In a previous blog, I wrote about the topics that franchisors must include in the franchise agreement under the Dutch Franchise Act. Since the franchise agreement will be back on the drawing table, this is a great opportunity to make arrangements on the exchange of personal data.
Franchisees often process personal data of customers. These personal data are also of interest to the franchisor. Personal data may be of great value for the franchisor’s marketing campaigns or for offering a loyalty program.
Franchisors often ask me: how can I use the personal data collected by the franchisee? Arrangements with the franchisee are decisive for how the franchisor may further process personal data.
Assess the roles of the parties
The main rules on the processing of personal data are included in the General Data Protection Regulation (GDPR) and the Dutch GDPR Implementation Act. Most obligations are incumbent on the data controller. The data controller determines the means and purposes of the data processing. Third parties who process personal data on behalf of and on the instructions of the data controller qualify as data processors.
The division of roles can be different for each franchise formula. In most cases, the franchisor and the franchisee both qualify as data controllers. In order to determine which arrangements to make, you first need to assess whether the data controllers act independently or jointly.
Independent data controllers can individually determine how and why they process personal data. This may be the case when a franchisee decides independently which systems to use and how to process personal data within these systems. A franchisor can offer an overarching loyalty program for which it qualifies as independent data controller.
Joint data controllers determine the purpose and means of data processing in consultation. It is not necessary for the franchisor and franchisee to have an equal share in this. Joint data controllership has been adopted by the Court of Justice of the European Union (CJEU, see C-25/17 and C-210/16) in cases where one party organizes, coordinates or encourages the processing of personal data or enables this through settings.
It is also conceivable that the franchisee or the franchisor (partly) qualifies as a data processor. This can be the case when the franchisee processes personal data for the loyalty program on behalf of the franchisor, or when a franchisor offers and manages a system that franchisees use to process personal data.
Moreover, parties can have multiple roles. This may be the case when data processing activities of a different nature can be distinguished.
Which role parties have is essential for making the right arrangements about the processing of personal data. Joint data controllers are obliged under the GDPR to enter into agreements regarding (in any case) informing data subjects and handling data subjects’ requests. If parties qualify as independent data controllers, the GDPR does not require making specific arrangements. In practice, however, this will be necessary in order to comply with other obligations under the GDPR. If there is (partly) a data processor relationship, a data processing agreement is mandatory.
In any case, franchisors should include the following subjects in their arrangements on the processing of personal data:
- The roles of the parties. Is there an independent or joint data controller relationship or does a party (partly) qualify as a data processor?
- The exchange of personal data. Describe which personal data will be exchanged, why, when and in what format. The franchisee should ensure or guarantee that the personal data are correct and have been lawfully obtained.
- Information to data subjects. The data controller must inform the customers (data subjects) about the data processing activities. Make arrangements about who drafts such information and who provides the information to the data subjects and how this is effectuated.
- Consent. In some cases, consent of the data subject is required prior to the processing of personal data. In most cases, the franchisee has direct contact with the data subject. In such cases, parties can agree that the franchisee asks for consent on behalf of the franchisor. Make arrangements on how the franchisee obtains consent and that such consent will be recorded. The franchisor should be able to access records of consent in order to demonstrate the legal ground of the data processing.
- Data breaches. A data breach at a franchisee can cause (reputation) damage to the franchisor and to the other franchisees. Ensure that you make arrangements about how and when the franchisee informs the franchisor of a (suspected) data breach and what information the franchisee must provide.
- Data subjects’ requests. Make arrangements on how the data subjects can invoke their rights under the GDPR. Data subjects have, inter alia, the right of inspection, the right of rectification and the right to erase data. Parties can arrange that the franchisor handles data subjects’ requests or that these will be handled at the level of the franchisee.
- Liability and indemnities. What happens in case of non-compliance? A data breach at one franchisee can lead to fines and reputational damage to the franchise formula. This can also harm other franchisees, who may hold the franchisor liable. Agree with franchisees that they take out adequate insurance against damages resulting from security incidents. Make sure that you can hold franchisees liable for the damage you may suffer. Agree that franchisees will indemnify you against claims from third parties in relation to their data processing activities.
Want to know more?
Eva de Vries assists large franchisors in mapping out data flows and the division of responsibilities between franchisors and franchisees. Eva draws up agreements and negotiates them on behalf of franchisors. Would you like to know more? Please feel free to contact us.