GDPR starter kit for restaurants
TheFork/OpenTable, allergies, POS systems, staff scheduling, reviews, food photos on social media. It looks simple, but there are five pitfalls.
Restaurants process customer data through reservation platforms (often hosted outside the EU), allergy information (health data under Art. 9 GDPR) and staff data. The five pitfalls:

- TheFork / OpenTable: these platforms are often joint controllers with the restaurant, so you need a data processing agreement (DPA), a joint controller agreement (JCA) and, for transfers outside the EU, a Schrems II transfer impact assessment (TIA).
- Allergies: health data (Art. 9). Record them only where they are needed (e.g. in the kitchen), not structurally in the CRM tool, and destroy them after the visit.
- POS systems (Lightspeed, Square): these hold staff hours, tip administration and loyalty-card data. A DPA is required.
- Staff scheduling (Loket / Bridge / NMBRS): DPA plus separate databases; no marketing use of staff data.
- Reviews: never repost a review on social media without consent (portrait right, Cruijff case law). Reposting the star rating is fine. Food photos are no problem as long as only the food is visible; a guest visible in the background is a portrait-right risk.

Booking via WhatsApp: legitimate interest covers the confirmation message, but no marketing afterwards. Breaches typically happen through a stolen tablet or laptop holding customer data, or a compromised TheFork account. Document the breach procedure.