
GDPR Compliance for Restaurants: Protecting Customer Data

You collect your customers' email addresses for your newsletter, you record phone numbers for bookings, you keep a purchase history for gift cards — and yet, you've never checked whether your restaurant complies with data protection regulations? You're not alone. The vast majority of independent restaurateurs handle personal data on a daily basis without fully understanding the legal implications. Since the GDPR (General Data Protection Regulation) came into force in 2018, obligations have tightened considerably, and data protection authorities actively monitor all sectors — including hospitality. This isn't just a concern for large chains: a neighbourhood restaurant with a simple Excel spreadsheet of customers is already covered. Here's everything you need to know to bring your establishment into compliance, without unnecessary jargon and with practical steps you can take straight away.

GDPR for restaurants: why you're affected as a restaurateur

Many restaurateurs assume that data protection regulations only apply to tech giants or large corporations. That's simply not true. As soon as you collect, store, or use information that can identify an individual, you're subject to the GDPR.

What personal data are you collecting without necessarily realising it?

Let's look at the common scenarios in an independent restaurant:

  • Bookings: name, surname, phone number, email address, party size, sometimes allergy information (health data, which is considered sensitive)
  • Loyalty cards: customer identity, visit history, dietary preferences
  • Online orders: delivery address, bank details (via the payment provider), order history
  • Free Wi-Fi: MAC address, browsing data if the captive portal logs activity
  • CCTV: images of customers and staff, timestamps
  • Online reviews: when you respond to a Google review by mentioning specific details of the customer's visit
  • Gift cards: buyer's name, recipient's name, amount, date of use
  • Supplier contact files: names and contact details of your business contacts

Each of these cases constitutes personal data processing under the GDPR. And each processing activity must be documented, justified, and properly managed. If you offer gift cards in your restaurant, you inevitably collect data on both the buyer and the recipient — a processing activity you shouldn't overlook.

Common misconceptions that put restaurateurs at risk

"I don't have a website, so this doesn't apply to me." Wrong. A digital reservation book, an Excel spreadsheet of regular customers, or even a WhatsApp group with your customers is enough.

"My data is on paper, so the GDPR doesn't apply." Partially wrong. The GDPR applies to automated processing, but also to structured paper files (an alphabetical customer directory, for example). Regulators can audit an organised paper file.

"I'm too small to be audited." Data protection authorities have made it clear that they carry out checks on businesses of all sizes. Complaints from customers or former employees can trigger an audit, regardless of the size of your establishment.

Understanding GDPR for restaurants: the core principles

The General Data Protection Regulation is built on clear principles that every restaurateur should know. You don't need to be a lawyer: these principles are common sense once explained.

The 6 GDPR principles applied to the restaurant industry

1. Lawfulness, fairness, and transparency. You must have a legal reason to collect data, and the customer must be aware of it. When a customer gives you their email for a booking, that doesn't automatically authorise you to send them promotions every week.

2. Purpose limitation. Data collected for a booking should only be used to manage that booking, unless the customer has explicitly consented to another use (newsletter, loyalty programme, etc.).

3. Data minimisation. Only collect what you genuinely need. For a booking, you don't need the customer's date of birth or home address.

4. Accuracy. Data must be kept up to date. A customer file that's never been cleaned, containing outdated email addresses, is a compliance issue.

5. Storage limitation. You cannot keep data indefinitely. Each type of data has a maximum retention period (more on this later).

6. Integrity and confidentiality. Data must be protected against unauthorised access. A customer spreadsheet on a shared computer with no password is a security gap.

The GDPR requires a legal basis for each processing activity. In the restaurant industry, the most common ones are:

  • Performance of a contract: managing a booking, processing an online order, honouring a gift card. The customer provides their data so you can deliver a service.
  • Consent: sending a newsletter, enrolling a customer in a loyalty programme, using tracking cookies on your website. Consent must be freely given, specific, informed, and unambiguous — no pre-ticked boxes.
  • Legitimate interest: CCTV for the security of your premises, for example. But this interest must be balanced against the rights of the individuals being filmed.
  • Legal obligation: retention of certain accounting and tax data as required by law.

The processing register: your essential reference document

The record of processing activities is the cornerstone of your GDPR compliance. It's a document that lists all the personal data processing activities you carry out. Regulators can request it at any time during an audit.

What your register must include

For each processing activity, you must document:

  • The purpose: why are you collecting this data? (e.g. managing bookings)
  • The categories of data: what data exactly? (e.g. name, phone number, email, party size)
  • The categories of data subjects: customers, employees, suppliers
  • The recipients: who has access to the data? (e.g. the front-of-house manager, the booking software)
  • Transfers outside the UK/EU: does your booking software store data in the United States?
  • Retention periods: how long do you keep the data?
  • Security measures: passwords, encryption, restricted access

A practical register example for a restaurant

Here's what a line in your register might look like:

  • Processing activity: Booking management
  • Purpose: Record and confirm customer bookings
  • Data collected: Name, surname, phone number, email, booking date and time, party size, any allergies
  • Legal basis: Performance of a contract (restaurant service)
  • Retention period: 1 year after the customer's last visit
  • Recipients: Front-of-house manager, booking software [software name]
  • Security measures: Access via username and password, hosting in the UK/EU

Your national data protection authority (such as the ICO in the UK or equivalent body) provides simplified register templates on its website, tailored to small businesses. Use one as your starting point.

Restaurant customer data and GDPR: retention periods you must follow

One of the most common mistakes in the restaurant industry: keeping data "just in case" for years. The GDPR requires retention periods proportionate to the purpose of the processing.

  • Booking data: up to 1 year after the last interaction with the customer. Beyond that, delete or anonymise it.
  • Loyalty data: 3 years from the last active contact (purchase, account login). This is the standard period generally accepted by regulators for marketing purposes.
  • Online order data: transaction data may be kept for accounting purposes for up to 6–10 years (legal obligation, depending on your jurisdiction). However, browsing data and customer account data follow the 3-year inactivity rule.
  • CCTV footage: 30 days maximum, unless an incident requires extended retention (theft, assault). This is a strict rule in most jurisdictions.
  • Job application data (CVs received): 2 years maximum after the last contact with the candidate, with their agreement.
  • Cookies and trackers: consent must be renewed every 13 months according to most European data protection guidelines.

How to implement a data purge policy

In practical terms, here are the steps to follow:

  1. List all your files containing personal data (software, spreadsheets, notebooks)
  2. Assign a retention period to each type of data
  3. Set quarterly reminders to clean your databases
  4. Delete or anonymise data that has exceeded its retention period
  5. Document each purge (date, volume deleted, person responsible)

If you use booking or management software, check whether it offers automatic deletion or compliant archiving features.
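As an added illustration of steps 2 to 5 above (this is example code, not the article's or ALaCarte's own tooling), the routine below applies the article's retention periods to a constructed set of records, anonymises or deletes what has expired, leaves records under a legal hold untouched, and produces the purge log entry the article asks for. The record layout, the names and the purge date are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, replace
from datetime import date

# Retention periods taken from the article; each entry is
# (maximum age in days after the last interaction, action once exceeded).
RETENTION_POLICY = {
    "booking":     (365,     "anonymise"),  # 1 year after the last visit
    "loyalty":     (3 * 365, "delete"),     # 3 years of inactivity
    "cctv":        (30,      "delete"),     # 30 days unless an incident is flagged
    "application": (2 * 365, "delete"),     # CVs: 2 years after the last contact
}


@dataclass(frozen=True)
class Record:
    kind: str             # key into RETENTION_POLICY
    subject: str          # customer name, candidate name, or a CCTV clip id
    last_activity: date   # last booking, login, contact, or recording date
    legal_hold: bool = False   # incident under investigation or accounting duty
    anonymised: bool = False


def apply_retention(records, today, operator):
    """Apply RETENTION_POLICY to `records` as of `today`.

    Returns (surviving_records, purge_log). The log holds only what the
    article asks for (date, volumes, person responsible), never the names
    of the people whose data was removed.
    """
    survivors, counts = [], Counter()
    for rec in records:
        max_days, action = RETENTION_POLICY[rec.kind]
        expired = (today - rec.last_activity).days > max_days
        if not expired or rec.legal_hold or rec.anonymised:
            survivors.append(rec)  # within its period, already anonymised, or held
            continue
        if action == "anonymise":
            # Keep the statistical value (date, kind) but strip the identity.
            survivors.append(replace(rec, subject="<anonymised>", anonymised=True))
        counts[f"{rec.kind}:{action}"] += 1
    purge_log = {"date": today.isoformat(), "operator": operator,
                 "actions": dict(counts)}
    return survivors, purge_log


# Constructed sample data for a purge run on an assumed date.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Record("booking", "A. Dupont", date(2023, 3, 15)),        # over 1 year: anonymise
    Record("booking", "B. Martin", date(2024, 5, 20)),        # recent: keep
    Record("loyalty", "C. Leroy", date(2021, 1, 10)),         # over 3 years: delete
    Record("cctv", "cam1-2024-04-20", date(2024, 4, 20)),     # over 30 days: delete
    Record("cctv", "cam2-2024-04-25", date(2024, 4, 25), legal_hold=True),  # incident
    Record("application", "D. Bernard", date(2023, 9, 1)),    # under 2 years: keep
]


def run_sample():
    return apply_retention(SAMPLE, TODAY, operator="manager")


if __name__ == "__main__":
    kept, log = run_sample()
    print(len(kept), "records kept;", log)
```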

Your customers' rights: how to handle them in practice

The GDPR grants individuals rights over their data. Your customers can exercise these at any time, and you are required to respond within one month.

The rights your customers can exercise

  • Right of access: "What data do you hold on me?" You must provide a copy of all data held on that person.
  • Right to rectification: "My phone number has changed, please update it."
  • Right to erasure (right to be forgotten): "Delete all my data." You must comply, unless a legal obligation requires retention (accounting data, for example).
  • Right to object: "I no longer want to receive your promotional emails." Withdrawing consent must be as easy as giving it.
  • Right to data portability: "Transfer my data to another provider in a readable format."
  • Right to restriction of processing: "Don't delete my data, but stop using it until the dispute is resolved."

How to handle a request in practice

Imagine a former customer sends you an email: "I would like to know what personal data you hold about me and I request its deletion."

Here's what to do:

  1. Verify the requester's identity — ask for proof of identity if you have reasonable doubt, but don't be excessive
  2. Gather all the data — booking software, loyalty file, newsletter, CCTV if applicable
  3. Respond within one month — provide the requested data and confirm the deletion
  4. Document the request — keep a record of the request and your response (as proof of compliance)
  5. Inform your processors — if a third-party software stores the customer's data, ask them to delete it too

When you manage online reviews from your customers, be careful not to include personally identifiable information (exact visit date, order details) in your responses without the person's consent.

Informing your customers: transparency is mandatory

The GDPR requires you to clearly inform individuals about the collection of their data, at the time it takes place. This isn't a mere formality: it's a fundamental right.

Mandatory information notices

Every time you collect data, you must communicate:

  • The identity and contact details of the data controller (you or your company)
  • The purpose of the processing and its legal basis
  • The recipients of the data
  • The retention period
  • The individual's rights (access, rectification, erasure, etc.)
  • The right to lodge a complaint with the relevant data protection authority
  • Whether providing the data is mandatory or optional

How to inform your customers depending on the channel

On your website: a "Privacy Policy" page accessible from every page. If you have a booking or contact form, add a notice beneath the form with a link to this policy.

In-house (phone bookings): a notice displayed in the establishment (at reception or near the till) informing customers about data collection. The notice can be concise and refer to your full policy available online or on request.

For Wi-Fi: the captive portal (the Wi-Fi login page) must display an information notice before the customer connects.

For CCTV: a sign at the entrance indicating the presence of cameras, the purpose (security), the retention period (30 days maximum), and the contact details of the person responsible for handling data rights requests. This is a separate legal requirement in most jurisdictions.

For newsletters and promotional emails: an unsubscribe link in every email, and proof that consent was properly obtained (opt-in).

CCTV in your restaurant: a special case

CCTV is a sensitive topic that falls under multiple regulations. In restaurants, it's commonly used to prevent theft and secure the till area.

Specific rules to follow

  • Regulatory authorisation: if your cameras cover areas accessible to the public (dining room, terrace, entrance), you may need to register with or obtain authorisation from the relevant local authority, depending on your jurisdiction
  • Data protection registration: if your cameras cover private areas (storage, kitchen not accessible to the public), recording the processing in your register is sufficient (no prior declaration needed under the GDPR, but the register is mandatory)
  • Retention period: 30 days maximum
  • Informing individuals: visible signage at the entrance
  • No employee surveillance: cameras must not continuously film a workstation unless there is a specific justification (cash handling at the till, for example). Film the till, not the cashier.
  • No cameras in break areas: changing rooms, toilets, and rest areas are strictly off-limits

Common CCTV mistakes in restaurants

  • Cameras installed by the technician "because there was spare capacity on the recorder", without any assessment of necessity
  • Footage kept for months "just in case"
  • No information sign at the entrance
  • All employees having unrestricted access to footage via a mobile app

Securing your data: practical measures for your restaurant

Data security isn't just a concern for large corporations. As a restaurateur, you must implement measures appropriate to your size and resources.

Essential baseline measures

For your digital tools:

  • Strong passwords (at least 12 characters, mixing letters, numbers, and special characters) on all your software
  • Different passwords for each service
  • Two-factor authentication enabled wherever available
  • Regular updates for your software and operating systems
  • Up-to-date antivirus on all devices
  • Regular backups of your data on an external drive or in the cloud

For your team:

  • Train every employee who handles customer data (taking bookings, managing the till)
  • Create individual accounts — no shared password like "resto2024"
  • Limit access: the waiter doesn't need access to the accounting file
  • Lock screens when leaving the workstation

For your service providers:

  • Check that your software (booking, POS, online ordering, referral programme) hosts data in the UK or EU
  • Sign a data processing agreement (Article 28 of the GDPR) with each provider that processes data on your behalf
  • Ask them for their own security policy

What to do in the event of a data breach

If you discover a data leak (your booking software is hacked, a laptop containing customer files is stolen, a file is sent to the wrong recipient), you have specific obligations:

  • Notify the relevant data protection authority within 72 hours if the breach poses a risk to individuals' rights. In the UK, this is done via the ICO website; in the EU, via your national authority's portal.
  • Inform the affected individuals if the risk is high (compromised bank or health data, for example).
  • Document the incident internally: nature of the breach, data affected, measures taken.

Don't underestimate this. A stolen laptop with an unencrypted Excel file of 500 customers is a data breach under the GDPR.

Penalties: what you actually risk

Data protection authorities have a range of graduated sanctions. For an independent restaurateur, the theoretical maximum fines under the GDPR (up to €20 million/£17.5 million or 4% of turnover) are unrealistic, but significant penalties do exist.

The scale of sanctions

  1. Warning: the authority orders you to comply within a given timeframe. This is the most common outcome for small businesses at a first offence.
  2. Public enforcement notice: your name is published on the regulator's website. For a local restaurant, the reputational damage can be devastating.
  3. Administrative fines: proportionate to your business size and the severity of the breach. Fines of several thousand pounds/euros have already been issued against small businesses.
  4. Order to cease processing: the authority can ban you from using your customer file. Imagine no longer being able to send newsletters or manage your bookings digitally.

What triggers an audit

  • A customer complaint: a dissatisfied customer reports to the regulator that they can't unsubscribe from your newsletter
  • An employee or former employee complaint: a dispute over CCTV or access to their personnel file
  • A sector-wide audit: regulators regularly target specific sectors in their annual programme
  • A tip-off: a competitor, a health inspector who spots an irregularity

Action plan: bring your restaurant into GDPR compliance in 7 steps

There's no need to appoint a DPO (Data Protection Officer) when you're an independent restaurant — it's not mandatory for businesses that don't process data on a large scale. However, you must be able to demonstrate your compliance. Here's a practical action plan.

Step 1: Map your data processing activities

Take an hour to list every place where you collect or store personal data. Don't miss anything: the reservation book, the POS system, the Excel spreadsheet, the WhatsApp group, the cameras, the Wi-Fi.

Step 2: Create your processing register

Use a free template from your data protection authority. Complete one entry for each processing activity identified in Step 1. This register must be updated whenever a new processing activity is created.

Step 3: Identify the legal basis for each processing activity

For each processing activity, identify the legal basis: contract, consent, legitimate interest, or legal obligation. If you're sending newsletters without having obtained explicit consent, correct this immediately.

Step 4: Draft your information notices

Write a privacy policy for your website and a notice for your premises. Free templates are available from your national data protection authority's website.

Step 5: Implement retention periods

Set a retention period for each type of data. Schedule reminders to purge your databases regularly. If you also manage recurring corporate events, the data of professional contacts follows the same retention rules.

Step 6: Secure your data

Apply the security measures listed above. Change default passwords, enable two-factor authentication, and review contracts with your service providers.

Step 7: Train your team

Brief your staff on the essential rules: don't share passwords, don't leave a screen unlocked, know how to redirect a data access request to you. Five minutes during a team meeting is enough to cover the basics.

Tools and resources to help you

You don't have to do everything on your own. Several free resources are available:

  • Your national data protection authority's website: guides, register templates, practical fact sheets by sector (e.g. the ICO in the UK, CNIL in France)
  • Free online training courses: many data protection authorities offer free GDPR e-learning modules — typically a few hours, with a certificate of completion
  • Chambers of Commerce: some offer GDPR workshops for small businesses and retailers
  • Industry associations (such as UKHospitality, the National Restaurant Association, or equivalent bodies in your country): often provide sector-specific guides and legal support for their members
  • GDPR-compliant SaaS solutions: when choosing your digital tools (booking, digital menu, gift cards), check that the provider is GDPR-compliant and hosts data in Europe. ALaCarte.direct, for example, was built with GDPR compliance by design for restaurateurs.

The most common mistakes among restaurateurs

To wrap up this overview, here are the shortcomings most frequently identified by data protection authorities in restaurant businesses:

  • No processing register whatsoever — this is the most widespread failing
  • Newsletters sent without opt-in consent — buying or harvesting email addresses without explicit agreement
  • Undeclared CCTV — cameras with no information sign or regulatory authorisation
  • No procedure for data rights requests — a customer asks for their data to be deleted and nobody knows how
  • Data kept indefinitely — customer files ten years old with no purge ever carried out
  • Unmanaged processors — no contract with the booking software provider or the accessibility management solution
  • Weak or shared passwords — the restaurant's Wi-Fi code used as the password for everything

Take action today

GDPR compliance isn't a mammoth project for an independent restaurant. It's a set of straightforward best practices that protect both your customers and your business. The risk isn't just financial — your local reputation is also on the line.

Start with the most urgent task: create your processing register this week. It's free, templates are available to download from your data protection authority's website, and it will take you less than two hours. Then, tackle your information notices and secure your tools.

Don't wait for an audit or a complaint before taking action. A restaurateur who can present an up-to-date register and explain their data policy inspires trust — with their customers, their team, and with the regulator if they ever come knocking.

Protecting your customers' data is a natural extension of the hospitality you offer them every day in your dining room. Treat their data with the same care as their plates.

Sophie - ALaCarte editorial team

FoodTech & Restaurant Innovation

The ALaCarte.Direct editorial team, specialists in restaurant digitalisation and FoodTech innovation.