Happy Bar & Grill, a Bulgarian restaurant chain, deployed an AI facial recognition system that biometrically profiles customers without transparent notice or valid legal basis under GDPR.[1] The system, developed by vendor IP Biometrix, tracks physical attributes, infers ethnicity categories (white, black, Asian, Hispanic, Indian, Arabian), and analyzes emotional states—including fear and disgust—while claiming to monitor staff "smiles," raising systemic privacy concerns for all patrons.[1]
Background
Happy Bar & Grill is a Bulgarian restaurant chain operating multiple locations across Bulgaria.[2] In or before 2026, the chain implemented an AI-powered facial recognition system developed by Bulgarian security vendor IP Biometrix.[1] Marketed for "smile monitoring" of staff to generate employee performance rankings, the system uses existing security cameras for real-time facial recognition.
Biometric surveillance without notice
IP Biometrix's portfolio page demonstrates the system processes both employees and customers. A sample image shows multiple individuals labeled as "Subject 6053," "6054," and "6055" with extensive biometric attributes tracked including:[1]
- Physical features: glasses, dark glasses, beard, mustache, blink, mouth open, mask presence
- Ethnicity classifications: white, black, Asian, Hispanic, Indian, Arabian
- Emotional states: neutral, anger, contempt, disgust, fear, and others
Patrons entering affected locations receive no visible signage at entrances or within dining areas informing them that their facial biometrics are being captured, analyzed, or stored. Happy's published privacy policy makes no mention of facial recognition, biometric processing, or AI surveillance systems in restaurants.[3]
Under the EU General Data Protection Regulation (GDPR), facial recognition constitutes processing of biometric data—a "special category" of personal data requiring explicit consent or another narrow legal basis under Article 9.[4] Inferring ethnicity and emotional states triggers additional restrictions as these reveal "racial or ethnic origin" and constitute sensitive psychological profiling. The absence of transparent notice before data collection violates GDPR Articles 13–14, while processing customers' biometrics for staff performance monitoring lacks a proportionate legal basis under Articles 6 and 9.[4]
Company's response
As of March 2026, Happy Bar & Grill has issued no public statement addressing biometric processing of customers. No privacy notices specific to AI camera systems appear at restaurant entrances or on the company website.[3] IP Biometrix continues to showcase the Happy Bar & Grill implementation in its portfolio without addressing transparency or consent requirements for customer processing.[1]
Lawsuit
No lawsuits against Happy Bar & Grill regarding this system have been publicly reported as of March 2026.
Consumer response
Consumer awareness of the surveillance system appears limited due to absent on-site notices. Affected customers may exercise GDPR rights by:
- Submitting Subject Access Requests (Article 15) demanding all biometric data processed about them
- Filing complaints with Bulgaria's Commission for Personal Data Protection[5]
- Requesting deletion of biometric templates under the right to erasure (Article 17)
References
- ↑ 1.0 1.1 1.2 1.3 1.4 "Face recognition solution for Happy Bar and Grill". IP Biometrix. Retrieved 4 March 2026.
{{cite web}}: Check|archive-url=value (help) - ↑ "Happy Bar & Grill". happy.bg. Retrieved 4 March 2026.
- ↑ 3.0 3.1 "Privacy Policy". happy.bg. Retrieved 4 March 2026.
- ↑ 4.0 4.1 "Regulation (EU) 2016/679, Article 9". EUR-Lex. Retrieved 4 March 2026.
- ↑ "Commission for Personal Data Protection". cpdp.bg. Retrieved 4 March 2026.