GDPR 2026: QR Menu, WhatsApp to Guests and Mailing Lists in Restaurants

3 contact points where restaurants most often break GDPR, and what to do in one afternoon to stay on the right side of an audit.
A customer sits down at a table, scans a QR code and opens the menu in their browser. Then they message the restaurant on WhatsApp: "do you have lactose-free coffee?". After they leave, you save their number in a newsletter database. From the guest's perspective, this is a convenient service. From the GDPR perspective - 3 separate personal data processing activities, each requiring its own legal basis and its own information notice for the customer.
This post does not explain GDPR from scratch. It shows 3 typical contact points between your restaurant and a guest's personal data that almost every venue in 2026 handles poorly, and what exactly to change to stay on the right side of a Data Protection Authority audit.
Contact point 1: QR menu and the information duty
The customer scans a QR code leading to a menu on your website. The page loads in their browser. What happens under the hood:
- Google Analytics or another tracker logs the visit (IP address, device type, approximate location).
- Your server log holds the customer's IP for a set retention period (typically 30 days).
- If you run remarketing via Facebook/Google Ads, the customer gets "tagged" and their data flows to the ad platform.
Each of these is personal data processing. The customer has the right to know it is happening, why, and who the data controller is. Practically: a QR menu page must have:
- A cookie banner (consent to tracking cookies) if you use Google Analytics or similar.
- A link to the privacy policy (visible, best in the footer).
- The privacy policy must list: who is the controller (your company), what data, for what purpose, for how long, to whom it is transferred (e.g. Google Analytics as a processor).
Most small restaurants run a menu page without a cookie banner and without a privacy policy. That is a legal gap that the Data Protection Authority increasingly audits (fines up to 4 percent of annual turnover, in practice for small foodservice typically 10 to 50 thousand PLN).
Contact point 2: WhatsApp to guests
More and more restaurants use WhatsApp to communicate with guests: reservation confirmations, daily menu updates, takeaway pickup info. From a GDPR perspective:
- The customer's phone number is personal data.
- Saving it in contacts or a spreadsheet is processing.
- Sending "Today we recommend carbonara" to a list of customers who once booked a table is marketing - and requires separate consent (consent to handle a reservation is not enough).
Practical path:
- Operational WhatsApp (reservation confirmations, callback contact). The customer contacts first. Your legal basis: necessity to perform the contract (reservation). No separate consent needed.
- Marketing WhatsApp (offer newsletter). Requires explicit consent. "Would you like to receive information about the seasonal menu?" at reservation. Without "Yes" checked - you do not send.
- Contact list on the waitress's phone. If a waitress keeps guest contacts on her private phone, that storage is also processing and formally must be covered by a processing agreement or by her employment terms. Best practice: WhatsApp Business on a company number, managed centrally.
Contact point 3: Mailing list and marketing
A customer left their email at an online reservation (through ResDiary, TheFork, your own form). You entered it into an Excel sheet named "regular customers". What next:
Without explicit marketing consent, you cannot send them a holiday offer. You can only send: operational contact tied to a specific reservation.
If you want to send a newsletter with a seasonal menu, you need for each customer:
- Consent to receive marketing (separate checkbox, not "together with the privacy policy").
- Opt-out option in every message ("unsubscribe me" link).
- Consent log with date, time and IP address (for Data Protection Authority audit).
An Excel sheet of regulars without these elements is a fine waiting to happen. Better solution: Mailchimp, Brevo, ConvertKit - each automatically logs consents and simplifies compliance.
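As an added illustration (not code from the original post or from any of the tools named above), here is a minimal consent ledger in Python that does what this section asks for: it logs the date, time and source IP of each explicit marketing opt-in separately from reservation and invoice data, honours the "unsubscribe me" link while keeping the audit entry, and handles a deletion request by removing everything except an invoice still inside the 5-year accounting period. The class names, addresses and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ERASURE_DEADLINE = timedelta(days=30)        # the page's deadline for a deletion request
INVOICE_RETENTION = timedelta(days=5 * 365)  # accounting data kept 5 years (page's figure)

@dataclass
class Consent:  # one audit entry: who, when, from which IP, and whether withdrawn
    email: str
    granted_at: datetime
    source_ip: str
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:  # marketing opt-ins kept apart from reservation contacts and invoices
    def __init__(self) -> None:
        self.consents: dict[str, Consent] = {}   # explicit marketing consents only
        self.invoices: dict[str, datetime] = {}  # email -> date of last invoice

    def record_consent(self, email: str, ticked: bool, ip: str, when: datetime) -> None:
        if ticked:  # an unticked checkbox is never logged as consent
            self.consents[email] = Consent(email, when, ip)

    def unsubscribe(self, email: str, when: datetime) -> None:
        if email in self.consents:  # keep the entry, mark it withdrawn (audit trail)
            self.consents[email].withdrawn_at = when

    def can_send_marketing(self, email: str) -> bool:
        c = self.consents.get(email)
        return c is not None and c.withdrawn_at is None

    def erase(self, email: str, requested_at: datetime) -> dict:
        # Deletion request: drop consent data, keep only an invoice still within retention.
        self.consents.pop(email, None)
        invoice = self.invoices.get(email)
        keep = invoice is not None and requested_at - invoice < INVOICE_RETENTION
        if not keep:
            self.invoices.pop(email, None)
        return {"invoice_retained": keep, "respond_by": requested_at + ERASURE_DEADLINE}

def demo() -> dict:  # constructed sample: two guests, only one ticked the marketing box
    ledger, t0 = ConsentLedger(), datetime(2026, 1, 10, 19, 30, tzinfo=timezone.utc)
    ledger.record_consent("anna@example.com", True, "203.0.113.7", t0)
    ledger.record_consent("bob@example.com", False, "203.0.113.8", t0)
    ledger.invoices["anna@example.com"] = t0
    before = ledger.can_send_marketing("anna@example.com")
    ledger.unsubscribe("anna@example.com", t0 + timedelta(days=3))
    after = ledger.can_send_marketing("anna@example.com")
    erased = ledger.erase("anna@example.com", t0 + timedelta(days=10))
    return {"anna_before": before, "anna_after": after, "invoice_retained": erased["invoice_retained"],
            "bob": ledger.can_send_marketing("bob@example.com"), "anna_gone": "anna@example.com" not in ledger.consents}
```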
What to do in one afternoon
GDPR checklist for a small restaurant in 2026:
- Check your QR menu page. Does it have a cookie banner? Privacy policy in the footer? If not, add them. Privacy policy generators are available for free (e.g. termly.io, iubenda).
- Check your WhatsApp. Do you have a separate company number (WhatsApp Business), or do you use a private one? If private, switch to a company number. Set up an auto-welcome message with a link to the privacy policy.
- Check your mailing list. Did customers give explicit consent for marketing? If not, send a re-permission email ("reminder - do you still want our newsletter, click here if yes"). Customers who do not click - remove from the list.
- Check your privacy policy. Does it list all processors (Google Analytics, ResDiary, Mailchimp, site hosting)? Update if missing.
- Designate a GDPR-responsible person at the venue (typically owner or manager). This person handles incidents (e.g. database leak), customer requests ("what do you know about me"), Data Protection Authority contact.
Frequently asked questions
Does a small restaurant need a Data Protection Officer (DPO)?
No, in 2026 the DPO requirement applies only to organisations processing data on a large scale (typically: over 5000 people in the database). A small restaurant can do without a DPO, but should designate a GDPR-responsible person - typically the owner or manager.
Is CCTV footage in the venue personal data?
Yes. CCTV monitoring requires: signage ("monitored premises" sticker), retention policy (typically 30 days), legal basis (most often legitimate interest - security). If the camera covers guest tables, additional information duty applies.
Can I post guest photos on Instagram Stories?
Only with consent. Every guest visible in a photo in a way that allows identification must consent. In practice: you blur faces, take photos of the table with food (no people), or ask a specific person "can I take a photo and post it".
What if a customer asks for their data to be deleted?
You have 30 days to handle it. Remove from the database, from the newsletter, from the Excel sheet, from all places. Keep only data required for accounting obligations (typically 5 years for invoices). After processing, send confirmation to the customer.
Is WhatsApp Business GDPR-compliant?
WhatsApp itself is compliant (Meta is a processor, has appropriate certifications). Your configuration may not be: no privacy policy, no information in auto-reply, no separation of operational and marketing contacts. WhatsApp Business plus updated privacy policy = safe.
Need complete HACCP documentation?
GastroReady offers ready HACCP, GMP and GHP templates for every type of foodservice venue. From 299 PLN, with PL/EN instructions.