GDPR for cafés, restaurants and small hotels

Reservations, guest registration, Wi-Fi, cameras, review replies — hospitality touches more personal data than owners think. The compliant setup fits on this page.

By data stream: Reservations & guest data — name, contact, dietary notes (allergies are health-adjacent: collect for the meal, don’t archive), booking history for regulars is fine with transparency; delete no-show blacklists you cannot justify. Hotel guest registration — national law dictates what you must record and how long; record that, not a passport photocopy habit beyond it (see ID copies). Guest Wi-Fi — a captive portal needs no marketing-consent ransom: offering Wi-Fi ≠ licence to spam; the newsletter tick stays optional and unticked. Cameras — the shop-CCTV rules apply verbatim: till and entrance yes, terrace pointing at the street carefully, toilets never. Reviews — replying is fine; never confirm a guest’s visit details or identity in a public reply (that is a disclosure), and never threaten reviewers with “we have you on camera”. Staff — rotas and payroll run on contract/law; the workplace-camera limits and monitoring rules apply to your team like anyone’s. One page of privacy notice (site + QR at reception), a modest Art. 30 record, processor agreements with your booking and POS systems — done. Deliveroo-style platforms handling your orders are separate controllers; their compliance is not yours to carry.

Verified against the sources above on 18 July 2026. Information, not legal advice.

← For small businesses📞 Your data protection authority