With the government restrictions relaxing and many pubs and restaurants open to dine in, one key issue seems to ask are online ordering apps breaching GDPR rules?

It can only be a good thing to see the reopening of the hospitality sector after the UK lockdown for a large part of 2020. A new feature of this seems to be the ubiquitous rise of online ordering and booking service apps, usually allowing customers to book a table in advance or order food and drinks from the comfort of their table, minimising contact with staff and other customers. 

It may be stating the obvious, but booking tables, ordering and paying for food and drinks, all require the collection of customer data. It is of paramount importance that businesses consider whether the services are providing them and their customer’s adequate legal protection. The GDPR states that you can collect and store certain information as long as the user remains anonymous. The data must be held for the shortest amount of time possible. If it becomes unnecessary, it must be deleted. The consequences of breaching GDPR are pretty eye-watering, so it’s worth an assessment of the risk.

It is essential that any business:

  1. is transparent about the purpose of collecting personal data and prevents this from being used for any other purpose, such as marketing, unless explicit permission to do so has been given;
  2. only collects the minimum amount of data necessary to fulfil their service;
  3. allows users control over their data;
  4. deletes personal data as soon as it is no longer needed; and
  5. processes the data securely.

As well as the above, we also highly advise that businesses do the following:

  1. check if a data protection impact assessment was carried out when the service was rolled out and whether it is important to complete one
  2. evaluate how its employees can access data and how they will prevent misuse
  3. ensure that the contract with the service provider includes information required by Article 28 of the GDPR
  4. ensure that the service includes accurate and appropriate privacy policies and notices.


Customers are beginning to criticise and question the amount of data collected by these services. Although it’s likely that some customers accept privacy policies without fully understanding or even reading them, it is still essential to ensure the information is provided to them and that they are able to ask for their data to be deleted.

We can offer you:

  • A no-obligation call or meeting to discuss how GDPR might impact your organisation.
  • Review and update your contractual documents, policies, and procedures.
  • Work with you to create a compliance plan and assess the key risks to your organisation.
  • Provide training to you and your employees.