Digital Restaurant Menu Regulations 2026: Allergens, GDPR and Physical Menu
5 minutes
Digital Restaurant Menu Regulations 2026: Allergens, GDPR, and Physical Menu
Managing a restaurant involves complying with European and national regulations that directly affect your digital menu. Fines for non-compliance can reach 600,000 EUR and the closure of the establishment for 5 years. In this section, you will learn about the legal obligations your restaurant has regarding allergens, data protection, and menu formats, and how iaMenu helps you comply automatically in 5 minutes.
What You Will Learn in This Section
- Obligations of the EU allergen regulation (Regulation 1169/2011 + RD 126/2015)
- Fines and penalties for non-compliance in Spain and the EU
- Data protection (GDPR) applied to digital menus in hospitality
- The obligation to offer a physical menu: QR menu only is illegal
- Automatic compliance checklist for your restaurant
Step 1: Mandatory Allergens - EU Regulation 1169/2011
The Regulation (EU) 1169/2011 of the European Parliament and of the Council requires all food operators to inform about the allergens present in their dishes. This regulation came into effect on December 13, 2014, and applies to all establishments that prepare food for the end consumer: restaurants, bars, cafes, hotels, food trucks, dark kitchens, and collective dining facilities.
The regulation defines "collectives" as any establishment, including a vehicle or a fixed or mobile stall, where food ready for consumption is prepared. It does not matter if your restaurant has 10 tables or 200: the obligation is the same.
The 14 Mandatory Allergens According to the EU
Every menu, card, or food information system must declare the presence of these 14 substances listed in Annex II of the Regulation:
| # | Allergen | Common Examples in Hospitality |
|---|---|---|
| 1 | Gluten | Wheat, barley, rye, oats. Present in doughs, batters, bread, pasta, beer |
| 2 | Crustaceans | Shrimp, prawn, crab, lobster. Soups, seafood rice, sushi |
| 3 | Eggs | Omelette, mayonnaise, batters, meringue, some ice creams and sauces |
| 4 | Fish | Hake, salmon, anchovies, tuna. Present in broths, Worcestershire sauces |
| 5 | Peanuts | Asian sauces (satay), desserts, peanut oil |
| 6 | Soy | Soy sauce, tofu, soy lecithin (emulsifier in chocolates and bread) |
| 7 | Dairy | Milk, cheese, cream, butter, yogurt. Hidden in béchamel, carbonara |
| 8 | Nuts | Almonds, walnuts, pistachios, hazelnuts. Pesto, praline, marzipan |
| 9 | Celery | Soups, broths, salads, celery salt. Common in Mediterranean cuisine |
| 10 | Mustard | Sauces, dressings, vinaigrettes, curries. Sometimes hidden in marinades |
| 11 | Sesame | Burger bread, hummus, tahini, sushi. Common and easy to forget |
| 12 | Sulphites | Wine, vinegar, beer, dried fruits, preserves. Concentration >10mg/kg |
| 13 | Lupins | Gluten-free flours, artisanal bread, snacks. Increasingly common |
| 14 | Molluscs | Mussels, clams, squid, octopus, oysters. Rice dishes and paellas |
Advertencia
Critical Data: Most food allergy incidents in Europe originate from unpackaged foods served in restaurants. Food allergies affect 2-4% of adults and 6-8% of children. An information error can lead to anaphylaxis, hospitalization, and even death.
Complementary Regulation in Spain: Royal Decree 126/2015
The Royal Decree 126/2015 adapts the European regulation to the Spanish framework and establishes additional obligations:
- Information about allergens must be provided before purchase, not after.
- It must be available in written form (menu, card, board) or through a system that allows the consumer to access it without asking.
- Staff must have training to inform the customer about allergens in each dish.
- The restaurant must maintain a documented Allergen Management Plan, which includes the person responsible for preparation, identification methodology, and corrective measures.
- Chefs must verify the ingredient information every time they prepare a dish, as suppliers may change formulations without notice.
AESAN 2026-2030 Plan: Intensified Inspections
Intensified Inspection 2026
The National Control Plan for the Food Chain (PNCOCA) 2026-2030 from the Spanish Agency for Food Safety and Nutrition (AESAN) includes the Program 2.5 specific for allergens in hospitality. This means more thorough audits, increased frequency of inspections, and harsher penalties. Inspectors can verify the consistency between your menu, your actual ingredients, and your Allergen Management Plan.
Table of Fines for Non-Compliance in Spain
Penalties for failing to provide correct information about allergens are regulated by the Food Safety and Nutrition Law:
| Severity | Fine Range | Additional Consequences |
|---|---|---|
| Minor | 5,000 - 60,000 EUR | Warning, correction period of 30 days |
| Serious | 60,001 - 300,000 EUR | Temporary suspension of activity, closure for up to 2 years |
| Very Serious | 300,001 - 600,000 EUR | Closure of the establishment for up to 5 years, withdrawal of license |
In addition to the financial penalty, a serious or very serious infraction entails:
- Publication of the sanction in the BOE (reputational damage).
- Possibility of criminal liability if there is harm to health.
- Irreparable damage to the restaurant's image.
How iaMenu Protects You: Super Chef AI
iaMenu includes Super Chef, an automatic allergen detection system based on artificial intelligence that complies with the digital restaurant menu regulations 2026 automatically:
- Analyzes each dish when creating or editing it, including name, ingredients, description, and context (dish category).
- Detects the 14 EU allergens with expert inference: if your dish is in the "Pizzas" category, the AI knows that the dough contains gluten even if you haven't specified it in the ingredients. If it's a carbonara, it infers eggs and dairy.
- Works in the background (fire-and-forget): you don't need to do anything, detection is automatic and invisible every time you save a product.
- Allows you to correct manually: if you mark an allergen as reviewed, the AI respects your decision and does not overwrite it in future detections.
- Displays allergens in your digital menu with standardized icons and automatically translated into 29 languages. A German tourist sees allergens in German, a French tourist in French.
- Anti-re-analysis shield: if you do not change the ingredients, the AI does not re-analyze (saves costs and avoids unexpected changes).
Tip
iaMenu automatically detects the 14 EU allergens in each dish using AI with an accuracy rate of over 95%. If Super Chef detects "gluten" in a pizza, it marks it automatically without you having to do anything. You can review, correct, and approve manually. Learn more in the section Allergens and Labels.
Step 2: Data Protection and GDPR in Digital Menus
The General Data Protection Regulation (GDPR) and the LOPDGDD in Spain apply to any restaurant that collects personal data, directly or indirectly. This includes reservation platforms, loyalty systems, wifi with registration, and, in some cases, digital menus with app downloads. Data protection in hospitality is a legal obligation, not a recommendation.
What Personal Data Does a Typical Restaurant Handle?
Not all restaurants handle the same data, but these are the most common:
| Data Source | Data Collected | GDPR Risk |
|---|---|---|
| Reservations (web, phone, app) | Name, phone, email, number of diners | Medium - requires consent |
| Local Wifi (captive portal) | MAC, email, browsing data | High - requires information and consent |
| QR Menu with app | Device data, location, habits | High - transfer to third parties |
| QR Menu without app (direct web) | None if there is no form | Low - recommended |
| Loyalty | Purchase history, preferences, birthdays | High - requires contract and consent |
| Video Surveillance | Images of customers and employees | High - specific regulation |
| Electronic Billing | Tax data, payment methods | Medium - legal obligation |
Key GDPR Obligations for Hospitality
| Obligation | What It Implies | Maximum Fine |
|---|---|---|
| Record of Processing Activities | Document what data you collect, for what purpose, for how long, who accesses it | Up to 20M EUR or 4% global turnover |
| Contract with Data Processor | Sign a contract with digital platforms that process data (menu, reservations, POS) | Up to 10M EUR or 2% global turnover |
| Right to Information | Indicate responsible party, purpose, legal basis, and rights of the data subject | Up to 20M EUR or 4% global turnover |
| Explicit Consent | For commercial communications (email, SMS, WhatsApp marketing) | Up to 20M EUR or 4% global turnover |
| Cookie Policy | If your website or digital menu uses non-essential cookies | Up to 20M EUR or 4% global turnover |
| Breach Notification | Notify AEPD of security breaches within 72 hours | Up to 20M EUR or 4% global turnover |
The Contract with Data Processor is Mandatory
If you use a digital platform for your menu (like iaMenu, ElTenedor, CoverManager, or any other), the regulation requires that there is a contract between your restaurant (data controller) and the platform (processor). This contract:
- Defines what data is processed and for what exclusive purpose.
- Establishes technical and organizational security measures.
- Obligates the processor not to use the data for its own purposes.
- Legally protects the restaurant in case of a security breach.
- Must be kept updated and available if requested by the AEPD.
GDPR Restaurant Digital Menu
If your digital menu provider does not offer you a contract with the data processor, you are violating the regulation. GDPR fines can reach 20 million euros or 4% of global turnover, whichever is greater. In Spain, the AEPD has fined hospitality establishments amounts between 60,000 and 600,000 EUR for serious infractions.
What You Should Check with Your Digital Menu Provider
Before contracting any digital menu platform, verify:
- That the menu DOES NOT require the customer to download an app (unnecessary data transfer and friction for the user).
- That the menu DOES NOT require customer registration to view the dishes (would violate the data minimization principle).
- That there is a signed contract with the data processor that is accessible.
- That the data is hosted in the EU or in countries with adequate protection levels.
- That the platform has documented security measures (encryption, backups, access control).
- That they do not share data with third parties for advertising.
Tip
iaMenu complies 100% with GDPR: we do not collect personal data from customers who scan your QR to view the menu. The visitor accesses the menu directly in the browser without needing to register, download an app, or accept third-party cookies. Data is hosted in the EU (Supabase Frankfurt). Your digital menu is 100% privacy-friendly by design.
Step 3: Mandatory Physical Menu - QR Menu Only is Illegal
One of the most frequently asked questions among hoteliers is: "If I have a QR menu, can I eliminate the physical menu?" The answer is clear: no. QR menu only is illegal in Spain and in most EU countries.
The Regulation is Clear
The General Directorate of Consumption and the OCU (Organization of Consumers and Users) have been explicit: offering the menu only through a QR code is an illegal practice.
Current regulations state that prices and dishes must be displayed to the public through food and beverage menus and/or price lists, and other means such as murals, boards, or similar can be used. The QR code is a valid and recommended complement, but it can never be the only means of access to the menu.
The Order of June 29, 1978 and autonomous hospitality regulations require that prices be visible to the consumer before accessing the service. A QR code does not meet this requirement because:
- It requires a smartphone with a camera and internet connection.
- It excludes elderly people or those with technological difficulties.
- It is not accessible for visually impaired individuals.
- It depends on the device's battery functioning.
What Your Restaurant Must Have to Comply with QR Menu and Physical Menu Obligation
| Requirement | Mandatory | Complementary |
|---|---|---|
| Visible physical menu / price list | Yes | - |
| Board with dishes and prices | Yes (valid alternative) | - |
| QR code menu | No | Yes (recommended) |
| Downloadable app | No | Not recommended (GDPR) |
Advertencia
If an inspector finds that you only offer QR without any physical alternative (printed menu, board, mural with prices), your establishment may receive an administrative sanction. A customer can also request the complaint form and contact Consumption or the OCU. The sanction depends on the autonomous community but can range from 3,000 to 30,000 EUR.
How iaMenu Resolves the Physical Menu Obligation
iaMenu offers a dual solution that fully complies with the regulations:
-
Digital QR Menu for customers who prefer technology: they scan the code and see the complete menu on their mobile, with translations into 29 languages, images, allergens, and filters.
-
Professional downloadable PDF with 10 design templates (Modern, Classic, Premium, Board, Minimalist, Elegant, Rustic, Vibrant, Coastal, Mediterranean) ready to print as a physical menu. Customizable in colors, typography, logo, and content.
-
Synchronized updates: When you change a dish in the dashboard, both the QR menu and the PDF are automatically updated. You only need to reprint the PDF.
This means that with iaMenu you have physical menu + digital QR from the same system, without duplicating work or maintaining two different sources of information.
Tip
Generate your physical menu in PDF from iaMenu with 10 professional templates. Print it and comply with the regulations. Every time you change a dish, reprinting the updated PDF takes 1 click. Learn how in the section PDF Menu.
Step 4: Compliance Checklist for Restaurants 2026
Use this complete checklist to verify that your restaurant complies with all applicable regulations for digital menus in 2026. You can print it and stick it in the kitchen or office.
Allergens (EU Regulation 1169/2011 + RD 126/2015)
- The 14 EU allergens are visible in your menu (physical and digital)
- Each dish indicates which allergens it contains by specific name
- Staff knows how to inform the customer about allergens in each dish
- There is a documented and updated Allergen Management Plan
- Allergens are updated when ingredients or suppliers change
- Supplier technical sheets are archived and accessible
- Allergens are available in the languages of your customers
Data Protection (GDPR + LOPDGDD)
- Your digital menu does NOT require the customer to register to view the dishes
- Your digital menu does NOT require downloading an app
- You have a signed contract with the data processor with your digital menu provider
- If you collect data (reservations, wifi, loyalty), you have a record of processing activities
- If you send commercial communications, you have documented explicit consent
- Your privacy policy is visible and updated
- Data is hosted in the EU or in a country with adequate protection
Menu Format (Hospitality Regulation)
- You have a visible physical menu or price list in the establishment
- The QR is a complement, not the only means of access to the menu
- Prices include VAT and are in EUR (or local currency)
- The menu is in Spanish (and in the co-official language of your autonomous community if applicable)
- Prices are legible and do not induce confusion
Complete Comparison: Manual Management vs iaMenu
| Compliance Aspect | Manual Management | With iaMenu |
|---|---|---|
| Detecting 14 allergens per dish | Chef lists manually (frequent human error) | AI Super Chef automatic (>95% accuracy) |
| Updating allergens when changing recipe | Manual with each change, easy to forget | Automatic when editing the dish |
| Allergens translated for tourists | Only in local language | 29 languages automatically |
| Potential fine for allergens | 5,000 - 600,000 EUR | Protected with AI detection |
| Setup time for complete allergens | 8-10 hours for typical menu | 5 minutes (automatic) |
| Updated physical menu | Manually reprint, coordinate with printing | Downloadable PDF 1 click, 10 templates |
| Menu in multiple languages | Manually translate or hire translator | 29 languages automatic with GPT |
| GDPR compliance for digital menu | Depends on provider, verify contract | No customer registration, no app, data in EU |
| Allergen Management Plan | Create document manually | Automatic record of detections |
| Consistency menu-ingredients | Periodic manual verification | AI re-analyzes when editing |
Do Not Underestimate Fines
In Spain, a very serious infraction regarding allergens can result in up to 600,000 EUR in fines and the closure of the establishment for 5 years. The AESAN 2026-2030 Plan intensifies inspections with the specific Program 2.5 for hospitality. A single severe allergic reaction can lead to civil and criminal liability in addition to the administrative sanction.
Summary: Key Regulations for Your Digital Menu
| Regulation | What It Regulates | Maximum Fine | iaMenu Complies |
|---|---|---|---|
| EU Regulation 1169/2011 | 14 mandatory allergens in menu | 600,000 EUR + closure for 5 years | Yes (Super Chef AI) |
| RD 126/2015 (Spain) | Written information before purchase | Included in EU 1169/2011 | Yes (digital menu + PDF) |
| GDPR + LOPDGDD | Protection of personal data | 20M EUR or 4% turnover | Yes (no registration, data EU) |
| Hospitality Regulation | Mandatory physical menu | 3,000 - 30,000 EUR autonomous | Yes (PDF 10 templates) |
| AESAN 2026-2030 Plan | Intensified allergen inspections | Increases existing severity | Yes (automatic record) |
Tips and Best Practices
Follow these recommendations to comply with all applicable regulations for your digital menu:
- Activate automatic allergen detection from the first product. Super Chef analyzes each dish when created. It is easier to review AI suggestions than to manually detect the 14 allergens in 50 dishes.
- Always print an updated physical menu. Use the iaMenu PDF generator with one of the 10 professional templates. Each time you change a dish, reprinting the PDF takes 1 click.
- Review allergens when changing suppliers. Suppliers can change formulations without notice. If you change your bread supplier, verify that the allergens of the new product match.
- Train your staff on allergens. The regulation requires that the team knows how to inform the customer. Print the checklist from this page and stick it in the kitchen.
- Verify that your digital menu provider has a contract with the data processor. If they do not offer it, you are violating GDPR. iaMenu includes this contract automatically.
- Do not force your customers to download an app to view the menu. It violates the GDPR data minimization principle and creates friction. iaMenu works directly in the browser without downloads.
Common Problem Solutions
An inspector asks me for the Allergen Management Plan and I don't have it
iaMenu automatically records all allergen detections in each product. You can generate a report from the dashboard with all detected allergens. However, it is advisable to have an additional formal document with the responsible person, methodology, and corrective measures.
I have imported products with allergens in another language
iaMenu automatically translates allergens into 29 languages. A German tourist sees allergens in German, a French tourist in French. If the product has ingredients in English, the AI analyzes them as well to detect allergens.
I don't know if my digital menu complies with GDPR
Check these points: the menu does not require customer registration, does not require downloading an app, does not use third-party cookies, data is in the EU, and you have a contract with the data processor with your provider. iaMenu complies with all these points automatically.
A customer with an allergy wants to confirm the allergens in a dish
Direct them to the digital menu where allergens appear with standardized icons next to each product. If the customer has a severe allergy, staff must confirm directly with the kitchen. The AI is a tool, not a substitute for professional judgment.
I want to know if my autonomous community has additional regulations
Each autonomous community may have additional requirements regarding visible prices, menus in co-official languages, or specific formats. Check your community's consumer website or contact the local hospitality association.
Frequently Asked Questions
Is it legal to offer only a QR menu without a physical menu?
No. The regulation requires having a physical menu or visible price list. The QR is a valid complement but can never be the only means. Fines can range from 3,000 to 30,000 EUR depending on the autonomous community.
What is the fine for not informing about allergens?
Fines range from 5,000 EUR (minor) to 600,000 EUR (very serious) with closure for up to 5 years. The AESAN 2026-2030 Plan intensifies inspections with the specific Program 2.5 for hospitality.
Does iaMenu comply with GDPR?
Yes. iaMenu does not collect personal data from customers who scan the QR. The visitor accesses the menu without registering, without an app, and without third-party cookies. Data is hosted in the EU (Frankfurt).
Does allergen detection with AI replace the chef?
No. Super Chef is a helpful tool with over 95% accuracy. The chef must review the suggestions, especially in products with hidden ingredients like sauces and dressings.
Do I need a contract with the data processor with iaMenu?
Yes, and iaMenu includes it automatically. If you use another platform that does not offer it, you are violating GDPR with fines of up to 20 million EUR or 4% of global turnover.
Related Tutorials
Continue protecting your restaurant with these guides:
- Allergens and Labels for detailed setup of Super Chef automatic detection
- Export PDF to generate the mandatory physical menu with 10 professional templates
- Use Cases to see how each type of business complies with the regulations
- Create Products to understand how allergens are detected when creating each dish
- Automatic Translations for allergens to appear in the customer's language
Ready to Comply with the Regulations Automatically?
No credit card required. Setup in 5 minutes. 14 EU allergens detected by AI. Physical PDF menu included. 29 automatic languages. Support in Spanish.
More Information: