What are the information security obligations of a Sonesta Select Sonesta Essential franchisee?
Sonesta Select Sonesta Essential Franchise · 2025 FDD
Answer from 2025 FDD Document
You must comply with all applicable laws, including data privacy and data security laws and regulations that may be applicable to your Hotel, including any requirements of the credit card processing industry, including PCI DSS and any successor standard, and the information that your Hotel collects from its customers and prospective customers, employees and other such third parties, and any information that can be used to identify an individual, including names, addresses, telephone numbers, email addresses, employee identification numbers, signatures, passwords, financial information, credit card information, biometric or health data, government-issued identification numbers and credit report information ("Personal Information"). All such laws and regulations are hereinafter called "Information Privacy Laws."
You hereby agree that we are the data controller of any and all Personal Information that we share with you or your representatives. You acknowledge and agree that all such Personal Information is Confidential Information subject to Section 6 and may not be shared with any third-party of any kind without our express authorization.
Further, without limiting the generality of the foregoing, during and after the Term, you (and if you are conducting business as an Entity, each of your owners) agree to, and to cause your respective current and former immediate family members, owners, officers, directors, principals, agents, partners, employees, representatives, attorneys, spouses, affiliates, successors and assigns to:
- (1) process, retain, use, or disclose Personal Information strictly to the limited extent, and in such a manner, as is necessary for operating your Hotel in accordance with this Agreement, and not process, retain, use, or disclose Personal Information for any other purpose;
- (2) adopt and implement adequate measures (hereinafter called "Security Measures") to secure the confidentiality of all Personal Information;
- (3) assist us with meeting our compliance obligations under all applicable federal, state, and foreign laws and regulations relating to the processing, protection, or privacy of Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies;
Source: Item 22 — CONTRACTS (FDD page 84)
What This Means (2025 FDD)
According to the 2025 Franchise Disclosure Document, Sonesta Select Sonesta Essential franchisees take on several obligations regarding information security and data privacy. Franchisees must comply with all applicable laws, including the data privacy and security laws and regulations relevant to their hotel, which the agreement collectively calls "Information Privacy Laws." This includes adhering to the requirements of the credit card processing industry, specifically PCI DSS "and any successor standard." The successor-standard wording means the obligation tracks whatever version the PCI Security Standards Council currently publishes (PCI DSS v4.0.1 at the time of the 2025 FDD), not the version in force when the agreement was signed.
Franchisees are responsible for protecting the Personal Information collected from customers, prospective customers, employees, and other third parties. The agreement defines Personal Information broadly as any data that can identify an individual, including names, addresses, telephone numbers, email addresses, employee identification numbers, signatures, passwords, financial information, credit card information, biometric or health data, government-issued identification numbers, and credit report information. The franchisor (the "we" in the agreement) is designated the data controller for any Personal Information it shares with franchisees or their representatives, and that information is classified as Confidential Information under Section 6, which may not be shared with any third party without the franchisor's express authorization. Note that this controller designation, as quoted, covers only Personal Information the franchisor shares with the franchisee; the excerpt does not state who is the controller of data the hotel collects directly from its own guests and employees.
During and after the franchise term, franchisees must process, retain, use, or disclose Personal Information only to the extent necessary for operating the hotel in accordance with the Franchise Agreement, and for no other purpose. They must implement adequate Security Measures to protect the confidentiality of all Personal Information; the excerpt sets no specific technical controls, so "adequate" is measured against the Information Privacy Laws and PCI DSS requirements the agreement incorporates. Franchisees also need to assist the franchisor in meeting its compliance obligations under federal, state, and foreign laws and regulations related to the processing, protection, or privacy of Personal Information, including guidance and codes of practice issued by regulatory bodies. These obligations are not limited to the franchisee entity itself: the franchisee (and each owner, if the franchisee is an entity) must also cause its current and former owners, officers, directors, employees, agents, affiliates, family members, and other listed persons to comply, and the obligations survive the end of the Term.
These obligations require franchisees to handle sensitive data responsibly and in compliance with applicable laws, protecting both guests and the brand's reputation. Franchisees should carefully review these requirements, confirm their cardholder data environment and Personal Information handling practices against them, and understand the legal and financial repercussions that can follow a data breach or non-compliance.