Swiss Data Protection for Restaurants (revDSG/GDPR)
Data protection is not just a concern for tech companies and banks. Any business that collects personal information from its customers has legal obligations, and restaurants are no exception. Every reservation, every guest profile, every email address collected for a newsletter represents personal data that must be handled responsibly and in compliance with applicable law.
For restaurants operating in Switzerland, the regulatory landscape includes the revised Swiss Federal Act on Data Protection (revDSG), which came into effect in September 2023, as well as the European Union's General Data Protection Regulation (GDPR), which applies whenever EU residents' data is processed. Understanding these obligations is not optional. Non-compliance can result in fines, reputational damage, and loss of guest trust.
This article provides a practical overview of what Swiss restaurants need to know.
What Data Do Restaurants Actually Collect?
Before addressing legal requirements, it helps to understand the scope of data that a typical restaurant handles. The list is often longer than operators realize:
- Reservation data: Guest name, phone number, email address, party size, date, and time.
- Dietary and health information: Allergies, intolerances, and dietary restrictions. This is considered sensitive data under both the revDSG and GDPR.
- Visit history: Frequency of visits, preferred tables, past orders, and spending patterns.
- Communication records: Emails, SMS messages, and marketing opt-ins.
- Payment information: Credit card details collected for deposits or no-show guarantees.
- Feedback and reviews: Guest complaints, compliments, and survey responses.
- Staff-entered notes: Subjective observations about guest preferences, VIP status, or behavior.
Each of these data points carries specific obligations around collection, storage, use, and deletion. The days of casually accumulating guest information without a framework are over.
The revDSG: What Swiss Restaurants Need to Know
The revised Swiss Federal Act on Data Protection, commonly referred to as the revDSG, modernized Switzerland's data protection framework to align more closely with the GDPR while maintaining some distinctly Swiss characteristics.
Key provisions relevant to restaurants:
- Transparency obligation. You must inform individuals about the collection of their personal data, the purpose of processing, and any sharing with third parties. This is typically accomplished through a privacy policy accessible on your website and referenced during the booking process.
- Purpose limitation. Data collected for one purpose (making a reservation) cannot be used for an unrelated purpose (selling to a marketing partner) without additional consent.
- Data minimization. Collect only the data you actually need. If you do not need a guest's date of birth to process a reservation, do not ask for it.
- Security requirements. Appropriate technical and organizational measures must be in place to protect personal data from unauthorized access, loss, or misuse.
- Right of access and deletion. Guests have the right to request a copy of the data you hold about them and to request its deletion, subject to certain exceptions (such as legal retention requirements).
- Data breach notification. If a data breach occurs that poses a high risk to the affected individuals, you must notify the Federal Data Protection and Information Commissioner (FDPIC) as quickly as possible.
- Personal liability. Unlike the GDPR, which primarily targets organizations, the revDSG can impose fines on responsible individuals (such as owners or managers), with penalties up to 250,000 CHF.
The personal liability provision is particularly important for restaurant owners and operators. It is not just the business entity that faces consequences; decision-makers can be held personally accountable.
GDPR Overlap for Swiss Restaurants
Even though Switzerland is not an EU member state, the GDPR applies to Swiss restaurants in several scenarios:
- EU/EEA resident guests. If your restaurant collects data from guests who are residents of EU or EEA countries, whether they book online or walk in, the GDPR applies to the processing of their data.
- Online booking from EU countries. If your website is accessible to and used by individuals in the EU (which it almost certainly is), the GDPR's provisions may apply.
- Cross-border data transfers. If you use service providers (cloud hosting, email marketing, payment processors) that transfer data to or from the EU, GDPR compliance is relevant.
For restaurants in tourist areas, border regions, or cities with significant international visitors, GDPR compliance is not theoretical. It is a practical necessity.
The key additional requirements under the GDPR include:
- Explicit consent for marketing. Pre-checked boxes and implied consent are not sufficient. Guests must actively opt in to marketing communications.
- Data Protection Officer (DPO). While most small restaurants will not need a formal DPO, larger operations or restaurant groups processing data at scale may.
- Right to data portability. Guests can request their data in a commonly used, machine-readable format.
Consent: Getting It Right
Consent is one of the most misunderstood aspects of data protection. Many restaurants assume that because a guest provided their email for a reservation, they have consented to marketing emails. They have not.
Proper consent management requires:
- Separate consent for separate purposes. Consent to process data for a reservation is distinct from consent to send promotional emails. Each requires its own clear, affirmative action.
- No bundling. Do not make marketing consent a condition of making a reservation. The guest must be able to book without opting in to your newsletter.
- Easy withdrawal. Guests must be able to withdraw their consent at any time, and the process must be as easy as the process of giving consent. Every marketing email should include a clear unsubscribe link.
- Record-keeping. Maintain records of when and how consent was obtained. If challenged, you must be able to demonstrate that the guest actively agreed.
For reservation-related communications (confirmations, reminders, and follow-ups directly related to the booking), consent is generally not required because processing is necessary for the performance of the contract (the reservation). However, anything beyond the scope of the specific booking, such as newsletters, promotional offers, or satisfaction surveys, requires explicit consent.
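The consent rules above, as an added example in Python (not code from this page or from miMesa): one record per purpose, a booking that goes through regardless of the marketing tick, the latest event per purpose deciding, and an append-only log kept as evidence. The purpose names, the Guest model and the "web booking form" / "unsubscribe link" source labels are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Purposes are kept separate: consent for one never implies consent for another.
RESERVATION = "reservation"          # contract performance: no consent record needed
MARKETING = "marketing"              # newsletters and offers: explicit opt-in required
SURVEY = "satisfaction_survey"       # beyond the booking: needs its own opt-in

@dataclass
class ConsentEvent:
    purpose: str
    granted: bool        # True = opt-in, False = withdrawal
    at: datetime
    source: str          # where it happened, e.g. "web booking form" (assumed label)

@dataclass
class Guest:
    email: str
    consent_log: list = field(default_factory=list)   # append-only audit trail

    def record(self, purpose: str, granted: bool, source: str) -> ConsentEvent:
        event = ConsentEvent(purpose, granted, datetime.now(timezone.utc), source)
        self.consent_log.append(event)
        return event

    def current_consent(self, purpose: str):
        """Latest event for this purpose decides; None if the guest never opted in
        or has since withdrawn. The returned event is the evidence for an audit."""
        for event in reversed(self.consent_log):
            if event.purpose == purpose:
                return event if event.granted else None
        return None

def create_reservation(guest: Guest, party_size: int, when: str,
                       marketing_opt_in: bool = False, source: str = "web booking form"):
    """Book regardless of the marketing choice (no bundling). The box defaults to
    unchecked, so only an affirmative tick creates a consent record."""
    if marketing_opt_in:
        guest.record(MARKETING, True, source)
    return {"email": guest.email, "party_size": party_size, "when": when}

def may_send(guest: Guest, purpose: str) -> bool:
    """Gate every outgoing message on its purpose, not on having an address."""
    if purpose == RESERVATION:           # confirmations, reminders: contract-related
        return True
    return guest.current_consent(purpose) is not None

def unsubscribe(guest: Guest, purpose: str = MARKETING) -> None:
    """One-click withdrawal, as easy as opting in; the log keeps both events."""
    guest.record(purpose, False, "unsubscribe link")
```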
The Advantage of Swiss Hosting
Where your guest data is stored matters, both legally and practically. For Swiss restaurants, choosing a technology provider that hosts data in Switzerland offers significant advantages:
- Simplified compliance. When data stays within Switzerland, the complex rules around international data transfers (particularly to countries without an adequate level of data protection) do not apply.
- Swiss legal jurisdiction. Data hosted in Switzerland falls under Swiss law and Swiss courts, providing legal clarity and stability.
- Guest confidence. Swiss data protection standards are well-regarded internationally. Communicating that your guest data is stored in Switzerland enhances trust.
- No exposure to foreign government access. Data stored outside Switzerland may be subject to foreign government access requests under laws such as the US CLOUD Act. Swiss hosting avoids this exposure.
When evaluating reservation platforms, ask where the data is stored. A platform like miMesa, which hosts data in Switzerland, eliminates the cross-border transfer concerns that come with platforms headquartered elsewhere.
Practical Steps for Compliance
Compliance does not require a legal department. For most restaurants, the following practical steps cover the essentials:
- Create or update your privacy policy. It should explain what data you collect, why, how long you keep it, and how guests can exercise their rights. Make it accessible on your website.
- Review your booking process. Ensure that consent for marketing is separate from the reservation itself, and that you collect only the data you genuinely need.
- Audit your technology providers. Understand where your data is stored, who has access to it, and what security measures are in place. Ensure contracts include appropriate data processing agreements.
- Train your staff. Front-of-house and management teams should understand the basics of data handling: what to record, how to store it, and how to respond to guest requests about their data.
- Establish a data retention policy. Decide how long you keep guest data and delete it when the retention period expires. Keeping data indefinitely "just in case" is not compliant.
- Plan for data breaches. Even with good security, breaches can happen. Have a simple plan for who to notify and what steps to take.
Conclusion
Data protection compliance is an ongoing responsibility, not a one-time project. For Swiss restaurants, the combination of the revDSG and potential GDPR exposure creates a regulatory environment that demands attention. But the effort is worthwhile beyond mere legal compliance. Guests increasingly care about how their personal information is handled, and restaurants that demonstrate responsible data practices build deeper trust.
The foundation of compliance is straightforward: be transparent about what you collect, collect only what you need, protect it properly, use it only for stated purposes, and delete it when it is no longer necessary. With the right technology partner and a culture of respect for guest privacy, compliance becomes a natural part of how you operate rather than a burdensome obligation.