Franchisees often process personal data of customers. This personal data is also of interest to the franchisor. For example, a franchisor will want to use personal data for marketing campaigns or offering a loyalty program. In my practice, I get franchisors who ask: what may I do with the personal data collected by the franchisee? What the franchisor is allowed to do is determined by the agreements with the franchisees.
The General Data Protection Regulation (GDPR; AVG in Dutch) and the Dutch GDPR Implementation Act (UAVG) contain rules regarding the processing of personal data. Most obligations rest with the data controller. The controller determines the purposes of data processing. Third parties that process personal data on behalf of and at the instruction of the controller are the processors.
The division of roles may be different with each franchise formula. In most cases, the franchisor and franchisee are both data controllers. To determine what arrangements you should make, you should test whether there is independent or joint processing responsibility.
Independent controllers can independently determine how and why they process personal data. Consider a franchisee who decides for himself which systems he uses and how he processes personal data therein. A franchisor may offer an umbrella loyalty program and be an independent data controller for this.
Joint controllers jointly determine the purpose and means of data processing. It is not necessary that franchisor and franchisee have an equal share in this. Jointness is also assumed by the Court of Justice of the European Union (CJEU, see C-25/17 and C-210/16) when one party organizes, coordinates, encourages or facilitates through institutions the processing operations of the other party.
It is also possible for the franchisee or franchisor to be (partially) a processor. Think of the franchisee processing personal data on behalf of the franchisor for the loyalty program. Or consider a franchisor that provides and operates a system in which franchisees process personal data.
Finally, in practice the parties may have different roles for different processing operations. Those processing operations can then be distinguished from each other.
Which role parties have is essential for making the right agreements about the processing of personal data. Joint controllers are obliged under the AVG to make arrangements regarding (at least) informing data subjects and handling data subjects' requests. If the parties each qualify as an independent data controller, the AVG does not impose an obligation to make an arrangement. In practice, however, this will be necessary to comply with the obligations under the AVG. When there is (partly) a processor relationship, a processor agreement is mandatory.
Franchisors must document at least the following topics with respect to the processing of personal data:
The roles of the parties. Is there independent or joint processing responsibility or is there a (partial) processor relationship?
Personal data exchange. Record what personal data is exchanged, why, when and in what format. Agree that the franchisee will vouch for the personal data being accurate and lawfully obtained.
Information towards data subjects. The controller must inform customers (data subjects) about the data processing. Make agreements about who prepares the information and who provides the information to data subjects and how this is done.
Consent. Some data processing requires you to obtain consent. Often the franchisee has direct contact with the data subject. If so, agree that the franchisee will ask for consent on behalf of the franchisor. Record the manner in which the franchisee requests, records and discloses consent. This allows you to prove in retrospect that consent was lawful.
Data breaches. A data breach at a franchisee can cause (reputational) damage to the franchisor and to the other franchisees. Make sure you have agreements on how and when the franchisee informs the franchisor of a (suspected) data breach and what information to provide.
Data subject requests. Agree where a data subject can go to exercise their rights. These include the right of access, the right to rectification or the right to erasure. This can be arranged centrally with the franchisor, but also at the franchisee level.
Liability and indemnities. What happens when things go wrong? A data breach at one franchisee can result in fines and reputational damage to the franchise formula. This can also harm other franchisees, who hold the franchisor accountable for this. Agree with franchisees to obtain adequate insurance against damages from security incidents. Ensure that you can hold franchisees liable for damages you suffer. Agree that franchisees will indemnify you for third-party claims regarding data processing.