GDPR for Dutch Restaurant Websites: What You Actually Need to Fix

Steven | TrustYourWebsite · 6 April 2026

You have a restaurant, café, or bar. Your website shows the menu, directions, and a reservation form. Simple, right?

Not for the GDPR. That reservation collects a name, phone number, and sometimes dietary requirements — all personal data. The embedded Google Maps sends your visitors' IP addresses to Google. And that dish photo you grabbed from Google Images? That can get you a copyright claim.

Restaurant websites are a blind spot in GDPR compliance. Most restaurant owners do not know their website fails on multiple points. This guide covers the main issues and gives you a concrete checklist to fix them.

Reservations Are Personal Data

Every online reservation collects at minimum a name, phone number, or email address. But many restaurant websites ask for more:

  • Dietary requirements or allergies (gluten-free, vegan, nut allergy)
  • Occasion (birthday, business dinner, anniversary)
  • Number of guests and table preference
  • Accessibility notes (wheelchair, child seat)

Allergies and dietary requirements are health data. Under GDPR Article 9, health data is a "special category" with stricter rules. The Court of Justice of the EU confirmed this in the Lindenapotheke case (C-21/23): data that reveals health or beliefs falls under the strictest category. You may only process it with explicit consent from the guest.

What to do:

  • Ask only for the data you actually need. A name and phone number suffice for most reservations.
  • Make dietary fields optional — never required.
  • Include a link to your privacy policy next to the reservation form.
  • Set clear retention periods: delete reservation data after the visit, unless you have a legal reason to keep it (tax records: 7 years; marketing use: maximum 2 years with ongoing consent).
  • If you use a reservation system (Formitable/Zenchef, OpenTable, Resengo), that system is your data processor. You need a data processing agreement (DPA) under GDPR Article 28.

The Google Maps Problem

Almost every restaurant website has a Google Maps embed on the contact page. Useful for guests — problematic for privacy.

The moment a visitor opens your page, the embedded Google Maps sends their IP address to Google's US servers. This happens automatically, before the visitor does anything. Under GDPR, an IP address is personal data. Sending it to Google without consent lacks a legal basis.

German courts ruled in 2022 that embedding Google Fonts without consent is unlawful (LG München, Az. 3 O 17493/20) — same logic: IP address transfer without justification. The same reasoning applies to Google Maps. The AP (Autoriteit Persoonsgegevens) follows this interpretation.

What to do:

  • Replace the Google Maps embed with a static screenshot image of the map, with a link to Google Maps. This requires no consent, loads faster, and involves no data transfer. See our Google Maps embed guide for copy-paste code.
  • Or: load Google Maps only after the visitor consents via your cookie banner (click-to-load approach).
  • Mention Google Maps as a third party in your privacy policy if you use it.

Dish Photos and Copyright

Copyright in dish photos is not a GDPR issue, but it affects hospitality websites just as seriously. Many restaurant owners use dish photos from Google Images or Pinterest. That is copyright infringement.

Photographers and stock photo agencies use automated tools to scan the internet for unauthorised use of their images. CopyTrack and Getty Images are notorious for their claims systems. A claim typically starts at €500–€1,500 per photo. With multiple photos, it adds up quickly.

What to do:

  • Take your own photos. A smartphone with good lighting is sufficient for menu photography.
  • Use stock photo sites with clear licences: Unsplash, Pexels, and Pixabay offer free photos for commercial use. Always check the licence terms.
  • Keep the licence file or source link for every photo you use. If a claim arrives, you need proof.
  • Review existing photos on your website. If you cannot trace the source, replace them.

Delivery Platform Widgets and Tracking

Thuisbezorgd, Uber Eats, Deliveroo — many restaurants embed an order button or widget from a delivery platform on their website. These buttons often load tracking scripts.

An important legal point: delivery platforms like Thuisbezorgd and Uber Eats are independent data controllers for the orders processed through their platforms — not your data processors. You do not need a DPA with them, but it is advisable to document the data-sharing arrangement.

An "Order via Thuisbezorgd" widget can contain a tracking pixel that monitors visitor behaviour — similar to a Facebook Pixel. It logs page visits and sends that data to the platform.

What to do:

  • Use regular links to the delivery platform instead of embedded widgets. A plain link (<a href="...">) loads no scripts.
  • If you use a widget, check whether it places cookies. Open browser developer tools (F12 → Network tab) and observe what requests the widget makes.
  • Mention each delivery platform that receives data in your privacy policy.
  • Load tracking widgets only after consent via your cookie banner.
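The click-to-load approach recommended for Google Maps above and the consent-gated loading of delivery widgets in this list are the same mechanism: nothing from the third party is requested until the visitor clicks. The script below is an added example written for this article, not code from TrustYourWebsite, Google, or any delivery platform. It assumes a placeholder such as `<div data-embed="maps" data-src="https://www.google.com/maps/embed?pb=..."></div>` in your HTML; the host allowlist, the `data-embed`/`data-src` attribute names, the `embed-consent` storage key, and the Thuisbezorgd widget host are assumptions to adapt to your site. It goes slightly beyond the text by allowlisting embed hosts, so a mistyped or tampered `data-src` cannot pull in an arbitrary third party, and by building elements with `createElement`/`setAttribute` rather than HTML strings, which also makes the delivery `<script>` actually execute (scripts inserted via `innerHTML` do not run).

```javascript
// Consent-gated ("click-to-load") third-party embeds for a restaurant website.
// Added example, not code from TrustYourWebsite or any third party.
// Hosts, attribute names and the storage key below are assumptions.

// Only ever build embeds for hosts you have chosen to use.
const ALLOWED_EMBED_HOSTS = {
  maps: ['www.google.com'],           // Google Maps embed URLs live here
  delivery: ['www.thuisbezorgd.nl'],  // assumed host of the order widget
};

const CONSENT_STORAGE_KEY = 'embed-consent'; // assumed key name

// True only for an https URL on an allowlisted host for this kind of embed.
function isAllowedEmbedUrl(kind, rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; }
  const hosts = ALLOWED_EMBED_HOSTS[kind] || [];
  return url.protocol === 'https:' && hosts.includes(url.hostname);
}

// Describe the element to create for an embed; throws for a URL that is
// not allowlisted. Returning a spec (not an HTML string) keeps the browser
// code free of innerHTML, so no attribute escaping is needed.
function buildEmbedSpec(kind, src) {
  if (!isAllowedEmbedUrl(kind, src)) {
    throw new Error(`refusing ${kind} embed from ${src}`);
  }
  if (kind === 'maps') {
    return { tag: 'iframe',
             attrs: { src, width: '100%', height: '300', loading: 'lazy', allowfullscreen: '' } };
  }
  // Delivery widgets are usually a <script>; it only runs once we insert it.
  return { tag: 'script', attrs: { src, async: '' } };
}

// Remembers which embed kinds the visitor consented to. The storage object
// only needs getItem/setItem: window.localStorage in the browser, or the
// Map-backed stand-in below for tests.
class ConsentGate {
  constructor(storage) {
    this.storage = storage;
    this.granted = new Set();
    const saved = storage.getItem(CONSENT_STORAGE_KEY);
    if (saved) {
      try { JSON.parse(saved).forEach((k) => this.granted.add(k)); } catch { /* ignore corrupt value */ }
    }
  }
  has(kind) { return this.granted.has(kind); }
  grant(kind) { this.granted.add(kind); this.persist(); }
  revoke(kind) { this.granted.delete(kind); this.persist(); }
  persist() { this.storage.setItem(CONSENT_STORAGE_KEY, JSON.stringify([...this.granted])); }
}

function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => { m.set(k, v); } };
}

// Browser only: turn each <div data-embed="..." data-src="..."> into either
// the real embed (consent already given) or a button that grants consent
// for that kind and then loads it. No third-party request happens before the click.
function mountEmbeds(doc, gate) {
  doc.querySelectorAll('[data-embed]').forEach((box) => {
    const kind = box.dataset.embed;
    const src = box.dataset.src;
    const load = () => {
      const spec = buildEmbedSpec(kind, src);
      const el = doc.createElement(spec.tag);
      for (const [name, value] of Object.entries(spec.attrs)) el.setAttribute(name, value);
      box.replaceChildren(el);
    };
    if (gate.has(kind)) { load(); return; }
    const button = doc.createElement('button');
    button.type = 'button';
    button.textContent = `Load ${kind} (sends your IP address to a third party)`;
    button.addEventListener('click', () => { gate.grant(kind); load(); });
    box.replaceChildren(button);
  });
}

if (typeof document !== 'undefined') {
  mountEmbeds(document, new ConsentGate(window.localStorage));
}
```

Pair this with a "withdraw consent" control in your privacy settings that calls `gate.revoke(kind)`; consent under GDPR must be as easy to withdraw as to give, and the placeholder text on the button is what tells the visitor what the click does.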

Guest WiFi and Personal Data

If you offer free WiFi, you are likely processing personal data. Most WiFi portal systems log:

  • MAC addresses of devices
  • Email addresses (if required for access)
  • Connection times and duration
  • In some systems, visited websites

A MAC address is personal data — the AP confirmed this when the municipality of Enschede received a €600,000 fine in 2021 for WiFi tracking in the city centre (tracking passersby via MAC addresses to measure footfall — the fine was overturned on procedural grounds in 2024, but the principle that MAC addresses are personal data stands).

What to do:

  • Ask for as little data as possible. A shared password on a chalkboard is the most privacy-friendly option.
  • If you use a login portal, show a privacy notice on the login screen.
  • Set access logs to auto-delete after at most 30 days.
  • Do not use WiFi data for marketing without explicit consent.
  • Do not retain browsing history of guests.

CCTV in Your Premises

Many hospitality businesses have security cameras. The GDPR sets strict requirements:

  • Warning signs are required. Guests must know they are being filmed before entering. Signs must state who is responsible and how guests can exercise their rights.
  • Maximum retention: 4 weeks. The AP's guidelines on camera surveillance specify that footage may not be kept longer than 4 weeks, unless an incident was recorded.
  • DPIA required for large-scale monitoring. Multiple cameras covering a large area may require a Data Protection Impact Assessment.
  • No cameras in toilets or changing rooms. No exceptions.

Include your CCTV use in your privacy policy.

Your Compliance Checklist

Privacy policy

  • Privacy policy exists on your website
  • Accessible from the footer on every page
  • Lists reservation systems, delivery platforms, and Google Maps as third parties
  • States which data you collect and why
  • States retention periods for reservation data

Cookies and tracking

  • Cookie banner if you use non-functional cookies
  • Google Maps loads only after consent (or use static image alternative)
  • Google Analytics in anonymous mode or replaced with privacy-friendly alternative
  • Delivery platform widgets do not load tracking scripts without consent
  • Google Fonts self-hosted (not loaded from Google servers)

Reservations and forms

  • Reservation form asks only for necessary data
  • Dietary and allergy fields are optional
  • Privacy policy linked from the form
  • Data processing agreement with your reservation system
  • Old reservation data is regularly deleted

Photos and content

  • All photos are self-taken or have a valid licence
  • You can prove the source or licence for every photo
  • No photos from Google Images or Pinterest without a licence

WiFi

  • WiFi requires no unnecessary personal data
  • Login portal (if used) shows a privacy notice
  • WiFi logs are automatically deleted

Security

  • Website runs on HTTPS
  • CMS and plugins are up to date
  • Admin passwords are strong and unique

Data Breach Risk Reality

The AP does not exempt hospitality businesses from GDPR enforcement. A restaurant whose website leaks personal data faces the same legal exposure as a webshop. GDPR fines go up to €20 million or 4% of annual turnover.

In practice, the AP often starts with a warning for smaller businesses. But copyright claims from CopyTrack or Getty arrive as invoices — no warning, no process. Those are more immediately likely than a GDPR fine for most small restaurants.

The combination of GDPR and copyright risk makes hospitality websites vulnerable on two fronts. The good news: both can be addressed in an afternoon.

Scan your website free to see which issues you currently have.

For the complete overview of GDPR obligations for Dutch businesses, read our GDPR compliance checklist. For the accessibility requirements that also apply to your restaurant, read our restaurant accessibility guide.


This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.
