Franchise and privacy

Franchise organisations collect a lot of data from their customers. Often this even happens unnoticed. When customers order products through a web shop, subscribe to a newsletter or to offers, apply for a loyalty card or make a reservation, they are invariably asked for data such as name, sex, age and (e-mail) address. All these data are often exchanged between the franchisor and the franchisee and are used for a variety of purposes. For example, a customer base can be created, the product range may be tailored to the consumers' preferences and personalised offers can be made.

It is important that all these data are collected and processed properly. Both the franchisor and the franchisee must comply with data protection laws and regulations. The most important regulations can be found in the General Data Protection Regulation (hereinafter: GDPR).

The GDPR not only strengthens and extends the rights of those whose data are processed, but also brings more responsibilities for organisations. If an organisation does not comply with the regulations, this may have far-reaching consequences. Under the GDPR, the regulator has the possibility to impose fines of up to EUR 20 million.

Below, a few important points of attention regarding the processing of personal data under the GDPR are explained.


Processing of personal data

The purpose of the GDPR is to protect natural persons. As soon as personal data of natural persons are collected, stored or otherwise used (in GDPR terms: processed), the GDPR applies. Personal data means all information relating to an identified or identifiable natural person. This definition is interpreted broadly and inter alia includes the name, identification number, residential address, e-mail address, IP address, telephone number and date of birth.

Given the broad definition of both the term "processing" and the term "personal data", the processing of personal data within the meaning of the GDPR is a common phenomenon. Most franchisors and franchisees also process personal data, regardless of whether they run fashion shops, hotels, restaurants, fitness centres or supermarkets. Every franchisor and franchisee will at least have a database containing data of their customers.


Controller or processor?

Franchisors and franchisees can be data controllers, processors or joint controllers. This distinction is important, because under the GDPR it is the controller that is responsible for compliance.

The data controller is the party that alone or together with others determines the purpose and the means of the data processing. The processor is the party that processes the personal data on behalf of the controller. This distinction looks simple on paper, but in practice it is not always easy to determine who plays which role. After all, in reality the franchisor and the franchisee often work closely together and both process personal data.

The franchisor and the franchisee would be wise to agree on arrangements regarding the processing of personal data and to set them down in writing. If the franchisor is the data controller and the franchisee is the data processor, they should conclude a processing agreement. If both the franchisor and the franchisee are regarded as data controllers and are therefore joint controllers, they must make arrangements regarding their respective responsibilities for compliance with the GDPR.


Principles of processing

The processing of personal data is governed by a number of rules. A few of them are briefly listed below. Firstly, the GDPR prescribes that personal data may be processed only in a way that is lawful, fair and transparent. Personal data may be collected and processed only for specified, explicit and legitimate purposes, on the basis of consent or because the processing is necessary. In addition, the processing should remain confined to what is necessary for the purposes for which the data are processed. The controller should also ensure that incorrect personal data are rectified or erased. Furthermore, personal data should not be kept longer than is strictly necessary. Finally, the persons whose personal data are processed must always be fully informed about the processing.



The GDPR requires that the data controller can demonstrate that the GDPR is complied with. The data controller must be able to demonstrate, by means of documents, that it has taken the appropriate organisational and technical measures to comply with the GDPR. For example, the data controller must have a security policy and must have drawn up a processing register and a data breach protocol. In some cases, carrying out a Data Protection Impact Assessment (DPIA) is mandatory. In addition, some organisations must appoint a Data Protection Officer (DPO).



The GDPR contains many obligations that may apply to both the franchisor and the franchisee. Only a few of them have been briefly touched upon above. Franchisors and franchisees would be well advised to carefully map out the processing of personal data and to make sure that they act in line with the GDPR. In so doing, it is advisable to call in the help of a privacy expert.