Industry guides · 8 min read · 7 June 2026

PDPA for F&B and Restaurants: Customer Data Compliance in Singapore

Learn how Singapore F&B businesses and restaurants can comply with PDPA requirements for customer data — from reservations to loyalty programmes.

ComplyHQ Team

Every restaurant, café, and food business in Singapore handles personal data daily — reservation details, delivery addresses, loyalty programme sign-ups, and payment information. Under the Personal Data Protection Act 2012 (PDPA), your F&B business has clear legal obligations for how you collect, use, store, and dispose of this data. Non-compliance can result in financial penalties of up to S$1 million, or 10% of your organisation's annual turnover, whichever is higher.

TL;DR — Key Takeaways for F&B Businesses

  • You need valid consent before collecting customer data for reservations, loyalty programmes, or marketing.
  • Your business must appoint a Data Protection Officer (DPO), even if it is the owner themselves.
  • Retention periods must be defined — do not keep customer data indefinitely.
  • Third-party platforms (delivery apps, POS providers, marketing tools) do not absolve you of responsibility.
  • A data breach involving 500+ individuals must be reported to the PDPC within 3 calendar days.

For a full compliance walkthrough, see our PDPA Compliance Checklist for Singapore SMEs.


What Customer Data Do F&B Businesses Collect?

Singapore F&B businesses collect more personal data than most owners realise. Under the PDPA, "personal data" means any data that can identify an individual, whether on its own or combined with other information your business holds.

Common data touchpoints in a typical restaurant or café include:

  • Reservations: Names, mobile numbers, email addresses, party size, special requests (e.g. dietary restrictions or allergies, which may constitute sensitive health data)
  • Loyalty and rewards programmes: NRIC/FIN (now restricted), birth dates, spending history, visit frequency
  • Online ordering and delivery: Home or office addresses, payment card details, order history
  • Wi-Fi login: Device MAC addresses, phone numbers, email addresses
  • CCTV footage: Facial images, timestamps of customer visits
  • Marketing: Email addresses, SMS numbers, customer preferences

Each of these data points carries specific obligations under the PDPA. The critical first step is knowing exactly what you collect and why.


The PDPA Obligations That Apply to Your F&B Business

The PDPA sets out nine main obligations. Here are the ones most relevant to F&B and restaurant operations.

Consent Obligation (Section 13)

You must obtain consent before collecting, using, or disclosing personal data. For F&B businesses, this means:

  • Reservations: When a customer calls or books online, they provide their name and phone number for the purpose of the reservation. This typically qualifies as deemed consent under Section 15 — the customer voluntarily provides data for an obvious purpose. However, you cannot then use that phone number to send promotional messages without obtaining separate, explicit consent.
  • Loyalty programmes: Sign-up forms must clearly state what data you are collecting, why, and whether it will be used for marketing. A pre-ticked consent box does not constitute valid consent under the PDPA.
  • Wi-Fi registration: If you require a phone number or email to access guest Wi-Fi, you must inform customers of the purpose and obtain consent. Avoid collecting more data than necessary.

Purpose Limitation Obligation (Section 18)

You may only collect, use, or disclose personal data for purposes that a reasonable person would consider appropriate under the circumstances. A restaurant collecting NRIC numbers to join a basic loyalty programme, for example, would likely be considered excessive. Since 1 September 2019, the PDPC has restricted the collection of NRIC numbers — your F&B business should use alternatives like phone numbers or membership IDs.

Retention Limitation Obligation (Section 25)

You must not keep personal data longer than necessary for the purpose it was collected for. Many F&B businesses make the mistake of retaining customer records indefinitely in their POS or CRM systems. Define clear retention periods:

Data Type                    Suggested Retention Period
Reservation records          3–6 months after visit
Loyalty programme data       1–2 years after last activity
CCTV footage                 30 days (industry standard)
Delivery addresses           Duration of active account
Marketing contact lists      Until consent is withdrawn

Document these periods in your data protection policy and enforce them through regular data purges.
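As an added illustration (not code from the article or from ComplyHQ), the following script turns the retention schedule above into a purge selector that a scheduled job could run over exported records. Record types, field names and the sample records are assumptions constructed for the example; it uses the upper bound of each suggested range and treats a record type with no documented rule as a policy gap rather than silently keeping or deleting it.

```python
# Added example, not from the article; record layout and types are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta

# Fixed windows in days from the record's last relevant activity (upper bound of
# each suggested range); None marks rules that depend on a status, not on time.
RETENTION_DAYS = {
    "reservation": 180,         # 3-6 months after visit
    "loyalty": 730,             # 1-2 years after last activity
    "cctv": 30,                 # 30-day industry standard
    "delivery_address": None,   # duration of active account
    "marketing_contact": None,  # until consent is withdrawn
}

@dataclass
class Record:
    record_id: str
    record_type: str
    last_activity: date             # visit date, last purchase, capture time
    account_active: bool = True     # used for delivery_address only
    marketing_consent: bool = True  # used for marketing_contact only

def is_expired(rec: Record, today: date) -> bool:
    """True once the purpose the data was collected for is no longer served."""
    if rec.record_type not in RETENTION_DAYS:
        # An undocumented record type is a gap in the retention policy: fail loudly.
        raise ValueError(f"no retention rule for record type {rec.record_type!r}")
    window = RETENTION_DAYS[rec.record_type]
    if window is not None:
        return today - rec.last_activity > timedelta(days=window)
    if rec.record_type == "delivery_address":
        return not rec.account_active
    return not rec.marketing_consent

def select_for_purge(records: list, today: date) -> list:
    """Ids of the records a scheduled purge job should delete today."""
    return [r.record_id for r in records if is_expired(r, today)]

# Constructed sample data, dated relative to a fixed "today".
TODAY = date(2026, 6, 7)
SAMPLE_RECORDS = [
    Record("res-001", "reservation", date(2025, 11, 1)),    # 218 days old: purge
    Record("res-002", "reservation", date(2026, 5, 20)),    # 18 days old: keep
    Record("loy-001", "loyalty", date(2024, 1, 15)),        # inactive over 2 years: purge
    Record("cctv-001", "cctv", date(2026, 4, 30)),          # 38 days old: purge
    Record("addr-001", "delivery_address", date(2024, 1, 1), account_active=False),
    Record("addr-002", "delivery_address", date(2024, 1, 1), account_active=True),
    Record("mkt-001", "marketing_contact", date(2023, 1, 1), marketing_consent=False),
]
```

Running `select_for_purge(SAMPLE_RECORDS, TODAY)` keeps the recent reservation and the active account's address and flags the other five records; the same function can run nightly against a real export once the retention table is agreed and written into the data protection policy.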

Protection Obligation (Section 24)

You must protect personal data with reasonable security arrangements. For F&B businesses, this covers both digital and physical security:

  • POS systems: Ensure your point-of-sale system is password-protected and uses encryption for payment data. Work with your POS vendor to confirm PCI DSS compliance.
  • Reservation books: If you still use a physical reservation book, store it securely and do not leave it visible to customers at the host stand.
  • Staff access: Limit access to customer data on a need-to-know basis. A kitchen team member generally does not need access to customer contact details.
  • Cloud systems: If you use cloud-based reservation or CRM platforms, verify that your provider stores data securely, ideally with a provider that meets ISO 27001 standards.

Common PDPA Mistakes in the F&B Industry

Mistake 1: Using Reservation Data for Marketing Without Separate Consent

A customer who books a table and provides their mobile number has consented to being contacted about that reservation — not to receiving weekly promotional SMS blasts. The PDPC has issued fines for exactly this type of misuse. If you want to market to customers, you need a separate, clear opt-in.

Mistake 2: Sharing Customer Data with Third Parties Without Safeguards

Many F&B businesses work with food delivery platforms, marketing agencies, event booking tools, and payment processors. Under the PDPA's Transfer Limitation Obligation (Section 26), you must ensure any third party receiving your customer data provides a comparable standard of protection. Put data processing agreements in place with every vendor that handles personal data on your behalf.

If your business uses multiple digital tools, consider working with a provider like Adaptels to build an integrated system with proper data handling controls, rather than patching together disconnected platforms.

Mistake 3: No Data Breach Response Plan

A data breach at an F&B business might seem unlikely, but consider the scenarios: a hacked POS system leaking payment data, a stolen laptop with customer records, or a misconfigured online ordering system exposing delivery addresses. Under the PDPA's mandatory breach notification provisions, if a breach affects 500 or more individuals, or is likely to result in significant harm, you must notify the PDPC within 3 calendar days and affected individuals as soon as practicable.

Every F&B business — regardless of size — should have a documented data breach response plan.

Mistake 4: Not Appointing a Data Protection Officer

Under Section 11(3) of the PDPA, every organisation must designate at least one individual as a Data Protection Officer (DPO). For small restaurants, this can be the owner or manager — it does not need to be a dedicated hire. But the appointment must be made, and the DPO's contact details should be publicly available (e.g. on your website or at the counter).


CCTV in Restaurants: What the PDPA Requires

CCTV is standard in most F&B establishments for security and loss prevention. Under the PDPA, CCTV footage constitutes personal data because it can identify individuals. Your obligations include:

  • Notification: Display clear signage informing customers and staff that CCTV is in operation. Signs should state the purpose (e.g. "for security purposes") and who to contact for enquiries.
  • Retention: Do not keep footage longer than necessary. The industry standard is 30 days. Some businesses retain footage for up to 90 days for incident investigation, which is generally acceptable if documented.
  • Access: Restrict access to CCTV footage to authorised personnel only. Do not share footage on social media or with unauthorised third parties.
  • Access requests: Individuals have the right to request access to footage of themselves under Section 21. You must respond within 30 days.

For more on monitoring obligations, see our guide on employee monitoring and the PDPA.


How to Become PDPA-Compliant: A Practical Checklist for F&B Businesses

  1. Appoint a DPO — Designate an individual responsible for data protection. This can be the business owner.
  2. Map your data — Identify every touchpoint where you collect personal data (reservations, loyalty, CCTV, Wi-Fi, deliveries).
  3. Review consent mechanisms — Ensure you have valid, informed consent for each purpose. Separate marketing consent from service-related consent.
  4. Draft a privacy policy — Publish a clear, accessible data protection policy. Display it on your website and make it available in-store.
  5. Set retention schedules — Define and enforce how long you keep each type of data.
  6. Secure your systems — Password-protect POS terminals, encrypt customer databases, and restrict staff access.
  7. Vet your vendors — Ensure third-party providers (delivery platforms, CRM tools, payment processors) have adequate data protection measures.
  8. Prepare a breach response plan — Document what to do if a breach occurs, including PDPC notification procedures.
  9. Train your staff — Front-of-house and management staff should understand basic data protection practices — what to collect, what not to share, and how to handle access requests.

For most F&B businesses, going through this checklist manually can be time-consuming and error-prone. Tools like ComplyHQ offer AI-powered compliance that handles your PDPA obligations in minutes, not weeks — particularly useful for restaurant owners who need to focus on running their business rather than navigating regulatory requirements.


What Happens If Your F&B Business Violates the PDPA?

The PDPC has actively enforced the PDPA across industries, including hospitality and F&B. Penalties include:

  • Financial penalties of up to S$1 million or 10% of annual turnover (whichever is higher) for organisations with annual turnover exceeding S$10 million.
  • Directions to stop collecting or using data, destroy improperly collected data, or implement specific remediation measures.
  • Reputational damage — PDPC enforcement decisions are published publicly, which can significantly impact customer trust.

Even for smaller F&B businesses, fines of S$10,000–S$50,000 have been issued for relatively straightforward violations such as inadequate protection of customer data or failure to implement reasonable security measures. You can review real cases and lessons in our PDPC enforcement cases analysis.


Conclusion

Running a compliant F&B business in Singapore does not require a legal team or a massive budget. It requires awareness of your data obligations, sensible policies, and consistent execution. The PDPA is designed to be practical — and for most restaurants and food businesses, compliance comes down to collecting only what you need, telling customers why, keeping it safe, and deleting it when you no longer need it.

Start with a data audit, put your policies in writing, and train your team. If you want to simplify the process, ComplyHQ can walk your business through each step with AI-guided compliance tailored to your industry.




Frequently Asked Questions

Do I need consent to collect customer phone numbers for restaurant reservations?

Yes. Under the PDPA, you must obtain consent before collecting personal data such as phone numbers for reservations. However, you may rely on the deemed consent provision (Section 15) if the customer voluntarily provides their number for the purpose of making a reservation. You must still inform them of the purpose of collection and not use the data for unrelated purposes like marketing without separate consent.

How long can my restaurant keep customer data from loyalty programmes?

The PDPA does not specify a fixed retention period. Under the Retention Limitation Obligation (Section 25), you must stop retaining personal data once the business purpose is no longer served. For loyalty programmes, a reasonable retention period is typically 1–2 years after the customer's last activity. You should document your retention policy and purge inactive records regularly.

Can I share customer data with a third-party food delivery platform?

You may share customer data with a third-party platform only if the customer has consented to such disclosure, or if a valid exception applies. Under Section 20 of the PDPA, consent must cover the specific purpose of sharing. You must also ensure the third party provides a comparable standard of data protection, and you should formalise this through a data processing agreement.