maintaining the security of Personal Information?
Individuals play a vital role in maintaining security and are held accountable for safeguarding Personal Information, including, for example, by protecting passwords used to access corporate computer systems.
2. How are decisions reached about who has access to Personal Information about Individuals?
It is the policy of DCP to give access to Personal Information about Individuals only to those entities and persons that DCP determines have a legitimate need to know the information to carry out their responsibilities.
3. What keeps those with access to some of an Individual’s Personal Information from browsing through other parts of that Personal Information for other reasons?
It is the policy of DCP to limit the access to Personal Information given to employees, agents, and contractors to such information that DCP determines is needed to carry out their responsibilities.
DCP maintains an active program to ensure compliance with the Principles, Safe Harbor Program, and DCP’s contractual agreements and other commitments regarding the handling of Personal Information.
The DCP Privacy Compliance Office is responsible for implementing and overseeing the administration of the Principles.
It is the responsibility of all DCP employees to act in accordance with the Principles with respect to Personal Information. Failure to do so may result in disciplinary action up to and including discharge from employment.
FREQUENTLY ASKED QUESTIONS
1. What are the responsibilities of the DCP Privacy Compliance Office?
Responsibilities of the DCP Privacy Compliance Office include:
- Ensuring that the privacy guidelines, programs, procedures, training, and other measures necessary to implement the Principles are developed and put into practice;
- Overseeing responses to inquiries and resolution of complaints relating to Personal Information;
- Working with legal advisors to ensure DCP’s ongoing compliance with applicable privacy laws and agreements, as well as any obligations DCP may enter into voluntarily, such as the Principles and the U.S.-EU Safe Harbor Program; and
- Overseeing periodic assessments of DCP’s internal practices to ensure that they conform to the Principles and related company obligations.
2. What steps are taken to promote compliance with the Principles?
Compliance measures include:
- Educating DCP employees as to the purpose and application of the Principles;
- Training DCP employees with access to Personal Information on the purposes and application of the Principles;
- Ensuring that DCP employees, agents, and contractors with access to Personal Information are legally obligated to abide by the Principles;
- Holding DCP employees, agents, and contractors accountable for violations of the Principles, with sanctions up to and including termination of contracts and employment; and
- Having designated points of contact in DCP to answer questions regarding the Principles and DCP’ privacy practices and to investigate complaints regarding conduct inconsistent with the Principles or related obligations.
B. Complaint Resolution
DCP recognizes the importance of having mechanisms in place to address and resolve complaints by Individuals about the processing of Personal Information. Therefore, if an Individual makes a complaint about the processing of his/her Personal Information, and the complaint is not resolved to the Individual’s satisfaction through internal DCP procedures, then DCP will refer such Individual to the national data protection authority in the jurisdiction where the Individual works as required by the Safe Harbor Program.
FREQUENTLY ASKED QUESTIONS
1. What are the procedures for filing an internal complaint about the handling of Personal Information by DCP?
Individuals covered by the Principles should contact the Chief Trust Officer at the following address:
Chief Trust Officer
Disney Corporate Legal – Privacy
500 South Buena Vista Street
Burbank, CA 91521-1359
These representatives will provide particular information about the mechanics of the complaint process.
2. What types of independent dispute resolution mechanisms are available?
All EEA jurisdictions have established data protection authorities overseeing the processing of Personal Information that are willing to assist in the resolution of complaints. To maintain its certification under the Safe Harbor Program, DCP must cooperate with these authorities to resolve any complaint and comply with their decisions in such cases.
C. Changes to the Principles
DCP reserves the right to modify these Principles at any time and will notify affected individuals of such modifications in accordance with applicable law and the Safe Harbor Program. Nonetheless, as long as DCP continues to store, use, or disclose Personal Information transferred to DCP under these Principles, DCP will apply to such Personal Information either these Principles or safeguards that provide no less privacy protection than the Safe Harbor Program then requires.