What are the Carls franchisee's obligations regarding complying with data privacy regulations, as potentially outlined in Item 9, and how does this relate to the computer systems requirements outlined in Item 11?
Carls Franchise · 2024 FDD
Answer from 2024 FDD Document
tions under this Agreement during the term hereof and subject to such instructions and restrictions as CJR may from time to time impose and in compliance with all data privacy, security and other applicable laws. "Consumer Information" means any identifiers (including name, address, phone numbers, usernames, birthdates and e-mail addresses), sales, transaction, loyalty and payment history, and all other information about or related to any customer or prospective customer, including any information deemed "personal information" or "personal data" under applicable law. As used in this Agreement, the term "customer" refers to any person or entity (i) whose information is collected by any CJR system or application or included in any consumer or customer database, file or system owned or controlled by CJR, its parent, subsidiary or affiliate companies; (ii) who is included on any marketing or customer lists Franchisee develops or uses or any customer information generally collected and saved for any reason; (iii) who has purchased, purchases or intends to purchase products or services online, through a CJR application, or at the Franchised Restaurant; or (iv) who has been solicited to purchase any products or services at the Franchised Restaurant. CJR may use the Consumer Information as CJR deems appropriate, including sharing it with CJR's affiliates.
CJR owns all Consumer Information and may use the Consumer Information as it deems appropriate (subject to applicable law), including disclosing it to vendors or sharing it with its affiliates for cross-marketing or other purposes. Franchisee may only use Consumer Information for the purpose of operating the Franchised Restaurant to the extent permitted under this Agreement, including the OPM, during the term hereof and subject to such restrictions as CJR may from time to time impose and in compliance with all data privacy, security and other applicable laws. Without limiting the foregoing, Franchisee agrees to comply with applicable law in connection with Franchisee's collection, processing, storage and use of such Consumer Information, including, if required under applicable law, obtaining consents from individuals for CJR's and its affiliates' use of the Consumer Information. Franchisee must comply with all laws and regulations relating to data protection, privacy and security, including data breach response requirements ("Privacy Law(s)"), as well as data privacy and security policies, procedures and other requirements CJR may periodically establish. Franchisee must maintain reasonable, appropriate, and effective security controls to preserve the security, integrity, availability, confidentiality, and resilience of Consumer Information. Franchisee must notify CJR immediately of any suspected data breach at or in connection with the Franchised Restaurant or the business operated at the Franchised Restaurant. Franchisee must fully cooperate with CJR and its counsel in determining the most effective way to meet CJR's standards and policies pertaining to Privacy Laws, including those governing notification of a data breach. Franchisee is responsible for any financial losses it incurs or remedial actions that it must take as a result of breach of security or unauthorized access to Consumer Information in Franchisee's control or possession.
Without limiting the foregoing, Franchisee represents, warrants, and covenants that:
- (1) Franchisee will not "sell" or "share" (as defined under any Privacy Law) any Consumer Information or make Consumer Information available to any third party for valuable consideration;
- (2) Franchisee will retain, use, or disclose Consumer Information only for the specific business purposes specified in this Agreement, and not for any other commercial or noncommercial purpose;
- (3) Franchisee will not retain, use, or disclose Consumer Information outside of the direct business relationship between Franchisee and CJR;
- (4) Franchisee will not combine Consumer Information received from or on behalf of CJR with personal information received from another source or collected from Franchisee's interactions with a consumer outside the operation of the Franchised Restaurant, except as specifically allowed under applicable Privacy Law;
- (5) Franchisee shall not allow any person or entity (other than Franchisee's direct employees) to process Consumer Information without the express prior approval of CJR, and any such subcontracting shall be performed strictly in accordance with a written agreement that imposes obligations on such subcontractor that are at least as restrictive as those imposed on Franchisee under this Agreement. Franchisee shall be liable for the acts and omissions of all such subcontractors to the same extent Franchisee would be liable if performing the services of each subcontractor directly under the Agreement;
- (6) When required by applicable Privacy Law, CJR will inform Franchisee of any consumer request (e.g., deletion, correction, access, and opt-out) that requires Franchisee's compliance and will provide Franchisee with the information within CJR's possession that is necessary for Franchisee to comply with the request. Franchisee will cooperate with CJR, and promptly (and in any event within ten days following notice by CJR) provide any information and documents requested by Franchisee to respond to requests by customers under Applicable Laws. Franchisee will delete, modify, or correct any Consumer Information upon CJR's request unless Franchisee can prove that such request is subject to an exception under applicable law;
- (7) Franchisee shall make available to CJR all information necessary for Franchisee to demonstrate compliance with its obligations under this Section 13(P). Franchisee will cooperate with CJR, its internal auditors and external auditors for the purpose of inspecting, examining, and assessing Franchisee's compliance with its obligations under this Section 13(P). This Auditing may be conducted through measures including, but not limited to, manual reviews and automated scans, as well as technical and operational testing. Auditing may take place at least once every twelve (12) months; and
- (8) If Franchisee receives a Consumer Information request directly from a consumer under their state Privacy Law (e.g. a request to access, delete or correct Consumer Information) that may pertain to Consumer Information, Franchisee shall inform CJR of that request within one business day and cooperate with CJR to ensure that the consumer receives an appropriate and timely acknowledgement and response. Typically, an acknowledgement is required within 10 business days and a final response is required within 45 calendar days.
Franchisee certifies that it understands the restrictions in Paragraphs (1) – (5) of this section and will comply with them. Franchisee shall immediately (and in any event within five business days) notify CJR if it determines that it can no longer meet its obligations under this Section 13(P). Franchisee also acknowledges and agrees that CJR may modify the restrictions by written notice to Franchisee, including adding other similar privacy restrictions that may be required under other federal, state or local privacy laws.
To the extent Franchisee's business is independently subject to any Privacy Laws, Franchisee must comply with all standards, laws, rules, regulations or any equivalent thereof relating to personal information, data privacy, and data protection that may apply to personal information not encompassed by the definition of "Consumer Information," above (for example, as relates to Franchisee's employees or job applicants). The requirements of this Section 13(P) are not intended to constitute legal advice or to imply that compliance with this Agreement fulfills all of Franchisee's potential obligations under the Privacy Laws. Franchisee should consider applicable federal, state and local laws, and consult its own legal counsel or advisors, as it deems necessary.
14. PROPRIETARY MARKS
The term "Proprietary Marks" as used in this Agreement refers to all trade names, trademarks, service marks, trade dress, logos, insignias, slogans, emblems, symbols, designs, and any combination thereof or any other indicia of source designated by CJR as identifying the System and the products sold and services provided in connection with the System. You acknowledge that CJR owns all rights, title, and interest in and to the Proprietary Marks and you have only such rights to use the Proprietary Marks as this Agreement grants. CJR shall, from time to time, advise Franchisee as to any additions or deletions to the Proprietary Marks and Franchisee's right to use the Proprietary Marks shall be deemed modified by those additions or deletions.
What This Means (2024 FDD)
According to the 2024 FDD, Carls franchisees have several obligations regarding data privacy and security, which are closely tied to the computer systems they are required to use. Carls owns all Consumer Information and may use it as it deems appropriate, subject to applicable law. Franchisees may only use Consumer Information for operating the Franchised Restaurant as permitted under the agreement, including the OPM, and must comply with all data privacy, security, and other applicable laws. This includes obtaining consents from individuals for Carls's and its affiliates' use of Consumer Information, if required by law. Franchisees must also adhere to Carls's data privacy and security policies and procedures, and maintain reasonable security controls to protect Consumer Information.
Carls franchisees are responsible for complying with all laws and regulations relating to data protection, privacy, and security, including data breach response requirements. They must notify Carls immediately of any suspected data breach and fully cooperate with Carls in determining the most effective way to meet Carls's standards and policies pertaining to Privacy Laws. Franchisees are financially responsible for any losses or remedial actions resulting from a security breach or unauthorized access to Consumer Information in their control.
To ensure data security, Carls requires franchisees to procure and install specific data processing equipment, computer hardware, and software as outlined in the OPM or otherwise specified. Franchisees must keep their computer systems in good repair and make any necessary additions, changes, or modifications as directed by Carls. They must also comply with the Payment Card Industry Data Security Standard (PCI-DSS) at all times and engage any vendor designated by Carls to ensure data security and PCI-DSS compliance. Franchisees must maintain continuous PCI compliance and provide Carls with an annual PCI Attestation of Compliance.
Carls may also mandate upgrades or replacements to the computer systems as technology evolves or as data limits are reached. Franchisees are responsible for the costs associated with these upgrades. The requirements of this section are not intended to constitute legal advice or to imply that compliance with this Agreement fulfills all of Franchisee's potential obligations under the Privacy Laws. Franchisee should consider applicable federal, state and local laws, and consult its own legal counsel or advisors, as it deems necessary.