What is the Circle K franchisee's responsibility to notify the franchisor of a suspected data breach?
Circle K Franchise · 2025 FDD
Answer from 2025 FDD Document
Franchisee must notify Franchisor immediately of any suspected data breach at or in connection with the Store.
Franchisee must fully cooperate with Franchisor and its counsel in determining the most effective way to meet Franchisor's standards and policies pertaining to Privacy Laws within the bounds of applicable law.
Source: Item 22 — CONTRACTS (FDD page 100)
What This Means (2025 FDD)
According to Circle K's 2025 Franchise Disclosure Document, a franchisee must immediately notify Circle K of any suspected data breach at or in connection with their store. This requirement is part of the franchisee's broader responsibility to comply with all applicable data protection, privacy, and security laws. This includes data breach response requirements and adherence to any data privacy and security policies established by Circle K.
This immediate notification is crucial because Circle K owns all Customer Information and has the right to use it as deemed appropriate, subject to applicable law. The franchisee's role in collecting, storing, disclosing, and using Customer Information must comply with all relevant laws, including obtaining appropriate customer consent to ensure both the franchisee and Circle K can process this information as outlined in the franchise agreement and business systems manuals.
Furthermore, the franchisee must fully cooperate with Circle K and its legal counsel to determine the most effective way to meet Circle K's standards and policies regarding privacy laws, within the bounds of applicable law. The franchisee is also responsible for any financial losses or remedial actions resulting from a security breach or unauthorized access to Customer Information under their control. This includes implementing reasonable security procedures to protect customer data from unauthorized access, following any minimum requirements set forth in the Business Systems Manuals.
If a franchisee receives a Customer Information data request directly from a consumer, they must inform Circle K of that request within one business day and cooperate to ensure the consumer receives an appropriate and timely response. This coordinated approach ensures that Circle K can maintain consistent data protection practices across all franchise locations and uphold its brand reputation.