Franchisors (and franchisees) that control and/or process the data of individuals within the European Union should be aware of the General Data Protection Regulation (“GDPR”) and take affirmative steps to prepare for its imminent roll-out. The GDPR requires businesses to, among other things, implement strict measures to protect the personal data and privacy of EU residents. Failure to comply with the GDPR may result in significant fines and open noncompliant companies to class action lawsuits. Billed as a landmark global standard for data protection and privacy, the GDPR will likely apply to any company that conducts business in Europe and/or collects or processes the personal data of residents of the EU member states, irrespective of where in the world the company is located.

The GDPR was approved by the European Parliament on April 14, 2016, with enforcement to begin on May 25, 2018. Once effective, it will replace the EU Data Directive. Unlike its predecessor, the GDPR does not require EU member states to pass any enabling legislation. Therefore, it is directly binding and applicable to businesses subject to the law. Several of the more significant features of the GDPR are highlighted below in the context of customer transactions:

  • Wide Scope. The GDPR will apply to and impose new obligations on “data controllers” – persons or entities that determine the purpose, conditions, and means of processing personal data – and “data processors” – persons or entities that process personal data on behalf of the data controller. Under the GDPR, non-EU based franchisors and franchisees, and the third party companies they use to process this data, could be deemed data controllers and/or data processors to the extent they collect, maintain, and share data related to EU customers including, for example, vis-à-vis customer analytics data and customer loyalty programs.
  • Consent. The GDPR contains more stringent rules regarding the quality of consent that companies must obtain from customers. For businesses, customer consent must be given by a statement or a clear affirmative action, and the data controller must be able to show that the consent was given. The customer must be able to withdraw his or her consent easily and at any time. Moreover, companies must obtain express consent from customers to share their personal data with third parties. They must also notify those third parties about any changes to the customer’s consent.
  • Customer Access to Data and Privacy Notices. Data controllers must readily provide any information they possess on a customer, free of charge, and within one month of the customer’s request for the information. They must also follow and adhere to rules which mandate that data controllers delete or allow customers to delete their information on request. The GDPR also strengthens current requirements regarding the content of privacy notices to customers about how their personal data will be processed.
  • Data Protection Officers. Certain types of data controllers or data processors must appoint or hire one or more “data protection officers” where data processing is a core activity and where sensitive data is processed on a large scale.
  • Data Breach Notification. Data controllers must notify the competent supervisory authority of a data breach without undue delay and, in most instances, no later than 72 hours after discovery of the breach. If more than 72 hours elapse from the discovery of the breach to the notification, the notification must indicate the reason for the delay. If the breach is likely to result in a high risk to the rights and freedoms of customers, the data controller must also inform the customers subject to the breach without undue delay, unless an exception applies. Data processors must notify data controllers without undue delay after becoming aware of the breach. Notably, the GDPR fails to define high risk in this context.
  • Cross Border Transfers Still Restricted. Under the current EU Data Directive, the transfer of personal data to a location outside the EU remains restricted, unless the company adheres to the EU-US Privacy Shield and/or other applicable data protection and privacy rules.
  • Fines for Noncompliance and Potential Suits. The GDPR allows new fines and penalties for potential violations. For example, fines for violations of certain requirements, such as those for consent or cross border data transfer restrictions, can be up to the greater of 20 million Euros or four percent of a company’s total worldwide annual turnover for the preceding fiscal year. Other violations may result in fines up to the greater of 10 million Euros or two percent of the company’s turnover. Customers also have the right to participate in class action lawsuits and seek judicial relief against noncompliant data controllers and data processors.