Swapping details
Jimmy Desai reports on Green Thumb Ltd and data transfer clauses in contracts
The business of Green Thumb (UK) Ltd (the franchisor) consisted to a large degree of granting franchises to franchisees. Grow With Us Ltd (the franchisee) wanted to extend its franchise agreement for a further period of seven years, as it was entitled to do under the terms of the agreement provided that the franchisee had complied with the terms of the agreement ([2006] All ER (D) 435). However, the franchisor refused because, among other things, the franchisee had not provided it with the franchisee's customer details as it was obliged to do under the agreement. The franchisee argued that it would have been in breach of the agreement and the Data Protection Act 1998 (DPA) had it done so.
Clause 5 of the agreement contained the obligations of the franchisee. They included:
'5.1.30 to supply to the Franchisor by electronic means (if required by the Franchisor) monthly sales reports and other information in the form stipulated by the Franchisor in the Manual concerning the business;...
'5.1.34 to keep a list of actual and potential customers of the Business and the supply of a copy of it to the Franchisor on request.'
Customer data
The franchisee argued that providing details of its customers' names and addresses would contravene cl 5.1.43, which obliged the franchisee to comply with general law. In particular, it would contravene s 4(4) of the DPA: 'It shall be the duty of the data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.'
The first data protection principle notes that 'personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Sched 2 is met'. If the communication of the names and addresses of customers fell within one of the conditions set out in Sched 2 of the DPA, the franchisee could transfer these details to the franchisor.
Schedule 2, DPA
The conditions in Sched 2 include:
'1. the data subject giving his consent to the processing.
'2. The processing is necessary '“
for the performance of a contract to which the data subject is a party, or for the taking of steps at the request of the data subject with a view to entering into a contract
'3. the processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract'¦.
'6(1) The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of the prejudice to the rights and freedoms or legitimate interests of the data subject.'
The court held that:
- Condition 1 could have been satisfied if the franchisee had obtained customer consents (but the franchisee had not obtained the relevant consents). The franchisee argued that it was difficult to obtain consent practically, but failed to demonstrate this as it visited customers regularly, at which time an attempt could have been made to obtain consent.
- While the franchisee no doubt complied with condition 2 in relation to its own recording, holding and use of the customer details, that condition was not satisfied in respect of the communication of the information to the franchisor.
- The franchisor was not itself in contractual relations with the customers or taking steps with a view to entering into contractual negotiations.
- It was clear from condition 3 that the fact that the contractual obligation was owed to the franchisor itself was not sufficient justification for passing on the information by the franchisee to the franchisor
- Condition 6 might have been satisfied. The court held that, based on evidence, the franchisor would have needed to audit the turnover and ensure correct returns from the franchisee to protect the franchisor's business.
Notification
The franchisee argued that the franchisor's data protection certificate only allowed the franchisor to receive information for 'advertising, marketing and public relations'. However, the court held that it did not seem to it that the DPA required the applicant for registration to set out exhaustively what it proposed to do with the data obtained, but rather to give an understanding of the general nature of the processing intended. Here, in broad terms, the franchisor wished to receive the franchisee's customer details for 'marketing' (which fell within the purposes mentioned in its data protection certificate).
The court held that, in view of the above, the franchisor's objection to renewing the agreement due to the franchisee being in breach of the agreement (by the franchisee failing to provide electronically the names and addresses of its current customers to the franchisor) was made out.