Data Protection Obligations in Turkish Franchise and Dealer Networks

Introduction

Data protection obligations in Turkish franchise and dealer networks are becoming increasingly important for brands, franchisors, franchisees, dealers, distributors, authorized service providers, retailers, regional representatives, sales agencies, and multi-location business networks operating in Turkey. Franchise and dealer systems are built on cooperation, brand control, customer experience, sales reporting, marketing campaigns, loyalty programs, CRM systems, after-sales services, and shared operational standards. Each of these activities may involve personal data.

A franchise or dealer network may process customer names, phone numbers, email addresses, delivery addresses, purchase histories, service records, warranty claims, loyalty program points, marketing preferences, complaint files, CCTV footage, payment data, vehicle data, product registration data, online order information, mobile app identifiers, cookies, employee data, dealer representative data, and call center records. In some sectors, such as healthcare, automotive, insurance, education, beauty, fitness, or food delivery, the network may also process sensitive or high-risk information.

Turkey’s main personal data protection legislation is Law No. 6698 on the Protection of Personal Data, commonly known as KVKK. KVKK applies to personal data processed wholly or partly by automated means or by non-automated means forming part of a data filing system. It imposes obligations on data controllers and processors regarding lawful processing, transparency, data security, data subject rights, retention, transfer, and registry obligations.

For franchise and dealer networks, KVKK compliance is complex because personal data often flows between multiple independent businesses. The franchisor may manage the brand and central CRM system. Franchisees may collect customer data at physical stores. Dealers may share sales and warranty data with the manufacturer or distributor. Authorized service centers may upload customer service records into a central platform. Marketing campaigns may be run jointly. Loyalty programs may be centralized. Therefore, the first legal question is not only “Is there personal data?” but also “Who is the data controller for each data flow?”

Why Franchise and Dealer Networks Create Specific Data Protection Risks

Franchise and dealer networks are different from ordinary single-company operations. In a single company, the legal entity usually controls all branches, employees, systems, and customer records. In a franchise or dealer model, however, each outlet may be a separate legal entity. The franchisor may impose brand standards, but the franchisee may employ its own staff, sign its own local contracts, issue invoices, and interact directly with customers.

This structure creates several KVKK risks. A customer may give personal data to a local franchisee, but the data may later be transferred to the franchisor’s central database. A dealer may collect customer data for a vehicle sale, but the manufacturer may use the same data for warranty, recall, satisfaction surveys, and marketing. A franchisee may send promotional messages using the franchisor’s campaign tools. A central loyalty program may collect purchase data from all outlets. A call center may handle complaints on behalf of both the brand owner and local franchisees.

If roles are not clearly defined, the network may fail to provide proper privacy notices, obtain valid marketing permissions, respond to data subject requests, manage deletion requests, or determine who is responsible for a data breach. This can create regulatory risk, contractual disputes, reputational harm, and customer complaints.

Data Controller and Data Processor Roles in Franchise Networks

Under KVKK, the data controller is the person or entity that determines the purposes and means of processing personal data. The data processor processes personal data on behalf of the controller based on authorization.

In franchise and dealer networks, role classification must be done activity by activity. The franchisor may be a data controller for its central loyalty program, brand website, mobile application, online store, national marketing campaigns, customer complaint management system, central CRM, franchisee performance monitoring, and brand-level analytics. The franchisee may be a separate data controller for local store sales, local employee data, local invoices, local CCTV systems, customer reservations, local service records, and local complaints.

In some cases, a franchisee may process data on behalf of the franchisor. For example, if the franchisor runs a central loyalty program and instructs franchisees to collect customer enrollment forms solely for that program, the franchisee may act as a processor or local collection point for that specific activity. In other cases, both parties may act as separate controllers or joint participants in a shared processing ecosystem. KVKK does not use “joint controller” terminology in the detailed way that some foreign regimes do, but the practical allocation of responsibilities should still be contractually defined.

The same analysis applies to dealer networks. A vehicle dealer, electronics dealer, furniture dealer, appliance dealer, or authorized service center may act as an independent controller for sales and service relationships, while the manufacturer or distributor may act as a controller for warranty registration, product recall, customer satisfaction surveys, and central marketing. If the dealer uploads data into a platform controlled by the manufacturer, the parties should determine whether the dealer is acting as a controller, processor, or both.

Personal Data Commonly Processed in Franchise and Dealer Systems

Franchise and dealer networks may process many categories of personal data. Customer data may include name, surname, phone number, email address, address, customer number, purchase history, product preferences, loyalty program membership, invoice information, payment status, delivery information, complaint records, satisfaction survey responses, and marketing preferences.

Dealer and franchisee representative data may include names of authorized signatories, company officers, store managers, sales staff, service technicians, contact persons, identity details, tax-related information, bank account records, performance reports, training participation, and access logs in central systems.

Operational data may include CCTV footage, visitor records, Wi-Fi logs, call center recordings, online order records, mobile app data, cookies, device identifiers, service appointment records, warranty documents, repair reports, return forms, and after-sales support notes.

Sector-specific networks may process more sensitive information. Automotive dealers may process vehicle plate numbers, accident records, driving-related service data, and financing documents. Healthcare franchise networks may process health data. Fitness chains may process body measurements, health declarations, and membership attendance. Beauty and cosmetic service franchises may process photographs, treatment history, and allergy information. Education franchises may process children’s data, student records, and parent information. These categories require stricter legal assessment.

Core KVKK Principles Applicable to Franchise and Dealer Networks

KVKK Article 4 principles apply to every data flow within a franchise or dealer network. Personal data must be processed lawfully and fairly, accurately and up to date where necessary, for specified, explicit, and legitimate purposes, in a relevant, limited, and proportionate manner, and only for the period required by law or by the processing purpose.

For franchise networks, these principles require clear limits. A franchisor should not collect all customer data from franchisees merely because it may be useful for future marketing. A dealer should not upload excessive customer documents to a central system if only warranty registration data is needed. A franchisee should not use customer information obtained through a national campaign for unrelated local marketing unless there is a lawful basis. A distributor should not retain old dealer contact lists indefinitely without purpose.

The principle of purpose limitation is especially important. Data collected for warranty service should not automatically be used for promotional messages. Data collected for loyalty points should not automatically be shared with unrelated business partners. Data collected for a customer complaint should not be used to profile the customer for unrelated advertising unless separately assessed and disclosed.

Legal Bases for Processing Customer Data

Under KVKK Article 5, personal data may be processed with explicit consent or without explicit consent where one of the statutory legal bases applies. These include processing expressly provided by law, necessity for contract performance, necessity for compliance with a legal obligation, necessity for establishment, exercise or protection of a right, and legitimate interests of the data controller provided that fundamental rights and freedoms of the data subject are not harmed.

For example, a franchisee may process customer identity, contact, order, delivery, and payment information to perform a sale contract. A dealer may process invoice data to comply with tax obligations. An authorized service center may process product serial number, customer contact details, and service history for warranty and repair services. A franchisor may process complaint records to protect brand quality and legal rights, depending on the structure.

However, explicit consent may be required for optional or non-essential processing, such as promotional marketing, behavioral advertising, location-based campaigns, sharing customer data with unrelated commercial partners, publishing customer testimonials, or processing certain special categories of data. The legal basis must be identified separately for each processing purpose. A single broad consent form cannot cure all data flows in a complex franchise network.

Privacy Notices in Franchise and Dealer Networks

KVKK Article 10 requires data controllers to inform data subjects at the time personal data is obtained. The notice must include the identity of the data controller, processing purposes, recipients and transfer purposes, collection method and legal basis, and rights under Article 11.

In a franchise network, this obligation becomes difficult if both the franchisor and franchisee process customer data. Customers should understand whether they are dealing with the local franchisee, the brand owner, or both. A receipt, membership form, website checkout page, loyalty program form, reservation system, or service appointment form should not hide the identity of the actual data controller.

A good franchise privacy notice should explain:

Who the local franchisee is.
Whether the franchisor receives customer data.
Which data is processed locally and centrally.
Why data is transferred within the network.
Whether data is used for loyalty programs, complaints, warranty, marketing, analytics, or service quality.
Which legal basis applies to each purpose.
How customers may exercise their KVKK rights.
Whether data is transferred abroad through central systems or vendors.

Dealer networks should also provide transparent notices. A vehicle customer, for example, should know whether their data will be shared with the national distributor, manufacturer, finance company, insurance provider, authorized service network, call center, or CRM platform.

Franchise Agreements and Data Protection Clauses

Franchise and dealer agreements should contain detailed data protection clauses. It is not enough to say that “the parties shall comply with KVKK.” The agreement should define the parties’ roles for each data flow, allocate responsibilities, regulate data sharing, and impose technical and organizational safeguards.

A strong data protection clause should address:

Controller and processor roles.
Customer data collection standards.
Privacy notice obligations.
Marketing permission management.
Central CRM access rules.
Data transfer purposes.
Data subject request handling.
Data breach notification obligations.
Retention and deletion rules.
Use of customer data after termination.
Confidentiality obligations.
Vendor and sub-processor restrictions.
Cross-border transfer rules.
Audit rights.
Liability and indemnity.

For example, if the franchisee collects data for the franchisor’s loyalty program, the agreement should state which privacy notice will be provided, who stores consent records, who responds to deletion requests, and how data is deleted if the franchise relationship ends. If the dealer shares customer data with the manufacturer for warranty purposes, the agreement should define the scope of data and prohibit unrelated use unless separately lawful.

Customer Data Sharing Between Franchisor and Franchisee

Customer data sharing is the central compliance issue in franchise networks. The franchisor may want visibility over customers to protect brand quality, run national campaigns, monitor complaints, analyze store performance, manage loyalty programs, and improve products. Franchisees may want to retain local customer relationships and run local campaigns.

These interests must be balanced with KVKK principles. Data sharing should be based on a clear purpose. For example, sharing customer complaint data with the franchisor may be necessary for brand-level quality control and dispute management. Sharing purchase totals for aggregated performance reporting may be legitimate if personal data is minimized. Sharing identifiable customer data for national marketing requires separate assessment and, often, marketing permission.

Where possible, networks should use anonymized or aggregated reports for performance analytics. The franchisor may not need every customer’s name and phone number to understand sales trends. Store-level reports, product-level sales, and anonymized satisfaction metrics may achieve the same purpose with less privacy risk.

Loyalty Programs and Central CRM Systems

Loyalty programs are common in franchise and dealer networks. Customers may earn points, receive discounts, join membership clubs, access mobile apps, receive birthday offers, or benefit from personalized campaigns across multiple branches. These programs usually require centralized data processing.

The brand owner or central operator will often be the data controller for the loyalty program. Local franchisees may collect membership applications and record purchases into the central CRM. The privacy notice should clearly explain that customer data will be processed centrally and may be accessible by participating stores to provide loyalty benefits.

Loyalty programs should not be mandatory for ordinary purchases unless necessary for the service. Marketing permissions should be separate from membership terms. A customer may join a loyalty program to earn points without necessarily consenting to promotional SMS or behavioral advertising. CRM systems should record the source, date, and scope of each permission.

Access to CRM data should be limited. A franchisee should not be able to download the entire national customer database unless strictly necessary. Branches should access only customers relevant to their operations or service interactions.

Marketing Permissions, SMS, Email, and İYS

Franchise and dealer networks frequently run national and local marketing campaigns. These may include SMS, email, phone calls, push notifications, discount offers, product launches, service reminders, seasonal campaigns, and local branch promotions.

Marketing communications must comply with both KVKK and Turkish commercial electronic message rules. İYS, the Turkish Commercial Electronic Message Management System, is designed to manage permissions and rejection rights for commercial electronic messages; legal commentary on the system explains that it enables recipients to manage whether they receive commercial electronic messages, including calls, SMS, and emails.

Franchise networks should define who is the “service provider” for marketing messages, who stores permissions, who sends messages, and who handles opt-outs. A franchisor should not assume that a customer who consented to messages from one franchisee also consented to all brand affiliates, all dealers, or unrelated group companies. Similarly, a franchisee should not use the franchisor’s central CRM for local campaigns unless the permission scope covers that use.

Marketing permissions should be auditable. The network should be able to prove when the permission was obtained, through which channel, for which brand or branch, and whether it has been withdrawn.

Cookies, Mobile Apps, and Digital Campaigns

Many franchise and dealer networks use websites, mobile applications, online ordering systems, booking tools, dealer locators, customer portals, advertising pixels, analytics tools, and retargeting campaigns. These technologies may process personal data through cookies, device identifiers, IP addresses, advertising IDs, location data, browsing behavior, and purchase behavior.

The Turkish Authority’s cookie materials distinguish cookies used for website operation from advertising, functional, and other cookies; strictly necessary cookies are used to enable information society services explicitly requested by the user. Advertising and marketing cookies used for retargeting or behavioral advertising require careful consent and privacy notice analysis.

In franchise systems, the brand owner often operates the main website or app, while franchisees may have local pages, ordering portals, or delivery integrations. The network should map all digital tracking tools. If a local franchisee installs its own advertising pixel on a brand-approved microsite, the franchisor may still face brand-level risk if users are not properly informed.

Mobile applications should also separate necessary permissions from optional permissions. Location access for finding the nearest dealer may be optional. Location-based advertising usually requires a separate assessment. Push notification permissions for service alerts should be distinguished from promotional campaign messages.

Dealer Networks, Warranty, and After-Sales Services

Dealer networks often process customer data for product sales, installation, warranty registration, maintenance, repair, recall, replacement, and after-sales support. This is common in automotive, electronics, furniture, appliances, machinery, construction materials, medical devices, and industrial equipment sectors.

A manufacturer or distributor may need customer data for warranty, safety recall, product improvement, or legal compliance. However, the scope should be limited. For warranty registration, the central system may need customer contact details, product serial number, purchase date, dealer identity, and service history. It may not need unrelated purchase preferences, family information, or broad financial data.

Authorized service centers should provide clear privacy notices when collecting service data. If service records are uploaded to the manufacturer’s central platform, customers should be informed. If the manufacturer uses service records for marketing or product profiling, that purpose should be separately assessed.

Employee and Representative Data in Dealer Networks

Franchise and dealer networks also process data about employees, managers, authorized representatives, technicians, sales personnel, trainers, and branch owners. The franchisor may organize training programs, issue system credentials, monitor service quality, audit stores, evaluate sales performance, and record disciplinary or compliance incidents.

Employees of a franchisee are not automatically employees of the franchisor. If the franchisor processes their personal data, it should have a legal basis and a privacy notice. For example, a franchisor may process franchisee employee names and training records to ensure brand standards. It may process system access logs to protect the CRM. It may process audit results to enforce franchise standards.

However, employee monitoring, performance tracking, CCTV access, and disciplinary reporting must be proportionate. The franchisor should not access detailed employee files of a franchisee unless necessary and legally justified.

Data Security in Franchise and Dealer Networks

KVKK Article 12 requires data controllers to take all necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access, and ensure protection of personal data. Where processing is carried out by another person on behalf of the controller, the controller is jointly responsible with that person for such measures.

In franchise networks, data security must be standardized across the network. A central brand CRM may be secure, but a weak local branch may still expose customer data. Risks include shared passwords, local exports, unsecured spreadsheets, personal phones, unauthorized WhatsApp groups, old customer lists, unencrypted laptops, former employee access, weak Wi-Fi, and uncontrolled printing.

Practical measures include:

Role-based access to central systems.
Unique user accounts for each branch employee.
Multi-factor authentication for CRM and admin panels.
Access logs and periodic access reviews.
Immediate access revocation after employee departure.
Data export restrictions.
Secure password policies.
Franchisee staff training.
Incident reporting procedures.
Central security audits.
Contractual data security standards.

Dealer networks should also secure service platforms, warranty databases, customer complaint systems, and after-sales portals. Local dealers should not be allowed to download national customer data without need.

Data Breach Notification in Franchise Systems

Data breaches in franchise and dealer networks may arise from local outlets, central systems, call centers, marketing agencies, CRM vendors, cloud providers, or third-party service providers. A breach may involve leaked customer lists, stolen loyalty databases, compromised dealer accounts, exposed service records, ransomware, phishing, or unauthorized employee access.

Under KVKK Article 12, if processed personal data is obtained by others unlawfully, the controller must notify the data subject and the Personal Data Protection Board within the shortest time.

Franchise agreements should require immediate breach notification between parties. If a franchisee discovers that customer data from a central loyalty program has been leaked, it must notify the franchisor immediately. If the franchisor discovers a central CRM breach affecting local franchisees’ customers, it should inform affected franchisees and coordinate regulatory response.

The network should have a breach response plan defining who investigates, who contacts vendors, who notifies the Authority, who informs customers, who preserves evidence, and who implements remediation.

Retention and Deletion in Franchise and Dealer Networks

KVKK requires personal data to be erased, destroyed, or anonymized when the reasons requiring processing no longer exist. The By-Law on Erasure, Destruction or Anonymization sets the procedures for erasure, destruction, and anonymization of personal data.

Franchise networks should define retention periods for customer accounts, loyalty records, invoices, marketing permissions, complaint files, service records, CCTV footage, call recordings, dealer reports, employee training records, franchise audit reports, and terminated franchisee data.

A key issue arises when a franchise agreement ends. The former franchisee should not continue using customer data obtained through the brand network unless it has its own lawful basis. The franchisor should revoke system access, require return or deletion of brand-controlled data, preserve necessary legal records, and prevent unauthorized post-termination marketing.

Similarly, when a dealer relationship ends, the dealer should not retain central warranty, campaign, or customer data beyond lawful purposes. The contract should regulate what happens to data after termination.

Cross-Border Transfers in International Franchise Networks

Many franchise systems are international. A global franchisor may operate a central CRM, loyalty platform, booking engine, reporting system, training platform, marketing database, or cloud infrastructure outside Turkey. Turkish franchisees may upload customer data into foreign systems. International distributors may send dealer data to headquarters. Global call centers or analytics teams may access Turkish customer data.

KVKK Article 9 was amended in 2024 and now provides a structured framework for transfers abroad. Transfers may be based on adequacy decisions or, where no adequacy decision exists, appropriate safeguards such as standard contracts, binding corporate rules, or written commitments approved by the Board. Standard contracts must be notified to the Authority within five business days after signature.

Franchise networks should therefore map all international data flows. The network should identify whether customer data, dealer data, employee data, loyalty data, complaint data, or marketing data is transferred to foreign headquarters, foreign cloud vendors, international CRM providers, global marketing agencies, or analytics platforms. The correct standard contract module should be selected according to the roles of the parties.

VERBIS and Data Inventory

Under KVKK Article 16, natural or legal persons processing personal data must register with the Data Controllers’ Registry before starting processing unless an exemption applies. The By-Law on the Data Controllers Registry states that controllers must fulfill registration obligations before processing and that controllers who later become subject to registration must register within thirty days after becoming obliged.

Franchisors, franchisees, dealers, distributors, and authorized service providers should each assess whether they have VERBIS obligations. One party’s registration does not automatically cover all other independent legal entities. A franchisee that acts as a data controller for local customer and employee data may need its own assessment. A distributor with a large dealer CRM may also need to register if no exemption applies.

Even where registration is not required, data inventory remains essential. A network-level inventory should identify customer data, dealer data, employee data, marketing data, loyalty data, service data, complaint data, CCTV data, cookies, vendors, transfer recipients, foreign transfers, and retention periods.

Competition Law and Data Sharing in Vertical Networks

Franchise and dealer networks are also vertical commercial structures. Turkish Competition Authority materials describe vertical agreements as agreements between undertakings operating at different levels of the production or distribution chain, and the Block Exemption Communiqué on Vertical Agreements determines conditions for exempting certain vertical agreements from the prohibition under Article 4 of Law No. 4054.

While competition law and data protection law are separate regimes, data sharing in dealer networks may raise both privacy and competition questions. For example, central sales reporting, customer allocation, pricing analytics, and dealer performance monitoring should be reviewed not only for KVKK compliance but also for competition law sensitivity. Customer data sharing should be limited to legitimate operational purposes and should not become a tool for unlawful coordination, resale price maintenance, or market partitioning.

This is especially important in networks where dealers are independent undertakings. Data governance should therefore be designed together with distribution law, competition law, and KVKK compliance.

Practical KVKK Compliance Checklist for Franchise and Dealer Networks

A franchise or dealer network operating in Turkey should:

  1. Map all customer, franchisee, dealer, employee, representative, vendor, and digital data flows.
  2. Identify controller and processor roles for each processing activity.
  3. Prepare separate privacy notices for customers, franchisees, dealers, employees, and website users.
  4. Define legal bases for sales, service, warranty, loyalty, complaint, and marketing data.
  5. Regulate data sharing in franchise and dealer agreements.
  6. Limit central data collection to necessary purposes.
  7. Use anonymized or aggregated reports where possible.
  8. Manage marketing permissions separately from service data.
  9. Keep İYS and opt-out records aligned where applicable.
  10. Control CRM access by branch, region, and role.
  11. Prohibit unauthorized local exports and customer list downloads.
  12. Establish data subject request coordination procedures.
  13. Define retention periods and deletion procedures.
  14. Regulate post-termination use of customer data.
  15. Sign data processing agreements with vendors and service providers.
  16. Map cross-border transfers to foreign headquarters and cloud systems.
  17. Apply Article 9 transfer mechanisms where required.
  18. Assess VERBIS obligations separately for each legal entity.
  19. Implement franchisee and dealer training.
  20. Audit network compliance periodically.

Common Mistakes in Franchise and Dealer Data Protection

One common mistake is assuming that all customer data belongs to the franchisor. Another is assuming that all data collected at a local branch belongs only to the franchisee. In reality, the answer depends on the purpose, system, contract, and actual control over processing.

A second mistake is using a single privacy notice for all network activities. Customers should understand whether their data is processed by the local franchisee, the franchisor, or both.

A third mistake is sharing customer data with all branches or dealers without need. A franchisee should not access customers of other franchisees unless necessary for a specific service.

A fourth mistake is sending promotional messages from the central CRM without valid marketing permission. A fifth is failing to delete customer data after a franchise or dealer relationship ends. A sixth is using global CRM or loyalty platforms without cross-border transfer analysis.

Another frequent mistake is weak local security. A franchisor may invest in a secure central system, but if franchisee employees share passwords, export Excel lists, or use personal devices, the network remains exposed.

Conclusion

Data protection obligations in Turkish franchise and dealer networks require a structured, contract-based, and operational KVKK compliance program. These networks process personal data across multiple legal entities, systems, branches, dealers, service centers, vendors, and sometimes foreign headquarters. Customer data may be collected locally, stored centrally, used for loyalty programs, shared for warranty services, analyzed for brand performance, and processed for national or local marketing campaigns.

The most important compliance issues are controller-processor role allocation, privacy notices, lawful basis mapping, customer data sharing, central CRM governance, loyalty program rules, marketing permission management, franchise and dealer agreement clauses, data security, data breach coordination, retention and deletion, VERBIS assessment, and cross-border transfer compliance.

KVKK imposes clear obligations on data controllers and processors regarding lawful processing, transparency, security, data subject rights, retention, transfer, and registry duties. International franchise systems must pay particular attention to Article 9 transfer rules, standard contracts, and five-business-day notification requirements for standard contracts.

For franchisors, KVKK compliance protects brand reputation and reduces network-wide risk. For franchisees and dealers, compliance protects local customer relationships and prevents liability. For customers, proper data governance creates trust. In a Turkish franchise or dealer network, personal data should not be treated as a freely transferable commercial asset. It should be treated as regulated information that must be processed only for lawful, transparent, limited, secure, and documented purposes.
