Happy Bar & Grill biometric surveillance tool development

Happy Bar & Grill, a Bulgarian restaurant chain, deployed an AI facial recognition system that biometrically profiles customers without transparent notice or valid legal basis under GDPR.^[1] The system, developed by vendor IP Biometrix, tracks physical attributes, infers ethnicity categories, and analyses emotional states, while claiming to monitor staff "smiles," raising systemic privacy concerns for all patrons.^[1]

Happy Bar & Grill is a Bulgarian restaurant chain operating multiple locations across Bulgaria, Romania, Spain, and the United Kingdom.^[2] In or before 2026, the chain implemented an AI-powered facial recognition system developed by Bulgarian security vendor IP Biometrix.^[1] The system has also been deployed at the "Burrata Italiana" chain, which is also owned by the owners of Happy Bar & Grill.^[3] Marketed for "smile monitoring" of staff to generate employee performance rankings, the system uses existing security cameras for real-time facial recognition.

IP Biometrix's portfolio page demonstrates the system processes both employees and customers. A sample image shows multiple individuals labelled as "Subject 6053," "6054," and "6055" with extensive biometric attributes tracked including:^[1]

• Physical features: glasses, dark glasses, beard, moustache, blink, mouth open, mask presence, "face quality"
• Ethnicity classifications: white, black, Asian, Hispanic, Indian, Arabian
• Emotional states: neutral, anger, contempt, disgust, fear, and others

IP Biometrix's portfolio page was captured by the Internet Archive on 2 January 2026, with demonstration images dated to at least November 9, 2024 (evidenced by screenshot filename "Screenshot-2024-11-09-120029.png").

Patrons entering affected locations receive no visible signage at entrances or within dining areas informing them that their facial biometrics are being captured, analysed, or stored. Happy's published privacy policy makes no mention of facial recognition, biometric processing, or AI surveillance systems in restaurants.^[4] Under the EU General Data Protection Regulation (GDPR), facial recognition constitutes processing of biometric data—a "special category" of personal data requiring explicit consent or another narrow legal basis under Article 9.^[5] Inferring ethnicity and emotional states triggers additional restrictions as these reveal "racial or ethnic origin" and constitute sensitive psychological profiling. The absence of transparent notice before data collection violates GDPR Articles 13–14, while processing customers' biometrics for staff performance monitoring lacks a proportionate legal basis under Articles 6 and 9.^[5] Under Bulgarian national guidance, the Commission for Personal Data Protection (CPDP) has stated that processing biometric data in shops and restaurants for the purpose of analyzing customer behavior, gender, or age cannot be based on "legitimate interest." The CPDP emphasizes that placing information signs is insufficient to achieve "explicit consent."^[6]

As of March 2026, the Happy Bar & Grill and Burrata Italiana restaurant chains have issued no public statement addressing biometric processing of customers. No privacy notices specific to AI camera systems appear at restaurant entrances or on their websites.^[4] IP Biometrix previously showcased the Happy Bar & Grill implementation in its portfolio, but the page was removed during a site renovation prior to March 2026. The content is now only preserved through the Internet Archive's Wayback Machine capture from 2 January 2026.^[1], although the company continues to appear as a partner in the "Partners" section of the IP Biometrix website's main page. The vendor has not publicly addressed transparency or consent requirements for customer biometric processing in connection with this implementation.

No lawsuits against Happy Bar & Grill regarding this system have been publicly reported as of March 2026.

Consumer awareness of the surveillance system used to be non-existent due to absent on-site notices and little information online, restricted to IP Biometrix's now-removed portfolio page, preserved only through the Internet Archive's Wayback Machine.^[1] However, on March 11 2026, a post in the subreddit about Bulgaria (r/bulgaria) featuring this wiki page as an attachment rapidly gained traction, gathering thousands of views, hundreds of upvotes, multiple comments within hours and sparking widespread public outrage. Affected customers may exercise GDPR rights by:

• Submitting Subject Access Requests (Article 15) demanding all biometric data processed about them
• Filing complaints with Bulgaria's Commission for Personal Data Protection^[7]
• Requesting deletion of biometric templates under the right to erasure (Article 17)