Understanding Your Data Rights: Who Owns the Customer Data You Collect?

It’s a scene playing out in thousands of franchise outlets across the Philippines every day. A friendly cashier at a milk tea shop asks, “Ma’am, would you like to join our loyalty program? Just need your name and mobile number to get your first stamp.” The customer agrees, taps their details into a tablet, and a new stream of data is born. That single entry—a name, a number, a purchase preference—joins a vast, invisible ocean of information being collected by businesses. But it also raises a question that, for years, most Filipino franchisees have found uncomfortably ambiguous: Who actually owns that data?

For a long time, the answer was assumed to be simple: the business. Customer lists were treated like any other asset, a proprietary resource to be used for marketing, sold as part of the business, and controlled by the owner. In the complex world of franchising, this led to a quiet tug-of-war. Was it the franchisee, who personally signed up the customer in their store? Or the franchisor, who owned the brand, the loyalty program, and the central database where the information was stored?

This murky understanding is now facing a dramatic reckoning. A powerful comeback of data privacy awareness, driven by the Philippines' own robust legislation and a global shift in consumer attitudes, is forcing a new clarity. The Data Privacy Act of 2012 (DPA), once a piece of legislation that seemed distant to frontline business, is now asserting its authority, and its central message is revolutionary for many: the business doesn't own the data. The customer does. And for franchisees, understanding this shift is no longer optional—it's critical for survival.

The Legal Revolution: How the Data Privacy Act Changed Everything

Enacted as Republic Act No. 10173, the Data Privacy Act is the Philippines’ comprehensive law governing how personal information is handled. Its core principle is unequivocal: individuals—or "data subjects," in legal terms—have ownership and control over their personal data. Businesses that collect and use this data are merely custodians, granted temporary and specific permission to process it.

The law applies to virtually every franchise in the country, from a single food cart to a multi-branch retail empire. Any business that collects, processes, or stores "personal information" must comply. This includes obvious identifiers like names, addresses, and phone numbers, but also extends to "sensitive personal information" which receives even stricter protection, such as government-issued ID numbers, health information, and financial details. Overseeing this entire framework is the National Privacy Commission (NPC), the regulatory body armed with the power to investigate violations and impose significant penalties, including fines that can run into millions of pesos and even imprisonment.

This legal landscape introduces two key roles that every franchisee must understand: the Personal Information Controller (PIC) and the Personal Information Processor (PIP).

• A Personal Information Controller (PIC) is the entity that decides what data to collect and for what purpose. They control the data.
• A Personal Information Processor (PIP) is the entity that processes the data on behalf of the PIC. They act on instructions.

In a franchise system, these roles can be complex and overlapping, creating a web of responsibility that needs to be carefully untangled.

The Franchise Paradox: A Tangled Web of Control

The franchise model creates a unique and often confusing data governance structure. A customer interacts with a local store, owned by an independent franchisee, but they are also interacting with a national or even global brand, owned by the franchisor. So, who is the PIC?

The answer is often "both."

• The Franchisee as PIC: When a franchisee collects customer data for their own local purposes—for example, running a store-specific raffle or building a contact list for local SMS blasts—they are acting as the PIC. They decide what information to collect from their direct customers and how to use it for their outlet's benefit.
• The Franchisor as PIC/PIP: When data is collected for a system-wide program, the roles shift. For a national loyalty app, a centralized delivery platform, or an e-commerce website, the franchisor is typically the PIC. They designed the system, defined the data requirements, and control the central database. In this scenario, the franchisee and their staff are often acting as PIPs, collecting data on behalf of the franchisor according to a strict set of protocols.

The franchise agreement is supposed to clarify these roles and responsibilities. However, many agreements, especially older ones, are notoriously vague on data ownership. They may grant the franchisor broad rights to access all data collected by the franchisee, blurring the lines of control. This is where many franchisees fall into a compliance trap. It is crucial for anyone entering a franchise to read the fine print regarding their rights and obligations, which are detailed in the franchise disclosure document.

Navigating the Data Tug-of-War

This dual-controller system often creates tension. The franchisor needs aggregated data from across the network to spot trends, measure national marketing campaign effectiveness, and ensure brand consistency. They view this data as a critical asset of the entire system.

The franchisee, on the other hand, built the direct relationship with the customer. That list of local patrons feels personal—it's the lifeblood of their direct marketing efforts and a key component of their business's value if they ever decide to sell. The conflict arises when a franchisee wants to use "their" customer list for a promotion not sanctioned by the franchisor, or when a franchisor demands access to all data without clear justification.

The Data Privacy Act cuts through this conflict by re-centering the conversation on the customer. The debate isn't about whether the franchisor or the franchisee owns the data; it's about which party is responsible for protecting the customer's rights. The franchise agreement cannot override Philippine law. Any clause that infringes on the data subject's rights as defined by the DPA is effectively void. This is why modern franchising emphasizes the importance of a clear and compliant guide to the data privacy act, ensuring both parties understand their roles.

Your Compliance Checklist: Practical Steps for Filipino Franchisees

For a franchisee, the message is clear: you are on the front lines of data privacy compliance. Ignorance of the law is not a defense. Taking proactive steps is essential.

1. Embrace Radical Transparency: You must have a clear and easily understandable privacy notice displayed wherever you collect data. This notice, written in English or Filipino, must state what data is being collected, why it's being collected, how it will be used, how long it will be stored, and if it will be shared with the franchisor or any other third party.
2. Secure Active Consent: Consent must be a specific, informed, and freely given action. A customer ticking a box is the bare minimum. Pre-ticked boxes are illegal. For sensitive information, the consent requirements are even higher. Customers must also have an easy way to withdraw their consent at any time.
3. Prioritize Data Security: The DPA mandates that you implement reasonable and appropriate security measures to protect the data you hold. This includes both organizational measures (like training staff on privacy) and technical measures (like using encrypted storage for sensitive data and having strong access controls on your POS system). Robust franchise data security is not just a legal requirement but also a way to build customer trust.
4. Uphold Customer Rights: Every customer whose data you hold has clearly defined franchisee rights under the DPA. These include:
   • The Right to Be Informed that their data is being processed.
   • The Right to Access a copy of the data you hold on them.
   • The Right to Rectify any inaccurate information.
   • The Right to Erasure or Blocking of their data under certain conditions.
   • The Right to Object to the processing of their data for direct marketing.
   • The Right to Data Portability to get their data in a usable format.
   • The Right to File a Complaint with the National Privacy Commission.
5. Formalize Responsibility: Every franchise, regardless of size, must designate an individual responsible for data privacy compliance. For larger operations that process significant amounts of data, the law requires the formal appointment and registration of a Data Protection Officer (DPO) with the NPC.

Data Privacy as a Competitive Advantage

The resurgence of data privacy is not a burden; it’s an opportunity. In an economy increasingly powered by digital payments, delivery apps, and online engagement, customer trust has become the ultimate currency. A recent NPC report noted a staggering increase in data privacy violations, with a large percentage coming from the retail and service sectors.

Franchisees who master the principles of data privacy are not just avoiding fines; they are building a more resilient and respected business. A customer who trusts you with their data is more likely to become a loyal, long-term patron. Being able to clearly explain your data practices, and demonstrating that you respect their ownership, is a powerful way to differentiate your business and build a strong brand from the ground up. The foundation of any great franchise is a replicable system, and in the modern Philippines, a compliant data privacy framework is a non-negotiable part of that system.

The old assumptions about data ownership are dead. The customer is in control. For the Filipino franchisee, the path forward is clear: become an expert steward of the data you collect, champion the rights of your customers, and turn compliance into a cornerstone of the trust that will fuel your growth for years to come.