Disney Worldwide Services, Inc. ("DWS"), whose principal office is located in the United States of America (the "United States"), controls and operates the following data processing systems (referred to herein as the "Systems") that are certified under the voluntary U.S.-EU and U.S.-Swiss Safe Harbor programs (the "Safe Harbor Program"):
(1) a Systems, Applications and Products database ("SAP") for financial and human resources management purposes.
(2) a document management database ("Hummingbird") for finance and human resource management purposes.
(3) a rights and contracts management database ("Zeus") for administration of international television programming distribution.
(4) an accounts receivables management database ("Get Paid") for the process workflow for invoices and customer management.
(5) a global learning management system ("Disney Development Connection") for the administration of employee training and retention of employee training records.
(6) a global performance management system ("Performance Connection") for the administration and harmonization of employee evaluation and talent planning processes.
(7) the Customer Data Environment ("CDE") processes consumer data, including personally identifiable data collected in the European Union, for marketing purposes.
(8) the Workscape Compensation Management System ("Workscape") processes employee data for the purpose of determining employee compensation.
(9) the Headcount Tool ("Headcount") is an online reporting application which tracks headcount data. (This System was retired in 2011).
(10) the ISOS Travel Locator System ("ISOS") processes employee contact and travel information for the purpose of providing emergency assistance to employees while traveling.
(11) the Disney Store Order Management System processes guest contact information for the purpose of supporting online orders taken through Disney Store online European websites.
(12) an internal employee directory, Disney Rostr ("Rostr"), which shows contact and reporting information for the purpose of expediting in-house communication.
(13) a search engine tool FAST Search ("FAST") which stores an index for performing textual searches of data records in Rostr.
(14) a single sign-on central policy-based authorization/authentication system ("Corporate SiteMinder") for web applications.
(15) an LDAP-based directory ("Enterprise Directory") for user and computer/device authentication and authorization.
(16) a global implementation of Microsoft's Active Directory ("Global Active Directory").
(17) International Labor Standards ("ILS") which is a system for monitoring licensee and vendor compliance with Disney's Code of Conduct.
(18) Disney's implementation of the APEX:First Strike software ("APEX") for management of vendor invoices and payments, including vendor discounts.
(19) a system for management of IT service requests ("Corporate Service Manager").
(20) an internal database ("Send Word Now") processes employee contact information in order to issue emergency notifications.
(21) an emergency notification system ("WebEOC") processes employee contact information to provide communication between company Emergency Operations Centers during emergency or disaster situations.
(22) a system for processing HR data ("Global Staffing") for recruiting purposes and for applicant information management.
(23) a database containing labor resource information ("HR Analytics"), used for the purpose of reporting and monitoring workforce performance.
(24) a file transfer system ("GlobalScape"), used for the purpose of transferring email files related to labor resource information.
(25) a metadata system ("HD Forms") for managing internal user access requests through a portal-based module.
The Systems contain (or will contain) human resources, financial and operational information of certain companies affiliated with DWS that are located throughout the world. DWS recognizes the privacy protections afforded to individuals in the European Union and the European Economic Area (collectively the "EEA") with regard to Personal Information (as defined below). For that reason, DWS complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. DWS has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement in relation to the Systems, which include a set of frequently asked questions (collectively, the "Principles"). To learn more about the Safe Harbor program, and to view DWS's certification, please visit http://www.export.gov/safeharbor/
SCOPE OF THESE PRINCIPLES
The Principles apply to all Personal Information that is: (1) collected by any Affiliated Entity (as defined below) located in the EEA or Switzerland about an Individual located in the EEA or Switzerland; (2) in the course of the Individual's relationship(s) with the Affiliated Entities and/or with companies that provide goods and services to the Affiliated Entities ("Independent Contractors"); and (3) transferred from the EEA or Switzerland to DWS in the United States after the effective date of these Principles and included in the Systems. The effective date of these Principles is May 6, 2002.
FREQUENTLY ASKED QUESTIONS
What is "Personal Information"?
Personal Information means any information relating to an Individual that identifies that Individual, or could reasonably be used to identify the Individual, and that is recorded in any form (e.g., paper, electronic, video, audio) and included in the Systems. Personal Information also includes information relating to an Individual's dependents, beneficiaries, and emergency contacts that is included in the Systems.
What are Affiliated Entities?
Affiliated Entities are corporations or other business organizations present in the EEA that are affiliated with DWS through direct or indirect common ownership or control.
Who is an Individual for Purposes of these Principles?
An Individual is any natural person whose Personal Information is included in the Systems.
What is the relationship between the Principles and the Safe Harbor Program?
The Principles implement and satisfy the requirements of the Safe Harbor Program and establish the legally required level of protection for Individuals' Personal Information.
NOTICE AND CHOICE
Collection and Use of Personal Information
DWS collects and uses Personal Information only in a lawful manner and in compliance with the Safe Harbor Program and these Principles.
FREQUENTLY ASKED QUESTION
Why is Personal Information transferred to DWS in the Systems?
The collection and use of Personal Information is necessary for the conduct of the human resources, operational and financial management of DWS and the Affiliated Entities. Examples of the purposes for which DWS collects and uses Personal Information about Individuals include, without limitation, making available documentation on personnel, administering stock option plans, addressing the various legal obligations concerning personnel status, tracking the use of temporary workers and independent workers, and establishing a centralized listing of contact people at Independent Contractors that will facilitate future use of the Independent Contractors' services.
Informing the Individual and Obtaining Consent
Except where an applicable legal exception exists, Affiliated Entities are legally required to inform Individuals (or to request that Independent Contractors inform Individuals) of the ways in which their Personal Information will be collected and used and the types of third parties to which such Information will be disclosed, and to obtain the Individuals' consent.
Accordingly, except where an applicable legal exception exists, if DWS either plans to use Personal Information for purposes incompatible with the purposes about which the Affiliated Entities (or Independent Contractors) notified Individuals, or plans to disclose Personal Information to types of third parties other than those about which Affiliated Entities (or Independent Contractors) notified Individuals ("Supplemental Uses"), then DWS shall notify (or shall request the Independent Contractor, as appropriate, to notify) Individuals of the following with respect to such Supplemental Uses:
- The type(s) of Personal Information DWS plans to use;
- The purposes for which DWS will process Personal Information;
- How to contact Affiliated Entities or DWS with any inquiries or complaints about the use and processing of such Personal Information;
- The types of parties to whom DWS will disclose Personal Information;
- The privacy and security safeguards DWS employs; and
- The right of Individuals to access and, if necessary, correct Personal Information about them.
This information will be provided before DWS uses or discloses Personal Information for Supplemental Uses or as soon thereafter as is practicable.
FREQUENTLY ASKED QUESTIONS
Are there cases when DWS may disclose Personal Information about an Individual without obtaining the Individual's consent?
In certain limited or exceptional circumstances, and in accordance with the Safe Harbor Program, DWS may disclose Personal Information about an Individual without the Individual's consent, such as when DWS is required to disclose the Information by law or legal process or when the vital interests of the Individual, such as life or health, are at stake. In such circumstances, and at such time as may be required by law or the Safe Harbor Program, DWS, the relevant Affiliated Entity, or the Independent Contractor, as appropriate, shall inform the Individual concerned regarding whom to contact if the Individual has a legitimate reason to object to the disclosure of the Individual's Personal Information by DWS.
Under what circumstances may DWS disclose Personal Information to agents and contractors, and what steps does DWS take to safeguard that Personal Information?
As a part of its normal business operations, DWS hires agents and contractors to carry out certain functions that require use of Personal Information, such as data processing and benefit administration. DWS is not required by the Safe Harbor Program to provide notice or obtain the relevant Individual's consent in these circumstances, and DWS does not generally do so. DWS does bind such agents and contractors through written agreements to observe the relevant Principles and DWS restricts the use and retention of the Personal Information to the purposes and duration of such functions.
What happens if an Individual objects to the collection, use, or disclosure of his/her Personal Information by DWS?
If an Individual objects to DWS' collection, use, or disclosure of certain Personal Information, DWS or the appropriate Affiliated Entity will make reasonable efforts to address the concerns of the Individual.
Will DWS take any adverse action against an Individual for refusing to permit his/her Personal Information to be collected, used, or disclosed?
The Safe Harbor Program prohibits a company that subscribes to the Safe Harbor Program from taking such adverse action. Accordingly, DWS may not subject an Individual to disciplinary action, sanction, or retaliation for objecting to the collection, use, or disclosure of Personal Information about the Individual.
An Individual withholding Personal Information or prohibiting its collection, use or disclosure, may, however, be disadvantaged as a result of not making the Information available. For example, unwillingness to provide Personal Information required for a benefit may make an employee ineligible to receive that benefit. Likewise, the refusal of an applicant for employment to provide a telephone number for contact purposes may hinder the applicant in the recruitment process.
While recognizing that all Personal Information deserves to be protected in accordance with the Safe Harbor Program, DWS exercises special precautions and safeguards for any sensitive information it may collect, as defined by the Safe Harbor Program.
FREQUENTLY ASKED QUESTIONS
What is "sensitive information"?
"Sensitive information" is Personal Information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual.
What safeguards are required for "sensitive information"?
Except as provided by the Safe Harbor Program or where legally required, affirmative permission of the Individual ("opt in" consent) is required if "sensitive information" is to be disclosed to a third party or used for purposes other than those for which it was originally collected or subsequently authorized by the Individual.
DWS provides Individuals about whom it maintains Personal Information with a reasonable opportunity to examine their information, to challenge its accuracy, and to have it corrected, amended or deleted as appropriate, subject to certain exceptions.
FREQUENTLY ASKED QUESTIONS
How do Individuals exercise their rights under the Access Principle?
Each employee of an Affiliated Entity will have direct access to Personal Information about him/her contained in the Systems. Each employee will be able to correct his/her Personal Information in the Systems, except where the Personal Information is determined by an Affiliated Entity, such as the employee's salary, type of contract, etc. ("Company Determined Personal Information"). Employees must contact the appropriate Affiliated Entity or DWS to correct Company Determined Personal Information. Similarly, upon request to the appropriate Affiliated Entity or DWS, each independent worker or employee of an Independent Contractor will be given reasonable access to Personal Information about him/her that is contained in the Systems. Reasonable access applies to both the process of accessing Personal Information and the types of Personal Information to be accessed. In terms of process, reasonable access means, for example, that requests for access are made during normal business hours, following standard procedures, and that the frequency of access requests is not excessive. In terms of types of Personal Information to be accessed, reasonable access recognizes certain exceptions discussed in the immediately following FAQ 2. If DWS or the Affiliated Entity denies an Individual access, however, such Individual will be provided with the reason(s) access was denied and a contact point for further inquiries.
If DWS or an Affiliated Entity is notified that Personal Information it maintains is incorrect, is requested to correct the Personal Information, and is provided with appropriate supporting documentation, DWS or the appropriate Affiliated Entity will either correct the information or direct the Individual to the source of the information for correction. If, upon review, DWS or the appropriate Affiliated Entity believes that the existing information is correct, the Individual will be informed accordingly.
Is there any Personal Information about an Individual maintained by DWS that such Individual would not be permitted to access?
Yes, there are some exceptions to the obligation to provide access permitted by the Safe Harbor Program. These include access to confidential or proprietary information of either the relevant Affiliated Entity or DWS, such as business reorganization or succession plans, or situations in which granting access might have to be balanced against the privacy interests of others. In addition, access may be denied when the Personal Information requested relates to an ongoing investigation of the Individual, litigation or potential litigation, or where the burden or expense of providing access would be disproportionate to any risks to the Individual's privacy that would arise from not providing access.
If DWS performs an onward transfer of information to a third party that is acting as an agent, DWS will do so only if DWS verifies that the third party subscribes to the Safe Harbor Principles, or is subject to the Directive or another adequacy finding. Alternatively, DWS will enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Principles.
DWS employs reasonable steps to keep Personal Information accurate, complete, and up-to-date for the purposes for which such Personal Information is used. Each Individual is responsible for helping to ensure that the Personal Information that DWS holds about him or her is accurate, complete, and up-to-date.
FREQUENTLY ASKED QUESTION
Is there a role for Individuals to play in maintaining the accuracy of Personal Information?
Yes. It is in the best interests of Individuals, Affiliated Entities, and DWS to keep Personal Information accurate, complete and up-to-date. DWS and the Affiliated Entities expect all Individuals to assist in keeping the Personal Information that the SAP holds about them accurate, complete and up-to-date, and DWS and the Affiliated Entities facilitate cooperation by Individuals in doing so.
DWS takes reasonable precautions, including administrative, technical, personnel, and physical measures to safeguard Personal Information against loss, theft and misuse, as well as unauthorized access, disclosure, alteration and destruction.
FREQUENTLY ASKED QUESTIONS
Is there a role for Individuals to play in maintaining the security of Personal Information?
Individuals play a vital role in maintaining security and are held accountable for safeguarding Personal Information, including, for example, by protecting passwords used to access corporate computer systems.
How are decisions reached about who has access to Personal Information about Individuals?
It is the policy of DWS to give access to Personal Information about Individuals only to those entities and persons that DWS determines have a legitimate need to know the information to carry out their responsibilities.
What keeps those with access to some of an Individual's Personal Information from browsing through other parts of that Personal Information for other reasons?
It is the policy of DWS to limit the access to Personal Information given to employees, agents, and contractors to such information that DWS determines is needed to carry out their responsibilities.
Changes to the Principles
DWS maintains an active program to ensure compliance with the Principles, Safe Harbor Program, and DWS' contractual agreements and other commitments regarding the handling of Personal Information.
The DWS Privacy Compliance Office is responsible for implementing and overseeing the administration of the Principles.
It is the responsibility of all DWS employees to act in accordance with the Principles with respect to Personal Information. Failure to do so may result in disciplinary action up to and including discharge from employment.
FREQUENTLY ASKED QUESTIONS
What are the responsibilities of the DWS Privacy Compliance Office?
Responsibilities of the DWS Privacy Compliance Office include:
- Ensuring that the privacy guidelines, programs, procedures, training, and other measures necessary to implement the Principles are developed and put into practice;
- Overseeing responses to inquiries and resolution of complaints relating to Personal Information;
- Working with legal advisors to ensure DWS' ongoing compliance with applicable privacy laws and agreements, as well as any obligations DWS may enter into voluntarily, such as the Principles and the Safe Harbor Program; and
- Overseeing periodic assessments of DWS' internal practices to ensure that they conform to the Principles and related company obligations.
What steps are taken to promote compliance with the Principles?
Compliance measures include:
- Educating DWS employees as to the purpose and application of the Principles;
- Training DWS employees with access to Personal Information on the purposes and application of the Principles;
- Ensuring that DWS employees, agents, and contractors with access to Personal Information are legally obligated to abide by the Principles;
- Holding DWS employees, agents, and contractors accountable for violations of the Principles, with sanctions up to and including termination of contracts and employment; and
- Having designated points of contact in DWS to answer questions regarding the Principles and DWS' privacy practices and to investigate complaints regarding conduct inconsistent with the Principles or related obligations.
What types of independent dispute resolution mechanisms are available?
DWS recognizes the importance of having mechanisms in place to address and resolve complaints by Individuals about the processing of Personal Information. Therefore, if an Individual makes a complaint about the processing of his/her Personal Information, and the complaint is not resolved to the Individual's satisfaction through internal DWS procedures, then DWS will refer such Individual to the national data protection authority in the jurisdiction where the Individual works and/or resides as required by the Safe Harbor Program.
FREQUENTLY ASKED QUESTIONS
What are the procedures for filing an internal complaint about the handling of Personal Information by DWS?
Individuals covered by the Principles should contact the DWS Privacy Compliance Office or Human Resources contact (as appropriate) for the relevant Affiliated Entity. These representatives will provide particular information about the mechanics of the complaint process.
Member States of the European Union and the European Economic Area have established data protection authorities overseeing the processing of Personal Information that are willing to assist in the resolution of complaints. DWS cooperates with these EU and EEA Data Protection Authorities, as well as the Swiss Federal Data Protection and Information Commissioner (FDPIC).
DWS reserves the right to modify these Principles at any time and will notify affected individuals of such modifications in accordance with applicable law and the Safe Harbor Program. Nonetheless, as long as DWS continues to store, use, or disclose Personal Information transferred to DWS under these Principles, DWS will apply to such Personal Information either these Principles or safeguards that provide no less privacy protection than the Safe Harbor Program then requires.