Disney Entertainment Productions ("DEP"), whose principal office is located in the United States of America (the "United States"), controls and operates the following data processing system (referred to herein as the "System") that is certified under the voluntary U.S.-EU Safe Harbor program (the "Safe Harbor Program"):

Bluefoot, a project management tool that processes personal data for the purpose of tracking theme park entertainment

The System contains (or will contain) contact information for certain companies affiliated with DEP that are located throughout the world. DEP recognizes the privacy protections afforded to individuals in the European Union and the European Economic Area (collectively the "EEA") with regard to Personal Information (as defined below). For that reason, DEP has subscribed and will adhere to the Safe Harbor Program by adopting and implementing this set of Safe Harbor Privacy Principles in relation to the System, which include a set of frequently asked questions (collectively, the "Principles").

The Principles apply to all Personal Information that is: (1) collected by any Affiliated Entity (as defined below) located in the EEA about an Individual located in the EEA; (2) in the course of the Individual's relationship(s) with the Affiliated Entities and/or with companies that provide goods and services to the Affiliated Entities ("Independent Contractors"); and (3) transferred from the EEA to DEP in the United States after the effective date of these Principles and included in the System. The effective date of these Principles is March 6, 2002.

FREQUENTLY ASKED QUESTIONS

1. What is "Personal Information"?

   Personal Information means any information relating to an Individual that identifies that Individual, or could reasonably be used to identify the Individual, and that is recorded in any form (e.g., paper, electronic, video, audio) and included in the System. Personal Information also includes information relating to an Individual's dependents, beneficiaries, and emergency contacts that is included in the System.

2. What are Affiliated Entities?

   Affiliated Entities are Corporations or other business organizations present in the EEA that are affiliated with DEP through direct or indirect common ownership or control.

3. Who is an Individual for Purposes of these Principles?

   An Individual is any natural person whose Personal Information is included in the System.

4. What is the relationship between the Principles and the Safe Harbor Program?

   The Principles implement and satisfy the requirements of the Safe Harbor Program and establish the legally required level of protection for Individuals' Personal Information.

1. Collection and Use of Personal Information

   DEP collects and uses Personal Information only in a lawful manner and in compliance with the Safe Harbor Program and these Principles.

   FREQUENTLY ASKED QUESTIONS

   1. Why is Personal Information transferred to DEP in the System?

      The collection and use of Personal Information is necessary for the conduct of DEP and the Affiliated Entities. Examples of the purposes for which DEP collects and uses Personal Information about Individuals include, without limitation, managing and scheduling theme park entertainment events.

2. Informing the Individual and Obtaining Consent

   Except where an applicable legal exception exists, Affiliated Entities are legally required to inform Individuals (or to request that Independent Contractors inform Individuals) of the ways in which their Personal Information will be collected and used and the types of third parties to which such Information will be disclosed, and to obtain the Individuals' consent.

   Accordingly, except where an applicable legal exception exists, if DEP either plans to use Personal Information for purposes incompatible with the purposes about which the Affiliated Entities (or Independent Contractors) notified Individuals, or plans to disclose Personal Information to types of third parties other than those about which Affiliated Entities (or Independent Contractors) notified Individuals ("Supplemental Uses"), then DEP shall notify (or shall request the Independent Contractor, as appropriate, to notify) Individuals of the following with respect to such Supplemental Uses:

   • The type(s) of Personal Information DEP plans to use;
   • The purposes for which DEP will process Personal Information;
   • How to contact Affiliated Entities or DEP with any inquiries or complaints about the use and processing of such Personal Information;
   • The types of parties to whom DEP will disclose Personal Information;
   • The privacy and security safeguards DEP employs; and
   • The right of Individuals to access and, if necessary, correct Personal Information about them.

   This information will be provided before DEP uses or discloses Personal Information for Supplemental Uses or as soon thereafter as is practicable.

   FREQUENTLY ASKED QUESTIONS

   1. Are there cases when DEP may disclose Personal Information about an Individual without obtaining the Individual's consent?

      In certain limited or exceptional circumstances, and in accordance with the Safe Harbor Program, DEP may disclose Personal Information about an Individual without the Individual's consent, such as when DEP is required to disclose the Information by law or legal process or when the vital interests of the Individual, such as life or health, are at stake. In such circumstances, and at such time as may be required by law or the Safe Harbor Program, DEP, the relevant Affiliated Entity, or the Independent Contractor, as appropriate, shall inform the Individual concerned regarding whom to contact if the Individual has a legitimate reason to object to the disclosure of the Individual's Personal Information by DEP.

   2. Under what circumstances may DEP disclose Personal Information to agents and contractors, and what steps does DEP take to safeguard that Personal Information?

      As a part of its normal business operations, DEP hires agents and contractors to carry out certain functions that require use of Personal Information, such as data processing and benefit administration. DEP is not required by the Safe Harbor Program to provide notice or obtain the relevant Individual's consent in these circumstances, and DEP does not generally do so. DEP does bind such agents and contractors through written agreements to observe the relevant Principles and DEP restricts the use and retention of the Personal Information to the purposes and duration of such functions.

   3. What happens if an Individual objects to the collection, use, or disclosure of his/her Personal Information by DEP?

      If an Individual objects to DEP collection, use, or disclosure of certain Personal Information, DEP or the appropriate Affiliated Entity will make reasonable efforts to address the concerns of the Individual.

   4. Will DEP take any adverse action against an Individual for refusing to permit his/her Personal Information to be collected, used, or disclosed?

      The Safe Harbor Program prohibits a company that subscribes to the Safe Harbor Program from taking such adverse action. Accordingly, DEP may not subject an Individual to disciplinary action, sanction, or retaliation for objecting to the collection, use, or disclosure of Personal Information about the Individual.

      An Individual withholding Personal Information or prohibiting its collection, use or disclosure, may, however, be disadvantaged as a result of not making the Information available. For example, unwillingness to provide Personal Information required for a benefit may make an employee ineligible to receive that benefit. Likewise, the refusal of an applicant for employment to provide a telephone number for contact purposes may hinder the applicant in the recruitment process.

3. Sensitive Information

   While recognizing that all Personal Information deserves to be protected in accordance with the Safe Harbor Program, DEP exercises special precautions and safeguards for any sensitive information it may collect, as defined by the Safe Harbor Program.

   FREQUENTLY ASKED QUESTIONS

   1. What is "sensitive information"?

      "Sensitive information" is Personal Information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual.

   2. What safeguards are required for "sensitive information"?

      Except as provided by the Safe Harbor Program or where legally required, affirmative permission of the Individual ("opt in" consent) is required if "sensitive information" is to be disclosed to a third party or used for purposes other than those for which it was originally collected or subsequently authorized by the Individual.

DEP provides Individuals about whom it maintains Personal Information with a reasonable opportunity to examine their information, to challenge its accuracy, and to have it corrected, amended or deleted as appropriate, subject to certain exceptions.

FREQUENTLY ASKED QUESTIONS

1. How do Individuals exercise their rights under the Access Principle?

   Each employee of an Affiliated Entity will have direct access to Personal Information about him/her contained in the System. Each employee will be able to correct his/her Personal Information in the System, except where the Personal Information is determined by an Affiliated Entity, such as the employee's salary, type of contract, etc. ("Company Determined Personal Information"). Employees must contact the appropriate Affiliated Entity or DEP to correct Company Determined Personal Information. Similarly, upon request to the appropriate Affiliated Entity or DEP, each independent worker or employee of an Independent Contractor will be given reasonable access to Personal Information about him/her that is contained in the System. Reasonable access applies to both the process of accessing Personal Information and the types of Personal Information to be accessed. In terms of process, reasonable access means, for example, that requests for access are made during normal business hours, following standard procedures, and that the frequency of access requests is not excessive. In terms of types of Personal Information to be accessed, reasonable access recognizes certain exceptions discussed in the immediately following FAQ 2. If DEP or the Affiliated Entity denies an Individual access, however, such Individual will be provided with the reason(s) access was denied and a contact point for further inquiries.

   If DEP or an Affiliated Entity is notified that Personal Information it maintains is incorrect, is requested to correct the Personal Information, and is provided with appropriate supporting documentation, DEP or the appropriate Affiliated Entity will either correct the information or direct the Individual to the source of the information for correction. If, upon review, DEP or the appropriate Affiliated Entity believes that the existing information is correct, the Individual will be informed accordingly.

2. Is there any Personal Information about an Individual maintained by DEP that such Individual would not be permitted to access?

   Yes, there are some exceptions to the obligation to provide access permitted by the Safe Harbor Program. These include access to confidential or proprietary information of either the relevant Affiliated Entity or DEP, such as business reorganization or succession plans, or situations in which granting access might have to be balanced against the privacy interests of others. In addition, access may be denied when the Personal Information requested relates to an ongoing investigation of the Individual, litigation or potential litigation, or where the burden or expense of providing access would be disproportionate to any risks to the Individual's privacy that would arise from not providing access.

If DEP performs an onward transfer of information to a third party that is acting as an agent, DEP will do so only if DEP verifies that the third party subscribes to the Safe Harbor Principles, or is subject to the Directive or another adequacy finding. Alternatively, DEP will enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Principles.

DEP employs reasonable steps to keep Personal Information accurate, complete, and up-to-date for the purposes for which such Personal Information is used. Each Individual is responsible for helping to ensure that the Personal Information that DEP holds about him or her is accurate, complete, and up-to-date.

FREQUENTLY ASKED QUESTIONS

1. Is there a role for Individuals to play in maintaining the accuracy of Personal Information?

   Yes. It is in the best interests of Individuals, Affiliated Entities, and DEP to keep Personal Information accurate, complete, and up-to date. DEP and the Affiliated Entities expect all Individuals to assist in keeping the Personal Information that the SAP holds about them accurate, complete and up-to-date, and DEP and the Affiliated Entities facilitate cooperation by Individuals in doing so.

DEP takes reasonable precautions, including administrative, technical, personnel, and physical measures to safeguard Personal Information against loss, theft and misuse, as well as unauthorized access, disclosure, alteration and destruction.

FREQUENTLY ASKED QUESTIONS

1. Is there a role for Individuals to play in maintaining the security of Personal Information?

   Individuals play a vital role in maintaining security and are held accountable for safeguarding Personal Information, including, for example, by protecting passwords used to access Corporate computer systems.

2. How are decisions reached about who has access to Personal Information about Individuals?

   It is the policy of DEP to give access to Personal Information about Individuals only to those entities and persons that DEP determines have a legitimate need to know the information to carry out their responsibilities.

3. What keeps those with access to some of an Individual's Personal Information from browsing through other parts of that Personal Information for other reasons?

   It is the policy of DEP to limit the access to Personal Information given to employees, agents, and contractors to such information that DEP determines is needed to carry out their responsibilities.

1. Compliance

   DEP maintains an active program to ensure compliance with the Principles, Safe Harbor Program, and DEP contractual agreements and other commitments regarding the handling of Personal Information.

   The DEP Privacy Compliance Office is responsible for implementing and overseeing the administration of the Principles.

   It is the responsibility of all DEP employees to act in accordance with the Principles with respect to Personal Information. Failure to do so may result in disciplinary action up to and including discharge from employment.

   FREQUENTLY ASKED QUESTIONS

   1. What are the responsibilities of the DEP Privacy Compliance Office?

      Responsibilities of the DEP Privacy Compliance Office include:

      • Ensuring that the privacy guidelines, programs, procedures, training, and other measures necessary to implement the Principles are developed and put into practice;
      • Overseeing responses to inquiries and resolution of complaints relating to Personal Information;
      • Working with legal advisors to ensure DEP ongoing compliance with applicable privacy laws and agreements, as well as any obligations DEP may enter into voluntarily, such as the Principles and the U.S.-EU Safe Harbor Program; and
      • Overseeing periodic assessments of DEP internal practices to ensure that they conform to the Principles and related company obligations.
      
      
   2. What steps are taken to promote compliance with the Principles?

      Compliance measures include:

      • Educating DEP employees as to the purpose and application of the Principles;
      • Training DEP employees with access to Personal Information on the purposes and application of the Principles;
      • Ensuring that DEP employees, agents, and contractors with access to Personal Information are legally obligated to abide by the Principles;
      • Holding DEP employees, agents, and contractors accountable for violations of the Principles, with sanctions up to and including termination of contracts and employment; and
      • Having designated points of contact in DEP to answer questions regarding the Principles and DEP privacy practices and to investigate complaints regarding conduct inconsistent with the Principles or related obligations.
   
   
2. Complaint Resolution

   DEP recognizes the importance of having mechanisms in place to address and resolve complaints by Individuals about the processing of Personal Information. Therefore, if an Individual makes a complaint about the processing of his/her Personal Information, and the complaint is not resolved to the Individual's satisfaction through internal DEP procedures, then DEP will refer such Individual to the national data protection authority in the jurisdiction where the Individual works and/or resides as required by the Safe Harbor Program.

   FREQUENTLY ASKED QUESTIONS

   1. What are the procedures for filing an internal complaint about the handling of Personal Information by DEP?

      Individuals covered by the Principles should contact Ms Kim Richardson, by phone to 818-560-4026, or email to privacycontact@disney.com, or Human Resources contact (as appropriate) for the relevant Affiliated Entity. These representatives will provide particular information about the mechanics of the complaint process.

   2. What types of independent dispute resolution mechanisms are available?

      All EEA jurisdictions have established data protection authorities overseeing the processing of Personal Information that are willing to assist in the resolution of complaints. To maintain its certification under the Safe Harbor Program, DEP must cooperate with these authorities to resolve any complaint and comply with their decisions in such cases.

3. Changes to the Principles

   DEP reserves the right to modify these Principles at any time and will notify affected individuals of such modifications in accordance with applicable law and the Safe Harbor Program. Nonetheless, as long as DEP continues to store, use, or disclose Personal Information transferred to DEP under these Principles, DEP will apply to such Personal Information either these Principles or safeguards that provide no less privacy protection than the Safe Harbor Program then requires.