Is a Carls franchisee required to comply with CJR's data privacy and security policies?

Carls Franchise · 2024 FDD

Answer from 2024 FDD Document

Franchisee must comply with all laws and regulations relating to data protection, privacy and security, including data breach response requirements ("Privacy Law(s)"), as well as data privacy and security policies, procedures and other requirements CJR may periodically establish. Franchisee must maintain reasonable, appropriate, and effective security controls to preserve the security, integrity, availability, confidentiality, and resilience of Consumer Information. Franchisee must notify CJR immediately of any suspected data breach at or in connection with the Franchised Restaurant or the business operated at the Franchised Restaurant. Franchisee must fully cooperate with CJR and its counsel in determining the most effective way to meet CJR's standards and policies pertaining to Privacy Laws, including those governing notification of a data breach. Franchisee is responsible for any financial losses it incurs or remedial actions that it must take as a result of breach of security or unauthorized access to Consumer Information in Franchisee's control or possession.

Franchisee agrees to utilize administrative, physical, and technical safeguards designed to protect systems and data from unauthorized access, disclosure, acquisition, destruction, use, or modification that are consistent with industry standards and best practices. Franchisee further agrees to adhere to any applicable law relating to data security. In the event of a suspected or actual data breach, Franchisee will notify CJR within 24 hours of becoming aware of the actual or suspected data breach and provide timely updates and information when requested by CJR. Franchisee will comply with industry standards and best practices regarding breach reporting and notification obligations and take all necessary and appropriate corrective action to remedy the data breach, prevent a recurrence of such a breach, and avoid and/or prevent any further loss or damage arising from the data breach.

Franchisee shall accept debit cards, credit cards, stored value gift cards or other non-cash payment systems specified by CJR to enable customers to purchase authorized products and shall obtain all necessary hardware and/or software used in connection with these non-cash payment systems. At all times, Franchisee must maintain relationships with all issuers or service providers that CJR designates as mandatory, and Franchisee must refrain from using any services or providers that CJR has not approved in writing or that CJR has revoked its approval. CJR may modify its requirements and designate additional approved or required methods of payment and vendors for processing such payment. Franchisee shall reimburse CJR for all costs associated with such non-cash payment systems as they pertain to the Franchised Restaurant. In addition to the requirements set forth in Section 13.E. above, Franchisee must also comply with the Fair and Accurate Credit Transactions Act ("FACTA"). Franchisee must comply with all laws and regulations relating to privacy and data protection and must comply with any privacy policies or data protection and breach response policies, or any other policies related to data privacy or data use, that CJR periodically may establish. Franchisee must notify CJR immediately if it is notified of a credit card or data breach related to the Franchised Restaurant and must fully cooperate with CJR and applicable authorities in resolving such breach. Further, Franchisee must cooperate with CJR fully regarding media statements and other items related to managing any such event for the purpose of protecting the Proprietary Marks and System as set forth below.

To determine whether Franchisee and the Franchised Restaurant are in compliance with this Agreement and with all specifications, quality standards and operating procedures prescribed by CJR for the operation of Carl's Jr. Restaurants, CJR or its designees shall have the right at any reasonable time and without prior notice to Franchisee to: (1) inspect the Franchised Location; (2) observe, photograph and videotape the operations of the Franchised Restaurant for such consecutive or intermittent periods as CJR deems necessary; (3) remove samples of any food and beverage product, material or other products for testing and analysis (without paying for the samples); (4) interview personnel of the Franchised Restaurant; (5) interview customers of the Franchised Restaurant; and (6) inspect and copy any books, records and documents, including any electronic records, relating to the operation of the Franchised Restaurant or, upon the request of CJR or its designee, require Franchisee to send copies thereof to CJR or its designee. Franchisee agrees to cooperate fully with CJR or its designee in connection with any such inspections, observations, videotaping, product removal and interviews. Franchisee shall take all necessary steps to immediately correct any deficiencies detected during these inspections, including, without limitation, ceasing further sale of unauthorized menu items and ceasing further use of any equipment, advertising materials or supplies that do not conform with the standards and requirements promulgated by CJR from time to time. If CJR deems such deficiencies to create an imminent health hazard to Franchisee's customers, CJR may direct Franchisee to temporarily close the Franchised Restaurant until all hazards are corrected to CJR's satisfaction pursuant to CJR's Closure Policy, as amended from time to time. 
Franchisee shall present to its customers such evaluation forms as are periodically prescribed by CJR and shall participate and/or request its customers to participate in any surveys performed by or on behalf of CJR as CJR may direct. Franchisee will reimburse CJR for all costs related to the Franchised Restaurant associated with any and all of these inspections and related activities set forth above.

Franchisee will cooperate with CJR, its internal auditors and external auditors for the purpose of inspecting, examining, and assessing Franchisee's compliance with its obligations under this Section 13(P). This Auditing may be conducted through measures including, but not limited to, manual reviews and automated scans, as well as technical and operational testing.

Source: Item 22 — CONTRACTS (FDD page 80)

What This Means (2024 FDD)

According to Carls's 2024 Franchise Disclosure Document, a franchisee must comply with data privacy and security policies established by CJR. Specifically, the franchisee must adhere to all laws and regulations regarding data protection, privacy, and security, including data breach response requirements, as well as any data privacy and security policies and procedures CJR establishes periodically. This includes maintaining security controls to protect consumer information and immediately notifying CJR of any suspected data breaches.

Carls franchisees are responsible for any financial losses or remedial actions resulting from security breaches or unauthorized access to consumer information under their control. They must also use administrative, physical, and technical safeguards to protect systems and data from unauthorized access, adhering to industry standards and best practices. In the event of a data breach, franchisees must notify CJR within 24 hours and take corrective action to prevent recurrence.

Furthermore, Carls franchisees must accept payment methods specified by CJR and comply with the Fair and Accurate Credit Transactions Act (FACTA). They must also adhere to any privacy, data protection, and breach response policies CJR establishes. Franchisees are required to cooperate fully with CJR and applicable authorities in resolving any credit card or data breaches related to the franchised restaurant, and to cooperate with CJR on media statements and related matters to protect the Proprietary Marks and System.

Carls also has the right to inspect the franchisee's restaurant to ensure compliance with these standards and operating procedures. This includes inspecting the location, observing operations, removing samples for testing, interviewing personnel and customers, and inspecting records. Franchisees must correct any deficiencies detected during these inspections and cooperate fully with CJR in these activities. Franchisees must also provide CJR with all information necessary to demonstrate compliance with data privacy obligations and cooperate with audits conducted by CJR and its auditors.

Disclaimer: This information is extracted from the 2024 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.