Happy Bar & Grill, a Bulgarian restaurant chain, deployed an AI facial recognition system that biometrically profiles customers without transparent notice or valid legal basis under GDPR.[1] The system, developed by vendor IP Biometrix, tracks facial attributes including ethnicity while claiming to monitor staff "smiles," raising systemic privacy concerns for all patrons.[1]
Background
Happy Bar & Grill is a Bulgarian restaurant chain operating multiple locations across Bulgaria. In or before 2026, the chain implemented an AI-powered facial recognition system developed by Bulgarian security vendor IP Biometrix.[1] Marketed for "smile monitoring" of staff to generate employee performance rankings, the system uses existing security cameras for real-time facial recognition.
Biometric surveillance without notice
IP Biometrix's portfolio page demonstrates that the system processes not only employees but also customers. A sample image shows a customer's face labeled "Subject 6053" with biometric attributes tracked including glasses, sunglasses, beard, mustache, and ethnicity.[1] Patrons entering affected locations receive no visible signage at entrances or within dining areas informing them that their facial biometrics are being captured, analyzed, or stored in a biometric database.
Under the EU General Data Protection Regulation (GDPR), facial recognition constitutes processing of biometric data—a "special category" of personal data requiring explicit consent or another narrow legal basis under Article 9.[2] Inferring ethnicity triggers additional restrictions as it reveals "racial or ethnic origin." The absence of transparent notice before data collection violates GDPR Articles 13–14, while processing customers' biometrics for staff performance monitoring lacks a proportionate legal basis under Articles 6 and 9.[2]
Company's response
As of March 2026, Happy Bar & Grill has issued no public statement addressing biometric processing of customers. No privacy notices specific to AI camera systems appear at restaurant entrances or on the company website detailing the presence of facial recognition technology or customers' GDPR rights.[3] IP Biometrix continues to showcase the Happy Bar & Grill implementation in its portfolio without addressing transparency or consent requirements for customer processing.[1]
Lawsuit
No lawsuits against Happy Bar & Grill regarding this system have been publicly reported as of March 2026. However, similar biometric surveillance practices in EU retail environments have resulted in regulatory enforcement: the Dutch Data Protection Authority fined a shopping center €565,000 in 2023 for emotion recognition cameras processing customers' biometric data without valid legal basis.[4]
Consumer response
Consumer awareness of the surveillance system appears limited due to absent on-site notices. Affected customers may exercise GDPR rights by:
- Submitting Subject Access Requests (Article 15) demanding all biometric data processed about them
- Filing complaints with Bulgaria's Commission for Personal Data Protection[5]
- Requesting deletion of biometric templates under the right to erasure (Article 17)
References
Cite error: <ref> tag with name "ip-biometrix" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "gdpr-article9" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "happy-privacy" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "dutch-dpa" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "cpdp-bg" defined in <references> is not used in prior text.