GDPR for Dutch Restaurant Websites: Fix Checklist
Steven | TrustYourWebsite · 6 April 2026 · Last updated: April 2026
GDPR for Dutch restaurants comes down to four things on your website. Reservations collect personal data. The Google Maps embed leaks IP addresses. Menu photos carry copyright risk. Delivery widgets load trackers.
You have a restaurant, café or bar. Your website shows the menu, directions and a reservation form. That looks simple. It is not. A reservation collects a name, phone number and sometimes dietary requirements. All of that is personal data. The embedded Google Maps sends visitor IP addresses to Google. The dish photo you grabbed from Google Images can trigger a copyright claim.
Restaurant websites are a blind spot in GDPR compliance. Most owners do not know their site fails on multiple points. This guide covers the main issues and gives you a concrete checklist to fix them.
At a Glance: Restaurant Website GDPR Risks
| Feature | Lawful basis | Consent required | Typical fix | AP risk level |
|---|---|---|---|---|
| Reservation form (name, phone) | Contract (Art. 6(1)(b)) | No | Ask only what you need. Link privacy policy | Low |
| Allergy or dietary field | Explicit consent (Art. 9(2)(a)) | Yes | Make optional. Explain why you ask | Medium |
| Google Maps embed | None without consent | Yes | Static map image or click-to-load | Medium |
| Menu photo from Google Images | Not applicable (copyright) | Not applicable | Own photo or licensed stock | High (claim risk) |
| Delivery widget (Thuisbezorgd, Uber Eats) | Consent for trackers | Yes | Plain link or load after consent | Medium |
| Guest WiFi portal | Legitimate interest or consent | Depends | Minimise logging. 30-day deletion | Low to Medium |
| CCTV (premises, not website) | Legitimate interest | No (signage required) | Sign at entrance. 4-week retention | Medium |
Reservations Are Personal Data
Every online reservation collects at minimum a name, phone number or email address. Many restaurant websites ask for more:
- Dietary requirements or allergies (gluten-free, vegan, nut allergy)
- Occasion (birthday, business dinner, anniversary)
- Number of guests and table preference
- Accessibility notes (wheelchair, child seat)
Allergies and dietary requirements are health data. Under GDPR Article 9, health data is a "special category" with stricter rules. The Court of Justice of the EU confirmed this in the Lindenapotheke case (C-21/23). Data that reveals health or beliefs falls under the strictest category. You may only process it with explicit consent from the guest.
What to do:
- Ask only for the data you actually need. A name and phone number suffice for most reservations.
- Make dietary fields optional. Never required.
- Include a link to your privacy policy next to the reservation form.
- Set clear retention periods. Delete reservation data after the visit, unless you have a legal reason to keep it. Tax records require 7 years. Marketing use is capped at 2 years with ongoing consent.
- If you use a reservation system (Formitable/Zenchef, OpenTable, Resengo), that system is your data processor. You need a data processing agreement (DPA) under GDPR Article 28.
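The intake rules above (required fields only, dietary data only with explicit consent, deletion tied to the visit) can be enforced server-side before anything is stored. The following is an added example, not code from this article or from any reservation system such as Formitable/Zenchef, OpenTable or Resengo; the field names, the `dietaryConsent` flag and the one-day-after-visit retention constant are assumptions made for the example.

```javascript
// Added example (not from the article or any reservation vendor): validates a
// reservation submission with data minimisation and the GDPR Art. 9 consent
// rule for dietary/allergy data. Field names and constants are assumptions.

const REQUIRED = ['name', 'phone', 'date'];          // what a table booking needs (Art. 6(1)(b))
const OPTIONAL = ['guests', 'occasion', 'accessibility'];
const SPECIAL_CATEGORY = ['dietary'];                 // health data, GDPR Art. 9
const DAYS_AFTER_VISIT = 1;                           // assumed: delete the day after the visit

function validateReservation(input) {
  const errors = [];
  const record = {};
  const dropped = [];

  // 1. Required fields: trimmed, must be non-empty strings.
  for (const field of REQUIRED) {
    const value = typeof input[field] === 'string' ? input[field].trim() : '';
    if (value === '') errors.push(`${field} is required`);
    else record[field] = value;
  }
  const visit = Date.parse(record.date);
  if (record.date !== undefined && Number.isNaN(visit)) errors.push('date is not a valid date');

  // 2. Optional fields: stored only when the guest filled them in.
  for (const field of OPTIONAL) {
    if (input[field] !== undefined && input[field] !== '') record[field] = input[field];
  }

  // 3. Special category data: stored only with an explicit, separate consent flag.
  //    Without consent the value is discarded and does not reach the record or the log.
  for (const field of SPECIAL_CATEGORY) {
    if (input[field] === undefined || input[field] === '') continue;
    if (input.dietaryConsent === true) {
      record[field] = input[field];
      record.dietaryConsent = true;
    } else {
      errors.push(`${field} can only be stored with explicit consent (Art. 9(2)(a))`);
    }
  }

  // 4. Anything else the form sent (hidden fields, tracking parameters) is
  //    never stored; it is reported so the form can be cleaned up.
  const known = new Set([...REQUIRED, ...OPTIONAL, ...SPECIAL_CATEGORY, 'dietaryConsent']);
  for (const key of Object.keys(input)) {
    if (!known.has(key)) dropped.push(key);
  }

  // 5. Retention: schedule deletion relative to the visit, not the booking date.
  const deleteAfter = Number.isNaN(visit)
    ? null
    : new Date(visit + DAYS_AFTER_VISIT * 86400000).toISOString();

  return { ok: errors.length === 0, record, errors, dropped, deleteAfter };
}
```

The `deleteAfter` timestamp is what a nightly clean-up job would compare against; if tax law requires part of the data to be kept longer, keep only that part (the invoice, not the allergy note).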
The Google Maps Problem
Almost every restaurant website has a Google Maps embed on the contact page. Useful for guests. Problematic for privacy.
The moment a visitor opens your page, the embedded Google Maps sends their IP address to Google's US servers. This happens automatically, before the visitor does anything. Under GDPR, an IP address is personal data. Sending it to Google without consent lacks a legal basis.
German courts ruled in 2022 that embedding Google Fonts without consent is unlawful (LG München, Az. 3 O 17493/20). The logic is simple. IP address transfer without justification is not lawful. The same reasoning applies to Google Maps. The Dutch regulator, the AP, follows this interpretation in its guidance on cookies.
What to do:
- Replace the Google Maps embed with a static screenshot image of the map. Add a link to Google Maps. This requires no consent, loads faster and involves no data transfer. See our Google Maps embed guide for copy-paste code.
- Or load Google Maps only after the visitor consents via your cookie banner (click-to-load approach).
- Mention Google Maps as a third party in your privacy policy if you use it.
Menu Photos and Copyright
This is not a GDPR issue but it affects hospitality websites just as seriously. Many restaurant owners use dish photos from Google Images or Pinterest. That is copyright infringement.
Photographers and stock photo agencies use automated tools to scan the internet for unauthorised use of their images. CopyTrack and Getty Images are well known for their claims systems. A claim typically starts at €500 to €1,500 per photo. With multiple photos, it adds up fast.
What to do:
- Take your own photos. A smartphone with good lighting is enough for menu photography.
- Use stock photo sites with clear licences. Unsplash, Pexels and Pixabay offer free photos for commercial use. Always check the licence terms.
- Keep the licence file or source link for every photo you use. If a claim arrives, you need proof.
- Review existing photos on your website. If you cannot trace the source, replace them.
Delivery Platform Widgets and Tracking
Thuisbezorgd, Uber Eats, Deliveroo. Many restaurants embed an order button or widget from a delivery platform on their website. These buttons often load tracking scripts.
An important legal point. Delivery platforms like Thuisbezorgd and Uber Eats are independent data controllers for the orders processed through their platforms. They are not your data processors. You do not need a DPA with them, but it is wise to document the data-sharing arrangement.
An "Order via Thuisbezorgd" widget can contain a tracking pixel that monitors visitor behaviour, similar to a Facebook Pixel. It logs page visits and sends that data to the platform.
What to do:
- Use regular links to the delivery platform instead of embedded widgets. A plain link (`<a href="...">`) loads no scripts.
- If you use a widget, check whether it places cookies. Open browser developer tools (F12, then Network tab) and observe what requests the widget makes.
- Mention each delivery platform that receives data in your privacy policy.
- Load tracking widgets only after consent via your cookie banner.
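The click-to-load approach recommended for Google Maps above and for delivery widgets here is the same mechanism: render a plain link and a button, and only insert the third-party iframe or script once the visitor has consented to that category. The following is an added example, not code from this article or from Google, Thuisbezorgd or Uber Eats; all URLs are `example.invalid` placeholders to be replaced with your own, and the consent object shape (`{ maps: true, delivery: false }`) is an assumption for the example.

```javascript
// Added example (not from the article or any platform): consent-gated
// click-to-load rendering of third-party embeds. Before consent only a plain
// link and a button are rendered, so the browser contacts no third party.
// URLs are placeholders; the consent object shape is an assumption.

const EMBEDS = {
  maps: {
    category: 'maps', kind: 'iframe',
    src: 'https://example.invalid/maps-embed',       // replace with your Google Maps embed URL
    linkHref: 'https://example.invalid/maps-link',   // replace with your Google Maps link
    linkText: 'Open in Google Maps',
    buttonText: 'Show map (loads Google Maps and sends your IP address to Google)',
  },
  delivery: {
    category: 'delivery', kind: 'script',
    src: 'https://example.invalid/order-widget.js',  // replace with the platform widget script
    linkHref: 'https://example.invalid/order',       // replace with your page on the platform
    linkText: 'Order via the delivery platform',
    buttonText: 'Load order widget (may set platform tracking cookies)',
  },
};

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Markup for one embed given the visitor's consent state. `loaded` tells the
// caller whether third-party code is now referenced in the page.
function render(name, consent = {}) {
  const e = EMBEDS[name];
  if (!e) throw new Error(`unknown embed: ${name}`);
  if (consent[e.category] === true) {
    const html = e.kind === 'iframe'
      ? `<iframe src="${escapeHtml(e.src)}" width="600" height="400" loading="lazy" title="${escapeHtml(name)}"></iframe>`
      : `<script src="${escapeHtml(e.src)}"></script>`;
    return { loaded: true, html };
  }
  // Placeholder: a plain link (loads nothing) and a button that records consent.
  const html =
    `<p><a href="${escapeHtml(e.linkHref)}" rel="noopener">${escapeHtml(e.linkText)}</a></p>` +
    `<button type="button" data-load="${escapeHtml(name)}">${escapeHtml(e.buttonText)}</button>`;
  return { loaded: false, html };
}

// Hosts the browser would contact automatically for a piece of markup
// (src= attributes only; an href is followed only when clicked).
function autoRequests(html) {
  const hosts = new Set();
  for (const m of html.matchAll(/\ssrc="(https?:\/\/[^"]+)"/g)) hosts.add(new URL(m[1]).host);
  return [...hosts];
}

// Browser-side mounting. A <script> inserted through innerHTML never executes,
// so script embeds are created as elements instead.
function mount(container, name, consent) {
  const out = render(name, consent);
  const e = EMBEDS[name];
  if (out.loaded && e.kind === 'script') {
    container.innerHTML = '';
    const s = document.createElement('script');
    s.src = e.src;
    s.async = true;
    container.appendChild(s);
  } else {
    container.innerHTML = out.html;
  }
  return out;
}

// Wiring: a click on a placeholder button records consent for that category
// and swaps in the real embed. Skipped outside a browser.
if (typeof document !== 'undefined') {
  const consent = {};                      // store alongside your cookie-banner choices
  document.addEventListener('click', (ev) => {
    const name = ev.target.dataset && ev.target.dataset.load;
    if (!name) return;
    consent[EMBEDS[name].category] = true;
    mount(ev.target.parentElement, name, consent);
  });
}
```

On page load, call `mount(container, 'maps', consentFromBanner)` for each container; if your cookie banner already stored consent for a category, the real embed is shown straight away, otherwise the visitor sees the link and the button and nothing is requested from the third party.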
Guest WiFi and Personal Data
If you offer free WiFi, you are likely processing personal data. Most WiFi portal systems log:
- MAC addresses of devices
- Email addresses (if required for access)
- Connection times and duration
- In some systems, visited websites
A MAC address is personal data. The AP confirmed this when the municipality of Enschede received a €600,000 fine in 2021 for WiFi tracking in the city centre. The municipality tracked passersby via MAC addresses to measure footfall. The fine was overturned on procedural grounds in 2024, but the principle that MAC addresses are personal data stands.
What to do:
- Ask for as little data as possible. A shared password on a chalkboard is the most privacy-friendly option.
- If you use a login portal, show a privacy notice on the login screen.
- Set access logs to auto-delete after 30 days at most.
- Do not use WiFi data for marketing without explicit consent.
- Do not retain browsing history of guests.
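The retention and minimisation rules above (30-day deletion, no browsing history, no marketing use) are easiest to keep when a scheduled job enforces them over the portal's exported logs. The following is an added example, not code from this article or from any WiFi portal vendor; the record field names and the sample records are constructed for the example.

```javascript
// Added example (not from the article or any portal vendor): a retention and
// minimisation pass over captive-portal access logs. Field names and the
// sample records are constructed assumptions.

const MAX_AGE_DAYS = 30;
// Only what is needed to operate the network is kept. Browsing history
// (visitedSites) and anything else is stripped, so nothing is left for marketing.
const ALLOWED_FIELDS = ['mac', 'email', 'connectedAt', 'disconnectedAt'];

function pruneAccessLogs(records, now = Date.now()) {
  const cutoff = now - MAX_AGE_DAYS * 86400000;
  const kept = [];
  let expired = 0;
  let strippedFields = 0;
  for (const r of records) {
    const t = Date.parse(r.connectedAt);
    // A record whose age cannot be determined is deleted rather than kept indefinitely.
    if (Number.isNaN(t) || t < cutoff) {
      expired++;
      continue;
    }
    const clean = {};
    for (const key of Object.keys(r)) {
      if (ALLOWED_FIELDS.includes(key)) clean[key] = r[key];
      else strippedFields++;
    }
    kept.push(clean);
  }
  return { kept, expired, strippedFields };
}

// Constructed sample export, as a portal might produce it.
const SAMPLE_LOGS = [
  { mac: 'aa:bb:cc:dd:ee:01', connectedAt: '2026-04-01T12:00:00Z',
    disconnectedAt: '2026-04-01T13:10:00Z', visitedSites: ['example.com'] },
  { mac: 'aa:bb:cc:dd:ee:02', email: 'guest@example.com',
    connectedAt: '2026-02-15T18:30:00Z', disconnectedAt: '2026-02-15T20:00:00Z' },
  { mac: 'aa:bb:cc:dd:ee:03', connectedAt: 'not-a-date' },
];

// Runs the pass against the sample at a fixed "now" so the result is reproducible.
function runSample() {
  return pruneAccessLogs(SAMPLE_LOGS, Date.parse('2026-04-06T12:00:00Z'));
}
```

Write the `kept` array back over the original file and log the `expired` and `strippedFields` counts; the counts are useful evidence that the retention period is actually applied if the AP ever asks.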
CCTV in Your Premises
Many hospitality businesses have security cameras. The GDPR sets strict requirements:
- Warning signs are required. Guests must know they are being filmed before entering. Signs must state who is responsible and how guests can exercise their rights.
- Maximum retention: 4 weeks. The AP guidance on camera surveillance at organisations states that footage may not be kept longer than 4 weeks, unless an incident was recorded.
- DPIA required for large-scale monitoring. Multiple cameras covering a large area may require a Data Protection Impact Assessment.
- No cameras in toilets or changing rooms. No exceptions.
Include your CCTV use in your privacy policy.
Your Compliance Checklist
Privacy policy
- Privacy policy exists on your website
- Accessible from the footer on every page
- Lists reservation systems, delivery platforms and Google Maps as third parties
- States which data you collect and why
- States retention periods for reservation data
Cookies and tracking
- Cookie banner if you use non-functional cookies
- Google Maps loads only after consent (or use static image alternative)
- Google Analytics in anonymous mode or replaced with privacy-friendly alternative
- Delivery platform widgets do not load tracking scripts without consent
- Google Fonts self-hosted (not loaded from Google servers)
Reservations and forms
- Reservation form asks only for necessary data
- Dietary and allergy fields are optional
- Privacy policy linked from the form
- Data processing agreement with your reservation system
- Old reservation data is regularly deleted
Photos and content
- All photos are self-taken or have a valid licence
- You can prove the source or licence for every photo
- No photos from Google Images or Pinterest without a licence
WiFi
- WiFi requires no unnecessary personal data
- Login portal (if used) shows a privacy notice
- WiFi logs are automatically deleted
Security
- Website runs on HTTPS
- CMS and plugins are up to date
- Admin passwords are strong and unique
Data Breach Risk Reality
The AP does not exempt hospitality businesses from GDPR enforcement. A restaurant whose website leaks personal data faces the same legal exposure as a webshop. GDPR fines go up to €20 million or 4% of annual turnover.
Figure: GDPR Article 83 fine ceilings. Lower tier (Art. 83(4)): up to €10m or 2% of global annual turnover; examples are missing records of processing, breach notification failures, a missing DPA, DPIA gaps and processor obligations. Upper tier (Art. 83(5)): up to €20m or 4% of global annual turnover; examples are a lawful-basis breach, invalid consent, special category data and ignored data subject rights. The regulator applies whichever amount is higher. Source: GDPR Art. 83(4) and 83(5).
In practice, the AP often starts with a warning for smaller businesses. Copyright claims from CopyTrack or Getty arrive as invoices. No warning, no process. Those are more immediately likely than a GDPR fine for most small restaurants.
The combination of GDPR and copyright risk makes hospitality websites vulnerable on two fronts. The good news: both can be addressed in an afternoon.
Scan your website free to see which issues you currently have.
For the complete overview of GDPR obligations for Dutch businesses, read our GDPR compliance checklist. For the accessibility requirements that also apply to your restaurant, read our restaurant accessibility guide.
This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.