In 2018 the EU introduced new data privacy and security laws that determine how businesses and restaurants process customer information. General Data Protection Regulation (GDPR) laws are the most rigorous in the world, and restaurant owners are protected when using digital services like Carbonara App. Follow our guidance and confidently enjoy the features of the app.
Why Data Protection is Important for Restaurants
Officially, GDPR legally protects the privacy of individuals on the web. This is a fundamental right enmeshed in the European Convention of Human Rights. All restaurants established in the EU/UK must use guest information and personal data accordingly.
This is important because restaurant guests entrust their personal data — names, emails, phone numbers — with hospitality venues. They trust their data will be used responsibly. Breaches in digital data are illegal, and as such, restaurants need to make sure they comply with GDPR guidance.
What Types of Data Does GDPR Cover?
In regard to using a restaurant reservation and waitlist system, GDPR regulation covers all data details. This includes:
Personal Data
Anything that relates to individuals, such as names and email addresses, and other information that could identify someone, such as notes and allergy advice on a specific restaurant party.
Data Processes
Whether automated or manual, GDPR protects actions and/or communications involving data. This refers to basically anything — i.e., storing, using, and erasing — but specifically this covers processes such as text messages in a restaurant app, and disclosing anything on personal data.
Device Information
This refers to indirect identifiers such as an IP address or the type of device a customer uses to access services (for example, the type of mobile phone used to access an app or web browser).
Who is Responsible for GDPR Data Protection in Restaurants?
In a restaurant business, there are two entities that are responsible under GDPR data protection laws.
- The data controller at the highest level is responsible for the fair and lawful use of data for general business purposes. Data controllers determine the means of processing data, including restaurant owners and their employees.
- The data processor is responsible for processing data on behalf of businesses and organisations, the data controllers.
Since Carbonara App facilitates fair use of personal data for restaurants using its services, GDPR has special criteria for businesses. Here’s how these GDPR rules apply to restaurants.
- The restaurant is the data controller of personal data in Carbonara App’s guestbook, reservation calendar, and waitlist service. This includes online reservation’s personal data, including all the data customers input when joining a waitlist, making a reservation, or pre-paying for a drink to have when indoors.
- Carbonara App is the data processor of personal data. When it comes to creating accounts, facilitating guest communications, and performing commercial activities, Carbonara App processes personal data on behalf of restaurants that use its services. This means that all personal data — reservations, waitlists — lives in Carbonara App, the product.
There is one exception to these rules. Carbonara App is the data controller of personal data in the app’s consumer functions — such as this website, the app itself, and online reservations flow. For example, diners who make online bookings via Carbonara App (including via a booking link embedded on a Google profile, social media, or restaurant website) agree to Carbonara App’s terms of use and privacy policy.
Note that restaurants and hospitality venues control data in the app’s guestbook, calendar, and waitlist, for which Carbonara App acts not as the controller but as the restaurant’s data processor.

What Are the 8 Restaurant Data Protection Principles
Carbonara App’s GDPR compliance relies on adherence to the restaurant data protection principles outlined in Article 5.1-2 of EU GDPR, ensuring lawful and transparent use of personal data. This article applies to all businesses, including those in the hospitality industry.
Our privacy policy illustrates the legal protections of restaurant owners, our users, and customer data processed in the app. The 8 restaurant data protection principles are:
- Lawfulness. The processing of personal data must be fair and transparent to the customer.
- Purpose. Both restaurants and Carbonara App must process data for legitimate business purposes only.
- Minimisation. Both restaurants and Carbonara App strictly collect necessary data for purposes specified to the customer.
- Accuracy. Customer personal data must be accurate and up to date.
- Limitation. Referring to the storage of personal data, both restaurants and Carbonara App must only keep data for as long as necessary for a specified purpose.
- Confidentiality. Both restaurants and Carbonara App must ensure data integrity, ensuring data security, and confidentiality.
- Accountability. Both restaurants and Carbonara App are equally responsible for a clear demonstration to GDPR rules and the above principles.
- Portability. When requested, customers must be able to obtain any personal data that restaurants may maintain and hold on them (e.g. marketing information).
GDPR is For Everyone in Hospitality
App users make regular visits to restaurants because digital services help to improve overall guest efficiency, enjoyment, and satisfaction when dining out. Understandably, when facing the mass of data in today’s connected hospitality environment, both venues and restaurants have become more concerned with the fair use of personal data.
Though restaurant owners must understand the importance of data collection laws, there is no need to fear them. To ensure GDPR compliance, follow our version of the GDPR acronym:
- Get to grips with data. Learn and understand what types of data your restaurant collects, locate where it is stored, and know who accesses it. Take the necessary steps to secure each part of the data flow process.
- Don’t be afraid to ask for help. Consult official experts in the small business field or stay informed using official sources such as gov.uk.
- Protect personal data. Use encryption processes and related security features for storing data.
- Remember what Carbonara App offers. Regularly keep restaurant contact information up-to-date on the app, and reach out to us with any questions about Carbonara App’s services.
Conclusion: on GDPR Compliance for Restaurants
Customers, restaurant owners, and hospitality staff can see that GDPR data privacy principles are relatively straightforward. Simply, both EU and UK law asks that hospitality businesses and restaurant technology make a good faith commitment to give everyone full means of control over how their data is used, knowing who has access to it, and requesting its full erasure if necessary.
Making it simple for our users to exercise GDPR rights, Carbonara App fully meets UK/EU standards. Still not sure? Consult us with any questions or concerns you may have.
If you would like to find out about Carbonara App’s current users, read one of our testimonials called, “The Chicago Diner that Chose Carbonara App”. A handpicked selection of other restaurant stories is available on our website, ranging across Europe, from France to Italy.