What data protection laws must a Springhill Suites By Marriott franchisee comply with?
Springhill Suites By Marriott Franchise · 2025 FDD
Answer from 2025 FDD Document
You must implement reasonable security measures, including any and all security measures that we require, to protect all computer systems and Confidential Information from loss, misuse and unauthorized access, disclosure, alteration, and destruction. In addition, you must comply with all applicable data protection laws pertaining to Personally Identifiable Information and rules and regulations promulgated by the applicable credit card associations. In the event of an actual or suspected information security incident or breach that could involve Personally Identifiable Information of guests at your hotel, you must comply with all applicable data breach notification laws as well as our standards applicable to such incident or breach. You must notify us when you become aware of any such incident or breach and provide credit monitoring for impacted individuals in accordance with our standards. You will be required to reimburse us for all costs incurred by us in connection with a security breach involving Personally Identifiable Information of guests at your hotel.
Source: Item 14 — PATENTS, COPYRIGHTS, AND PROPRIETARY INFORMATION (FDD pages 104–107)
What This Means (2025 FDD)
According to Springhill Suites By Marriott's 2025 Franchise Disclosure Document, franchisees must comply with all applicable data protection laws pertaining to Personally Identifiable Information, as well as the rules and regulations promulgated by applicable credit card associations. This means that franchisees are responsible for understanding and adhering to laws like GDPR (if processing data of European residents) or CCPA (if dealing with California residents' data), along with PCI DSS standards for handling credit card information. These regulations dictate how personal data must be collected, stored, processed, and protected.
Springhill Suites By Marriott franchisees also have a responsibility to implement reasonable security measures to protect all computer systems and Confidential Information from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. In the event of an actual or suspected information security incident or breach that could involve Personally Identifiable Information of guests at their hotel, franchisees must comply with all applicable data breach notification laws as well as Springhill Suites By Marriott's standards applicable to such incident or breach. This includes notifying Springhill Suites By Marriott when they become aware of any such incident or breach and providing credit monitoring for impacted individuals in accordance with Springhill Suites By Marriott's standards.
Furthermore, the franchisee will be required to reimburse Springhill Suites By Marriott for all costs it incurs in connection with a security breach involving Personally Identifiable Information of guests at the franchisee's hotel. This highlights the importance of investing in robust security measures and employee training to prevent data breaches. The FDD emphasizes the franchisee's responsibility for protecting sensitive guest data and the potential financial consequences of failing to do so. This is a critical aspect of operating a Springhill Suites By Marriott franchise, as non-compliance can lead to significant legal and financial repercussions.