TrustYourWebsite

GDPR for restaurants and hospitality in Ireland

3 April 2026

A restaurant or hotel might not seem like a data-intensive business, but hospitality businesses typically process more personal data than they realise: reservation details, dietary and allergy requirements, CCTV footage, WiFi logs, loyalty card data, and employee records. The Data Protection Commission (DPC) has received complaints about hospitality businesses, including around CCTV practices and direct marketing.


Reservation systems

OpenTable, ResDiary, SevenRooms, and similar platforms process guest personal data on your behalf.

Your obligations:

  • Ensure a Data Processing Agreement (DPA) is in place with your reservation platform provider
  • Inform guests at the time of booking what their data is used for (usually covered in the platform's booking confirmation)
  • Do not use reservation data for direct marketing without separate consent
  • Set retention periods — reservation data typically does not need to be kept beyond 12 months unless required for accounting

WiFi login pages

If your restaurant or hotel offers guest WiFi via a portal that captures an email address:

  • Clearly state why you're collecting the email and how it will be used
  • Do not use the email for marketing without explicit consent (a tick-box on the WiFi login is not valid consent unless it is genuinely optional and unticked by default)
  • Keep WiFi connection logs only as long as technically necessary — typically 30 days
  • Review your router/hotspot provider's data practices

Loyalty programmes

A digital loyalty card or points system typically involves storing names, contact details, purchase history, and visit frequency.

  • Provide a clear privacy notice at sign-up
  • Do not use loyalty data for purposes beyond what was stated at sign-up
  • Allow members to access their data, request corrections, and close their account
  • Implement reasonable security on the loyalty database (not a plain CSV on a shared drive)

CCTV

CCTV is one of the most common sources of DPC complaints in the hospitality sector. Rules under GDPR:

  • Display clear, visible signage at all CCTV entry points stating that recording is in operation
  • Store footage securely — access restricted to authorised managers
  • Retention: Typically 30 days maximum unless footage captures an incident requiring investigation
  • Data subject access requests: An employee or customer can request access to footage in which they appear. You must respond within one month
  • Do not share footage with third parties (including on social media) without a lawful basis

Staff data

Employee data falls under GDPR. Specific obligations:

  • Provide employees with a privacy notice covering what data you hold about them, for what purposes, and for how long
  • Process payroll data securely (restrict access, use reputable payroll software with appropriate security)
  • Retain employment records for at least the duration of employment plus 7 years (for Revenue purposes)
  • Obtain explicit consent before using employee photos on your website or social media

Your website

If your restaurant or hotel has a website with a booking form, enquiry form, or newsletter sign-up:

  • Privacy policy required and linked from every page
  • Cookie banner required if using Google Analytics or social media pixels
  • CRO number and registered address in your footer (if a registered company)
  • Contact email address visible

This is technical analysis, not legal advice.
