GDPR for Restaurants: Booking Data, Allergy Information, and Email Marketing

Tags: gdpr, privacy, food, compliance
Author: Custodia-Admin

Running a restaurant means handling personal data at every touchpoint — from the moment a guest makes a reservation to the loyalty programme they sign up to, the CCTV footage captured in your dining room, and the marketing emails you send after their visit. GDPR applies to all of it, and the hospitality sector faces some unique compliance challenges that generic guides miss.

This post covers the personal data issues restaurants actually face: online booking platforms, allergy and dietary information, CCTV, loyalty programmes, delivery platform relationships, staff records, private dining events, customer complaints, and your website and marketing tools. By the end, you will know where your compliance gaps are likely to be and how to address them.


Online Reservation Platforms: OpenTable, Resy, and SevenRooms

Most restaurants do not take bookings directly — they rely on platforms like OpenTable, Resy, SevenRooms, or Collins. Under GDPR, these platforms are data processors acting on your behalf. The restaurant remains the data controller responsible for how guest data is used.

This matters because:

  • You need a Data Processing Agreement (DPA) with each booking platform. Most publish these in their terms — check you have accepted them.
  • You must tell guests in your privacy policy that their booking data is handled by a named third-party processor.
  • Guest data collected via the platform — names, email addresses, phone numbers, dietary notes, visit history — falls under your privacy obligations, not just the platform's.
  • If a guest submits a Data Subject Access Request (DSAR), you are responsible for responding, which may mean requesting their data from the platform.

Review your booking platform's data retention settings. Many platforms allow you to configure how long guest profiles and dining notes are retained. Set these in line with your own retention policy.


Allergy and Dietary Information: Special Category Data

This is one of the most significant GDPR risks for restaurants. When a guest informs you that they have a nut allergy, coeliac disease, or diabetes, that information constitutes health data — a special category of personal data under GDPR Article 9 that carries stricter handling requirements.

You generally need explicit consent or another Article 9 basis to process health data. For allergy information, the most appropriate basis is usually that processing is necessary for the performance of a contract (Article 6(1)(b)) combined with the vital interests condition (Article 9(2)(c)) — the processing is necessary to protect the guest's life or health.

In practice, this means:

  • Collect allergy information only when it is genuinely necessary to keep the guest safe
  • Do not store allergy notes longer than needed — ideally delete them shortly after the visit unless there is a clear reason to retain them
  • Restrict access to allergy data to kitchen and front-of-house staff who need it to serve the guest safely
  • Do not use allergy data for marketing purposes — it was collected for safety, not profiling
  • If allergy information is recorded in your booking platform or CRM, ensure those systems have appropriate access controls

The key principle is data minimisation: collect only what you need, use it only for the purpose it was collected, and delete it promptly.


CCTV in Restaurant Areas

CCTV is common in restaurant entrances, cash-handling areas, and sometimes dining rooms. Under GDPR, operating CCTV means you are processing personal data of everyone captured on footage.

Your obligations include:

  • Signage: Clearly visible signs must inform people that CCTV is in operation, identify who operates it, and direct them to your privacy notice
  • Legal basis: Legitimate interest is the most common basis for restaurant CCTV (security and fraud prevention), but you must conduct a Legitimate Interests Assessment (LIA) and document it
  • Retention: Most ICO guidance suggests CCTV footage should be retained for no more than 31 days unless it is needed for an ongoing investigation
  • Access: Restrict access to footage to management; do not share footage with third parties (including the police) without a lawful basis
  • DSARs: Individuals can request access to footage in which they appear — you must respond within one month

Be aware that CCTV in areas where staff have a reasonable expectation of privacy (break rooms, changing areas) raises additional issues and should generally be avoided.


Loyalty and Rewards Programme Data

Loyalty programmes generate rich personal data profiles: visit frequency, spend, dietary preferences, special occasions, and contact details. This is marketing-valuable data, but it comes with compliance obligations.

Key requirements:

  • Explicit consent is required before signing guests up to a loyalty programme — you cannot enrol them automatically
  • Your sign-up process must clearly explain what data you collect, how you will use it, and how to opt out
  • Consent must be specific — consent to earn loyalty points is not the same as consent to receive marketing emails
  • Guests must be able to easily withdraw from the programme and have their data deleted
  • If you use a third-party loyalty platform (like Yotpo, Loyalty Lion, or a branded app), ensure you have a DPA with that provider
  • Retention: decide how long you will keep inactive loyalty accounts and communicate this clearly

Email and SMS Marketing to Past Diners

Sending promotional emails or SMS messages to past customers is one of the most common GDPR (and PECR) compliance failures in hospitality.

Under PECR (the UK's Privacy and Electronic Communications Regulations), you may send marketing emails to past customers under the soft opt-in rule — but only if:

  1. You collected their email address in the context of a sale or negotiation for a similar product or service
  2. You gave them a clear opportunity to opt out at the time of collection
  3. Every subsequent message gives them an easy way to unsubscribe

This means that emailing a past diner about upcoming events or special offers can be lawful under soft opt-in — but you must have genuinely offered them the chance to opt out when you collected their address (on a booking form, for example), and you must honour unsubscribes promptly.

If you are sending SMS marketing, the rules are stricter — you generally need explicit prior consent.

For email marketing:

  • Maintain a clean suppression list of opt-outs
  • Do not purchase or rent email lists of potential customers
  • Include your business name and a working unsubscribe link in every email
  • Do not send marketing to people who have unsubscribed, even if their contact details appear in a new booking
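The pre-send check these rules imply can be written down and run against a send list, which is how the soft opt-in conditions, the stricter SMS rule, and the suppression list stop being tribal knowledge. The following is an added example, not Custodia's code or any CRM's API: the contact record fields (`source`, `optOutOfferedAtCollection`, `consent`) and the sample contacts are constructed assumptions about how a restaurant might store this data.

```javascript
// Added example (not Custodia's code): a pre-send eligibility check applying the
// PECR rules above. Record fields and sample data are constructed assumptions.

function normaliseEmail(address) {
  return String(address || "").trim().toLowerCase();
}

// Suppression list: every address that has ever unsubscribed, in normalised form.
// An address stays suppressed even if it arrives again on a new booking.
function buildSuppressionList(unsubscribedAddresses) {
  return new Set(unsubscribedAddresses.map(normaliseEmail));
}

// Returns { allowed, reason } for one contact and one channel ("email" or "sms").
function marketingEligibility(contact, channel, suppression) {
  if (suppression.has(normaliseEmail(contact.email))) {
    return { allowed: false, reason: "unsubscribed: address is on the suppression list" };
  }
  // Purchased or rented lists are never usable, whatever the seller claims.
  if (contact.source === "purchased-list") {
    return { allowed: false, reason: "purchased or rented lists cannot be used" };
  }
  // Delivery-platform customers consented to the platform's terms, not yours.
  if (contact.source === "delivery-platform") {
    return { allowed: false, reason: "delivery platform customers cannot be marketed to directly" };
  }
  const consent = contact.consent || {};
  if (channel === "sms") {
    // SMS needs explicit prior consent; soft opt-in does not apply.
    return consent.sms === true
      ? { allowed: true, reason: "explicit SMS consent recorded" }
      : { allowed: false, reason: "no explicit SMS consent" };
  }
  if (channel === "email") {
    if (consent.email === true) {
      return { allowed: true, reason: "explicit email consent recorded" };
    }
    // Soft opt-in: address collected during a booking or order, with an opt-out offered at the time.
    const collectedInSale = contact.source === "booking" || contact.source === "order";
    if (collectedInSale && contact.optOutOfferedAtCollection === true) {
      return { allowed: true, reason: "soft opt-in: collected during a booking with opt-out offered" };
    }
    return { allowed: false, reason: "no explicit consent and soft opt-in conditions not met" };
  }
  return { allowed: false, reason: `unknown channel: ${channel}` };
}

// Filters a campaign list down to the contacts that may lawfully receive it.
function buildSendList(contacts, channel, suppression) {
  return contacts.filter((c) => marketingEligibility(c, channel, suppression).allowed);
}

// Constructed sample data: one guest who unsubscribed and later booked again,
// one soft opt-in only, one never offered an opt-out, one from a bought list,
// and one with explicit consent for both channels.
const SAMPLE_SUPPRESSION = buildSuppressionList(["Old.Guest@Example.com"]);
const SAMPLE_CONTACTS = [
  { email: "old.guest@example.com", source: "booking", optOutOfferedAtCollection: true, consent: {} },
  { email: "diner@example.com", source: "booking", optOutOfferedAtCollection: true, consent: {} },
  { email: "nooptout@example.com", source: "booking", optOutOfferedAtCollection: false, consent: {} },
  { email: "bought@example.com", source: "purchased-list", optOutOfferedAtCollection: true, consent: {} },
  { email: "texter@example.com", source: "booking", optOutOfferedAtCollection: true, consent: { sms: true, email: true } },
];
```

Run the check at send time rather than at import time: the suppression lookup is keyed on the normalised address, so a guest who unsubscribed and then re-booked under a differently capitalised address is still excluded.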

Custodia can scan your website to identify what email marketing tools are active, whether your consent capture is correctly configured, and whether your cookie banner is compliant with PECR requirements.


Delivery Platform Data: Deliveroo, Uber Eats, and Just Eat

If you take orders through delivery platforms, the data relationship is different from booking platforms. Deliveroo, Uber Eats, and Just Eat typically act as independent data controllers — they control the customer relationship and share only limited order data with you.

This means:

  • You generally cannot use delivery platform customer data for your own marketing — the customer consented to the platform's terms, not yours
  • You should not retain delivery customer details (names, addresses, phone numbers) beyond what is needed to fulfil the order
  • If a customer contacts you directly, you can collect their data with appropriate notice — but you cannot bulk-import delivery platform customer data into your CRM

Check each platform's partner terms carefully to understand exactly what data they share with you and what restrictions apply to its use.


Staff Employment Records

Restaurants employ a large number of staff, often on flexible or zero-hours contracts. Employment records are personal data, and GDPR applies in full.

Data you process as an employer includes: names and contact details, bank account information for payroll, right-to-work documentation, tax records, sick leave and absence records, disciplinary and grievance records, and in some cases, DBS check results.

Key compliance points:

  • Legal basis: Most employment data processing relies on legal obligation (payroll, right-to-work checks) or the performance of an employment contract
  • Retention: HMRC requires payroll records to be kept for three years after the tax year to which they relate; right-to-work records should be kept for two years after employment ends
  • Access: Restrict access to HR and payroll data — front-of-house managers should not have access to payroll records
  • Staff privacy notice: You are legally required to provide employees with a privacy notice explaining how their data is used — this should be provided at onboarding

If you use a third-party payroll provider or HR software, ensure you have a DPA with that provider.


Event Booking Data for Private Dining

Private dining events — birthday dinners, corporate lunches, wedding breakfasts — generate personal data about the event organiser and often about guests. You may collect names, dietary requirements, contact details, credit card details for deposits, and event-specific preferences.

Apply the same principles as for general bookings:

  • Collect only the data you genuinely need to deliver the event
  • Retain deposit and payment records in line with your financial record-keeping obligations (see below)
  • Delete guest lists and event-specific personal data promptly after the event unless there is a clear reason to retain them
  • If you use an event management platform, ensure you have a DPA with that provider

Special care should be taken with corporate events where the data may relate to employees of a client business — the client company may itself have GDPR obligations regarding how their employees' dietary information is shared with third parties.


Negative Reviews and Customer Complaints

When a customer complains — whether in writing, by phone, or via a review platform — they create personal data. How you handle and retain that data matters.

Under GDPR:

  • Retain complaint records for a reasonable period to defend potential legal claims — typically no more than three years unless litigation is ongoing
  • Restrict access to complaint records to relevant management
  • Do not publish identifying details about complainants without their consent (for example, identifying a reviewer on social media)
  • If someone asks you to delete their complaint record, consider whether you have a legitimate reason to retain it (for example, an ongoing dispute) — you are not obliged to delete a record simply because someone asks, provided you have a lawful basis for retaining it

Regarding online reviews on Google, Tripadvisor, or similar platforms: you are the data controller of your own response to reviews, and you should not include personal details about a reviewer in your public response. The review platforms themselves are independent data controllers for the reviews published on their platforms.


Data Retention for Financial Records

HMRC requires businesses to retain financial records — including records of sales, payments, and VAT — for a minimum of six years. This creates a tension with GDPR's data minimisation and storage limitation principles.

The solution is to retain financial records in their minimal form: you need the transaction amount, date, and reference — but you probably do not need the customer's full dietary profile or marketing preferences attached to a financial record after the visit is complete.

Separate your operational guest data from your financial records, apply appropriate retention periods to each, and delete personal data that is no longer necessary while retaining the financial information you are legally required to keep.
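Separating the financial record from the guest profile and applying a different retention period to each is straightforward once the record is split at the point of storage. The following is an added example, not Custodia's code: it splits one booking into the minimal financial record (amount, date, reference), the guest profile, and the allergy notes from the earlier section, then computes what a scheduled purge job should delete. The six-year financial period is the HMRC requirement stated above; the two-year guest-profile period and the seven-day allergy-note period are assumed placeholders for a restaurant's own policy, and the record fields and sample booking are constructed.

```javascript
// Added example (not Custodia's code): split a booking into separately retained parts
// and plan a purge. Six years for financial records is from HMRC; the other periods
// are assumed placeholders. Fields and sample data are constructed.

const DAY_MS = 24 * 60 * 60 * 1000;

const RETENTION_DAYS = {
  financial: 6 * 365,    // HMRC: sales, payment and VAT records, minimum six years
  guestProfile: 2 * 365, // assumed: contact details, visit history, marketing preferences
  allergyNotes: 7,       // assumed: special category data, deleted shortly after the visit
};

// Split a raw booking into the minimal financial record plus the personal data
// that lives elsewhere under shorter retention. Nothing personal stays on the
// financial record beyond the booking reference.
function splitBooking(booking) {
  const base = { reference: booking.reference, date: booking.visitDate };
  return {
    financial: { ...base, kind: "financial", amount: booking.amount, vat: booking.vat },
    guestProfile: {
      ...base, kind: "guestProfile",
      name: booking.name, email: booking.email, phone: booking.phone,
      marketingPrefs: booking.marketingPrefs,
    },
    allergyNotes: { ...base, kind: "allergyNotes", notes: booking.allergyNotes },
  };
}

// A record has expired when its age exceeds the retention period for its kind.
function isExpired(record, now) {
  const retention = RETENTION_DAYS[record.kind];
  if (retention === undefined) throw new Error(`no retention period defined for ${record.kind}`);
  const ageDays = (now.getTime() - Date.parse(record.date)) / DAY_MS;
  return ageDays > retention;
}

// Partition stored records into those to keep and those the purge job deletes.
function purgePlan(records, now) {
  const plan = { keep: [], delete: [] };
  for (const record of records) {
    (isExpired(record, now) ? plan.delete : plan.keep).push(record);
  }
  return plan;
}

// Constructed sample booking.
const SAMPLE_BOOKING = {
  reference: "BK-0001",
  visitDate: "2024-03-01",
  amount: 84.5,
  vat: 14.08,
  name: "A. Guest",
  email: "a.guest@example.com",
  phone: "07700 900000",
  marketingPrefs: { email: true },
  allergyNotes: "nut allergy",
};

function sampleRecords() {
  const parts = splitBooking(SAMPLE_BOOKING);
  return [parts.financial, parts.guestProfile, parts.allergyNotes];
}
```

The purge is driven entirely by `kind` and `date`, so adding a new category of data means adding one retention entry rather than touching the job; an unknown kind throws instead of being silently kept forever.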


Website Contact Forms and Cookies

Your restaurant website collects personal data through contact forms, reservation widgets, and cookies. GDPR and PECR require you to:

  • Display a cookie consent banner before loading non-essential cookies (analytics, marketing pixels, social media embeds)
  • Provide a privacy policy that accurately describes what your website collects and why
  • Ensure contact form submissions are held securely and deleted when no longer needed
  • If you use Google Analytics, Facebook Pixel, or similar tools, these must only activate after the visitor consents

Many restaurant websites load Google Analytics, Google Maps embeds, Instagram feeds, and reservation platform widgets without any consent mechanism — each of these may involve personal data processing that requires user consent.
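The practical fix is that non-essential scripts must never be written into the page unconditionally; the loader reads the stored consent first and treats a missing or malformed value as no consent. The following is an added example, not Custodia's code or any consent-management product: the cookie name `site_consent`, its `analytics=1,marketing=0` value format, and the service catalogue are assumptions, and the script URLs are placeholders on the reserved `.invalid` domain rather than real tracker endpoints.

```javascript
// Added example (not Custodia's code): gate third-party scripts on a stored consent
// choice. Cookie name, value format and service catalogue are assumptions; the
// script URLs are placeholders on the reserved .invalid domain.

const CONSENT_COOKIE = "site_consent"; // assumed name; value like "analytics=1,marketing=0"
const CATEGORIES = ["analytics", "marketing"];

// Constructed catalogue of what a restaurant site typically embeds. Only
// "essential" services (the reservation widget) load before a choice is made.
const SERVICES = [
  { name: "reservation-widget", category: "essential", src: "https://booking.example.invalid/widget.js" },
  { name: "web-analytics", category: "analytics", src: "https://analytics.example.invalid/tag.js" },
  { name: "ad-pixel", category: "marketing", src: "https://ads.example.invalid/pixel.js" },
  { name: "social-feed", category: "marketing", src: "https://social.example.invalid/embed.js" },
];

// Build the cookie pair to store once the visitor has made a choice.
function consentCookie(choice) {
  const value = CATEGORIES.map((c) => `${c}=${choice[c] === true ? 1 : 0}`).join(",");
  return `${CONSENT_COOKIE}=${encodeURIComponent(value)}`;
}

// Parse consent out of a document.cookie string. Anything absent, malformed or
// unknown is treated as "not consented", so the default is to load nothing extra.
function parseConsent(cookieString) {
  const consent = { analytics: false, marketing: false };
  for (const pair of String(cookieString || "").split(";")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    const name = pair.slice(0, eq).trim();
    if (name !== CONSENT_COOKIE) continue;
    let decoded;
    try {
      decoded = decodeURIComponent(pair.slice(eq + 1).trim());
    } catch (e) {
      continue; // malformed encoding: keep the deny-by-default values
    }
    for (const entry of decoded.split(",")) {
      const [key, val] = entry.split("=");
      if (CATEGORIES.includes(key) && val === "1") consent[key] = true;
    }
  }
  return consent;
}

// Essential services always load; everything else needs its category consented.
function allowedServices(consent) {
  return SERVICES.filter((s) => s.category === "essential" || consent[s.category] === true);
}

// inject(src) adds a <script> tag in the browser. It is passed in so the decision
// logic can be exercised without a DOM; returns the names of services loaded.
function loadServices(cookieString, inject) {
  const loaded = [];
  for (const service of allowedServices(parseConsent(cookieString))) {
    inject(service.src);
    loaded.push(service.name);
  }
  return loaded;
}

function domInjector(src) {
  const tag = document.createElement("script");
  tag.src = src;
  tag.async = true;
  document.head.appendChild(tag);
}

// In a browser, run the gated loader on page load; re-run after the banner
// stores a new choice (document.cookie = consentCookie(choice) + "; path=/").
if (typeof document !== "undefined") {
  loadServices(document.cookie, domInjector);
}
```

The point of routing every third-party tag through `loadServices` is that a tag pasted directly into the HTML bypasses the banner entirely, which is the failure mode described above; a quick check is to view the page with no consent cookie and confirm that only the essential script request appears in the network log.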

Custodia can scan your restaurant website at https://app.custodia-privacy.com/scan to identify every tracker, cookie, and third-party service loading on your site, and generate a compliant privacy policy and cookie banner tailored to what your site actually does.


Google and Tripadvisor Reviews

Restaurants often ask whether they can republish customer reviews on their website or social media. Under GDPR, a customer review that includes an identifiable person's name or other personal details is personal data. Republishing reviews without explicit permission from the reviewer raises GDPR concerns.

Safe practice:

  • Republish only star ratings or anonymised excerpts
  • If you wish to republish a named review or testimonial, obtain explicit written consent from the reviewer
  • Do not screenshot and share negative reviews in a way that publicly identifies the reviewer

Platform reviews (Google, Tripadvisor, OpenTable) are governed by those platforms' terms and privacy policies — you cannot use the reviewer data (email addresses, identifiers) for any purpose other than responding to the review on-platform.


A Practical Compliance Checklist for Restaurants

  • [ ] Sign Data Processing Agreements with your booking platform, loyalty provider, payroll software, and any other data processor
  • [ ] Update your privacy policy to accurately reflect your use of booking platforms, CCTV, loyalty programmes, and marketing tools
  • [ ] Review allergy data handling — collect minimally, restrict access, delete promptly
  • [ ] Audit your email marketing list — verify soft opt-in basis or explicit consent for every contact
  • [ ] Place CCTV signage and document your legitimate interests assessment
  • [ ] Provide a privacy notice to all staff at onboarding
  • [ ] Add a cookie consent banner to your website that blocks non-essential cookies before consent
  • [ ] Set data retention periods for guest records, staff records, and financial records — and enforce them
  • [ ] Establish a DSAR process so you can respond to access requests within one month

Scan Your Restaurant Website for Free

Privacy compliance in hospitality is not just about your dining room — it starts with your website. Most restaurant websites load tracking tools, reservation widgets, and social media embeds that process visitor data without proper consent infrastructure.

Scan your restaurant website free at https://app.custodia-privacy.com/scan. Custodia will identify every tracker and cookie loading on your site, generate a compliant privacy policy tailored to your actual setup, and help you deploy a cookie consent banner that meets GDPR and PECR requirements. Results in 60 seconds — no signup required.

For restaurants needing ongoing compliance monitoring — especially those handling loyalty programmes, CCTV, and email marketing — Custodia offers automated audit reports and compliance tools designed for small and independent hospitality businesses.