Is a Belocal franchisee required to adopt data protection and security policies?

According to Belocal's 2025 Franchise Disclosure Document, franchisees are required to comply with and, if applicable, adopt data protection and security policies. These policies, detailed in the Franchise Brand Standards Manual, govern the collection, use, storage, processing, sharing, or destruction of Franchised Business Data and Personal Information. Belocal has the right to create, supplement, modify, or amend these Data Protection and Security Policies, and franchisees must comply with these changes within 30 days of notice. Belocal may also require franchisees to implement a data privacy policy for their franchised business, but franchisees cannot publish, disseminate, implement, revise, or rescind any data privacy policy without Belocal's prior written consent.

Belocal franchisees must also comply with all applicable industry standards concerning privacy, data protection, confidentiality, and information security, including the Payment Card Industry Data Security Standard (PCI-DSS). They must adhere to mandatory Data Protection and Security Policies and all international, federal, state, and local laws, rules, and regulations related to the privacy, confidentiality, security, management, disclosure, reporting, and use of Personal Information (Privacy Laws). Franchisees are responsible for obtaining consent for the collection, use, storage, processing, and sharing of Personal Information as required by Privacy Laws or Data Protection and Security Policies, and must retain copies of these consents.

Franchisees must comply with Data Protection and Security Policies and Privacy Laws regarding individuals exercising their rights under Privacy Laws. They must also cooperate with Belocal to provide information on how Personal Information has been handled. Franchisees are prohibited from collecting, using, storing, processing, or sharing Personal Information unless permitted by the franchise agreement, Data Protection and Security Policies, the Franchise Brand Standards Manual, Privacy Laws, or with Belocal's written approval. Personal Information can only be used for operating the Franchised Business, and franchisees are prohibited from selling or re-identifying de-identified Personal Information. If a franchisee uses a vendor that handles Personal Information, the vendor must be contractually bound to data protection obligations required by Belocal.

If a Belocal franchisee experiences a security breach involving Personal Information, they must immediately notify Belocal and cooperate to investigate and remedy the issue. Franchisees cannot publicly disclose any unauthorized access or breach unless Belocal authorizes the notice and its form in writing. Franchisees are responsible for reimbursing Belocal for all reasonable Notification and Remediation Related Costs resulting from a Security Breach caused directly or indirectly by the franchisee, its principals, or its independent staff. These costs include notifications, communications, call center services, IT consultants, public relations, legal and accounting fees, and credit reporting services.