Why GDPR Applies to Catering Businesses
If you run a catering business — whether you're a wedding caterer, a corporate hospitality company, a mobile street food operator, or a contract catering firm — you collect and process personal data every single day. Names, phone numbers, email addresses, dietary requirements, allergy information, event details, and payment records all constitute personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The UK GDPR applies to any organisation established in the UK that determines the purposes and means of processing personal data (a "controller"), and to organisations outside the UK that offer goods or services to, or monitor the behaviour of, people in the UK. Post-Brexit, UK GDPR broadly mirrors the EU GDPR framework, so if you cater for events in the EU or serve EU-based clients, both regimes may apply at the same time.
Non-compliance can result in fines of up to £17.5 million or 4% of annual global turnover, whichever is higher, imposed by the Information Commissioner's Office (ICO). Beyond the financial penalties, a data breach or compliance failure can devastate the reputation a catering business depends upon for repeat bookings and word-of-mouth referrals.
What Personal Data Do Caterers Collect?
Before you can comply with GDPR, you need to map the personal data flowing through your business. Catering companies typically collect and process data in the following categories:
- Client contact details: Full name, email address, telephone number, home or business address
- Event details: Venue address, event date and time, number of guests, occasion type
- Dietary requirements and food allergies: For both the primary client and their guests
- Guest lists: Names and sometimes contact details of event guests provided by the client
- Payment information: Bank details, card information processed via payment providers, invoices, deposits, and outstanding balances
- Health and safety records: Any medical conditions disclosed that affect food preparation
- Marketing data: Email addresses and preferences of past clients or prospects
- Staff and freelancer data: Employment records, DBS check results, payroll information, bank details, National Insurance numbers, emergency contacts
- CCTV footage: If you operate a premises or commercial kitchen with cameras installed
Special Category Data: Dietary Requirements and Allergies
One of the most important aspects of GDPR for caterers is that dietary requirements and food allergy information can constitute special category data under Article 9 of the UK GDPR.
Special category data is given additional protection because of its sensitivity. It includes data that reveals a person's health condition. A food allergy or intolerance — particularly serious conditions such as nut allergies, coeliac disease, or Crohn's disease — is clearly health-related. Religious dietary requirements such as halal, kosher, or Hindu vegetarian may additionally reveal a person's religious beliefs, which is another special category.
This means that when you ask guests for their dietary requirements or allergy information, you need an Article 9 condition in addition to an Article 6 lawful basis. The conditions most relevant to caterers are:
- Explicit consent: The individual has given clear, specific, informed, and unambiguous consent to the processing of their health-related dietary data, and you record that consent and make it as easy to withdraw as it was to give.
- Vital interests: Processing is necessary to protect someone's life. Under Article 9 this condition only applies where the individual is physically or legally incapable of giving consent, so it covers an emergency (checking a collapsed guest's recorded allergy, for example), not the routine collection of allergy information in advance. Do not rely on it as your everyday condition.
- Legal obligation: Article 9 has no general "legal obligation" condition. The Food Information Regulations 2014 oblige you to provide accurate allergen information about the food you serve, which gives you an Article 6 lawful basis for your menu allergen records, but they do not require you to collect guests' health data, so they are not an Article 9 condition for guest allergy information. In practice, explicit consent obtained at the point where the dietary requirement is collected is the most workable condition for most caterers.
Lawful Basis for Processing Personal Data
For ordinary personal data (not special category), you must identify a lawful basis from Article 6 of the UK GDPR before processing. The most relevant bases for catering businesses are:
Contract
Processing is necessary for the performance of a contract with the data subject. This covers the vast majority of client data — you need a name, contact details, event information, and payment records to deliver the catering service and issue invoices. No separate consent is needed for this data.
Legal Obligation
Processing is necessary to comply with a legal obligation. Tax records, employment data, and allergen information all have legal bases here. HMRC requires companies to retain financial records for six years from the end of the financial year they relate to (self-employed sole traders must keep them for at least five years after the 31 January submission deadline of the relevant tax year).
Legitimate Interests
Processing is necessary for your legitimate interests, provided those interests are not overridden by the data subject's rights. You must conduct a Legitimate Interests Assessment (LIA) and document it.
Consent
For marketing emails to people who have not previously purchased from you, consent is typically required. Consent must be freely given, specific, informed, and unambiguous.
Event Client Data: Bookings, Quotes, and Invoices
The client relationship generates the largest volume of personal data for most catering companies. Your lawful basis here is primarily contract. You need client details to quote accurately, agree terms, prepare food to their specifications, attend the correct venue, and process payment.
However, you do need to provide clients with a privacy notice at or before the point of data collection. Your privacy policy must explain who you are, what data you collect and why, your lawful basis for each type of processing, who you share data with, how long you retain data, and data subjects' rights.
Guest Lists and Dietary Sheets: Third-Party Personal Data
When a client provides you with a guest list — including names, seating arrangements, dietary requirements, and allergy information for their attendees — you become a data controller in your own right for those third-party individuals, because you decide how that data is used in your kitchen and on the day (or a joint controller with the client where you make those decisions together).
The guests themselves have not contracted with you and may not know their data has been shared. Article 14 of the UK GDPR requires you to give them privacy information within a reasonable period unless doing so would involve disproportionate effort; the practical route is to agree with the client that they pass on your privacy notice when they collect dietary requirements from their guests. You should also only request and process the minimum guest data necessary for the catering function (data minimisation): the kitchen needs a table number and the requirement, not a guest's email address or phone number.
Guest dietary sheets should be:
- Shared only with kitchen staff and front-of-house team who need to know
- Stored securely (password-protected files, locked filing cabinets)
- Destroyed or deleted promptly after the event
- Never shared with third parties unless strictly necessary
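The cleanest way to apply "need to know" to a dietary sheet is never to circulate the client's full spreadsheet at all, but to derive a separate minimal view for each team from it. The script below is an added illustration, not code from the original page; the guest list, column names and role-to-column allow-list are constructed assumptions, and the names and contact details in the sample CSV are fictitious. It parses the full sheet once, produces a kitchen view with no identities or contact details, a front-of-house view with names and tables only, a per-table production count that contains no individuals at all, and a guard that refuses to emit a view containing any column outside the role's allow-list.

```python
"""Derive need-to-know views of a client-supplied guest list (example, not from the page)."""
import csv
import io
from collections import Counter

# Constructed sample of what a client might export from a spreadsheet.
# It carries contact details the kitchen never needs. Fictitious data.
CLIENT_GUEST_LIST_CSV = """guest_id,name,email,phone,table,dietary,allergies,notes
1,Alice Example,alice@example.com,07700 900001,1,Vegetarian,,Bride's aunt
2,Bob Example,bob@example.com,07700 900002,1,,Peanuts (anaphylaxis),
3,Carol Example,carol@example.com,07700 900003,2,Halal,,
4,Dan Example,dan@example.com,07700 900004,2,,Gluten (coeliac),
5,Eve Example,,,3,,,
"""

# Assumed allow-list: which columns each team is permitted to see.
# Kitchen cooks for a table, not for a named person; front of house
# needs the name to put the right plate in front of the right guest.
ROLE_COLUMNS = {
    "kitchen": ("table", "dietary", "allergies"),
    "front_of_house": ("table", "name", "dietary", "allergies"),
}


def parse_guest_list(csv_text):
    """Parse the client's full sheet. This is the only copy of the full
    record set; it is the file to keep encrypted and delete after the event."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def needs_special_handling(row):
    """True if the guest has any dietary requirement or allergy recorded."""
    return bool(row["dietary"].strip() or row["allergies"].strip())


def minimised_view(rows, role):
    """Keep only the role's allowed columns. The kitchen view also drops
    guests with no requirement at all: a plain meal needs no record."""
    cols = ROLE_COLUMNS[role]
    view = []
    for row in rows:
        if role == "kitchen" and not needs_special_handling(row):
            continue
        view.append({col: row[col] for col in cols})
    return view


def stray_columns(view, role):
    """Guard before a file leaves the business: any column present in the
    view that is not on the role's allow-list is a minimisation failure."""
    allowed = set(ROLE_COLUMNS[role])
    return {col for row in view for col in row if col not in allowed}


def view_to_csv(view, role):
    """Serialise a view in the role's column order, raising if it would
    leak a column the role is not allowed to see."""
    stray = stray_columns(view, role)
    if stray:
        raise ValueError(f"view for {role} contains disallowed columns: {sorted(stray)}")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=ROLE_COLUMNS[role], lineterminator="\n")
    writer.writeheader()
    writer.writerows(view)
    return out.getvalue()


def kitchen_production_counts(rows):
    """Aggregate counts per table and requirement: the most minimal form,
    with no individuals in it. A guest with both a dietary requirement and
    an allergy contributes one count to each."""
    counts = Counter()
    for row in rows:
        dietary, allergy = row["dietary"].strip(), row["allergies"].strip()
        if dietary:
            counts[(row["table"], dietary)] += 1
        if allergy:
            counts[(row["table"], "allergy: " + allergy)] += 1
    return counts


if __name__ == "__main__":
    rows = parse_guest_list(CLIENT_GUEST_LIST_CSV)
    for role in ROLE_COLUMNS:
        print(f"--- {role} view ---")
        print(view_to_csv(minimised_view(rows, role), role))
    print("--- kitchen production counts ---")
    for (table, requirement), n in sorted(kitchen_production_counts(rows).items()):
        print(f"table {table}: {n} x {requirement}")
```

Each derived view is what gets printed for the pass or emailed to the chef; the full sheet stays in one place with the client record and is deleted with it after the event. The guard in view_to_csv is deliberately a hard failure rather than a warning, because a dietary sheet that accidentally carries the email and phone columns is exactly the file that ends up forwarded to a venue or a freelance server.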
Staff and Freelancer Data
Catering businesses often employ a mix of full-time staff, part-time employees, zero-hours workers, and freelance contractors. All of these individuals have GDPR rights, and you have significant obligations as their employer or engager.
You will hold names, addresses, National Insurance numbers, bank account details, payroll records, contracts of employment, performance reviews, disciplinary records, and sickness absence records. Your lawful basis for most employment data processing is a combination of contract, legal obligation, and legitimate interests.
If your catering business operates in settings involving children or vulnerable adults, you may undertake DBS checks on staff. Criminal records data is not special category data, but it is separately protected under Article 10 of the UK GDPR: you need an Article 6 lawful basis plus a condition from Schedule 1 of the Data Protection Act 2018, and for most of those conditions you must have an "appropriate policy document" in place that justifies and governs your processing of this data.
Marketing: Email Lists, Newsletter Opt-Ins, and Follow-Ups
Marketing to Existing Clients
UK law (specifically PECR) allows you to send direct marketing by email or text about your own similar services to existing clients, and to people who negotiated a sale with you, under the "soft opt-in" rule, provided you obtained their details in the course of that sale or negotiation, gave them a clear opportunity to opt out at the time, and include an easy way to unsubscribe in every marketing message.
Marketing to New Prospects
For people who have never purchased from you, you need explicit opt-in consent before sending marketing emails. Pre-ticked boxes and buried consent language are not valid consent under GDPR and PECR.
Data Retention: How Long Should You Keep Records?
GDPR requires you to retain personal data for no longer than is necessary. For catering businesses:
- Client booking records and invoices: Retain for six years after the financial year end (HMRC requirement)
- Guest dietary sheets: Delete promptly after the event, as above. Allergen records for the menu served (which dishes contained which allergens, and any allergy-specific arrangements you made): Retain for six years, which covers both the three-year personal injury limitation period and the six-year contract limitation period under the Limitation Act 1980
- Marketing consent records: Retain for as long as you are actively marketing to the individual
- Employee records: Retain for six years after the end of employment
- DBS check records: Record date, certificate number, and result only. Do not keep copies of certificates; the DBS code of practice says a copy should not normally be kept for longer than six months
- Supplier contact details: Retain for six years after the end of the supplier relationship
Data Security for Caterers
UK GDPR requires you to implement "appropriate technical and organisational measures" to protect personal data:
- Secure email: Do not send guest dietary sheets as unencrypted attachments to multiple recipients
- Password policies: Use strong, unique passwords and enable two-factor authentication
- Physical security: Paper records should be stored in locked cabinets and shredded when no longer needed
- Device security: Laptops and mobile phones used to access client data should be password-protected and encrypted
- Need-to-know access: Only give access to personal data to staff and freelancers who genuinely need it for their role, and remove that access when the event or engagement ends
Practical GDPR Compliance Checklist for Caterers
- Complete a data mapping exercise and create a Record of Processing Activities (ROPA)
- Publish a clear, compliant privacy policy on your website
- Add privacy notices to booking forms, quote emails, and guest dietary collection forms
- Identify whether dietary and allergy data qualifies as special category data and document your Article 9 condition
- Review your marketing consent process — ensure opt-in checkboxes are unchecked by default
- Establish a written data retention policy and schedule regular data deletion reviews
- Secure all personal data appropriately — encrypted devices, strong passwords, locked filing cabinets for paper records
- Train all staff who handle personal data on basic GDPR principles
- Sign Data Processing Agreements with any third-party suppliers
- Have a documented data breach response procedure in place
- Register with the ICO if required and pay the annual data protection fee
- Review your compliance annually and whenever you introduce a new type of data processing
This guide provides general information about UK GDPR obligations for catering businesses. It is not legal advice. For specific compliance questions, consult a qualified data protection solicitor or the ICO's helpline for small organisations.