Question 1

What GDPR obligations do pubs / bars in Galway have?

Accepted Answer

Pubs / Bars in Galway must appoint a data controller, maintain records of processing activities, implement appropriate security measures, provide privacy notices to customers, and respond to data subject access requests within one month under the Data Protection Act 2018.

Question 2

Can the DPC fine a pub / bar in Galway?

Accepted Answer

Yes. The Data Protection Commission can fine any business in Galway, including pubs / bars, up to €20 million or 4% of global annual turnover for serious GDPR breaches. Even smaller infringements can result in fines up to €10 million.

Question 3

Do I need a Data Protection Officer for my pub / bar in Galway?

Accepted Answer

Not all businesses need a formal DPO, but if your pub / bar processes personal data on a large scale or handles special category data (like health information), you may be required to appoint one under GDPR Article 37. Even if not mandatory, having someone responsible for data protection is best practice.

Question 4

How do I handle a data breach at my pub / bar in Galway?

Accepted Answer

You must notify the DPC within 72 hours of becoming aware of a personal data breach that poses a risk to individuals. You should also notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

Question 5

What privacy policy does a pub / bar in Galway need?

Accepted Answer

Your pub / bar needs a clear, plain-language privacy policy that explains what data you collect, why you collect it, how long you keep it, who you share it with, and what rights customers have under GDPR. This must be easily accessible to all customers and staff.

Question 6

Do pubs in Ireland need to comply with GDPR?

Accepted Answer

Yes, all pubs and bars in Ireland must comply with GDPR and the Data Protection Act 2018. Pubs process personal data through CCTV, bookings, payments, Wi-Fi systems, and employee records. The DPC applies the same standards to hospitality venues as to any other business.

Question 7

Can a pub record customers' ID details for age verification?

Accepted Answer

Generally, pubs should verify age by viewing the ID and returning it, rather than recording or copying the details. If there is a specific legal or regulatory reason to record ID information, it must be done with a clear lawful basis, stored securely, and deleted promptly. The principle of data minimisation applies.

Question 8

How long can a pub keep CCTV footage under GDPR?

Accepted Answer

The DPC recommends that CCTV footage is typically retained for no more than 30 days unless it is needed for a specific incident or investigation. Pubs must have a documented CCTV policy stating the retention period, and footage must be securely deleted when the retention period expires.

Question 9

Can a pub post customer photos on social media?

Accepted Answer

Posting identifiable photos of customers on social media requires their consent under GDPR. Pubs should implement a clear process for obtaining consent at events, and must remove images promptly if a customer withdraws consent or requests deletion.

Question 10

Does a pub need a privacy policy on its website?

Accepted Answer

Yes, if the pub's website collects any personal data — including through contact forms, booking systems, newsletter sign-ups, or analytics cookies — a privacy policy is required. The policy must explain what data is collected, the lawful basis, retention periods, and how individuals can exercise their rights.

GDPR Compliance for Pubs / Bars in Galway

Do pubs / bars in Galway need to comply with GDPR?

Key GDPR Risks for Pubs / Bars

Personal Data Your Pub / Bar Processes

Find out your GDPR score in 2 minutes

Required GDPR Policies & Documents

GDPR Compliance Steps for Pubs / Bars

Common GDPR Mistakes Pubs / Bars Make

Frequently asked questions

Don't wait for the DPC to come knocking