Guide to General Data Protection Regulation (GDPR)

How to get ready for GDPR

The Basics

GDPR is a new European law coming into effect May 25, 2018, protecting the rights and freedoms of EU individuals with respect to their personal data.


If your restaurant is established in the EU/UK, yes it does. If your restaurant is not established in the EU/UK, then it only applies with respect to diners and prospective diners who are residents of the EU/UK.


Personal data of EU individuals. Personal data is data that can be linked to an identified or identifiable person. It includes direct identifiers (e.g., name and email) and indirect identifiers if they can be used to identify a person (e.g., IP address and online identifiers).


All types, whether or not automated, such as the access, collection, storage, retrieval, use, disclosure or erasure of personal data.


Yes, the UK will still be a part of the EU when GDPR comes into effect and the UK government has stated that it will comply with the GDPR and that such compliance will not be affected by Brexit.


No, consent is only one of the legal bases for processing data. For example, data can also be processed: – To fulfill a contract with that person – Sometimes for “legitimate interests,” such as for marketing and commercial objectives (these legitimate interests must, however, outweigh detriment to the privacy of that person) – When there is a legal obligation to do so

Understanding Controller vs. Processor: You control the data in your OpenTable Guestbook

Rights and responsibilities for data processing under GDPR depend on whether your business is a data controller or data processor.


The controller uses the data for its own business purposes. The controller determines the purposes and means of processing personal data. The processor performs data processing services for the controller. Here is how it applies to your restaurant’s use of OpenTable’s products:


Your restaurant is the controller of personal data in your OpenTable Guestbook. This data includes both online reservation data and data that you input into your OpenTable guestbook, such as your phone-in reservations, guest notes and tags.

OpenTable is the processor of personal data in your OpenTable Guestbook. As such, OpenTable processes this data in your OpenTable guestbook on behalf of your restaurant by powering the product. Your guestbook may live in any of our restaurant products, such as GuestCenter, OpenTable Connect, Electronic Reservation Book (ERB) or ResPAK.


OpenTable is the controller of personal data in our consumer products, including OpenTable’s websites, apps and booking flows. Diners who make reservations through our sites and apps, including our booking tool on your restaurant’s website, agree to OpenTable’s terms of use and privacy policy as part of completing the reservation. However, as noted, your restaurant controls personal data in your OpenTable guestbook, for which OpenTable acts as your restaurant’s data processor.

Your OpenTable contract

To help your restaurant prepare for GDPR, OpenTable will be updating our EU/UK online restaurant contracts. If you do not have an online contract, we will make this update available to you as an addendum to your current contract.

OpenTable will also be maintaining certain records of our data processing as required by GDPR. As the processor of personal data in your restaurant’s OpenTable guestbook, OpenTable’s records will include your restaurant’s contact information, together with your Data Protection Officer and local representative, if you have one. We will be reaching out to your restaurant for any updates to this information prior to GDPR. You may also submit this information to your OpenTable Account Manager.

Data Subject Rights: The Right to Erasure

EU diners have certain personal rights under GDPR, including the right to erasure. OpenTable is putting in place new processes and procedures to respond to these requests.

If OpenTable receives a request for erasure from a diner who booked a reservation at your restaurant through OpenTable, we will:

  • Process the diner’s request for erasure from our consumer systems.
  • Provide your restaurant with notice of the request, because GDPR requires us to inform recipients to whom we passed the diner’s data of these sorts of requests.
  • Your restaurant, as the data controller of your OpenTable guestbook, will then decide how to handle this request with respect to your guestbook. If you elect to erase the diner from your OpenTable guestbook, OpenTable is here to assist you upon your request.

If a diner submits a request for erasure directly to your restaurant, OpenTable, as your data processor, is also here to help you upon your request with respect to your OpenTable guestbook.

Changes to our Sites & Apps

  • Our Privacy Policy
    OpenTable will be updating our website consumer privacy policy as part of GDPR readiness. These updates will include, for example, information for EU/UK individuals on how to exercise their GDPR rights, as well as clarifying the legal bases for processing their data.
  • Email Marketing
    Our sites and apps give the diner the opportunity to provide their email address to your restaurant for email marketing purposes. As we explain at the end of paragraph 1 (The Basics), consent is just one legal basis for processing data for marketing purposes.

How You Can Prepare for GDPR in Your Restaurant

  • Know your data. Be aware of what data your restaurant collects, where it is stored, and who can access it. From there, you can take necessary actions to secure access.
  • Secure your data. Use the security features that may be contained in your OpenTable guestbook in order to only permit access to personal data on a need-to-know basis.
  • Consult with experts, as needed. To answer questions specific to your restaurant, it may help to consult with tech and legal experts who can assess your restaurant’s particular situation.
  • Take advantage of what OpenTable has to offer. Update your contract and restaurant contact information with OpenTable and follow the security tips outlined in this Guide. We encourage you to reach out to your Account Manager with any questions about OpenTable products.