GDPR for restaurants and hospitality in Ireland

Steven | TrustYourWebsite · 3 April 2026 · Last updated: April 2026

A restaurant or hotel might not look like a data business. In practice, Irish hospitality operators handle more personal data than most small offices. Reservation details, dietary and allergy notes, CCTV footage, WiFi logs, loyalty card data and staff records all sit inside your systems. The Data Protection Commission (DPC) has flagged CCTV and direct marketing as common complaint areas in retail and hospitality. You can run a free website scan for your venue before you read on.

This guide covers the five data contexts that matter most for an Irish cafe, restaurant or hotel: reservations, guest WiFi, loyalty, CCTV and staff data. Each section links to a primary source so you can check the rule yourself.


The five hospitality data contexts at a glance

Use this table as a jump-off. The rest of the page goes deeper on each row.

| Context | Lawful basis (GDPR Art. 6) | Typical retention | Primary source |
|---|---|---|---|
| Reservations | Contract (Art. 6(1)(b)) | 12 months unless tax law requires longer | DPC, Lawful Basis |
| Guest WiFi logs | Legitimate interest (Art. 6(1)(f)) | 30 days connection logs | DPC, Legal Bases |
| Loyalty programmes | Consent (Art. 6(1)(a)) | Until member closes account | DPC, Consent |
| CCTV | Legitimate interest with DPIA | 30 days unless incident | DPC, CCTV and security |
| Staff records | Contract + legal obligation | 7 years after employment ends (Revenue) | DPC, Employment |

The DPC's main entry point for small business obligations is the organisations guidance hub. The Data Protection Act 2018 sits on top of GDPR and is the Irish statute that gives the DPC its powers (Data Protection Act 2018).


Reservation systems

OpenTable, ResDiary, SevenRooms and similar platforms process guest data on your behalf. Under GDPR Article 28 you need a written Data Processing Agreement with each platform you use.

Worked example. A 50-cover restaurant in Galway takes 200 bookings a week through OpenTable. The platform stores guest names, mobile numbers, emails, party size and any dietary notes such as a peanut allergy. The lawful basis for processing this data is contract performance under Article 6(1)(b). The data is needed to honour the booking. You do not have a basis to mail those guests a newsletter from the same record unless they tick a separate opt-in at the time of booking.

Your obligations:

  • Sign a Data Processing Agreement with the booking platform before you go live.
  • Show guests a short notice at the time of booking that explains what their data is used for.
  • Set a retention rule. 12 months of booking history is enough for most operators. Keep tax-relevant records (cash totals, deposits) for the 6 years required by Revenue.
  • Do not re-use reservation data for marketing without a fresh opt-in.

Allergy notes are a special case. They are health data under GDPR Article 9 and need stricter handling. The Food Safety Authority of Ireland (FSAI) sets the food allergen rules under the Food Information for Consumers Regulation (EU) 1169/2011. You must record allergens accurately but only keep the allergy note as long as the booking is open.


Guest WiFi captive portals

Most hotels and many cafes run a captive portal that asks the guest for an email before letting them online.

Worked example. A Dublin hotel offers free WiFi via a portal that captures email and room number. The hotel's legitimate interest is network security and fair use of the connection. That covers basic connection logs. It does not cover sending the guest a marketing email a week later.

Your obligations:

  • State clearly on the portal why you collect the email. Use one or two short lines.
  • Do not bundle marketing consent with the connection. The DPC's cookies and tracking guidance explains why pre-ticked boxes are not valid consent. The same logic applies to WiFi portals.
  • Keep connection logs only as long as you need them for security. 30 days is a common rule.
  • Check your router or hotspot provider's privacy notice. Some providers also process the data for their own analytics.

Loyalty programmes

A digital loyalty card stores names, contacts, purchase history and visit frequency. The lawful basis is consent under Article 6(1)(a) because the member opted in.

Worked example. A small cafe chain in Cork runs a stamp app. A new member sees a one-screen sign-up that lists what data is collected, how long it is kept and how to close the account. The cafe stores the data in a managed loyalty platform with role-based access. It does not export the list to a spreadsheet on a shared drive.

Your obligations:

  • Show a clear privacy notice at sign-up. One screen is enough.
  • Use the data only for the purpose stated at sign-up. Sending offers is fine if you said so. Selling the list to a third party is not.
  • Let members see their data, fix mistakes and close the account. The DPC's individuals guidance explains the rights you need to honour.
  • Protect the database. Use role-based access and avoid plain spreadsheets.

CCTV

CCTV is one of the most common complaint areas the DPC sees from hospitality and retail. The DPC's annual reports flag CCTV among the top categories of complaints handled each year (DPC news and reports).

Your obligations:

  • Display clear, visible signs at every CCTV entry point. Name the controller and a contact.
  • Store footage securely. Limit access to named managers.
  • Set a default retention of 30 days. Keep longer only if you need the footage for an open incident.
  • Respond to data subject access requests within one month. A guest or staff member can ask for footage in which they appear.
  • Do not share footage on social media to "name and shame". That is unlawful processing without a basis.

For staff CCTV you also need to follow Workplace Relations Commission guidance and the DPC's guidance on employee monitoring. Covert monitoring needs a specific, documented reason and is rarely lawful.

Figure: Hospitality data lifecycle. Five stages: 1. Collect (booking / WiFi), 2. Inform (privacy notice), 3. Use (stated purpose only), 4. Retain (documented period), 5. Delete (securely). Typical hospitality retention: Reservations 12 months; WiFi logs 30 days; Loyalty until opt-out; CCTV 30 days; Staff (Revenue) 7 years. Document the period in your retention policy and follow it.

Staff data

Employee data is covered by GDPR and the Data Protection Act 2018. You also need to look at Workplace Relations Commission guidance on monitoring and at Revenue's record-keeping rules.

Your obligations:

  • Give every employee a written privacy notice on day one. List the data you hold, the purpose and the retention.
  • Process payroll data with role-based access and reputable payroll software.
  • Keep employment records for the duration of employment plus 7 years for Revenue purposes.
  • Ask for explicit consent before using staff photos on the website or social media. Consent must be free, which is harder to show in an employment context, so always offer a real opt-out.

Your website and cookies

If your venue website has a booking form, an enquiry form or a newsletter sign-up, it processes personal data.

You must follow Ireland's ePrivacy Regulations under SI 336 of 2011, which transpose the EU ePrivacy Directive. Regulation 5(3) requires prior consent before any non-essential cookie or tracker fires. That covers Google Analytics, Meta Pixel and most booking-platform widgets. The DPC's cookies guidance is the controlling document.

Required on a hospitality website:

  • A privacy policy linked from every page.
  • A cookie banner with equal Accept and Reject buttons on the first layer if you use analytics or social pixels.
  • The CRO number and registered address in your footer if you are a registered company.
  • A visible contact email.
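
The prior-consent rule above can be checked against a recorded page load. This is an added example, not the scanner's own code or part of the original article; the tracker host and cookie lists are a small illustrative sample, and the event format and the `venue.example` capture are constructed for the demonstration.

```javascript
// Illustrative sample only, not a complete tracker catalogue.
const TRACKER_HOSTS = ["google-analytics.com", "googletagmanager.com", "connect.facebook.net"];
const TRACKER_COOKIES = [/^_ga/, /^_gid$/, /^_fbp$/];

// Match the host itself or any subdomain, but not look-alike suffixes.
function isTrackerHost(host) {
  return TRACKER_HOSTS.some((t) => host === t || host.endsWith("." + t));
}

// Walk the capture in order and return every non-essential request or
// cookie that fired while consent was still "none" or had been rejected.
function findPreConsentTrackers(events) {
  let consent = "none"; // becomes "accept" or "reject" at the banner click
  const findings = [];
  for (const ev of events) {
    if (ev.type === "consent") {
      consent = ev.choice;
      continue;
    }
    if (consent === "accept") continue; // consent given: trackers allowed
    if (ev.type === "request") {
      const host = new URL(ev.url).hostname;
      if (isTrackerHost(host)) findings.push({ kind: "request", name: host, consent });
    } else if (ev.type === "cookie" && TRACKER_COOKIES.some((re) => re.test(ev.name))) {
      findings.push({ kind: "cookie", name: ev.name, consent });
    }
  }
  return findings;
}

// Constructed capture of one page load on a hypothetical venue site.
const SAMPLE_CAPTURE = [
  { type: "request", url: "https://venue.example/" },
  { type: "cookie", name: "session_id" }, // essential, not flagged
  { type: "request", url: "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE" },
  { type: "cookie", name: "_ga" },
  { type: "consent", choice: "reject" },
  { type: "request", url: "https://connect.facebook.net/en_US/fbevents.js" },
  { type: "cookie", name: "_fbp" },
];

for (const f of findPreConsentTrackers(SAMPLE_CAPTURE)) {
  console.log(`${f.kind} ${f.name} fired with consent=${f.consent}`);
}
```

Any finding with `consent=none` means a tracker loaded before the banner was answered; a finding with `consent=reject` means the Reject button did not stop it.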

Check your website free

The scanner checks cookie consent, tracker behaviour before consent, privacy policy presence, security headers and image copyright signals. It takes about 60 seconds and you get a risk score with the top issues.


This is technical analysis, not legal advice.
