Who has responsibility for establishing protections and safeguards for Restricted Data at a Cream franchise?
Cream Franchise · 2025 FDD
Answer from 2025 FDD Document
e to follow our instructions regarding curative actions and public statements relating to the breach. We reserve the right to conduct a data security and privacy audit of any of your Shop and your Computer Systems at any time, from time to time, to ensure that you are complying with our requirements.
Notwithstanding anything to the contrary in this Agreement or otherwise, you agree that we do not control or own any of the following Personal Information (collectively, the "Restricted Data"): (i) any Personal Information of the employees, officers, contractors, owners, or other personnel of you, your affiliates, or your Shop; (ii) such other Personal Information as we from time to time expressly designate as Restricted Data; and/or (iii) any other Personal Information to which we do not have access. Regardless of any guidance we may provide generally and/or any specifications that we may establish for other Personal Information, you have sole and exclusive responsibility for all Restricted Data, including establishing protections and safeguards for such Restricted Data; provided, that in each case you agree to comply with all applicable laws, regulations, orders, and the guidance and codes of practice issued by industry or regulatory agencies applicable to such Restricted Data.
Source: Item 23 — RECEIPTS (FDD pages 61–192)
What This Means (2025 FDD)
According to Cream's 2025 Franchise Disclosure Document, the franchisee has sole and exclusive responsibility for all Restricted Data, including establishing protections and safeguards for such Restricted Data. Restricted Data includes (i) any Personal Information of the employees, officers, contractors, owners, or other personnel of the franchisee, its affiliates, or its Shop; (ii) such other Personal Information as Cream from time to time expressly designates as Restricted Data; and/or (iii) any other Personal Information to which Cream does not have access.
This means that while Cream may provide general guidance or specifications for other types of personal information, the franchisee is fully accountable for securing the specified Restricted Data. This includes implementing and maintaining appropriate measures to protect this data from unauthorized access, use, or disclosure.
However, even with this responsibility, the franchisee must comply with all applicable laws, regulations, orders, and the guidance and codes of practice issued by industry or regulatory agencies applicable to such Restricted Data. This ensures that the franchisee's data protection measures align with legal and industry standards, even while maintaining sole responsibility for the Restricted Data itself. Cream retains the right to conduct data security and privacy audits of the Shop and Computer Systems to ensure compliance.