DEV Community

Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR for Hairdressers: Client Records, Allergy Tests, and Salon Marketing

Hair salons and hairdressers collect far more personal data than most people realise. Behind the reception desk sits a filing system — physical or digital — containing client contact details, colour formulas, allergy test results, health notes, and appointment histories. Add an online booking platform, a loyalty scheme, Instagram before-and-after photos, and an SMS marketing list, and you have a business that is processing personal data in half a dozen different ways every day. GDPR applies to all of it.

This guide covers the key compliance obligations for hairdressers and hair salons: client record cards, allergy test data as health information, lawful basis for record-keeping, before-and-after photos on social media, online booking systems, SMS and email marketing under PECR, data retention, staff employment records, self-employed stylists renting a chair, loyalty scheme data, handling complaints, data breach obligations, and CCTV in salon premises.

Client Record Cards: What You Hold and Why It Matters

Every salon keeps some form of client record — whether it is a handwritten card in a box, a spreadsheet, or a dedicated salon management system. These records typically contain:

  • Full name, address, phone number, and email address
  • Appointment history and services received
  • Hair colour formulas and product preferences
  • Notes about previous reactions, sensitivities, or scalp conditions
  • Stylist preferences and pricing notes

Under GDPR, these records constitute personal data. You are a data controller, responsible for how that data is collected, stored, and used. Your clients have rights over their information, including the right to access it, correct inaccuracies, and in some circumstances have it deleted.

The lawful basis for holding client records is typically legitimate interest under Article 6(1)(f). You need the information to deliver the service safely and effectively — for example, knowing a client's colour formula ensures consistent results and knowing their allergy test history protects their health.

Allergy Test Records: Special Category Data

Patch test (allergy test) records are not ordinary personal data. They reveal information about a person's immune system and health, which means they qualify as health data — one of the special categories of personal data under GDPR Article 9.

Special category health data requires not just a lawful basis under Article 6 but also a separate condition under Article 9. For hairdressers, the most appropriate condition is Article 9(2)(a) — explicit consent.

In practice, this means:

  • Obtain explicit, written consent before recording patch test results
  • Keep a clear record of when the test was done, the product tested, and the result
  • Explain to clients why you keep this information and how long you will hold it
  • Do not share allergy test results with third parties without specific consent

Industry guidance suggests retaining allergy test records for at least six years — similar to medical records — to cover product liability claims and protect client safety.

Before-and-After Photos on Social Media

Sharing before-and-after photos of clients is a common salon marketing practice on Instagram and Facebook. Under GDPR, photographs of identifiable people are personal data — and photographs that reveal health-related information (such as scalp conditions or hair loss) may be special category data.

Before posting any photo of a client on social media, you must have explicit consent specific to that purpose. General terms and conditions that mention photos somewhere in the small print are not sufficient.

Online Booking Systems as Data Processors

Many salons use online booking platforms — Fresha, Treatwell, Booksy, Timely, and similar tools. When clients book through these platforms, their personal data is collected and processed on your behalf. This makes these platforms your data processors.

Under GDPR, you must have a Data Processing Agreement (DPA) in place with any data processor you use. Most reputable booking platforms provide DPAs in their terms of service or via their settings panel.

SMS and Email Marketing Under PECR

Many salons use SMS or email to remind clients about appointments, promote offers, and encourage rebooking. This type of direct marketing is governed by the Privacy and Electronic Communications Regulations (PECR) as well as GDPR.

The key rule for marketing to existing clients is the soft opt-in. Under PECR, you can send electronic marketing to existing clients if all of the following apply:

  • You obtained their contact details in the course of a previous appointment
  • You are marketing similar services
  • You gave them a clear opportunity to opt out at the time you collected their details
  • Every subsequent message includes an easy way to unsubscribe

Data Retention: How Long Should You Keep Records?

Suggested retention periods for hair salons:

  • General client contact details: Retain while active, plus one to two years after last appointment
  • Colour formulas and service history: Retain for the duration of the client relationship
  • Allergy test and patch test records: At least six years from the date of the test
  • Financial records: Six years (HMRC requirement)
  • Staff employment records: Six years after employment ends

Staff Personal Data: Employment Records and DBS Checks

If you employ staff, you are a data controller for their employment records. If your salon provides services to children, consider whether DBS (Disclosure and Barring Service) checks are appropriate. DBS certificate data is sensitive and should be handled carefully.

Self-Employed Stylists Renting a Chair

Chair rental is common in salons. A self-employed stylist who rents a chair is operating as an independent business and may be a separate data controller. Chair renters need their own privacy notice and should ensure they comply with GDPR independently.

Loyalty Schemes and Customer Data

Loyalty schemes collect additional personal data. Be transparent in your privacy notice about how loyalty data is used, do not use it for marketing without an appropriate basis, and give clients the ability to leave the scheme and have their data deleted.

Data Breach Obligations for Small Salons

Common breaches for hair salons include a lost or stolen phone containing client details, a paper record left visible to other clients, or an email sent to the wrong person. If a breach is likely to result in a risk to individuals' rights and freedoms, you must report it to the ICO within 72 hours.

CCTV in Salon Premises

If you operate CCTV, display clear visible signage, only record areas with a legitimate security justification, limit access to footage, set a retention period (typically 30 days), and respond to Subject Access Requests within one month.

Scan Your Website for Privacy Compliance

If your salon has a website, run a free scan at Custodia to see exactly what it is collecting from visitors. No signup required, results in under a minute. Custodia can also help you generate a tailored privacy policy and cookie notice for your salon website.

GDPR compliance for hairdressers is not about complex legal theory — it is about knowing what data you hold, keeping it secure, being honest with your clients, and having sensible policies for how long you retain it.
