What are the Carls franchisee's obligations regarding complying with customer data privacy regulations, as potentially outlined in Item 9, and how does this relate to the computer systems requirements for managing customer data in Item 11?
Carls Franchise · 2024 FDD
Answer from 2024 FDD Document
tions under this Agreement during the term hereof and subject to such instructions and restrictions as CJR may from time to time impose and in compliance with all data privacy, security and other applicable laws. "Consumer Information" means any identifiers (including name, address, phone numbers, usernames, birthdates and e-mail addresses), sales, transaction, loyalty and payment history, and all other information about or related to any customer or prospective customer, including any information deemed "personal information" or "personal data" under applicable law. As used in this Agreement, the term "customer" refers to any person or entity (i) whose information is collected by any CJR system or application or included in any consumer or customer database, file or system owned or controlled by CJR, its parent, subsidiary or affiliate companies; (ii) who is included on any marketing or customer lists Franchisee develops or uses or any customer information generally collected and saved for any reason; (iii) who has purchased, purchases or intends to purchase products or services online, through a CJR application, or at the Franchised Restaurant; or (iv) who has been solicited to purchase any products or services at the Franchised Restaurant. CJR may use the Consumer Information as CJR deems appropriate, including sharing it with CJR's affiliates.
CJR owns all Consumer Information and may use the Consumer Information as it deems appropriate (subject to applicable law), including disclosing it to vendors or sharing it with its affiliates for cross-marketing or other purposes. Franchisee may only use Consumer Information for the purpose of operating the Franchised Restaurant to the extent permitted under this Agreement, including the OPM, during the term hereof and subject to such restrictions as CJR may from time to time impose and in compliance with all data privacy, security and other applicable laws. Without limiting the foregoing, Franchisee agrees to comply with applicable law in connection with Franchisee's collection, processing, storage and use of such Consumer Information, including, if required under applicable law, obtaining consents from individuals for CJR's and its affiliates' use of the Consumer Information. Franchisee must comply with all laws and regulations relating to data protection, privacy and security, including data breach response requirements ("Privacy Law(s)"), as well as data privacy and security policies, procedures and other requirements CJR may periodically establish. Franchisee must maintain reasonable, appropriate, and effective security controls to preserve the security, integrity, availability, confidentiality, and resilience of Consumer Information. Franchisee must notify CJR immediately of any suspected data breach at or in connection with the Franchised Restaurant or the business operated at the Franchised Restaurant. Franchisee must fully cooperate with CJR and its counsel in determining the most effective way to meet CJR's standards and policies pertaining to Privacy Laws, including those governing notification of a data breach. Franchisee is responsible for any financial losses it incurs or remedial actions that it must take as a result of breach of security or unauthorized access to Consumer Information in Franchisee's control or possession.
Without limiting the foregoing, Franchisee represents, warrants, and covenants that:
- (1) Franchisee will not "sell" or "share" (as defined under any Privacy Law) any Consumer Information or make Consumer Information available to any third party for valuable consideration;
- (2) Franchisee will retain, use, or disclose Consumer Information only for the specific business purposes specified in this Agreement, and not for any other commercial or noncommercial purpose;
- (3) Franchisee will not retain, use, or disclose Consumer Information outside of the direct business relationship between Franchisee and CJR;
What This Means (2024 FDD)
According to Carls's 2024 Franchise Disclosure Document, franchisees have several obligations regarding customer data privacy and security, which are closely tied to the computer systems they are required to use. Carls owns all consumer information and can use it as deemed appropriate under applicable law. Franchisees can only use this data to operate their franchised restaurant, adhering to restrictions imposed by Carls and complying with all data privacy and security laws. This includes obtaining necessary consents for Carls's and its affiliates' use of consumer information, if required by law. Franchisees must also follow Carls's data privacy and security policies and procedures, including data breach response requirements. They are responsible for maintaining security controls to protect consumer information and must immediately report any suspected data breaches. Franchisees bear the financial responsibility for losses or remedial actions resulting from security breaches or unauthorized access to consumer information under their control.
Carls requires franchisees to use specific computer systems and software, as detailed in Item 11, to manage customer data. Franchisees must utilize proprietary software programs and maintain data as prescribed by Carls in the OPM (Operations Procedures Manual), software programs, or other documentation. They are also required to purchase new or upgraded software and materials whenever Carls adopts them system-wide. Franchisees must comply with Point to Point Credit Encryption Standards (P2PE) and the Payment Card Industry Data Security Standard (PCI DSS) at all times, upgrading their technology as needed to maintain compliance. They must also engage vendors designated by Carls to ensure data security and PCI DSS compliance, providing an annual PCI Attestation of Compliance (AOC).
Carls retains the right to access data from the franchisee's computers, including customer information and daily sales data. Franchisees must back up all data daily and comply with all operational requirements outlined in their Franchise Agreement and manuals. Carls may also mandate upgrades or replacements of the computer system as technology evolves or data limits are reached. Franchisees are responsible for keeping their computer systems in good repair and making necessary changes as directed by Carls to ensure communication capability between their systems and Carls's. These requirements ensure that franchisees maintain adequate data security measures and comply with privacy regulations while using the mandated computer systems.