What is a Cream franchisee required to do if they become aware of a security breach involving Personal Information?
Cream Franchise · 2025 FDD
Answer from 2025 FDD Document
If you become aware of a suspected or actual breach of security or unauthorized access involving Personal Information, you will notify us immediately and specify the extent to which Personal Information was compromised or disclosed. You also agree to follow our instructions regarding curative actions and public statements relating to the breach. We reserve the right to conduct a data security and privacy audit of any of your Shop and your Computer Systems at any time, from time to time, to ensure that you are complying with our requirements.
Source: Item 23 — RECEIPTS (FDD pages 61–192)
What This Means (2025 FDD)
According to Cream's 2025 Franchise Disclosure Document, if a franchisee becomes aware of a suspected or actual breach of security or unauthorized access involving Personal Information, they must immediately notify Cream and specify the extent to which Personal Information was compromised or disclosed. Furthermore, the franchisee is obligated to follow Cream's instructions regarding curative actions and public statements related to the breach. Cream retains the right to conduct data security and privacy audits of the franchisee's shop and computer systems at any time to ensure compliance with these requirements.
Cream emphasizes that franchisees must process, retain, use, collect, and disclose all Personal Information in strict accordance with all applicable laws, regulations, orders, the guidance and codes of practice issued by industry or regulatory agencies, and the privacy policies and terms and conditions of any applicable Digital Presence. Franchisees are also required to assist Cream in meeting its compliance obligations under all applicable laws, regulations, and orders relating to Personal Information. This includes promptly notifying Cream of any communication or request from any customer or other person to access, correct, delete, opt-out of, or limit activities relating to any Personal Information.
Cream distinguishes between general Personal Information and "Restricted Data," which includes Personal Information of the franchisee's employees, officers, contractors, owners, or other personnel, as well as any other Personal Information that Cream does not have access to or expressly designates as Restricted Data. While Cream may provide general guidance, the franchisee has sole and exclusive responsibility for all Restricted Data, including establishing protections and safeguards, while still complying with all applicable laws and regulations. This division of responsibility highlights the importance of franchisees understanding their obligations regarding data protection and security, particularly concerning data they directly control.
In practical terms, a Cream franchisee must have systems in place to detect and respond to potential data breaches, maintain compliance with privacy laws, and cooperate with Cream in addressing any security incidents. The franchisee should also be prepared for potential audits by Cream to ensure ongoing compliance with data security and privacy requirements. Understanding the distinction between general Personal Information and Restricted Data is crucial for implementing appropriate safeguards and fulfilling their responsibilities under the franchise agreement.