Franchise systems regularly require an extensive exchange of information between franchisor and franchisee. If the information relates to an at least identifiable natural person, the transfer will most likely have to comply with applicable data protection laws.
The European Union’s General Data Protection Regulation (GDPR) applies to any franchisor or franchisee, who is either established in the EU/EEA or processes the personal data of EU citizens.
The data transfer between franchisor and franchisee requires a legal justification for the transfer under GDPR and that the data controller transferring the data to the recipient has informed the natural persons in compliance with Art. 13/14 GDPR. In case of a data transfer from the EU/EEA to a third country, the transferring entity must also ensure that the recipient has an adequate level of data protection.
In an ideal world, the franchisee would control the customer database operated by the franchisor. The franchisor would in this case process the personal data only as instructed by the franchisee. If such processing is based on a Commissioned Data Processing Agreement under Art. 28 GDPR, there is no further need for any additional legal justification. This concept works for general advice, billing and collection services or marketing services rendered by the franchisor to the franchisee.
Franchisors, however, are often interested in using the personal provided by the franchisee for their own purposes, e.g for the improvement of goods or services offered under the franchise system, or to gain intelligence on customer behaviour or customer preferences.
In any of these cases, the data transfer must be based on a statutory legal basis. Consent is not useful to justify a standard process because it can be withdrawn by the data subject at any given time without limitation. Provided that the personal data transferred from the franchisee to the franchisor does not qualify as a special category of personal data (as defined in Art. 9 GDPR), the transfer of personal data can be based on the legitimate interests of the franchisor (as defined in Art. 6 para 1 GDPR).
These interests will not be overridden by the interests or fundamental rights and freedoms of the data subject (in the meaning of Art. 6 para 1 GDPR), unless the personal data is used for direct marketing purposes by other members of the franchise system. Further, the personal data transferred must be ‘necessary’ in order to pursue their interests.
Qualification as ‘necessary’ requires that the processing of personal data is more than just ‘useful’, but not the only option. Franchisors and franchisees have to tailor their IT-systems to the fact that the data subject may object to the data transfer under Art. 21 para 1 GDPR. Unless the personal data is going to be used for direct marketing purposes, the objection to the processing of the personal data must be based on grounds relating to the particular situation of the data subject.
It is, therefore, safe to conclude that the GDPR does not stand in the way of a data transfer between franchisee and franchisor, provided that the data transfer occurs either under a Commissioned Data Processing Agreement in the meaning of Art. 28 GDPR, or is necessary to pursue the legitimate interests of the franchisor. Direct marketing via the franchisor, other than by regular letter mail, will regularly require the consent of the addressees.
This article is part of the IR Global Meet the Members Guide – Germany. To read the full publication, please click HERE