Privacy Shield Policy for MGM Companies

Metro-Goldwyn-Mayer Studios Inc., MGM and UA Services Company, Metro-Goldwyn-Mayer Pictures Inc., MGM Domestic Television Distribution LLC, MGM Domestic Branded Services LLC, Orion TV Productions, Inc., Orion Pictures Corporation, Orion Distribution Company LLC, Orion Releasing LLC, LW Media Holdings LLC, Lightworkers Media OTT, LLC, EPIX Entertainment LLC, NW Productions LLC, UAMG, LLC, UAMG Holdings LLC, Thirteen Enterprises, LLC, Raider Productions LLC, MBY Productions LLC, Deeper Productions LLC, Finale Productions LLC, Four Weddings Productions LLC, EFT Media Holdings LLC and EFT Media Productions LLC  (collectively, the “MGM Companies”) comply with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the United States Department of Commerce regarding the collection, use, and retention of Personal Data (as defined below) from Switzerland or from the European Union (EU) and the other member states of the European Economic Area (EEA).  We have certified to the Department of Commerce that we adhere to the Privacy Shield Principles, which we summarize below in this Privacy Shield Policy (the “Policy”).  If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program and view our certification, please visit https://www.privacyshield.gov/

Definitions

Data Subject” means an individual to whom any Personal Data covered by this Policy refers.

Personal Data” and “personal information” means any information relating to an identified or identifiable person residing in the EEA or Switzerland.

Sensitive Personal Data” means Personal Data regarding an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, physical or mental health, or sexual life.

Controller” means a person or organization that, alone or jointly with others, determines the purposes and means of processing Personal Data.

Scope and Responsibilities

This Policy applies to Personal Data transferred from EEA member countries and Switzerland to our operations in the United States in reliance on the respective Privacy Shield framework and does not apply to Personal Data otherwise transferred under Standard Contractual Clauses or an approved derogation under the EU General Data Protection Regulation.

Our employees who have access in the United States to Personal Data covered by this Policy are responsible for handling Personal Data in a manner consistent with this Policy.  Employees responsible for engaging third parties to handle Personal Data covered by this Policy are responsible for obtaining appropriate contractual or other assurances that the Personal Data will be handled in a manner consistent with the Privacy Shield Principles. 

Our adherence to this Policy may be limited to the extent required to meet legal, regulatory, governmental, or national security obligations.

 

Privacy Shield Principles

We commit to process all Personal Data received in the United States subject to the EU-US or Swiss-US Privacy Shield Frameworks in conformance with the following principles:

1. Notice

Our Privacy Shield certification is published at https://www.privacyshield.gov/list.  Our general privacy policy is found at www.mgm.com, or the relevant website of an individual subsidiary or other affiliated company covered by our Privacy Shield certification, and the privacy policy explains the types of Personal Data we collect and for what purposes, the categories of third parties with which we share data and for what purposes, the rights of Data Subjects to access and correct their Personal Data and exercise choices over its use and disclosure, and how to contact us with questions or complaints. That privacy policy also covers Personal Data submitted by applicants who apply for employment positions through our website.

For those we employ, our employee privacy notice is distributed, and available through our Human Resources Department, to our employees, independent contractors, and temporary workers.  It describes the types of Personal Data we routinely collect and for what purposes, the categories of third parties with which we share data and for what purposes, the rights of Data Subjects to access and correct their Personal Data and exercise choices over its use and disclosure, and how to contact us with questions or complaints.  The same kinds of information are provided in privacy notices furnished in specific contexts, such as applications for employment and optional benefits or training programs.   

2. Choice

Apart from fulfilling our legal obligations and engaging agents to perform tasks on our behalf, we will inform you if we share Personal Data with a third party or use it for a new purpose materially different from that for which we originally collected it, or which you have or subsequently authorized, and we will give you a choice of opting out of such disclosure or new use.  However, if such a disclosure or new use involves Sensitive Personal Data, we will not proceed unless you “opt in” by giving us explicit consent.

3. Accountability for Onward Transfer

In the event we transfer Personal Data covered by this Policy to a third party acting as a Controller, we will do so consistent with any notice provided to Data Subjects and any consent they have given, and only subject to a contract with the third party providing that it will (i) process the Personal Data for limited and specified purposes consistent with any consent provided by the Data Subjects; (ii) provide the same level of protection as is required by the Privacy Shield Principles and notify us if it determines that it can no longer meet this obligation; and (iii) cease processing the Personal Data or take other reasonable and appropriate steps to remediate if it makes such a determination.  

When we transfer Personal Data to a third party acting as our agent rather than as a Controller, we will (i) permit the agent to process such Personal Data only for limited and specified purposes; (ii) require the agent to provide the same level of privacy protection as is required by the Privacy Shield Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with our obligations under the Privacy Shield Principles; and (iv) require the agent to notify us if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles.  Upon receiving such a notice from an agent, we will take reasonable and appropriate steps to stop and remediate unauthorized processing. 

We remain liable under the Privacy Shield Principles if an agent processes Personal Data covered by this Policy in a manner inconsistent with the Privacy Shield Principles, except where we can establish that we are not responsible for the event giving rise to the damage.

4. Security

We take reasonable and appropriate measures to protect Personal Data covered by this Policy from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.

5. Data Integrity and Purpose Limitation

We limit the collection of Personal Data covered by this Policy to information that is relevant for the purposes of processing, as described in our general or specific privacy notices.  We do not process such Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the Data Subject.

We take reasonable steps to ensure that such Personal Data is reliable for its intended use, accurate, complete, and current.  We take reasonable and appropriate measures to comply with the requirement under the Privacy Shield to retain Personal Data in identifiable form only for as long as is needed for the purposes for which it was collected or for which you subsequently authorized it, and additionally for as long as we are required to keep it because of legal obligations, professional accounting and audit standards, legal or insurance claims, or regulatory proceedings.  We adhere to the Privacy Shield Principles for as long as we retain such Personal Data.

6. Access

Data Subjects whose Personal Data is covered by this Policy have the right to access such Personal Data and to correct, amend, or delete such Personal Data if it is inaccurate or has been processed in violation of the Privacy Shield Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, or where the rights of persons other than the Data Subject would be violated).  Requests for access, correction, amendment, or deletion should be sent to: privacy@mgm.com.

As noted in our general privacy policy, we work with online analytics and advertising companies. The European Digital Advertising Alliance (“EDAA”) has developed a guide to online behavioral advertising and has developed an opt-out page for participating EDAA member companies available at www.YourOnlineChoices.com. You may also review our cookie policy for Stargate Command at cookie-policy.stargatecommand.co.

7. Recourse, Enforcement, and Liability

Our participation in the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework is subject to investigation and enforcement by the Federal Trade Commission.

In compliance with the Privacy Shield Principles, we commit to resolve complaints about your privacy and our collection or use of your Personal Data.  If you have questions or complaints regarding this Policy or our practices, you should first contact us at: privacy@mgm.com.

We have further committed to refer unresolved privacy complaints under the EU-US and Swiss-US Privacy Shield Frameworks to an independent dispute resolution provider located in the United States.  If you do not receive timely acknowledgement of your complaint from us, or if we have not resolved your complaint, please contact JAMS or visit www.jamsadr.com for more information or to file a complaint.  The services of JAMS are provided at no cost to you. 

We have further committed to cooperate with the panel established by the EEA data protection authorities or the Swiss Federal Data Protection Authority, as applicable, and comply with their advice with regard to human resources data transferred under this Policy in the context of the employment relationship.

Under certain conditions detailed in the Privacy Shield, Annex I, Data Subjects also may be able to invoke binding arbitration before the Privacy Shield Panel created by the US Department of Commerce and the European Commission.

We will periodically review and verify compliance with the Privacy Shield Principles and remedy any issues arising out of failure to comply with the Privacy Shield Principles.