The policy authorizes transfer of personal information to Walt Disney Family of Companies entities and third parties located anywhere in the world, stating that standard contractual clauses, consent, or other lawful transfer mechanisms will be used where applicable.
This analysis describes what Disney+'s agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes the legal transfer mechanisms Disney intends to rely upon for cross-border personal information flows, specifically naming standard contractual clauses (SCCs) and consent as mechanisms, which are recognized under GDPR and UK GDPR for transfers to non-adequate third countries. The adequacy of the transfer mechanisms in practice depends on operational implementation and destination country context.
Interpretive note: The specific transfer mechanisms applied to particular cross-border data flows are not identified in the policy, and the reference to 'other lawful means' requires operational context to assess adequacy under applicable law.
Under this clause, personal information may be transferred to and processed in countries outside the user's country of residence, including countries that may not have equivalent data protection frameworks, with Disney stating it will apply standard contractual clauses, consent, or other lawful transfer mechanisms to safeguard the information.
Cross-platform context
See how other platforms handle Global Data Transfer and Cross-Border Processing and similar clauses.
Compare across platforms →Monitoring
Disney+ has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We operate globally and may transfer your personal information to individual companies of The Walt Disney Family of Companies or third parties in locations around the world for the purposes described in this privacy policy. Wherever your personal information is transferred, stored or processed by us, we will take reasonable steps to safeguard the privacy of your personal information. These steps may include implementing standard contractual clauses where recognized by law, obtaining your consent, or other lawful means of transferring personal information.— Excerpt from Disney+'s Walt Disney Company Privacy Policy
1) REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V (transfers to third countries), UK GDPR transfer requirements, and Brazil's LGPD transfer provisions. The use of standard contractual clauses is the predominant mechanism for EU/UK to non-adequate country transfers following the Schrems II ruling. The policy's reference to 'other lawful means' introduces interpretive flexibility that should be evaluated for adequacy under applicable law. 2) GOVERNANCE EXPOSURE: Medium. The policy discloses cross-border transfer mechanisms at a high level without specifying destination countries, receiving entities, or which transfer mechanism applies in which context. GDPR requires that data subjects be informed of appropriate safeguards for transfers, and the generality of the policy language may require supplementation in jurisdiction-specific notices. 3) JURISDICTION FLAGS: EU and UK users present the highest exposure, as GDPR and UK GDPR impose strict requirements on transfers to non-adequate third countries, including the US. Brazilian users are subject to LGPD transfer requirements. The policy's disclosure of SCCs as a potential mechanism is consistent with current EU practice, but operational verification of SCC execution with specific receiving entities is required. 4) CONTRACT AND VENDOR IMPLICATIONS: Organizations subject to GDPR or UK GDPR that rely on Disney as a data processor or joint controller should confirm that executed SCCs or other adequate transfer mechanisms are in place for data flows from EU/UK to US Disney entities. The reference to transfers to third parties, in addition to Walt Disney Family of Companies entities, indicates that vendor-level SCC execution is also required. 5) COMPLIANCE CONSIDERATIONS: Legal teams should request confirmation of which transfer mechanism applies to which cross-border data flow, particularly for EU-to-US transfers involving Disney DTC LLC. A transfer impact assessment may be required under GDPR for transfers to the US under current EU guidance. The adequacy of 'other lawful means' referenced in the policy should be evaluated against the specific transfer context.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes the legal transfer mechanisms Disney intends to rely upon for cross-border personal information flows, specifically naming standard contractual clauses (SCCs) and consent as mechanisms, which are recognized under GDPR and UK GDPR for transfers to non-adequate third countries. The adequacy of the transfer mechanisms in practice depends on operational implementation and destination country context.
Under this clause, personal information may be transferred to and processed in countries outside the user's country of residence, including countries that may not have equivalent data protection frameworks, with Disney stating it will apply standard contractual clauses, consent, or other lawful transfer mechanisms to safeguard the information.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Disney+.