GDPR starter kit for café + hospitality
Reservations, cameras, staff, guest WiFi, guestbooks: a hospitality-specific GDPR checklist with templates. GDPR maturity in the industry is low.
Hospitality businesses often collect more data than they realise. Risk areas:
(1) Reservations (TheFork, OpenTable, own form): name + phone + email + diet/allergy (= Art. 9 special category!). Minimise allergy data to a free field.
(2) CCTV: sign mandatory (see CCTV sign), retention max 4 weeks, no audio recording.
(3) Staff data (NVP retention, sick leave data = Art. 9).
(4) Guest WiFi: login data is rarely necessary. Prefer no-login WiFi. If logged: privacy statement at login, retention max 6 months.
(5) Loyalty cards: marketing consent required, with an opt-out.
Tip: hotels have extra rules (Dutch Immigration Act Art. 4:1: viewing the passport is allowed, copying it is not; see hotel passport).
For restaurant owners: POS systems (Untill, Lightspeed, Square) process staff + customer data, so request a DPA.
AP fines 2023-2025: multiple hospitality businesses fined for CCTV sign violation + no DPA + unsafe WiFi data.