Although it has applied since 25 May 2018, compliance with the GDPR remains a challenge for many businesses, and franchise networks in particular. Commercial collaboration of this kind inherently involves the processing of personal data to which the GDPR applies, whether customer, staff or supplier data.
Customers’ personal data is of significant commercial value to both franchisor and franchisee and is often collected on a large scale. Customer data may include contact details, payment and payment card data, geolocation information, purchasing trends and so on. Combined with analytics, statistical software or algorithms, customer data can be used, amongst other things, to build personalised loyalty programmes, to better identify customer interests and to develop new products.
Such processing of customer data offers clear benefits, but it is not without risk in terms of GDPR compliance.
First and foremost, national supervisory authorities can sanction breaches of the most important provisions of the GDPR with administrative fines of up to 20 million euros or up to 4% of total worldwide annual turnover, whichever is higher. The Belgian Data Protection Authority (the “APD/GBA”) has already imposed fines ranging from 30,000 euros (Decision 77/2023) to 100,000 euros (Decision 56/2021). Beyond the risk of significant monetary penalties, failure to comply with data protection and privacy rules can tarnish the reputation of the entire franchise network.
Franchise networks: the role of each party with regard to the GDPR
The first step to GDPR compliance is to identify the data controller: the data controller has responsibility for compliance and must demonstrate that its activities comply with the GDPR (articles 5.2[1] and 24[2] of the GDPR).[3] Identifying the controller (or joint controllers) is therefore crucial in a franchise network, where there are generally many players. In practice we have noticed a great deal of confusion on this subject.
How do you identify the data controller or joint data controllers in a franchise network? Under the GDPR, the controller is the person (whether a legal entity, natural person or any other body) who determines the purposes and means of the processing (Article 4.7 of the GDPR). Two or more persons are joint controllers when they jointly determine the purposes and means of the processing (Article 26 of the GDPR). The processor is the party who processes the data on behalf of, and on the instructions of, the controller (Article 4.8 of the GDPR).
There is therefore no ready-made answer to identifying the data controller(s) that is appropriate to all franchise networks. The concept of data controller is a functional one, and the GDPR requires the data controller(s) to be identified on the basis of factual elements. It is therefore not possible to assert that all franchisors are data controllers, and all franchisees are data processors (or vice versa).
Nor is it possible to impose the role of ‘controller’ by contract when the criteria are not actually met by the person designated as controller. The parties must therefore carry out a case-by-case analysis.
The first criterion is to ask who has decision-making power or influence over the data processing. In other words: who initiated the processing, and why is the data being processed?
Example 1: A distribution network is planning to develop new products or services. To do this, it would like statistics on the customers of its brand(s). It provides all its franchisees with a questionnaire to be completed by their customers, together with instructions on the information to be collected. Each franchisee then carries out the survey and sends the statistical results to the head of the network (the franchisor). The data processing involved here is the collection of personal data and the production of statistical evaluations from the data collected. The statistical results may be presented as pseudonymised or anonymised data. In such a case, although the franchisor receives only statistical data and no personal data as such, it is still responsible for the processing carried out to perform the analyses: it was the franchisor who determined the purpose and means of this processing and instructed its franchisees what processing was to be carried out. The fact that the franchisor has no access to the underlying personal data is not decisive as regards its responsibility as controller.[4]
The second criterion concerns the object of that decision-making power: who determines the purposes and means of the processing? The purposes and means refer respectively to the “why” and the “how” of the processing operation.[5] There is also a hierarchy between purposes and means: determining the purpose automatically qualifies the person or entity concerned as a controller, whereas a processor retains some operational flexibility in choosing how to implement the processing.
Third, however, the processor’s room for manoeuvre is not unlimited. A party that determines the essential elements of the processing will also be qualified as a controller. In general, the purpose, the categories of data and the storage period are considered essential elements of the processing, while the choice of software, hardware and specific security measures are non-essential elements that may be left to the processor.
Example 2: In a franchise network, the franchisor provides its franchisees with access to a database tool designed to collect and store data on the brand’s customers. Although the database is hosted on the franchisor’s servers, each franchisee enters its own customers’ data in the database for its own purposes, and independently decides how long to keep the customer data and how to access, rectify and delete it. A franchisee may not access or use the data of other franchisees, and the franchisor cannot access the data entered by the franchisees. In such a case, the franchisor is a processor for all the franchisees, since it has merely provided non-essential means, i.e. an IT tool whose use is left to the franchisees, while each franchisee is a controller independently responsible for the use it makes of the database. The determining factor here is the independence of the franchisees in choosing the purpose, the types of data and the characteristics of the processing.
The same party may have two different roles: a franchisee may process data on behalf of the franchisor, as a processor, and may also, outside the franchisor’s instructions and for its own purposes, process data as a controller. A party cannot, however, hold both roles for the same processing operation.
Example 3: In Example 1 above, the franchisees are processors for the data analysis. However, the franchisees could also have collected the same data from their customers for purposes of their own, unrelated to the franchisor’s analysis, such as setting up their own loyalty scheme. In that case, each franchisee would be the controller for the processing linked to its own loyalty scheme.
The criteria set out must also be analysed in the light of other factors, such as the negotiating power of each party, the degree of independence of franchisees, the content of the contractual obligations in the franchise agreement, etc.
To sum up, in order to protect the data of the entire network, a prudent franchisor will map the data flows circulating within its network (taking future projects into account) and, given the complexity of the allocation of responsibilities illustrated above, will have every interest in putting in place the measures needed to comply with the GDPR. Otherwise the entire network will be navigating blind and exposed to GDPR compliance risk.
Some points of attention and recommendations for franchise networks
Written agreements between controllers and processors
Where a processor is involved, Article 28 of the GDPR requires the processing to be governed by a written contract between the controller and the processor. The purpose of this contract is to define the obligations and rights of each party and to set out the mandatory terms listed in Article 28.3 of the GDPR (subject matter, duration, nature and purpose of the processing, types of data, categories of data subjects, and the processor’s obligations, including confidentiality, security, sub-processing, assistance and deletion or return of the data).
As we have already seen, the same party may fulfil different roles for different purposes. Given the multiplicity of players and activities in a franchise network, this obligation can therefore prove difficult to implement and to comply with.
Given the contractual relationship between them, a franchisor, where it is the controller (and also out of concern for the reputation of its network), should ensure that its franchisees comply with the GDPR. To do this, it is strongly recommended that the franchise agreement set out the reciprocal obligations of franchisee and franchisor. In practice, guidelines are included in a separate appendix to the franchise agreement, but all too often the respective roles of each party are not sufficiently specified. Where a franchisee acts as a processor, the mere existence of a general compliance clause is not enough to relieve the franchisor of its responsibilities as controller in the event of a GDPR breach: the franchisor still has to give effect to the clause, effectively monitor the actions of its processors and take the necessary safeguards.
GDPR-compliant support from the franchisor
A franchise contract generally requires the franchisor to assist its franchisees by providing technical tools. The franchisor may offer its franchisees GDPR-compliant IT tools (respecting the data minimisation principle, for example), and also compliance tools (model data protection documentation, audit, risk impact analysis, procedure for responding to requests from data subjects, register of processing activities, etc.).
The franchisor could also offer its franchisees the services of a Data Protection Officer (DPO) as a form of assistance. However, making an internal DPO (i.e. a member of staff or employee of the franchisor) available to franchisees could prove problematic. A DPO must be able to act independently and without any conflict of interest with the duties he or she carries out for the franchisor (Article 38 of the GDPR). To ensure that franchisees receive the most appropriate advice, free from any conflict of interest, we suggest calling on the services of an external DPO.
Respect for the rights of data subjects
Under the GDPR, data subjects have a number of rights that they exercise by addressing the controller: the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object, and the right not to be subject to solely automated decision-making, including profiling (Articles 15 to 22 of the GDPR). Processors are obliged to assist the controller in responding to data subjects.
In a franchise network, customers are likely to exercise their rights directly through franchisees, often without the franchisor’s knowledge. It will therefore be up to the franchisor to set up procedures with its franchisees, so that requests made by customers – relating to processing for which the franchisor is responsible – are forwarded to it in good time.
The controller also has a duty to provide data subjects with information (Articles 13 and 14 of the GDPR) and to facilitate the exercise of data subjects’ rights (Article 12.2 of the GDPR). These duties include the obligation to clearly inform data subjects of the identity of the controller, so that they can exercise their rights effectively. As franchisees are generally in direct contact with customers, the franchisor could require them to provide customers with the information required by the GDPR. The franchisor should also ensure that it communicates this information through its own website(s) and by any other appropriate means.
The importance of valid consent
It may happen that the franchisor and its franchisees share the same customer database and that this database is used for direct marketing purposes by the franchisor and/or the franchisee.
In practice, direct marketing is generally based on either the customer’s consent or the legitimate interests of the controller.[6] Although the GDPR establishes no hierarchy between the permitted legal bases, many companies rely on consent to carry out advertising campaigns.
Consequently, all parties in a franchise network should be careful about how they process customer data for direct marketing purposes, particularly when they rely on customer consent. If the franchisor or a franchisee does not comply with the rules on informed consent when collecting the data, the consent is not valid, and any franchisor or franchisee using that data is likely to be in breach of the GDPR. As a reminder, consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative act (Article 4.11 of the GDPR). The controller must also be able to demonstrate that the data subject has consented (Article 7.1 of the GDPR).
Since it may be burdensome and impractical to obtain consent from each and every customer, relying on a legal basis other than consent may often be more efficient.[7]
Clearly, compliance with the GDPR can be a challenging exercise in a franchise network. It is therefore important for each franchise network to have a good understanding of the data flows within the network, to regularly update its contractual arrangements and, above all, to set up a system for issuing alerts, receiving and handling complaints, and monitoring and evaluating the actions of franchisees. The sanctions imposed by the APD/GBA and the risk of damage to the network’s reputation should encourage franchisors to keep the subject under review and to maintain their efforts to raise awareness of this important area.
***
[1] The data controller should be able to demonstrate compliance with the fundamental principles of data protection.
[2] The data controller should implement appropriate technical and organisational measures to ensure and should be able to demonstrate that processing is performed in accordance with GDPR.
[3] On the respective roles of controller and processor, see in particular the EDPB’s Guidelines 07/2020 on the concepts of controller and processor in the GDPR, version 2.0, adopted on 7 July 2021, available at edpb_guidelines_202007_controllerprocessor_final_en.pdf (europa.eu).
[4] CJEU, Wirtschaftsakademie judgment, C-210/16, ECLI:EU:C:2018:388, § 38; CJEU, Jehovah’s witnesses judgment, C-25/17, ECLI:EU:C:2018:551, § 69.
[5] Opinion of Advocate General Bot in Wirtschaftsakademie, C-210/16, ECLI:EU:C:2017:796, § 46.
[6] For information on direct marketing and the legal bases that may be accepted, see Legal bases for your direct marketing processing operations | Data Protection Authority (autoriteprotectiondonnees.be)
[7] It will be recalled that, under certain conditions, the consent of existing customers is not required for sending direct marketing e-mails. These conditions include that the e-mail address was obtained directly from the customer in the context of the sale of a product or service and that the marketing concerns similar products or services of the same company. This is the so-called ‘soft opt-in’, an exception to the principle of prior consent for sending marketing e-mails. The APD/GBA explained the limits of the soft opt-in in its Decision 117/2022 of 26 July 2022, which is available in Dutch.