The Regulation (EU) 2016/679 is one of the most complex regulation in the field of personal data protection. The purpose of this European regulation is to explain in a complete and concrete manner the rights of each person regarding their personal data and the obligations of any entity involved in any form of processing of these data.
The GDPR has a general applicability to any activity, whether economic or otherwise, involving the processing of personal data of any citizen or resident within the EU. Thus, the provisions of this regulation apply in exactly the same measure as they do in any other field. The importance of good compliance with the provisions of the GDPR is twofold.
Obligations of the Data Controller (Franchisor or Franchisee) According to GDPR Provisions
Starting from the premise that the Franchisor will be the data controller, or joint controller with the Franchisee, several obligations fall upon them, which will be detailed in various categories in the following lines.
Transparency in Data Processing and Respecting Consent
The concept of transparency is somewhat abstract, but in simple terms, it refers to the entity's prior obligation to inform clients about the purpose for which personal data will be processed, for how long, and in what form (e.g., whether it will be integrated into an automated process or processed by a human).
These explanations are usually found in the generic section called "privacy policy". The recommendation would be for this section to appear to the user before they provide any personal data and to be integrated into every stage where the user will need to input their personal data, so they cannot claim ignorance of what personal data will be processed, for what reasons, in what form, by whom, and for how long.
Data Minimization and Purpose Limitation
Given the sensitivity of personal data, the considerable number of obligations that arise when any entity comes into contact with these data, and the risks that can occur in non-compliant processing, it's important to conduct a cost-opportunity analysis when deciding to start a process of collecting and processing personal data.
Thus, is essential for any franchisor/ franchisee to establish both for themselves and for any beneficiary or third party with whom they come into contact, a strategy to reduce the amount of data collected to the minimum necessary for achieving the purpose and limiting the purposes for which the data are collected and processed strictly to those essential to the economic activity.
Security Measures and Data Protection
In an increasingly digitalized world, the need for privacy protection is more important than ever. Considering that you come into direct contact with data directly linked to the very existence of customers, the risks that can occur in case of a data breach or data theft are unimaginable, both from a public image and financial perspective.
Therefore, it is imperative that at the time of signing a franchise agreement, a series of data protection measures be established, both from a perspective of technical equipment used and operating systems, as well as the procedures that each franchisee must follow.
It is of utmost importance to create a highly secure IT framework and careful train the staff who will come into direct contact with personal data. For an added layer of precaution, the access to these data must be limited to the minimum necessary for the safe and efficient conduct of the process.
Rights of Individuals Regarding Their Personal Data
According to the GDPR, specifically Articles 12 to 23, individuals whose data are processed have a range of rights. In addition to the information already presented in the previous paragraphs, we wish to emphasize the importance of the following rights, without making a distinction in importance between them, as it is the responsibility of the entity in question to equally and simultaneously respect all the rights conferred on individuals by the regulation. This list is illustrative and not exhaustive, and it is recommended to carefully read the previously mentioned provisions for a good and complete understanding of all entities that are in the position of data controller.
Right to be Informed and Access: According to the regulation, every individual has the right to be informed about what data are stored and processed about them and to have access to these data whenever they wish. Thus, the entity in the position of data controller should provide the possibility for interested individuals to request these data and to communicate any complaints regarding the violation of other rights via email, through a form, or via any other form of communication.
Right to Rectification: Individuals have the opportunity to request the rectification of any data that are not in conformity with the reality of the user.
Right to Erasure ('Right to be Forgotten'): This is the way in which any interested individual can ask entities that hold access to personal data of a person to delete these data. However, fulfilling this obligation takes into account several aspects detailed in Article 17 of the regulation.
Right to Restrict Processing: Refers to the possibility for interested individuals to request the limitation of data processing by the holder in certain situations expressly provided by the regulation.
Right to Data Portability: Imposes the obligation on the data controller to transfer data at the request of the interested individual to another entity. This right is commonly exercised, for example, when the individual chooses to change their telephone or television operator.
Data Breaches and the Obligation to Notify
Such an incident is always extremely unpleasant and can cause many problems if not treated with utmost seriousness. In such a situation, it is essential that the franchisor has previously appointed a person responsible for the protection of personal data (Data Protection Officer or DPO) who can draft a procedure for such situations that can signal such an incident and perhaps most importantly, communicate with the National Authority for the Supervision of Personal Data Processing about such an incident in a timely manner. The European Commission has drafted a comprehensive guide on how to approach such a situation, which can be found here.
Recommendations for Franchisors and Franchisees from a GDPR Perspective
I. Executing a Data Processing Agreement
The DPA is a vital tool for good collaboration between the franchisor and the franchisee regarding legal relations involving the processing of personal data. In such an agreement, the obligations of the entity that is the data controller, or the joint controllers are explained in detail, including the purpose for which the personal data will be processed by the responsible entity, the limits and the period during which they will be processed, and who is responsible for a possible data leak.
II. Best Practices Within the Franchise Network. Regular checks
Depending on the complexity of the data processing activities in the franchise network, it is important that regular checks be carried out within the network by a DPO or a specialized firm to verify compliance with the regulation's provisions throughout the entire franchise network. This is vital both to ensure a good reputation from this point of view and to benefit from a holistic perspective on the efficiency of the system and rules integrated into the network.
Conclusions
Personal data can be a key resource in the development of any business, providing commercial entities with a better understanding of consumers, thereby adapting products and services to market needs. However, with great gains come inherent risks. Therefore, to avoid the appearance of these risks and bearing the consequent consequences, it is highly recommended, we might even say imperatively necessary, to invest in a good strategy for protecting personal data, both from an IT and legal perspective, a strategy that you promote along with the business model that you wish to promote or take over. This involves a rather careful analysis of certain provisions of the GDPR, consultation with experts in the field of personal data protection, and a high sense of prudence.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
