Restaurant Digital Menu Compliance: Allergens, Privacy, and Accessible Pricing
5 minutes
Managing a restaurant involves food-information, consumer, accessibility, and privacy duties that vary by jurisdiction and by the features you use. This section is an operational checklist, not legal advice. IAMenu can help you organize and publish information, but the restaurant remains responsible for verifying recipes, supplier data, prices, privacy notices, and local requirements.
What You Will Learn in This Section
- Obligations of the EU allergen regulation (Regulation 1169/2011 + RD 126/2015)
- How to verify national and regional requirements without relying on generic fine tables
- Data protection (GDPR) applied to digital menus in hospitality
- Clear pricing and accessible alternatives to QR-only access
- A practical pre-publication checklist for your restaurant
Step 1: Mandatory Allergens - EU Regulation 1169/2011
The Regulation (EU) 1169/2011 of the European Parliament and Council requires all food operators to inform about the allergens present in their dishes. This regulation came into effect on December 13, 2014, and applies to all establishments that prepare food for the final consumer: restaurants, bars, cafes, hotels, food trucks, dark kitchens, and collective dining facilities.
The regulation defines "collectives" as any establishment, including a vehicle or a fixed or mobile stall, where food ready for consumption is prepared. It does not matter if your restaurant has 10 tables or 200: the obligation is the same.
The 14 Mandatory Allergens According to the EU
Every menu, card, or food information system must declare the presence of these 14 substances listed in Annex II of the Regulation:
| # | Allergen | Common Examples in Hospitality |
|---|---|---|
| 1 | Cereals containing gluten | Wheat, rye, barley, oats, spelt, kamut, and relevant products, subject to Annex II exceptions |
| 2 | Crustaceans | Shrimp, prawn, crab, lobster. Soups, seafood rice, sushi |
| 3 | Eggs | Omelette, mayonnaise, batters, meringue, some ice creams and sauces |
| 4 | Fish | Hake, salmon, anchovies, tuna. Present in broths, Worcestershire sauce |
| 5 | Peanuts | Asian sauces (satay), desserts, peanut oil |
| 6 | Soy | Soy sauce, tofu, soy lecithin (emulsifier in chocolates and bread) |
| 7 | Milk | Milk and milk products, subject to Annex II exceptions; may appear in cheese, cream, butter, yogurt, and sauces |
| 8 | Nuts | Annex II tree nuts and their products; may appear in pesto, praline, marzipan, and desserts |
| 9 | Celery | Soups, broths, salads, celery salt. Common in Mediterranean cuisine |
| 10 | Mustard | Sauces, dressings, vinaigrettes, curries. Sometimes hidden in marinades |
| 11 | Sesame | Hamburger buns, hummus, tahini, sushi. Common and easy to forget |
| 12 | Sulphites | Wine, vinegar, beer, dried fruits, preserves. Concentration >10mg/kg |
| 13 | Lupin | Gluten-free flours, artisanal bread, snacks. Increasingly common |
| 14 | Molluscs | Mussels, clams, squid, octopus, oysters. Rice dishes and paellas |
Advertencia
Critical Data: Most food allergy incidents in Europe originate from unpackaged foods served in restaurants. Food allergies affect 2-4% of adults and 6-8% of children. An information error can lead to anaphylaxis, hospitalization, and even death.
Complementary Regulation in Spain: Royal Decree 126/2015
Spain's Royal Decree 126/2015 explains how mandatory information for non-prepacked food must be available and accessible. For allergens, it permits oral communication in defined circumstances only when the information is also recorded in writing or electronically, staff can provide it before purchase, and a clear notice tells customers where to obtain it.
Practical controls for a restaurant include:
- Keep a written or electronic allergen record based on current recipes and supplier specifications.
- Make the information available before the customer completes the purchase.
- Display a clear notice if customers must ask staff for allergen information.
- Update the record whenever an ingredient, preparation method, or supplier changes.
- Confirm national, regional, and local requirements with the competent authority or a qualified adviser.
Enforcement Varies by Jurisdiction and Facts
This manual intentionally does not provide a generic fine table. Classification, penalty ranges, and additional measures depend on the applicable law, region, facts, harm, and enforcement decision. Use the official consolidated legislation and local authority guidance for your establishment.
Do Not Treat Software as Legal Approval
Publishing icons in a digital menu does not by itself prove compliance. The underlying allergen record must match the actual recipe, ingredients, preparation process, and cross-contact controls used by the restaurant.
How IAMenu Supports Your Workflow: Super Chef
IAMenu includes Super Chef, an AI-assisted allergen suggestion system. It helps organize the review; it does not certify a dish or transfer responsibility away from the food business operator:
- Analyzes each dish when creating or editing it, including name, ingredients, description, and context (dish category).
- Suggests possible matches among the 14 EU-regulated allergens from the information supplied.
- Surfaces suggestions for review; do not publish them without checking the actual recipe and supplier documentation.
- Allows you to correct manually: if you mark an allergen as reviewed, the AI respects your decision and does not overwrite it in future detections.
- Displays approved allergens in the digital menu with icons and supports translated labels in active languages.
- Anti-re-analysis shield: if you do not change the ingredients, the AI does not re-analyze (saves costs and avoids unexpected changes).
Tip
Super Chef can accelerate the first review, but no accuracy percentage or compliance guarantee should replace recipe verification. Review, correct, and approve each product manually. Learn more in Allergens and Labels.
Step 2: Data Protection and GDPR in Digital Menus
The General Data Protection Regulation (GDPR) and the Spanish LOPDGDD apply to any restaurant that collects personal data, directly or indirectly. This includes reservation platforms, loyalty systems, wifi with registration, and, in some cases, digital menus with app downloads. Data protection in hospitality is a legal obligation, not a recommendation.
What Personal Data Does a Typical Restaurant Handle?
Not all restaurants handle the same data, but these are the most common:
| Data Source | Data Collected | GDPR Risk |
|---|---|---|
| Reservations (web, phone, app) | Name, phone, email, number of diners | Requires a lawful basis and clear notice |
| Local Wifi (captive portal) | Device identifiers, email, usage data | Review necessity, notice, retention, and providers |
| QR Menu analytics | Device and usage data, depending on configuration | Disclose actual processing and cookie use |
| Public menu without a form | Technical request and security data may still be processed | Check logs, analytics, and hosting configuration |
| Loyalty | Purchase history, preferences, birthdays | Define purpose, lawful basis, retention, and opt-ins |
| Video Surveillance | Images of customers and employees | High - specific regulation |
| Electronic Invoicing | Tax data, payment methods | Medium - legal obligation |
Key GDPR Obligations for Hospitality
| Obligation | What It Implies | Maximum Fine |
|---|---|---|
| Record of Processing Activities | Document what data you collect, for what purpose, for how long, who accesses it | Up to 20M EUR or 4% global turnover |
| Data Processing Agreement | Sign a contract with digital platforms that process data (menu, reservations, POS) | Up to 10M EUR or 2% global turnover |
| Right to Information | Indicate responsible party, purpose, legal basis, and rights of the data subject | Up to 20M EUR or 4% global turnover |
| Marketing permissions | Apply the relevant GDPR and electronic-marketing rules to email, SMS, or WhatsApp | Depends on the infringement and applicable law |
| Cookie Policy | If your website or digital menu uses non-essential cookies | Up to 20M EUR or 4% global turnover |
| Breach Notification | Report security breaches to the AEPD within 72 hours | Up to 20M EUR or 4% global turnover |
The Data Processing Agreement is Mandatory
When a digital platform processes personal data on your restaurant's behalf as a processor, Article 28 GDPR requires the relationship to be governed by a written contract or other binding legal act. The Spanish Data Protection Agency explains the required controller-processor framework. Roles can differ by feature, so identify the actual processing before applying a template. The agreement should address matters such as:
- Defines what data is processed and for what exclusive purpose.
- Establishes technical and organizational security measures.
- Obligates the processor not to use the data for its own purposes.
- Legally protects the restaurant in case of a security breach.
- Must be kept up to date and available if requested by the AEPD.
GDPR Restaurant Digital Menu
Do not assume that every provider has the same legal role. Map which party determines purposes and means for public-menu analytics, reservations, orders, reviews, loyalty, and marketing. Where IAMenu acts as a processor, review the applicable data-processing terms; where the restaurant is the controller, configure notices, lawful bases, retention, and user rights for the features it enables.
What You Should Check with Your Digital Menu Provider
Before contracting any digital menu platform, verify:
- Whether viewing the menu requires an app or registration and whether that is genuinely necessary.
- What technical logs, analytics, cookies, and third-party resources the public menu uses.
- Whether a data processing agreement applies to the provider's role and features.
- Where data is hosted and what transfer mechanism applies if it leaves the EEA.
- That the platform has documented security measures (encryption, backups, access control).
- That they do not share data with third parties for advertising.
Tip
Customers can open an IAMenu public menu without creating an account or downloading an app. Features such as reservations, orders, reviews, loyalty, and analytics may process data according to how the restaurant configures and uses them. Review the current privacy notice and contractual terms instead of treating this manual as a blanket GDPR certification.
Step 3: Clear Pricing and an Accessible Alternative to QR-Only Access
One of the most frequent questions is whether a restaurant can rely only on a QR code. There is no single rule in this manual that safely answers for every country, autonomous community, municipality, accessibility context, and type of service.
The Regulation is Clear
Spanish consumer guidance says restaurant product, service, and price information should be clear, precise, visible, and accessible in supports such as menus, signs, or boards. Regional rules may add requirements. A practical approach is to keep an accessible alternative available when a guest cannot or does not want to use a QR code.
QR-only access can create barriers because it may require:
- It requires a smartphone with a camera and internet connection.
- It excludes elderly people or those with technological difficulties.
- It is not accessible for visually impaired individuals.
- It depends on the device's battery functioning.
Practical Menu-Access Checklist
| Access Method | Practical Use |
|---|---|
| Visible menu, price list, board, or sign | Gives guests direct access to current items and complete prices |
| Printed or accessible alternative on request | Helps guests who cannot use the QR or need another format |
| QR code menu | Adds live content, images, filters, and active-language options |
| Downloadable app | Usually unnecessary just to view a menu; assess necessity and privacy impact |
Advertencia
Do not rely on this page to decide the legally sufficient format for your establishment. Check the consumer and hospitality rules in your country and region, and make sure guests can obtain complete prices and required food information before ordering.
How IAMenu Supports Digital and Printable Access
IAMenu provides two useful outputs from the same menu data:
-
Digital QR Menu with images, approved allergen information, filters, and reviewed translations in active languages.
-
Professional downloadable PDF with 10 design templates (Modern, Classic, Premium, Board, Minimalist, Elegant, Rustic, Vibrant, Coastal, Mediterranean) ready to print as a physical menu. Customizable in colors, typography, logo, and content.
-
Synchronized updates: When you change a dish in the dashboard, both the QR menu and the PDF are automatically updated. You only need to reprint the PDF.
This helps maintain printable menu + digital QR from the same source. The restaurant still decides which formats and accessibility measures are required locally.
Tip
Generate a printable PDF from IAMenu when your operation needs a paper menu or accessible alternative. After changing a dish, regenerate and review the PDF before printing. Learn how in PDF Menu.
Step 4: Pre-Publication Checklist for Restaurants
Use this operational checklist before publishing, and adapt it with qualified advice for your location. Completing the list improves your information workflow but is not a legal certification.
Allergens (EU Regulation 1169/2011 + RD 126/2015)
- Required allergen information is available through the format permitted in your jurisdiction
- Each dish's record is based on its actual recipe, preparation, and supplier specifications
- Staff knows where the approved information is and how to communicate it
- Your allergen-control procedure and responsible people are documented
- Allergens are updated when ingredients or suppliers change
- Supplier technical sheets are archived and accessible
- Translated allergen labels have been checked against the approved source record
Data Protection (GDPR + LOPDGDD)
- Customers can view the public menu without unnecessary registration or an app
- You have mapped the data processed by reservations, orders, reviews, loyalty, analytics, and marketing
- A controller-processor agreement is in place wherever Article 28 GDPR applies
- If you collect data (reservations, wifi, loyalty), you have a record of processing activities
- If you send commercial communications, you have documented explicit consent
- Your privacy policy is visible and updated
- International transfers, if any, use an appropriate GDPR transfer mechanism
Menu Access and Pricing
- Items, services, taxes, supplements, and final prices are presented as required locally
- Guests who cannot use the QR can obtain the information through an accessible alternative
- The language and format follow national and regional requirements
- Prices are legible and do not induce confusion
Complete Comparison: Manual Management vs iaMenu
| Compliance Aspect | Manual Management | With iaMenu |
|---|---|---|
| Reviewing 14 EU-regulated allergens | Maintain recipe and supplier records | AI suggestions organized for human review |
| Updating allergens when changing recipe | Manual update process | Edit the product, re-run review, and approve changes |
| Allergens translated for guests | Translate from approved source | Generate translations for active languages and review them |
| Publishing current menu information | Coordinate each printed update | Update the digital menu and regenerate the PDF when needed |
| Menu in multiple languages | Manual or outsourced translation | AI-assisted translation with plan limits and human review |
| Privacy responsibilities | Map providers and processing | Public menu without required account; assess enabled data features |
| Allergen-control documentation | Maintained by the restaurant | Product records support, but do not replace, the restaurant's procedure |
| Consistency with actual ingredients | Verify recipes, suppliers, and cross-contact | Software assists the record; staff performs the final verification |
Protect the Customer First
Incorrect allergen information can cause severe harm. Never approve a suggestion from a product name alone: verify compound ingredients, sauces, garnishes, supplier changes, preparation methods, and cross-contact risks with the responsible kitchen team.
Summary: Key Regulations for Your Digital Menu
| Source | What It Covers | How IAMenu Helps | What the Restaurant Must Still Do |
|---|---|---|---|
| EU Regulation 1169/2011 | Food information, including Annex II allergens | Stores and displays approved allergen records | Verify every dish and applicable presentation rules |
| RD 126/2015 (Spain) | Information for non-prepacked food and Spanish availability rules | Digital records and customer-facing display | Follow the permitted local communication method and signage rules |
| GDPR + LOPDGDD | Personal-data processing | Public menu access without a required customer account | Configure enabled features, notices, contracts, retention, and rights lawfully |
| Consumer and regional rules | Clear prices, menu access, and service information | QR menu plus printable PDF | Confirm the formats, languages, taxes, and accessibility measures required locally |
Tips and Best Practices
Follow these recommendations to comply with all applicable regulations for your digital menu:
- Review allergen suggestions from the first product. Super Chef can organize an initial review, but approval must come from current recipe and supplier information.
- Keep an accessible current menu format. Use the IAMenu PDF generator when a printed menu or alternative format is appropriate for your guests and local rules.
- Review allergens when changing suppliers. Suppliers may change formulations without notice. If you change the bread supplier, verify that the allergens of the new product match.
- Train your staff on allergens. The regulation requires that the team knows how to inform the customer. Print the checklist from this page and post it in the kitchen.
- Verify each provider's data-protection role. Put an Article 28 agreement in place when the provider processes personal data on your behalf.
- Avoid unnecessary barriers. IAMenu works in the browser without requiring an app or customer account simply to view the public menu.
Common Problem Solutions
An inspector asks me for the Allergen Management Plan and I don't have it
IAMenu stores allergen information on products, but it does not create or certify your complete food-safety procedure. Ask the competent authority or a qualified adviser what documentation your establishment must maintain, then keep the responsible people, methodology, supplier evidence, and corrective actions current.
I have imported products with allergens in another language
IAMenu can generate translated labels for active languages. Treat the approved source-language record as authoritative and review every translation before publishing it.
I don't know if my digital menu complies with GDPR
Map the data flows for every enabled feature, including technical logs, analytics, reservations, orders, reviews, loyalty, and marketing. Check the privacy notice, lawful basis, cookies, retention, processors, transfers, and user-rights process. Obtain advice if you are unsure; no software product makes the restaurant automatically compliant.
A customer with an allergy wants to confirm the allergens of a dish
Direct them to the digital menu where allergens appear with standardized icons next to each product. If the customer has a severe allergy, staff must confirm directly with the kitchen. The AI is a help, not a substitute for professional judgment.
I want to know if my autonomous community has additional regulations
Each autonomous community may have additional requirements regarding visible prices, menus in co-official languages, or specific formats. Check your community's consumer website or contact the local hospitality association.
Frequently Asked Questions
Is it legal to offer only a QR menu without a physical menu?
Requirements vary. In Spain, information about products, services, and complete prices must be clear, precise, visible, and accessible, while regional rules may add detail. Keep an accessible alternative and confirm the rule for your establishment.
What happens if allergen information is missing or inaccurate?
Enforcement depends on the jurisdiction and facts, and inaccurate information can seriously harm a customer. Consult official local sources for penalties and focus operationally on accurate, current records and trained staff.
Does iaMenu comply with GDPR?
Customers can view the public menu without creating an account or downloading an app. Other enabled features may process personal data, so review the current IAMenu privacy and contractual terms and configure your restaurant's notices and workflows appropriately.
Does allergen detection with AI replace the chef?
No. Super Chef is a support tool. The responsible team must review suggestions against actual recipes, compound ingredients, preparation, cross-contact risks, and supplier records.
Do I need a data processing agreement with iaMenu?
An Article 28 agreement is required when IAMenu or another provider acts as a processor on your restaurant's behalf. Review the applicable terms for the features you use and obtain advice on the parties' roles if needed.
Related Tutorials
Continue protecting your restaurant with these guides:
- Allergens and Labels for detailed setup of automatic detection with Super Chef
- Export PDF to generate a printable menu when your operation needs one
- Use Cases to see how each type of business complies with the regulations
- Create Products to understand how allergens are detected when creating each dish
- Automatic Translations so allergens appear in the customer's language
Ready to Build a Better Information Workflow?
Start Your 14-Day Professional Trial
No credit card required. AI-assisted allergen review, printable PDF, and reviewed translations for the active languages in your plan. Support in Spanish.
More information: