GDPR for Restaurants: 6 useful tips for catering businesses

The GDPR (General Data Protection Regulation) has been in force since 25/5/2018 and brings changes in the management of sensitive personal data. However, a large percentage of companies in Greece and in Europe have not complied with the new regulation and the control mechanisms appear to be unprepared.

Percentage of the class of 20% in Greece appears to be compliant with the new regulation, while the 49% have started the compliance process. Cases have been observed companies – to a small extent of course – that do not even know of its existence regulation or what they should do. In Greece, a vote is expected from Parliament of the draft law that will regulate the new responsibilities of the Authority Personal Data Protection, which is responsible for examination of complaints, imposition and collection of fines.

We note that several EU countries have not yet passed a new draft law on the GDPR, which is a sign of general readiness in the new regulation, after all it is something new for all of us. By no means do I want to convey that I recommend for the mother to be inactive. The first step of these is to understand some basic and very important concepts that I describe below:

What is the GDPR;

On April 27 2016 was adopted by the European Parliament Regulation 679/2016 or General General Data Protection Regulation Regulation). The Regulation entered into force on May 5, 2016 with a transitional one for a period of two years and shall apply as a direct law (not a Directive) to all member states of the European Union from 25 May 2018.

The rule regulates the rights of individuals with regard to:

  1. The their personal data.
  2. The processing of their personal data.
  3. The free and unimpeded movement and transfer of their staff within the borders of the European Union.
  4. The procedures for the transfer of personal data outside the European Union.

To whom Is the GDPR addressed?

Every private and public enterprises, as well as the state authorities that with any way they manage personal data of clients, customers of their customers, employees, associates or other natural persons. As a million Therefore, the GDPR applies to virtually all companies, inside and outside Europe Union, if the data concerns European citizens.

Based on the above, it is addressed to:

  • Large companies and organizations.
  • Small and medium businesses.
  • Small and micro-enterprises, corporations and sole proprietorships.

As indicative in:

  • Companies IT and services.
  • Insurance insurance intermediary companies and offices.
  • Medical centers and clinics.
  • Companies and companies with a workforce.
  • Businesses maintaining surveillance cameras.
  • Companies who maintain a clientele for marketing purposes.
  • Stores e-shop.

What do we define as ‘personal data’?

Personal data are considered:

  • Data identification (TIN, name, age, residence, occupation, family situation etc.).
  • Of course characteristics, education, work (previous service, work behavior, etc.).
  • Economic situation (income, assets, financial behavior).
  • Interests, activities, habits.
  • IP Address, e-mail, internet cookies.
  • GPS Location.
  • The medical, religious, political, erotic preferences, trade union activity, etc., are considered sensitive personal data.

Data processing

It is any work performed on personal data, such as: collection, registration, organization, preservation or modification, modification, export, use, transmission, dissemination, association or combination, interconnection, commitment, deletion, destruction.

Who is the Data Controller?

The Responsible Processing (Data Controller) is the entity (the natural or legal person public or private law) which sets out the purpose, the conditions and the how to process personal data. For example, Processor is any company, association, association etc. who keeps personal data at least one natural person: its officials or candidates, of its members, customers, suppliers, partners and consultants, etc.

Who is the Data Processor?

The Executor Processing (Data Processor) is respectively the entity that processes personal data on behalf of the Controller. In the above For example, the Processing Provider is, among others, the Provider e-mail of the company, as well as processing it personally personal data (eg personal data in abundance within the CVs that the candidates send to the company). By entity we mean a legal entity of the public or private sector.

What do we define Data Subject Consent?

Any indication of will, free, specific, explicit and fully aware, by which the data subject expresses that he agrees, by a statement or by a clear positive action, that the personal data concerning him be processed.

Violation of a given personal character

Violation of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.

What do we do if a data breach occurs?

If this happens, and the breach is likely to jeopardize rights and freedoms of an individual, the company or organization must notify the supervisory authority without undue delay and within 72 hours at the latest after realizing the violation. If the company or organization is the executor processing, must inform the data controller of any data breach.

The DPO (Data Protection Officer) and who are required to appoint a DPO?

The Responsible Data Protection (DPO) facilitates the compliance of the controller and the processor in accordance with the provisions of the General Regulation for Data Protection and mediates between the various stakeholders (e.g. supervisors, data subjects). Its role is advisory (not decisive) and bears no personal responsibility for non-compliance with Regulation.

The DPO definition is mandatory when:

  • THE processing is carried out by a public authority or public body (including and natural or legal persons governed by public or private law power). The courts are excluded when acting under their jurisdiction competence.
  • Required regular and systematic monitoring of data subjects on a large scale scale (eg insurance or banking services, telephone services or Internet security, all forms of surveillance and setting up “profiles” on the internet, retaining elements such as racial or ethnic origin, political views, religious or philosophical beliefs, participation in trade unionism organization, genetic or biometric data for the purpose of indisputable face identification, such as for behavioral advertising purposes).
  • It is carried out large-scale processing of specific categories of data (eg in context provision of health services by hospitals) or personal data that concern criminal convictions and offenses.
  • Organizations employing more than 200 staff.
  • Organizations maintaining a camera and video surveillance system.

Compliance Steps & Stages

  • Education/ Awareness: It is the most basic and the Achilles heel of all organisms for a possible leak. It should be adopted and consolidated fully staffed the concept of GDPR and protection regulations personal data. To fully cultivate and develop this mentality, ‘mentality’ is the key word.
  • Data Mapping: Data collection and recording of Personal Retention Points Data
  • Gap Analysis & Compliance Plan: Analysis of Deficiencies and deviations, identifying deviations and observed deficiencies or incompatibilities of procedures in in relation to the objective pursued of full compliance with all articles of the GDPR.
  • Risk Assessment: Risk assessment of risk factors, which threaten the Personal Data held by the company.
  • Privacy Protection Plan: Design of a Personal Data Protection Program.
  • Privacy Impact Assessment (PIA): Writing a Privacy Impact Study
  • Writing or correction of incomplete procedures: Development of technical or legal standards support and implementation thereof.

To implement all of the above I would suggest you consult your lawyer consultant, who will inform you competently, giving the necessary clarifications and interpretations that specifically concern your company. For technical implementation, you will need IT consultants, who will implement with appropriate tools, measures and security and protection policies data as well as their encryption.

What are the fines?

The fines that provided by the General Regulation are high. The highest amounts to 20 million. or 4% of the previous year’s global turnover financial year, if it is a business – whichever is higher.

This fine may be imposed on serious violations of the Rules of Procedure, such as: violations concerning the consent of the individual, the basic principles of data protection, data transfer of European citizens outside Europe, non – compliance with instructions of the Supervisory Authorities.

There are also cases where a fine of 10 million is provided. or 2% of global annual turnover – whichever is higher – for example: non-compliance with organized records, non-disclosure of security breaches, failure to set DPOs where required, failure to conduct Impact Assessment, incomplete implementation or absence of technical and organizational measures to ensure data protection.

Useful tips for catering businesses

  • If employs over 200 people or has a camera system You will need to set a DPO and report it to the Authority Privacy Policy immediately.
  • The Camera-Video Surveillance systems must not cover common areas, customer tables, workplaces and staff gathering (kitchen, locker rooms etc.), should not be high definition, zoom in, rotate and have a view of streets and sidewalks.
  • Nouns the cameras are allowed to cover entrances and exits and cash registers. It is forbidden to maintain the recording of the cameras for more than 30 days. On the contrary in this case there is a serious risk of termination.
  • Caution with the details you keep of employees online and offline, for example CVs, e – mails, payroll cards, sending data to public bodies, in their characterizations, preservation of medical records from possible diseases of the past.
  • Caution in customer data, and characterizing them based on some habits, for example of any allergies or preferences that have occurred during past. E-mails that are probably stored in a database for purposes marketing, or for ads through social media.
  • If maintained official web site, you need to set security policies privacy and consent to the visitor regarding cookies and any data entered.


Restaurant Marketing after GDPR

Αν σκεφτήκατε ότι το marketing σας ήταν δύσκολο πριν από το GDPR, πρόκειται να είναι ένα εντελώς διαφορετικό μετά τις 25 Μαΐου. Η αναζήτηση επαγγελματικής βοήθειας είναι πλέον πιο σημαντική από ποτέ. Ξεκινήστε σήμερα κλείνοντας μια δωρεάν διαβούλευση με έναν από τους ειδικούς μας.

Scroll to top