Disney Shopping, Inc. ("DSI"), whose principal office is located in the United States of America (the "United States"), controls and operates the following data processing system (referred to herein as the "System") that is certified under the voluntary U.S.-EU Safe Harbor program (the "Safe Harbor Program"):

Disney Store Order Fulfillment Management System

The System contains (or will contain) guest contact information for the purpose of supporting online orders taken through Disney Store online European websites. DSI recognizes the privacy protections afforded to individuals in the European Union and the European Economic Area (collectively the "EEA") with regard to Personal Information (as defined below). For that reason, DSI has subscribed and will adhere to the Safe Harbor Program by adopting and implementing this set of Safe Harbor Privacy Principles in relation to the System, which include a set of frequently asked questions (collectively, the "Principles").

The Principles apply to all Personal Information that is: (1) collected by any Affiliated Entity (as defined below) located in the EEA about an Individual located in the EEA; (2) in the course of the Individual's relationship(s) with the Affiliated Entities and/or with companies that provide goods and services to the Affiliated Entities ("Independent Contractors"); and (3) transferred from the EEA to DSI in the United States after the effective date of these Principles and included in the System. The effective date of these Principles is May 6, 2002.

FREQUENTLY ASKED QUESTIONS

1. What is "Personal Information"?

   Personal Information means any information relating to an Individual that identifies that Individual, or could reasonably be used to identify the Individual, and that is recorded in any form (e.g., paper, electronic, video, audio) and included in the System.

2. What are Affiliated Entities?

   Affiliated Entities are corporations or other business organizations present in the EEA that are affiliated with DSI through direct or indirect common ownership or control.

3. Who is an Individual for Purposes of these Principles?

   An Individual is any natural person whose Personal Information is included in the System.

4. What is the relationship between the Principles and the Safe Harbor Program?

   The Principles implement and satisfy the requirements of the Safe Harbor Program and establish the legally required level of protection for Individuals' Personal Information.

1. Collection and Use of Personal Information

   FREQUENTLY ASKED QUESTION

   1. Why is Personal Information transferred to DSI in the System?

      The collection and use of Personal Information is necessary for the conduct of the human resources and operational management of DSI and the Affiliated Entities. Examples of the purposes for which DSI collects and uses Personal Information about Individuals include, without limitation, facilitating the provision of internal goods and services required for employees and contractors to carry out their work duties.

2. Informing the Individual and Obtaining Consent

   Except where an applicable legal exception exists, Affiliated Entities are legally required to inform Individuals (or to request that Independent Contractors inform Individuals) of the ways in which their Personal Information will be collected and used and the types of third parties to which such Information will be disclosed, and to obtain the Individuals' consent.

   Accordingly, except where an applicable legal exception exists, if DSI either plans to use Personal Information for purposes incompatible with the purposes about which the Affiliated Entities (or Independent Contractors) notified Individuals and/or to which the Individuals consented, or plans to disclose Personal Information to types of third parties other than those about which Affiliated Entities (or Independent Contractors) notified Individuals and/or to which the Individuals consented ("Supplemental Uses"), then DSI shall notify (or shall request the Independent Contractor, as appropriate, to notify) Individuals of the following with respect to such Supplemental Uses:

   • The type(s) of Personal Information DSI plans to use;
   • The purposes for which DSI will process Personal Information;
   • How to contact Affiliated Entities or DSI with any inquiries or complaints about the use and processing of such Personal Information;
   • The types of parties to whom DSI will disclose Personal Information;
   • The privacy and security safeguards DSI employs; and
   • The right of Individuals to access and, if necessary, correct Personal Information about them.

   This information will be provided before DSI uses or discloses Personal Information for Supplemental Uses or as soon thereafter as is practicable and, unless an applicable legal exception exists, Individuals' consent to such use and/or disclosure will be obtained.

   FREQUENTLY ASKED QUESTIONS

   1. Are there cases when DSI may disclose Personal Information about an Individual without obtaining the Individual's consent?

      In certain limited or exceptional circumstances, and in accordance with the Safe Harbor Program, DSI may disclose Personal Information about an Individual without the Individual's consent, such as when DSI is required to disclose the Information by law or legal process or when the vital interests of the Individual, such as life or health, are at stake. In such circumstances, and at such time as may be required by law or the Safe Harbor Program, DSI, the relevant Affiliated Entity, or the Independent Contractor, as appropriate, shall inform the Individual concerned regarding whom to contact if the Individual has a legitimate reason to object to the disclosure of the Individual's Personal Information by DSI.

   2. Under what circumstances may DSI disclose Personal Information to agents and contractors, and what steps does DSI take to safeguard that Personal Information?

      As a part of its normal business operations, DSI hires agents and contractors to carry out certain functions that require use of Personal Information, such as data processing and benefit administration. DSI is not required by the Safe Harbor Program to provide notice or obtain the relevant Individual's consent in these circumstances, and DSI does not generally do so. DSI does bind such agents and contractors through written agreements to observe the relevant Principles and DSI restricts the use and retention of the Personal Information to the purposes and duration of such functions.

   3. What happens if an Individual objects to the collection, use, or disclosure of his/her Personal Information by DSI?

      If an Individual objects to DSI's collection, use, or disclosure of certain Personal Information, DSI or the appropriate Affiliated Entity will make reasonable efforts to address the concerns of the Individual.

   4. Will DSI take any adverse action against an Individual for refusing to permit his/her Personal Information to be collected, used, or disclosed?

      The Safe Harbor Program prohibits a company that subscribes to the Safe Harbor Program from taking such adverse action. Accordingly, DSI may not subject an Individual to disciplinary action, sanction, or retaliation for objecting to the collection, use, or disclosure of Personal Information about the Individual.

      An Individual withholding Personal Information or prohibiting its collection, use or disclosure, may, however, be disadvantaged as a result of not making the Information available. For example, unwillingness to provide Personal Information required for a benefit may make an employee ineligible to receive that benefit. Likewise, the refusal of an employee to provide Personal Information reasonably necessary for the performance of his/her employment duties may render the employee unable to fulfill the terms of his/her employment arrangement and/or contract.

3. Sensitive Information

   While recognizing that all Personal Information deserves to be protected in accordance with the Safe Harbor Program, DSI exercises special precautions and safeguards for any sensitive information it may collect, as defined by the Safe Harbor Program.

   FREQUENTLY ASKED QUESTIONS

   1. What is "sensitive information"?

      "Sensitive information" is Personal Information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual.

   2. What safeguards are required for "sensitive information"?

      Except as otherwise provided by the Safe Harbor Program or where not legally required, affirmative permission of the Individual ("opt in" consent) is required if "sensitive information" is to be disclosed to a third party or used for purposes other than those for which it was originally collected or subsequently authorized by the Individual.

DSI provides Individuals about whom it maintains Personal Information with a reasonable opportunity to examine their information, to challenge its accuracy, and to have it corrected, amended or deleted as appropriate, subject to certain exceptions.

FREQUENTLY ASKED QUESTIONS

1. How do Individuals exercise their rights under the Access Principle?

   Each employee of an Affiliated Entity will have direct access to certain Personal Information about him/her contained in the System. Each employee will be able to correct certain Personal Information pertaining to him/her in the System, except where the Personal Information is determined by an Affiliated Entity, such as the employee's type of contract, etc. ("Company Determined Personal Information"). Employees must contact the appropriate Affiliated Entity or DSI to correct Company Determined Personal Information. Similarly, upon request to the appropriate Affiliated Entity or DSI, each independent worker or employee of an Independent Contractor will be given reasonable access to Personal Information about him/her that is contained in the System. Reasonable access applies to both the process of accessing Personal Information and the types of Personal Information to be accessed. In terms of process, reasonable access means, for example, that requests for access are made during normal business hours, following standard procedures, and that the frequency of access requests is not excessive. In terms of types of Personal Information to be accessed, reasonable access recognizes certain exceptions discussed in the immediately following FAQ 2. If DSI or the Affiliated Entity denies an Individual access, however, such Individual will be provided with the reason(s) access was denied and a contact point for further inquiries.

   If DSI or an Affiliated Entity is notified that Personal Information it maintains is incorrect, is requested to correct the Personal Information, and is provided with appropriate supporting documentation, DSI or the appropriate Affiliated Entity will either correct the information or direct the Individual to the source of the information for correction. If, upon review, DSI or the appropriate Affiliated Entity believes that the existing information is correct, the Individual will be informed accordingly.

2. Is there any Personal Information about an Individual maintained by DSI that such Individual would not be permitted to access?

   Yes, there are some exceptions to the obligation to provide access permitted by the Safe Harbor Program. These include access to confidential or proprietary information of either the relevant Affiliated Entity or DSI, such as business reorganization or succession plans, or situations in which granting access might have to be balanced against the privacy interests of others. In addition, access may be denied when the Personal Information requested relates to an ongoing investigation of the Individual, litigation or potential litigation, or where the burden or expense of providing access would be disproportionate to any risks to the Individual's privacy that would arise from not providing access.

If DSI performs an onward transfer of information to a third party that is acting as an agent, DSI will do so only if DSI verifies that the third party subscribes to the Safe Harbor Program, or is subject to the EU Data Directive or another EU adequacy finding. Alternatively, DSI will enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant provisions of the Safe Harbor Program.

DSI employs reasonable steps to keep Personal Information accurate, complete, and up-to-date for the purposes for which such Personal Information is used. Each Individual is responsible for helping to ensure that the Personal Information that DSI holds about him or her is accurate, complete, and up-to-date.

FREQUENTLY ASKED QUESTION

1. Is there a role for Individuals to play in maintaining the accuracy of Personal Information?

   Yes. It is in the best interests of Individuals, Affiliated Entities, and DSI to keep Personal Information accurate, complete, and up-to date. DSI and the Affiliated Entities expect all Individuals to assist in keeping the Personal Information that the SAP holds about them accurate, complete and up-to-date, and DSI and the Affiliated Entities facilitate cooperation by Individuals in doing so.

DSI takes reasonable precautions, including administrative, technical, personnel, and physical measures to safeguard Personal Information against loss, theft and misuse, as well as unauthorized access, disclosure, alteration and destruction.

FREQUENTLY ASKED QUESTIONS

1. Is there a role for Individuals to play in maintaining the security of Personal Information?

   Individuals play a vital role in maintaining security and are held accountable for safeguarding Personal Information, including, for example, by protecting passwords used to access corporate computer Systems.

2. How are decisions reached about who has access to Personal Information about Individuals?

   It is the policy of DSI to give access to Personal Information about Individuals only to those entities and persons that DSI determines have a legitimate need to know the information to carry out their responsibilities.

3. What keeps those with access to some of an Individual's Personal Information from browsing through other parts of that Personal Information for other reasons?

   It is the policy of DSI to limit the access to Personal Information given to employees, agents, and contractors to such information that DSI determines is needed to carry out their responsibilities.

1. Compliance

   DSI maintains an active program to ensure compliance with the Principles, Safe Harbor Program, and DSI's contractual agreements and other commitments regarding the handling of Personal Information. The DSI Privacy Compliance Office is responsible for implementing and overseeing the administration of the Principles. It is the responsibility of all DSI employees to act in accordance with the Principles with respect to Personal Information. Failure to do so may result in disciplinary action up to and including discharge from employment.

   FREQUENTLY ASKED QUESTIONS

   1. What are the responsibilities of the DSI Privacy Compliance Office?

      Responsibilities of the DSI Privacy Compliance Office include:

      • Ensuring that the privacy guidelines, programs, procedures, training, and other measures necessary to implement the Principles are developed and put into practice;
      • Overseeing responses to inquiries and resolution of complaints relating to Personal Information;
      • Working with legal advisors to ensure DSI's ongoing compliance with applicable privacy laws and agreements, as well as any obligations DSI may enter into voluntarily, such as the Principles and the U.S.-EU Safe Harbor Program; and
      • Overseeing assessments of DSI's internal practices to ensure that they conform to the Principles and related company obligations.

   2. What steps are taken to promote compliance with the Principles?

      Compliance measures include:

      • Educating DSI employees as to the purpose and application of the Principles;
      • Training DSI employees with access to Personal Information on the purposes and application of the Principles;
      • Ensuring that DSI employees, agents, and contractors with access to Personal Information are legally obligated to abide by the Principles;
      • Holding DSI employees, agents, and contractors accountable for violations of the Principles, with sanctions up to and including termination of contracts and employment.

2. Complaint Resolution

   DSI recognizes the importance of having mechanisms in place to address and resolve complaints by Individuals about the processing of Personal Information. Therefore, if an Individual makes a complaint about the processing of his/her Personal Information, and the complaint is not resolved to the Individual's satisfaction through internal DSI procedures, then DSI will refer such Individual to the national data protection authority in the jurisdiction where the Individual works and/or resides as required by the Safe Harbor Program.

   FREQUENTLY ASKED QUESTIONS

   1. What are the procedures for filing an internal complaint about the handling of Personal Information by DSI?

      Individuals covered by the Principles should contact the Chief Trust Officer at the following address:

      Chief Trust Officer
      Disney Corporate Legal – Privacy
      500 South Buena Vista Street
      Burbank, CA 91521-1359
      

      These representatives will provide particular information about the mechanics of the complaint process.

   2. What types of independent dispute resolution mechanisms are available?

      All EEA jurisdictions have established data protection authorities overseeing the processing of Personal Information that are willing to assist in the resolution of complaints. To maintain its certification under the Safe Harbor Program, DSI must cooperate with these authorities to resolve any complaint and comply with their decisions in such cases.

3. Changes to the Principles

   DSI reserves the right to modify these Principles at any time and will notify affected individuals of such modifications in accordance with applicable law and the Safe Harbor Program. Nonetheless, as long as DSI continues to store, use, or disclose Personal Information transferred to DSI under these Principles, DSI will apply to such Personal Information either these Principles or safeguards that provide no less privacy protection than the Safe Harbor Program then requires.