How do I handle the GDPR within my franchise organization?
Many entrepreneurs have heard of the General Data Protection Regulation (GDPR). Since May 25, 2018, this binding regulation ensures that the same privacy legislation applies throughout the European Union (EU). This legislation also affects franchise organizations and the collaboration between franchisors and franchisees. This should be arranged in the franchise contract or a data processing agreement.
Processor or data controller?
The goal of the GDPR is to protect individuals' data. As a result, agreements must be made about how and by whom personal data is processed. Processing personal data includes all actions such as collecting, recording, storing, consulting, using, transmitting, and destroying. The franchise contract or a separate data processing agreement must specify who is the data controller and who is the processor. But what does this mean exactly?
Data controller: A natural or legal person (or a governmental agency, service, or other body) which alone or jointly with others determines the purposes and means of the processing of personal data.
Processor: A natural or legal person (or a governmental agency, service, or other body) which processes personal data on behalf of the data controller.
Franchisors and franchisees often work closely together to actively process personal data for marketing purposes. In such cases, both can opt to be jointly responsible. If the franchisee engages in little to no online marketing activities and this is organized centrally by the franchisor, it makes more sense for the franchisor to be the data controller and the franchisee to be the processor.
Who owns personal data under the GDPR?
The only owner of personal data is the individual to whom the data pertains. Legally, under the GDPR, neither a company nor a person can ever become the owner of a data file. The law therefore refers to responsibility rather than ownership. A data controller is a business that receives personal data from the consumer and independently determines how this data is used. A controller may only collect and process personal data on the basis of one of the following legal grounds:
- Consent of the individual concerned (also known as opt-in): This opt-in consent must be demonstrable afterward, and the individual must be able to withdraw it just as easily. This is legally the clearest and most frequently used legal basis.
- Performance of a contract: This concerns the parties entering into the contract, and only if it is indispensable for fulfilling the contract.
- Vital interests: Vital refers to matters affecting the person's life, such as in an accident. This ground is rarely, if ever, used or allowed to be used.
- Legal obligation: For example, invoices or payroll records that must be retained for seven years for the tax authority.
- Public interest: This is a ground mainly used by the government, for example for the Municipal Personal Records Database.
- Legitimate interest: This is primarily a balance of interests. The processing must be necessary for the legitimate interests of the data controller (or an associated processor), unless the privacy interests of the data subject outweigh it. Consider, for example, to what extent the individual could have expected the processing to take place and for what purpose. This interest can be used, for instance, to enable sales and direct marketing. Note that a data subject may always object to direct marketing, and such processing must then cease.
In franchise relationships, the first, second, fourth, or sixth ground is usually applicable. However, it is crucial to establish the legal ground in advance. You may not first collect the data and then find a legal basis for it. The data controller must also ensure that personal data is well-protected. They must clearly communicate in a privacy statement which data is used, for what purpose, and for how long it will be retained.
Personal data at the termination of the franchise relationship
When the franchise relationship is terminated, the data controller will be able to continue using the customer database. Who this is depends, as indicated above, on how the franchise organization is structured and what is stipulated in the franchise contract or the data processing agreement. This also impacts the value of the franchise business, both for the franchisee and the franchisor. Take, for example, a franchisee operating as a sole trader or general partnership who is designated as the processor, where the first ground (consent) is used: when that franchisee sells the business, the new franchisee can continue with the current customer database. This is because the franchisor is the ultimate controller of the personal data, and consent was given to that party. The franchisee is only the processor of the personal data and is simply replaced by a new processor.
In this situation (as a sole trader or general partnership using the first ground), if the franchisee were the data controller, the new franchisee would need to seek new consent from all individuals included in the customer database. This is because consent was originally given only to the franchisee selling the business, and as personal data cannot be owned, it also cannot be sold or transferred.
Avoid problems, arrange the GDPR between franchisor and franchisee
If the agreements regarding data protection are well-documented and implemented, they can contribute to the value of the franchisor's and franchisee's businesses. If they are not properly arranged, this could lead to significant penalties such as fines. This is all the more reason to ensure it is properly managed.