Data protection in restaurants


RODO is an acronym for Personal Data Protection Regulation, the legal basis of which is Regulation 2016/679 of the European Parliament and of the Council of the European Union of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

RODO has introduced changes in companies affecting the processing of personal data of employees, contractors, customers. The regulation is aimed mainly at reducing the misuse of personal data. It also has an informative function.

Opening any business, including catering, you need to prepare full documentation with the provisions on RODO. Keep in mind that illegal data processing can be punished with a fine and even criminal liability. When preparing documentation and procedures for RODO, it is worth cooperating with a law firm that will prepare the necessary documents in accordance with applicable law. In this way, there is no risk of any negligence resulting from ignorance.

What personal data are processed in restaurants?

  • Name and surname,
  • PESEL identification number,
  • Phone number,
  • Email address,
  • City of residence, place of work,
  • Bank account number,
  • Sensitive health data (diet, allergies),

Image 1
Whose personal data are processed in the restaurant?

  • Candidates recruiting for a position in the restaurant by sending a CV,
  • Restaurant employees via a commission or employment contract,
  • Restaurant employees through a commission agreement or employment contract,
  • Customers placing an order by phone or online, reserving a table,
  • Customers hosting events at the restaurant,
  • Customers participating in contests or loyalty program,
  • Guests of special events,
  • All persons appearing on any surveillance footage,

What information must the person whose data will be processed receive?

  • Full name with address, contact details and TIN of the company that is the controller of the personal data.
  • For what purpose the data will be processed and to whom it may be shared.
  • Consequences of not consenting to data processing - a contract may not be concluded if you do not consent to the processing of personal data.
  • How long personal data will be kept by the controller.
  • The ability to access your data, amend your data or withdraw your consent to the processing of your personal data.
  • Indication of the supervisory authority to which you can report a complaint.
  • The ability to voluntarily consent to the use of personal data for marketing purposes.

Image 2
What RODO documents should you prepare for your restaurant

  • Contracts with employees, contractors, suppliers should contain provisions regarding the processing of personal data.
  • If there are cameras in the restaurant in the backroom, in the kitchen, in the restaurant hall or in front of the building - you need to inform all people who may be recorded about it through, for example, information plates.
  • If you have created a website, you should prepare it in accordance with RODO.
  • If you have created a website - make sure that it contains regulations informing about personal data processing
  • If you have a website with the possibility of online ordering, subscribing to the newsletter, booking a table - it is necessary to have rules of procedure along with privacy policy

Image 3

Beginning cooperation with 4B Systems and implementing in its restaurant online ordering system Foodeliver, the restaurant receives a modern responsive website with regulations and privacy policy prepared by a friendly law firm for the restaurant industry. The website has all necessary certificates of data security.

Personal data security in a restaurant

A very important issue regarding RODO is the security of the entrusted personal data. Thus, any documents containing such data should be protected from unauthorized access. When opening a business, you should create a procedure to store documents with personal data in a secure manner.

The premises should have an office area secured against intrusion by third parties. Additionally, documents with sensitive data should be kept in locked cabinets. Websites and online stores should encrypt data and use SSL certificates. If you use online payment gateways, you should also pay attention to the security certificates of the operators.

An additional requirement is to create a company document with an analysis of risks associated with the processing of personal data. This document should include:

  • an inventory of all personal data along with the purpose and legal basis for processing,
  • the process of obtaining consent for data processing, together with an indication of the period for which the data will be kept,
  • possible risks occurring in the restaurant in connection with the processing of personal data together with a description of the safeguards used,
  • a complete list of recipients of personal data and a register of persons who have access to personal data,
  • procedure for processing personal data,
  • list of persons authorized to process personal data
  • list of persons authorized to access and process personal data in the restaurant.

RODO a coronavirus

The food service industry is facing restrictions imposed by the Government to curb the spread of coronavirus.

  • Customers entering the premises should wear masks. Taking them off is possible only at the table where consumption will take place.
  • The waiters and staff taking orders should also have masks on.
  • When organizing special events, there are limits on the number of people who can participate in the celebration. People vaccinated for coronavirus are not included in this pool.

Health data is sensitive data. Thus, information about a history of coronavirus, a COVID test result, a certificate of exemption from having to wear a mask, or information about being vaccinated are sensitive personal information. Such information may be needed to ensure the safety of attendees at a special event, for example.

It should be remembered, however, that neither the restaurant owner, nor the manager, nor the room service have any legal basis for requesting medical documents. A verbal declaration should be sufficient. In case of doubts or a suspicion of a threat to safety, you should call the police, who have the right to demand documents allowing them to confirm or deny the existence of an epidemic threat.

Izabela Praska

Editor of, passionate about gastromarketing and good cuisine, marketer. product specialist.

Interested in the offer?

Want to know the details of our offer? See the demo system? Write to us, we will call you back