UAE PDPL for Restaurants: Handling Customer Data Legally
Quick answer: The UAE Personal Data Protection Law (PDPL) requires restaurants that collect customer data — like loyalty or delivery details — to get consent, protect it, and let customers request export or deletion. If you run a loyalty programme, take delivery orders, or register customers at the till, the PDPL applies to you. Getting it right protects both your customers and your business.
Running a loyalty programme, storing delivery addresses, or registering regulars at the till might feel like ordinary business operations. They are — but they also make you a data controller under UAE law. TajerGo, the UAE-built restaurant operating system that combines POS, inventory, purchasing, Khata, AI insights, and VAT compliance in one platform, builds PDPL compliance tools directly into the product so you are protected by design, not by accident.
What is the UAE PDPL and does it apply to restaurants?
The UAE Personal Data Protection Law (PDPL), Federal Decree-Law No. 45 of 2021, is the UAE's primary data privacy legislation. It governs how organisations collect, store, use, share, and delete personal data belonging to individuals.
For restaurants, the PDPL applies whenever you collect personal data from customers. Personal data includes anything that can identify an individual: a name, phone number, email address, delivery address, loyalty account, or order history linked to a named person.
Typical restaurant scenarios where PDPL applies:
| Scenario | Personal data collected |
|---|---|
| Loyalty programme registration | Name, phone, email, date of birth |
| Delivery order | Name, phone, delivery address, order history |
| Customer registration at POS | Name, phone, credit balance (Khata) |
| Marketing messages | Phone or email used to send offers |
| Reservation system | Name, phone, party size |
If your restaurant does any of the above, you are collecting personal data, and the PDPL applies to you.
What does the PDPL require restaurants to do?
The core obligations are practical and achievable for a business of any size:
1. Get consent before collecting data. You need a lawful basis to collect and process personal data. For most restaurant purposes — loyalty, marketing, customer registration — the most straightforward basis is informed consent. The customer must understand what data you are collecting, why, and what you will do with it, and they must agree.
This means you cannot silently collect data when someone pays, nor can you pre-tick a "sign me up for marketing" box. The consent must be clear and freely given.
2. Tell customers what you are doing with their data. A privacy notice — sometimes called a privacy policy — must explain: who is collecting the data (your business and its legal name), the purpose of collection, the legal basis, how long you will keep it, and what rights the customer has. This applies at the point of collection, not just in a document buried on your website.
3. Protect the data appropriately. You must take reasonable steps to secure personal data against unauthorised access, loss, or disclosure. This includes access controls (not every staff member needs access to every customer record), secure storage, and careful handling of printed data.
4. Honour data subject rights. Customers have the right to:
- Access their data — know what you hold about them.
- Correct inaccurate data.
- Export their data — receive a copy in a usable format.
- Delete their data — request erasure, subject to any legitimate retention obligations (such as financial records required for VAT purposes).
5. Be careful about data transfers outside the UAE. If you use systems that store or process customer data on servers outside the UAE, specific conditions must be met. Check with your technology vendors and, if necessary, with legal counsel familiar with the PDPL.
What is "consent" under the PDPL and how do I get it in a restaurant?
Consent must be informed, specific, and freely given. In a restaurant context, this means:
- Before registering a customer for your loyalty programme, show them a brief, plain-language notice explaining what data you collect, what you use it for, and how they can withdraw consent or request deletion.
- Make the notice available in the customer's language. In the UAE, Arabic and English are the most important.
- Do not make loyalty membership (or another benefit) conditional on consenting to marketing you do not need for the core service.
- Keep a record that consent was given — this is your protection if a complaint arises.
A customer who later asks you to stop marketing to them, or to delete their data, has exercised their rights under the PDPL. You must act on that request.
What are data subject rights and how does a restaurant fulfil them?
Data export (right of access/portability): A customer can ask for a copy of the personal data you hold about them. You need to be able to produce this — their contact details, order history, loyalty balance — in a reasonable timeframe. The PDPL sets out timelines for responding; you should verify the current requirements with a UAE legal advisor.
Data deletion (right to erasure): A customer can ask you to delete their personal data. You can do this for marketing and CRM data. Note: for financial records that must be retained for VAT or audit purposes (for example, the transaction history underlying a tax invoice), you have a legitimate reason to retain that data even after a deletion request — but you should delete everything else and document why you retained what you kept.
The practical test: If a customer walks in tomorrow and says "what data do you have about me, and I want it deleted," can you answer clearly and act on it? If not, you have a gap.
What happens if a restaurant does not comply with the PDPL?
Non-compliance with the PDPL can result in regulatory investigations and financial penalties. The UAE's competent authority for PDPL enforcement has the power to impose fines. Beyond the legal risk, a data breach or misuse of customer data damages the trust your regulars place in your business — and in the UAE's close-knit communities, reputation travels fast.
The sensible approach is to treat PDPL compliance as a standard part of how you operate, not a separate project. Most of what it requires — consent notices, the ability to export or delete data, protecting records from unauthorised access — can be built into your operating systems from the start.
What about data collected on delivery platforms or third-party apps?
If you use a third-party delivery platform or reservation system, that platform is also a data controller or data processor. You should check what their privacy practices are and whether you have a data processing agreement with them. You remain responsible for the data you pass to them and the instructions you give them about how to use it.
This is an area where many restaurant operators have gaps: they treat the platform as "someone else's problem" without understanding that they share responsibility for how customer data is handled.
How TajerGo helps
TajerGo builds PDPL compliance into the product so you do not have to piece it together separately:
- Privacy notice at the point of collection (EN/AR): Before capturing customer data — registration, loyalty, or voice ordering — the POS shows a PDPL-compliant notice in Arabic or English, covering controller identity, purpose, legal basis, retention, and customer rights. The customer sees it at the moment of collection, which is when consent must happen.
- One-click personal-data export: From the admin portal, you can generate a complete JSON export of a customer's personal data to respond to a subject access or portability request.
- Confirmed account deletion: A customer deletion request can be processed with confirmed removal from the platform, with audit retention maintained only for the financial and legal records you are required to keep.
- Zero customer PII on kitchen screens: The Kitchen Display System shows only prep data — order number, table, items, and modifiers — never a customer's name, phone, or credit details. Kitchen staff never see personal data they do not need.
- Role-based access control (168+ capabilities): You control exactly which staff members can see customer data, at what level, and for which branches. The principle of limiting access to those who need it is built into the permission system.
Frequently asked questions
Does the UAE PDPL apply to small restaurants? Yes. The PDPL applies based on what data you collect, not on the size of your business. If you collect personal data from customers — for loyalty, delivery, or registration — the law applies to you regardless of how many branches you have.
Do I need to get consent to keep a customer's delivery address? You need a lawful basis to hold and use that data. Consent is the most common basis for marketing; for the operational purpose of fulfilling a delivery order, you may be able to rely on contractual necessity. You should display a privacy notice at the point of collection explaining the purpose and retention period.
How long can I keep customer data? The PDPL requires you to keep personal data only as long as necessary for the stated purpose, or as long as required by other law. For financial records underlying VAT returns, FTA requirements typically set a minimum retention period. For marketing data, you should delete it when the customer withdraws consent or when the purpose ends.
What should I do if a customer asks me to delete their data? Confirm what data you hold, delete marketing and CRM data, retain only what you are legally required to keep (such as financial records for VAT purposes), and document what you did and why. Respond to the customer within the timeframe the PDPL requires — check the current requirement with a UAE legal advisor.
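The deletion procedure described above (erase marketing and CRM data, retain the financial records underlying tax invoices, document what was kept and why) as an added example; this is illustrative code written for this article, not TajerGo's implementation, and the `Customer` record, field names and the `process_erasure` function are assumptions:

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Personal data held for marketing/CRM purposes: erased on request.
ERASABLE_FIELDS = ("name", "phone", "email", "delivery_address", "date_of_birth")

@dataclass
class Customer:
    customer_id: str            # internal key, not personal data on its own
    name: Optional[str]
    phone: Optional[str]
    email: Optional[str]
    delivery_address: Optional[str]
    date_of_birth: Optional[str]
    marketing_consent: bool
    loyalty_points: int
    # Sales linked to tax invoices (invoice_no, date, amount_aed). These are
    # retained for VAT/audit purposes, so erasure never touches them.
    transactions: list = field(default_factory=list)

def process_erasure(customer: Customer, requested_on: date, retention_reason: str) -> dict:
    """Erase marketing/CRM personal data in place, keep legally required
    financial records, and return an audit entry that documents what was
    deleted, what was retained and why. The entry holds no personal data."""
    deleted = []
    for field_name in ERASABLE_FIELDS:
        if getattr(customer, field_name) is not None:
            setattr(customer, field_name, None)
            deleted.append(field_name)
    # Withdraw marketing consent and close the loyalty account.
    customer.marketing_consent = False
    customer.loyalty_points = 0
    retained = len(customer.transactions)
    return {
        "customer_id": customer.customer_id,
        "requested_on": requested_on.isoformat(),
        "deleted_fields": deleted,
        "retained_records": retained,
        # Only record a reason when something was actually retained.
        "retention_reason": retention_reason if retained else None,
    }

if __name__ == "__main__":
    # Constructed sample record, not real customer data.
    c = Customer("C-1001", "Example Name", "050-000-0000", "x@example.com",
                 "Flat 1, Example St", "1990-01-01", True, 120,
                 [("INV-2026-0001", date(2026, 1, 3), 85.50)])
    print(process_erasure(c, date(2026, 2, 1), "VAT record retention"))
```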
About TajerGo: TajerGo is a UAE-built restaurant operating system that combines POS, inventory, purchasing, Khata, AI insights, and VAT compliance in one platform, from AED 499 per branch, with every feature included and no upgrade gatekeeping.