If you run a restaurant, takeaway, or food delivery business — whether you use Deliveroo, Uber Eats, Just Eat, or your own ordering system — you are processing significant amounts of personal data every day. Customer names, delivery addresses, order history, dietary preferences, allergen information, payment details, and location data all flow through your operation. Under GDPR, you have legal obligations around how you collect, store, use, and protect all of it.
This guide covers the key data protection issues specific to food businesses and delivery platforms.
What Data Do Food Businesses Actually Collect?
Before you can manage data compliantly, you need to know what you are actually holding. Food businesses typically collect more personal data than they realise.
Contact and delivery data — Customer names, email addresses, phone numbers, and delivery addresses are the foundation of any ordering system.
Order history — Records of what customers have ordered and when. This creates a profile over time and can reveal information about a person's lifestyle and household.
Dietary preferences and allergen information — If a customer tells you they are coeliac, diabetic, or have a severe nut allergy, that is health data under GDPR Article 9. Health data is special category data and attracts the highest level of protection.
Payment information — Card details processed through a payment provider. Most businesses do not store raw card data, but may retain transaction records.
Location data — GPS tracking for delivery drivers or a delivery radius tool for customers constitutes location data processing.
Device and browsing data — Analytics, cookies, or a Facebook pixel on your website may be collecting IP addresses and behavioural data.
Lawful Basis for Processing
Every piece of personal data you process needs a lawful basis under GDPR Article 6.
- Contract (Article 6(1)(b)) — Processing names and addresses to fulfil an order is lawful without separate consent.
- Legal obligation (Article 6(1)(c)) — Food safety law obliges you to provide allergen information about the food you sell. That obligation does not by itself authorise you to record a particular customer's allergy, which is health data and also needs an Article 9 condition (see below).
- Legitimate interest (Article 6(1)(f)) — Retaining order history for customer service and accounting, subject to a balancing test.
- Consent (Article 6(1)(a)) — The usual basis for marketing emails and SMS messages, unless the PECR soft opt-in described below applies.
Allergen Data and Article 9 Health Data
This is the area where food businesses are most likely to get GDPR wrong.
When a customer discloses an allergy or intolerance, they are sharing health information that qualifies as special category data under GDPR Article 9. Special category data requires both a lawful basis under Article 6 AND a separate condition under Article 9. For allergen notes taken at the point of ordering, that condition is in practice explicit consent (Article 9(2)(a)). The vital interests condition (Article 9(2)(c)) only applies where the person is physically or legally incapable of giving consent, so it does not cover routine order notes.
In practice:
- Obtain explicit consent before recording allergen information
- Explain how the information will be used and who will see it
- Do not retain allergen information beyond the transaction without justification
- Limit access to allergen notes to staff who need them
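The four points above, and the matching items in the checklist further down, translate into a data design choice: keep allergen notes out of the main order record, refuse to store them without a recorded consent, expose them only to the roles that need them, and purge them once the order is done while the order itself stays for accounting. The following is an added illustration for this article, not code from the page or from any ordering platform. The table names, the roles allowed to read allergen notes, and the 24-hour grace period are assumptions, and the sample orders are constructed.

```python
"""Holding allergen (Article 9) notes apart from the order record.

Added illustration, not the article's code. Table names, the roles that may
read allergen notes, and the grace period are assumptions; orders are constructed.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: only kitchen staff and managers need to see allergen notes.
ALLERGEN_READ_ROLES = {"kitchen", "manager"}


def open_db():
    """Orders and allergen notes live in separate tables, so ordinary queries over
    `orders` never return health data and the note table can be purged on its own."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE orders (
            order_id      INTEGER PRIMARY KEY,
            customer_name TEXT NOT NULL,
            address       TEXT NOT NULL,
            placed_at     TEXT NOT NULL,   -- ISO 8601, UTC
            fulfilled_at  TEXT             -- NULL until delivered
        );
        CREATE TABLE allergen_notes (
            order_id            INTEGER PRIMARY KEY REFERENCES orders(order_id),
            note                TEXT NOT NULL,
            consent_recorded_at TEXT NOT NULL
        );
    """)
    return con


def place_order(con, name, address, placed_at, allergen_note=None, explicit_consent=False):
    """Store an order; an allergen note is stored only when explicit consent was captured."""
    if allergen_note and not explicit_consent:
        # Article 9(2)(a): without explicit consent the health data is not written at all.
        raise ValueError("allergen note supplied without explicit consent")
    cur = con.execute(
        "INSERT INTO orders (customer_name, address, placed_at) VALUES (?, ?, ?)",
        (name, address, placed_at.isoformat()))
    order_id = cur.lastrowid
    if allergen_note:
        con.execute(
            "INSERT INTO allergen_notes (order_id, note, consent_recorded_at) VALUES (?, ?, ?)",
            (order_id, allergen_note, placed_at.isoformat()))
    con.commit()
    return order_id


def get_order(con, order_id, role):
    """Return the order; the allergen note is only looked up for permitted roles."""
    row = con.execute(
        "SELECT order_id, customer_name, address FROM orders WHERE order_id = ?",
        (order_id,)).fetchone()
    if row is None:
        return None
    order = {"order_id": row[0], "customer_name": row[1], "address": row[2]}
    if role in ALLERGEN_READ_ROLES:
        note = con.execute(
            "SELECT note FROM allergen_notes WHERE order_id = ?", (order_id,)).fetchone()
        order["allergen_note"] = note[0] if note else None
    return order


def mark_fulfilled(con, order_id, when):
    con.execute("UPDATE orders SET fulfilled_at = ? WHERE order_id = ?",
                (when.isoformat(), order_id))
    con.commit()


def purge_allergen_notes(con, now, grace=timedelta(hours=24)):
    """Delete notes for orders fulfilled more than `grace` ago; the order row is kept.
    ISO 8601 UTC strings compare correctly as text, so the cutoff is a plain comparison."""
    cutoff = (now - grace).isoformat()
    cur = con.execute("""
        DELETE FROM allergen_notes
        WHERE order_id IN (SELECT order_id FROM orders
                           WHERE fulfilled_at IS NOT NULL AND fulfilled_at <= ?)
    """, (cutoff,))
    con.commit()
    return cur.rowcount


def run_demo():
    """Walk one constructed order through its life cycle and report what each step saw."""
    con = open_db()
    t0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    oid = place_order(con, "A. Customer", "1 Example Street", t0,
                      allergen_note="severe peanut allergy", explicit_consent=True)
    try:
        place_order(con, "B. Customer", "2 Example Street", t0, allergen_note="coeliac")
        refused = False
    except ValueError:
        refused = True
    driver_view = get_order(con, oid, "driver")      # no allergen field at all
    kitchen_view = get_order(con, oid, "kitchen")    # sees the note
    mark_fulfilled(con, oid, t0 + timedelta(hours=1))
    purged_early = purge_allergen_notes(con, t0 + timedelta(hours=2))   # inside grace
    purged_later = purge_allergen_notes(con, t0 + timedelta(days=2))    # past grace
    after = get_order(con, oid, "kitchen")
    return {"refused_without_consent": refused,
            "driver_sees_note": "allergen_note" in driver_view,
            "kitchen_note": kitchen_view["allergen_note"],
            "purged_early": purged_early, "purged_later": purged_later,
            "note_after_purge": after["allergen_note"],
            "order_kept": after["customer_name"]}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the split table is that a driver's or front-of-house query never touches the health data, a report over `orders` for accounting never exports it, and the purge job removes only the allergen rows, so the order history the article says you may keep under legitimate interest survives the purge.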
Delivery Platform Relationships: Deliveroo, Uber Eats, and Just Eat
Deliveroo, Uber Eats, and Just Eat operate as independent data controllers for customer data. They collect customer personal data under their own privacy policies. As a restaurant listed on these platforms, you receive a subset of that data to fulfil specific orders.
This means:
- You cannot use platform customer data for your own marketing without a separate lawful basis
- You cannot add customers who order through Deliveroo to your own mailing list without their separate consent
- The customer's GDPR rights in relation to platform data are primarily exercisable against the platform
Many restaurant operators assume that a customer who ordered through Deliveroo has given them permission to market directly. They have not.
Building Your Own Ordering System
If you have your own website ordering system, you are the data controller for the customer data it collects. This means you need:
- A privacy policy that accurately describes what data you collect
- A cookie consent banner if you use analytics or advertising trackers
- A process for responding to data subject access requests without undue delay and within one month of receipt (extendable by up to two further months for complex or numerous requests, provided you tell the requester within the first month)
- The ability to delete customer data on request
- A Data Processing Agreement (Article 28) with any vendor that handles customer data on your behalf, such as the company that hosts your ordering software or sends your order confirmations
Loyalty Programmes and Profiling
When you record order history for loyalty rewards, you are creating a profile of that individual. You must:
- Tell customers in your privacy policy that you use order history for loyalty and personalisation
- Give customers the ability to opt out of profiling
- Never use health or allergen data for profiling or marketing segmentation
SMS and Email Marketing: PECR and the Soft Opt-In
The soft opt-in exception (PECR Regulation 22(3)) allows you to send marketing emails and texts to existing customers without prior consent if:
- You obtained their contact details in the course of a sale
- You are marketing similar products and services
- You gave them a clear opportunity to opt out at the point of collection
- Every subsequent message includes an easy opt-out
Important: The soft opt-in does not apply to customers who ordered through Deliveroo, Uber Eats, or Just Eat. You did not collect their details in the course of a sale with you; the platform did.
Delivery Driver Data
If you track driver locations during deliveries:
- Have a clear lawful basis (normally legitimate interest in managing the delivery operation; consent is rarely valid here because of the imbalance of power between employer and worker)
- Inform drivers clearly that tracking occurs and when
- Do not track drivers outside working hours
- Have a data retention policy for location data
Compliance Checklist
Data mapping
- Know what personal data you collect and where it is stored
- Identify allergen/health data separately with Article 9 safeguards
- Document the lawful basis for each processing category
Customer data
- Privacy policy accurately describes data collection
- Customers given clear opportunity to opt out of marketing at point of collection
- Platform-sourced customer data not used for own marketing
Allergen and health data
- Allergen information collected with explicit consent
- Access limited to relevant staff
- Not retained beyond the transaction without justification
Marketing
- Email and SMS marketing has a valid lawful basis
- Every message includes an easy opt-out
- Opt-out requests actioned promptly and recorded
Website and app
- Cookie consent banner in place
- Privacy policy linked from ordering page
- Process in place for responding to DSARs within one month
Where to Start
The highest-risk areas for food businesses are allergen data handling and customer marketing without a valid lawful basis. Audit those two areas first.
Then run a free compliance scan at app.custodia-privacy.com/scan to identify trackers, cookie issues, and privacy policy gaps on your website in 60 seconds.
This article provides general guidance on GDPR obligations for food businesses. It does not constitute legal advice.