Franchisees beware of data breaches (at the franchisor)
In franchise relationships, the processing of, for example, customer data of the franchisee is often reserved for the franchisor. It is not inconceivable that a franchisee is nevertheless responsible for data breaches of such personal data at the franchisor.
The obligation to report data breaches has recently entered into force, as part of the expansion of the Personal Data Protection Act. Violation of the rules is subject to a fine regime. A fine may also follow if data leaks are properly reported.
According to the law, there is an obligation to report to the Dutch Data Protection Authority if there is a security incident. This could include the loss of a USB stick, theft of hardware or a hacker breaking into the automation system. There must also be a loss of personal data or a (suspected) unlawful processing thereof. Unlawful processing includes, among other things, adjusting and/or changing personal data and unauthorized access to, or disclosure thereof. This concerns, for example, usernames and passwords, work performance and financial data that could lead to damage to honor and good name, (identity) fraud, discrimination or, for example, financial damage.
Franchisees have often stored personal data of their employees, customers or prospects on the franchisor’s network. A franchisee may also be required to do so under the franchise agreement. For example, customer data can be an important resource for the franchisor to, for example, align their marketing strategy. In that context, a franchisor can be qualified as a so-called processor.
Despite the engagement of a processor, such as a franchisor, the franchisee remains responsible for proper compliance with the Personal Data Protection Act and therefore also the data breach notification obligation.
The franchisor is obliged to follow the instructions of the franchisee and to comply with the principles regarding the processing of personal data. This is, for example, the obligation of careful and proportionate processing and having a specific purpose and legal basis for the processing.
It is important to be aware of this issue when drafting and concluding franchise agreements. A careful provision about the method of processing, processing and storage of personal data is advisable. For example, it could be agreed that the franchisor indemnifies the franchisee against fines for any form of data breach that occurs at the franchisor.
mr. AW Dolphijn – Franchise lawyer
Ludwig & Van Dam Franchise attorneys, franchise legal advice.
Do you want to respond? Go to dolphijn@ludwigvandam.nl
Other messages
The manager (employee) who becomes a franchisee – fictitious employment?
On 14 December 2016, the subdistrict court judge of the District Court of Noord-Holland, ECLI:NL:RBNHO:2016:11031 (Employee/Espresso Lounge), considered the situation in which an employee
The Supreme Court sets strict requirements for franchise forecasts
A ruling by the Supreme Court on Friday casts a new light on the provision of profit and turnover forecasts to aspiring franchisees.
Infringement of exclusive service area by franchisor in connection with formula change dated February 27, 2017
On 30 January 2017, the provisional relief judge of the District Court of Noord-Holland, ECLI:NL:RBNHO:2017:688 (Intertoys/franchisee), was asked how to deal with the
Forecasts at startup franchise formula
The Amsterdam Court of Appeal ruled on 14 February 2017, ECLI:NL:GHAMS:2017:455 (Tot Straks/franchisee) on the question whether the franchisor had provided an unsatisfactory prognosis and whether the
Mandatory transfer of franchise business to franchisor?
On January 23, 2017, the District Court of Amsterdam, ECLI:NL:RBAMS:2017:412 (CoffeeCompany/Dam Spirit BV) rendered a judgment on the question whether a franchisee upon termination of the cooperation
Transfer customer data to franchisor
In its judgment of 10 January 2017, ECLI:NL:GHAMS:2017:68 (OnlineAccountants.nl), the Amsterdam Court ruled, among other things, on the question of how customer data should be transferred.