How do I deal with the GDPR within my franchise organization?
Many entrepreneurs have heard of the General Data Protection Regulation (GDPR). This binding regulation has ensured since May 25, 2018, that the same privacy legislation applies throughout the European Union (EU). This legislation also affects franchise organizations and thus the collaboration between franchisor and franchisee. This should be arranged in the franchise agreement or a data processing agreement.
Processor or controller?
The purpose of the GDPR is to protect individuals' data. This requires making agreements on how and by whom personal data will be processed. Processing of personal data includes all actions: collecting, recording, storing, consulting, using, transmitting, and destroying. The franchise agreement or a separate data processing agreement should specify who is the controller and who is the processor. But what does this mean exactly?
Controller: A natural or legal person (or a public authority, agency, or other body) that alone or jointly with others determines the purposes and means of processing personal data.
Processor: A natural or legal person (or a public authority, agency, or other body) that processes personal data on behalf of the controller.
Franchisors and franchisees often closely collaborate to actively process personal data for marketing purposes. In such a case, you can choose to be jointly responsible. If a franchisee carries out little to no online marketing activities and this is organized centrally by the franchisor, it is more logical for the franchisor to be the controller and the franchisee the processor.
Who owns personal data according to the GDPR?
The only owner of personal data is the individual it pertains to. Legally, under the GDPR, you can never become the owner of a data file. Therefore, the law refers to responsibility instead of ownership. A controller is a company that obtains personal data from the consumer and independently determines how it will be used. A controller may only acquire data based on a legal basis. You may only collect and process data based on one of these grounds:
- Consent of the data subject (also known as opt-in): This consent must be demonstrable afterward, and the individual must be able to revoke it just as easily. This is legally the clearest basis and also the most used one.
- Performance of a contract: This concerns the parties entering the contract, and only if it is indispensable for the performance of the contract.
- Vital interests: Vital means it concerns the person's life, such as in an accident. This basis can and may rarely be used.
- Legal obligation: Think, for example, of invoices or wage administration that you are required by the tax authorities to keep for seven years.
- Public interest: This is a ground mainly used by the government. For example, for the Basic Registration of Persons.
- Legitimate interest: This is primarily a balance of interests. The processing must be necessary for the legitimate interests of the controller (or an associated processor), unless the data subject's privacy interests outweigh this. You should, for example, consider whether the individual could reasonably expect the processing and for what purpose. This ground can be used to enable sales and direct marketing. Keep in mind that a data subject can always object to direct marketing, and the processing must then stop.
Within franchise relationships, the first, second, fourth, or sixth basis usually applies. However, it is important to determine the basis in advance. You are not allowed to collect data first and then look for a basis. The controller must also ensure that personal data is well protected. They clearly communicate in a privacy statement which data they use, for what purpose, and how long it will remain stored.
Personal data at the end of the franchise relationship
When the franchise relationship ends, the controller will be able to continue using the customer database. Who that is, as shown earlier, depends on how the franchise organization is structured and what is stipulated in the franchise contract or data processing agreement. This also affects the value of the franchise business, both for the franchisee and the franchisor. If a franchisee, who operates as a sole proprietorship or partnership, is designated as a processor using the first ground (consent) and sells their business, the new franchisee can continue with the current customer base. This is because the franchisor is ultimately responsible for the personal data and permission was given to that party. The franchisee is only the processor of the personal data, and a new processor simply replaces the old one.
If in this situation (with a sole proprietorship or partnership and using the first ground) the franchisee were the controller, the new franchisee would need to seek permission again from all individuals in the customer base. Permission was only granted to the selling franchisee, and since personal data cannot be owned, it may not be sold or transferred.
Avoid problems, arrange the GDPR between franchisor and franchisee
If the agreements on data protection are well documented and implemented, this can add value to the businesses of both the franchisor and the franchisee. If not well arranged, it can lead to significant sanctions such as fines. All the more reason to ensure it is properly arranged.