DEV Community

Custodia-Admin

GDPR for Beauty Salons and Spas: How to Handle Client Data Compliantly

Beauty salons, hair salons, spas, and nail bars collect more personal data than most owners realise. A standard client record card includes name, contact number, email, appointment history, and — critically — allergy and health information that GDPR classifies as special category data subject to the regulation's strictest protections.

Most salon software packages handle the basics of GDPR compliance for appointment booking. But the wider picture — patch test records, CCTV, loyalty schemes, marketing consent, staff data, and handling deletion requests from former clients — requires active decisions from you, not just your booking app.

This guide covers everything a beauty business owner needs to know about GDPR. Start by scanning your website at Custodia to see what data your digital presence is already collecting — it takes 60 seconds.


What Personal Data Do Beauty Salons Collect?

Before you can comply with GDPR, you need to map out what you actually collect. For most salons, that includes:

Basic contact and booking data:

  • Full name
  • Phone number
  • Email address
  • Appointment history (dates, services, stylist/therapist)
  • Payment records

Health and allergy data (special category under Article 9):

  • Allergy information (patch test results, known sensitivities)
  • Skin conditions (eczema, psoriasis, rosacea)
  • Pregnancy status (relevant for certain treatments)
  • Medical conditions affecting treatments (blood thinners, skin medication)
  • Scalp conditions
  • Contraindications for specific services

Other data:

  • CCTV footage (if you have cameras)
  • Loyalty scheme purchase history
  • Marketing preferences and consent records
  • Photos (before/after shots used with consent)
  • Staff data (rotas, contracts, payroll — separate from client data)

The health and allergy data is the category that creates the most compliance obligations. Under GDPR Article 9, processing health data requires not only a lawful basis under Article 6 but also a specific Article 9 condition.


Lawful Basis: Getting the Foundations Right

GDPR requires you to identify a lawful basis for every type of data processing you do. For salons, this breaks down as follows:

Contract (Article 6(1)(b)) — Processing is necessary to perform a contract with the client. This covers:

  • Booking and managing appointments
  • Payment processing
  • Sending appointment confirmations and reminders

You do not need consent to send appointment reminders if they are directly related to a booking the client has made. The processing is necessary to fulfil the contract.

Explicit consent (Article 6(1)(a) + Article 9(2)(a)) — For health and allergy data, explicit consent is the most appropriate basis for most salons. This means:

  • A separate, clear consent statement — not buried in your booking terms
  • The client actively ticking a box or signing a separate form
  • A plain-language explanation of why you need the data and how it will be used
  • Easy withdrawal: clients must be able to withdraw consent at any time

"By booking an appointment you agree to our terms" does not constitute valid consent for health data. It must be explicit, specific, and freely given.

Legitimate interests (Article 6(1)(f)) — Can be used for some processing activities where your interests and the client's reasonable expectations are balanced. For salons, this might cover:

  • Contacting a former client about an outstanding balance
  • Fraud prevention

However, do not rely on legitimate interests as a catch-all: it needs a documented balancing test, and it can never be the answer for health data on its own. Article 9 needs its own separate condition, and for a salon the realistic ones are explicit consent (Article 9(2)(a)) or, in a genuine emergency where the client cannot consent, vital interests (Article 9(2)(c)).

Legal obligation (Article 6(1)(c)) — Covers employment-related processing (tax, payroll, right-to-work checks) and any mandatory record-keeping.


Booking Systems as Data Processors

If you use a third-party booking platform, that platform acts as a data processor under GDPR — processing your clients' personal data on your behalf. As the data controller, you are responsible for ensuring your processor handles data compliantly.

Popular salon booking systems and their GDPR status:

Treatwell — Operates as a marketplace and data controller for clients who book through Treatwell directly. For clients booked through your Treatwell dashboard, they act as a processor. Check your agreement and their DPA.

Fresha — Provides a Data Processing Agreement (DPA) and is GDPR-aware. Review their privacy documentation and ensure the DPA is in place before processing client health data through the platform.

Timely — Based in New Zealand, which holds an adequacy decision from the EU and is also recognised as adequate by the UK. Provides a DPA. Suitable for EU/UK client data once the DPA is in place and you have confirmed where the data is actually hosted (the company's home country and the hosting region are not always the same).

Vagaro — US-based. If you serve EU or UK clients, check the transfer mechanism written into their DPA: Standard Contractual Clauses (SCCs) for EU data, and for UK data the ICO's International Data Transfer Agreement or the UK Addendum to the EU SCCs. Make sure the mechanism is referenced in the agreement you actually sign, not just mentioned on a help page.

Square Appointments — Square has a DPA available and provides GDPR documentation. Ensure the DPA covers your specific use case including health data fields.

What you need to do for each booking system:

  1. Obtain and sign a Data Processing Agreement (DPA)
  2. Check where client data is stored (EU, UK, or third country)
  3. Understand what data the platform collects independently (e.g. for marketing)
  4. Confirm the platform's data deletion process for when clients request erasure

Client Record Cards: Paper vs. Digital

The client record card — whether a physical card or a digital profile — is the heart of your compliance obligations.

Paper record cards:

  • Must be stored in a locked cabinet, in a non-public area of the salon
  • Access should be restricted to staff who need it for the specific client's appointments
  • Old cards for clients you no longer see should be reviewed and securely destroyed (shredded), not simply thrown away
  • Do not leave client cards visible at reception where other clients can see them

Digital records:

  • Must be stored in a system with appropriate access controls: a separate login for each member of staff (no shared reception password), multi-factor authentication where the platform offers it, and role-based access so reception can see bookings without seeing health notes
  • Should be backed up securely, and the backups covered by the same retention and deletion rules as the live records
  • Health/allergy data should be in a separate field or flagged as sensitive, so it can be withheld, protected and deleted independently of contact details
  • Audit logs showing who accessed a record and when are best practice for health data; review them if a client complains that their details were seen by someone who had no reason to see them
  • Encryption at rest is strongly recommended; for a hosted platform, ask the vendor to confirm it in writing rather than assuming it
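The points above (health data in its own field, role-based access, and an audit trail of who saw what) can be shown in a small model. This is an added example written for this page in Python; it is not code from any booking product, and the roles, the rule that only the therapist booked for a client may see the health section, and the record layout are all assumptions:

```python
"""Added example, not from the article or any booking product: a client record
store in which the health section is a separate field, only staff with a
reason can read it, and every read (including refused ones) is written to an
audit log. Roles, assignment rules and record layout are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ClientRecord:
    client_id: str
    name: str
    phone: str
    # Special category data lives in its own field so it can be withheld,
    # encrypted and retained independently of the contact details.
    health: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Staff:
    user_id: str
    role: str  # assumed roles: "owner", "therapist", "reception"


@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    user_id: str
    client_id: str
    health_returned: bool


class RecordStore:
    def __init__(self):
        self._records = {}
        self._assigned = {}  # client_id -> therapist user_ids with a booking for that client
        self.audit_log = []

    def add(self, record: ClientRecord, assigned_therapists=()):
        self._records[record.client_id] = record
        self._assigned[record.client_id] = set(assigned_therapists)

    def may_read_health(self, user: Staff, client_id: str) -> bool:
        """Least privilege: only the owner and the therapist booked for the client."""
        if user.role == "owner":
            return True
        if user.role == "therapist":
            return user.user_id in self._assigned.get(client_id, set())
        return False

    def get(self, user: Staff, client_id: str) -> dict:
        """Return the record with the health section removed unless the caller may read it.
        The read is logged either way, so unusual access patterns can be reviewed."""
        record = self._records[client_id]
        view = {"client_id": record.client_id, "name": record.name, "phone": record.phone}
        allowed = self.may_read_health(user, client_id)
        if allowed:
            view["health"] = dict(record.health)  # copy, so callers cannot edit the store
        self.audit_log.append(AuditEntry(datetime.now(timezone.utc), user.user_id, client_id, allowed))
        return view

    def health_readers(self, client_id: str) -> list:
        """Who has actually seen this client's health data: part of the answer to a
        subject access request, and the first thing to check after a suspected misuse."""
        return [e.user_id for e in self.audit_log if e.client_id == client_id and e.health_returned]


def demo() -> tuple:
    store = RecordStore()
    # Constructed sample record; the phone number is from the Ofcom drama range.
    store.add(ClientRecord("c-1001", "Sample Client", "07700 900123",
                           health={"patch_test": "2024-05-02 negative", "allergies": ["latex"]}),
              assigned_therapists={"t-01"})
    reception = Staff("r-01", "reception")
    booked_therapist = Staff("t-01", "therapist")
    other_therapist = Staff("t-02", "therapist")
    views = [store.get(u, "c-1001") for u in (reception, booked_therapist, other_therapist)]
    return views, store.health_readers("c-1001"), store.audit_log


if __name__ == "__main__":
    for view in demo()[0]:
        print(view)
```

The design point is that reception never receives the health dictionary at all, rather than receiving it and being told not to look; and the log records the refused reads too, which is what lets you spot a staff member repeatedly trying to open records of clients they are not treating.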

Photographs — Before/after photos of clients are personal data. If the client's face is visible or they are identifiable, you need explicit consent to take the photo and a separate consent to use it in marketing (social media, website). Keep those consents separate and documented.


Patch Test Records and Medical Data: The Highest-Risk Area

Patch test records, which colour and tint manufacturers and most insurers require before applying hair colour, lash tint, or certain skin treatments, are health data under GDPR Article 9. This is the area most salons get wrong.

What the law requires:

  1. Explicit consent to record the patch test result, including any adverse reactions or sensitivities noted
  2. Restricted access — only staff involved in the client's treatment should access this data
  3. Accurate and up-to-date records — GDPR's accuracy principle means you must update records when a client reports a new allergy or reaction
  4. Retention limits — You cannot keep patch test records indefinitely. Consider a retention period (e.g. 2 years after the last appointment, or as required by your insurance) and apply it consistently
  5. Security — Patch test records stored on paper must be in a locked location. Digital records should be encrypted at rest (and in transit to any hosted platform); Article 32 does not name encryption as mandatory, but for health data it is the baseline that any honest assessment of "appropriate" security will land on

When a client has a reaction: Document it carefully, keep a secure record, and if it results in a medical issue, be aware that reporting obligations (under health and safety law) may apply separately from GDPR.


CCTV in Salons

If you have CCTV cameras in your salon, you are a data controller for the footage. GDPR and the ICO's CCTV guidance impose specific obligations:

  • Signage — You must display clear CCTV signs at entry points before someone enters the surveilled area. The sign should include your name or trading name and a contact for privacy enquiries
  • Purpose limitation — CCTV must be used only for the stated purpose (typically security or crime prevention). You cannot use salon CCTV footage for staff performance monitoring without separate disclosure
  • Retention — Footage should be deleted after a set period. 30 days is typical for most small businesses unless there is an ongoing incident under review
  • Access — Restrict who can view footage. Viewing it out of curiosity or for entertainment is unauthorised access, which can amount to a personal data breach, not merely poor practice
  • Subject access requests — If a client asks to see footage that includes them, you must respond within one month. However, you may redact footage of other individuals before providing it

Cameras in changing areas, treatment rooms, or anywhere clients undress are almost certainly unlawful and should be removed immediately.


Loyalty Schemes and Marketing Consent

A loyalty scheme involves collecting purchase history, visit frequency, and often additional contact data. Marketing communications (promotional emails, SMS offers, anniversary messages) need their own consent, separate from the booking: under GDPR that consent must be specific, informed and given by a clear affirmative action, and the Privacy and Electronic Communications Regulations (PECR) add their own rule that electronic marketing to individuals needs prior opt-in consent unless the soft opt-in described below applies.

What this means in practice:

  • A client booking an appointment has not consented to receive your monthly email newsletter. These are separate things
  • You need a clear, unticked opt-in checkbox at the point of data collection: "I'd like to receive special offers and news by email"
  • Keep a record of when and how consent was given (date, method, version of your consent wording)
  • Include an easy unsubscribe mechanism in every marketing email
  • For SMS marketing, consent requirements are equally strict — "please text me offers" must be an affirmative opt-in, not buried in booking terms

Existing clients and soft opt-in: UK GDPR (post-Brexit) and UK PECR take the same approach as the EU rules on marketing consent. PECR's "soft opt-in" lets you email or text an existing customer about your own similar products or services without opt-in consent, but only if you obtained their details in the course of a sale (or negotiations for one), gave them a clear chance to opt out when you collected the details, and give them an easy opt-out in every message that follows. It does not extend to details obtained any other way, and it is for your own marketing only, never for lists you buy in or share.

Do not assume that because someone booked with you last year they want your marketing. Document your consent collection and keep it current.


Staff Rota and Employment Data

Your staff data is entirely separate from your client data in GDPR terms — but it is still regulated. As an employer, you process data about your employees under Article 6(1)(b) (contract of employment) and Article 6(1)(c) (legal obligation, covering payroll, tax, right-to-work).

What this covers:

  • Contracts, payroll, and tax records
  • Right-to-work documentation
  • Sick leave and absence records
  • Disciplinary records
  • Rotas and scheduling

Key obligations:

  • Staff must be provided with a privacy notice explaining what you collect and why (a staff privacy notice, separate from your client privacy policy)
  • Health data about employees (sick notes, medical certificates) is special category data and must be stored securely, with access restricted to those who need it (typically the salon owner and payroll provider)
  • Rotas containing staff names and contact details should not be shared publicly or left visible to clients
  • When an employee leaves, retain records for as long as legally required (HMRC requires payroll records for at least 3 years; consider up to 6 years for contract-related records) then delete

Handling Former Client Deletion Requests

Under GDPR Article 17, individuals have the "right to erasure" — the right to request that you delete their personal data. Former clients who no longer visit your salon can and do exercise this right.

When you must comply:

  • The client withdraws their consent (and consent was the lawful basis)
  • The data is no longer necessary for the purpose it was collected
  • There is no overriding legitimate reason to retain it

When you may decline or delay:

  • You are legally required to retain it (e.g. financial records required by HMRC for 6 years)
  • There is an unresolved dispute (e.g. the client owes payment)
  • You are processing under a legal obligation that overrides the erasure right

Practical process:

  1. Receive the request and acknowledge it promptly; acknowledging within 72 hours is good practice, although the statutory clock is one month for the full response (extendable by up to two further months for a genuinely complex request, provided you tell the client within the first month)
  2. Verify the identity of the requestor
  3. Identify all systems where their data appears: booking platform, paper record cards, email marketing list, loyalty scheme, any WhatsApp booking conversations
  4. Delete or anonymise data you are not legally required to retain
  5. Respond to the client within one month confirming what was deleted and what (if anything) was retained and why
  6. Log the request and your response
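Steps 3 to 5 are where salons most often go wrong in practice: some data must go, some must stay for tax purposes, and the written response has to say which is which. The following is an added example written for this page in Python; it is not code from the article or from any booking platform. The retention rules in it are assumptions for illustration (financial records kept 6 years from the invoice date, consent-based data deleted on request, the marketing address replaced by a hash on a suppression list) and must be replaced by the salon's own documented retention policy:

```python
"""Added example, not from the article or any booking product: turning a
former client's erasure request into a per-record plan and carrying it out.
Retention periods and the suppression-list design are assumptions."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
import hashlib

FINANCIAL_RETENTION = timedelta(days=6 * 365)  # assumption: 6 years from the invoice date


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    issued: date
    amount_gbp: float
    client_name: str  # the identifying field; the figures can stay without it


@dataclass
class ClientData:
    client_id: str
    name: str
    email: str
    health_notes: dict  # Article 9 data held under explicit consent
    invoices: list
    on_marketing_list: bool
    open_dispute: bool = False


@dataclass(frozen=True)
class Action:
    item: str      # what the action applies to, as it will appear in the response
    action: str    # "delete", "anonymise", "retain" or "suppress"
    reason: str    # the justification that goes into the written response
    ref: str = ""  # identifier of the underlying record, where one exists


def build_erasure_plan(client: ClientData, today: date) -> list:
    """Decide, per category, what happens and why. Returns the plan as Actions."""
    if client.open_dispute:
        # An unresolved dispute is a ground for delaying; nothing is touched yet.
        return [Action("all records", "retain", "unresolved dispute; request paused until it is closed")]
    plan = [
        Action("health and allergy notes", "delete", "consent withdrawn (Art. 17(1)(b))"),
        Action("name, email, appointment history", "delete", "no longer necessary (Art. 17(1)(a))"),
    ]
    for inv in client.invoices:
        if today - inv.issued >= FINANCIAL_RETENTION:
            plan.append(Action(f"invoice {inv.invoice_id}", "delete",
                               "financial retention period has lapsed", inv.invoice_id))
        else:
            plan.append(Action(f"invoice {inv.invoice_id}", "anonymise",
                               "kept for tax records (Art. 17(3)(b)); name removed, figures kept",
                               inv.invoice_id))
    if client.on_marketing_list:
        plan.append(Action("marketing email address", "suppress",
                           "removed from the mailing list; a hash is kept so it cannot be re-imported"))
    return plan


def apply_erasure_plan(client: ClientData, plan: list) -> dict:
    """Carry the plan out and return only what legitimately survives."""
    if any(a.action == "retain" for a in plan):
        return {"status": "paused", "invoices": list(client.invoices), "suppression_hash": None}
    keep = {a.ref for a in plan if a.action == "anonymise"}
    kept_invoices = [replace(inv, client_name="[erased]")
                     for inv in client.invoices if inv.invoice_id in keep]
    suppression = None
    if any(a.action == "suppress" for a in plan):
        # Normalise before hashing so a later import of the same address still matches.
        suppression = hashlib.sha256(client.email.strip().lower().encode()).hexdigest()
    return {"status": "completed", "invoices": kept_invoices, "suppression_hash": suppression}


def response_lines(plan: list) -> list:
    """Text for the one-month response: what was deleted, what was kept and why."""
    return [f"{a.action.upper()}: {a.item} ({a.reason})" for a in plan]


def demo(open_dispute: bool = False) -> tuple:
    today = date(2025, 6, 1)
    # Constructed sample record: one invoice older than the retention period, one within it.
    client = ClientData(
        client_id="c-2048", name="Sample Client", email="Sample.Client@example.com",
        health_notes={"patch_test": "2024-04-30 negative", "allergies": ["nickel"]},
        invoices=[Invoice("INV-0917", date(2018, 3, 1), 55.0, "Sample Client"),
                  Invoice("INV-4410", date(2024, 9, 15), 80.0, "Sample Client")],
        on_marketing_list=True, open_dispute=open_dispute)
    plan = build_erasure_plan(client, today)
    return plan, apply_erasure_plan(client, plan), response_lines(plan)


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

Two choices in this model are worth copying into whatever process you actually run: the invoice that must stay for tax purposes keeps its figures but loses the name, so it stops being personal data about the client while the accounts still balance; and the marketing address is not simply deleted but replaced by a hash on a suppression list, because a plain deletion lets the same address be re-imported from a spreadsheet six months later and the client start receiving offers again.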

Deletion requests are not optional. Failing to act on one is an infringement of the regulation that the client can complain about to the ICO; it is not a reportable personal data breach in the Article 33 sense, but it can still lead to enforcement.


Your GDPR Compliance Checklist for Beauty Salons

Use this checklist to assess your current position:

Data mapping

  • [ ] You know every category of personal data you collect (contact, appointment, health/allergy, payment, CCTV, photos)
  • [ ] You have identified a lawful basis for each type of processing
  • [ ] Explicit consent is documented for all health and allergy data

Consent and notices

  • [ ] Clients are provided with a privacy notice (in-salon or via booking confirmation)
  • [ ] Marketing consent is collected separately from booking consent
  • [ ] Consent records are stored with date, method, and wording version

Client records

  • [ ] Paper records are stored in a locked cabinet with restricted access
  • [ ] Digital records are in a password-protected system
  • [ ] Patch test records are handled as special category health data
  • [ ] A retention period is defined and enforced for client records

Booking systems

  • [ ] A Data Processing Agreement (DPA) is in place with your booking platform
  • [ ] You have checked where client data is stored geographically
  • [ ] You understand your booking platform's data deletion process

CCTV

  • [ ] CCTV signage is displayed at entry points
  • [ ] Footage is deleted after a defined retention period (typically 30 days)
  • [ ] Access to footage is restricted

Marketing

  • [ ] Email and SMS marketing lists are opt-in only
  • [ ] An unsubscribe mechanism is included in every marketing communication
  • [ ] Marketing consent records are separate from booking records

Staff data

  • [ ] A staff privacy notice has been issued to all employees
  • [ ] Employment records are stored securely with restricted access
  • [ ] Health data (sick notes, medical certificates) is treated as special category

Subject access and erasure requests

  • [ ] There is a process for receiving and responding to client data requests
  • [ ] Deletion requests are completed within one month
  • [ ] Requests and responses are logged

Where to Start

The most common GDPR gaps in beauty businesses are: no explicit consent for health/allergy data, marketing emails sent to clients who never opted in, and paper client cards stored insecurely.

Fix those three first. Then work through the checklist above systematically.

For your website, run a free compliance scan at Custodia to identify trackers, cookie issues, and privacy policy gaps in 60 seconds — no signup required.


This article provides general guidance on GDPR obligations for beauty and wellness businesses. It does not constitute legal advice. Your specific obligations depend on your jurisdiction, your services, and your data processing activities. Consult a qualified data protection advisor for advice tailored to your business.
