GDPR for Tattoo Studios and Piercing Parlours: How to Handle Client Data Compliantly
Tattoo studios and piercing parlours collect more personal data than most small businesses realise — and some of it falls into the most sensitive category under GDPR. Health questionnaires, allergy records, ID copies for age verification, signed consent forms, and portfolio photographs of completed work all carry data protection obligations. Get it wrong and you risk ICO enforcement, client complaints, or the kind of social media attention no studio wants.
This guide covers everything tattoo artists, studio owners, and piercing practitioners need to know — written in plain English, not legalese.
What Personal Data Does Your Studio Collect?
Before you can comply with GDPR, you need to know what data you actually hold. For a typical tattoo studio or piercing parlour, that includes:
Standard personal data (Article 6):
- Client name, address, phone number, and email
- Booking history and appointment records
- Payment records and invoices
- Emergency contact details
Special category data (Article 9):
- Health questionnaires covering conditions like blood disorders, diabetes, skin conditions, medications, and pregnancy
- Allergy information (latex, nickel, ink ingredients)
- Any other health information disclosed during consultation
Age verification:
- Copies of ID documents (passport, driving licence) used to confirm clients are 18+
Consent records:
- Signed tattoo or piercing consent forms
- Aftercare acknowledgement records
Photography:
- Photos of completed tattoos or piercings taken for portfolio or social media use
- Images taken during the process (healed results, progress shots)
The health data is what makes tattoo and piercing studios different from most small businesses. The moment you record that a client has a penicillin allergy, a bleeding disorder, or takes blood thinners, you are processing special category data under Article 9 of GDPR. This triggers additional obligations on top of the standard GDPR requirements.
Lawful Basis: Getting This Right
GDPR requires you to identify a lawful basis for each type of processing. For studios, the relevant bases are:
Explicit Consent (Article 9(2)(a)) — Health and Allergy Data
For special category health data, you need explicit consent in addition to a standard Article 6 lawful basis. Your consent form should:
- Clearly explain what health information you are collecting and why
- Name the specific conditions and medications you are asking about
- State how the information will be used (to assess whether the procedure is safe for this client)
- State how long it will be kept
- Be signed and dated
A generic "I agree to the terms" tick box is not sufficient. The consent must be granular, specific, and documented.
Contract (Article 6(1)(b)) — Service Delivery Data
Processing client names, contact details, booking information, and payment records is necessary to perform the contract — providing the tattoo or piercing service. You do not need separate consent for this data; the contractual basis covers it.
Legitimate Interest (Article 6(1)(f)) — Aftercare Contact
Contacting a client after their appointment to check in on healing progress can rely on legitimate interest: you have a genuine reason (client welfare, professional duty of care) that is not overridden by the client's own interests, rights and freedoms. Record that balancing test in a written legitimate interests assessment (LIA). Be specific: "We contact clients 2–4 weeks after a procedure to check on healing and provide additional aftercare advice."
Do not use legitimate interest as a catch-all for marketing. Sending promotional emails or texts to past clients requires their consent under PECR (see the marketing section below).
Legal Obligation (Article 6(1)(c)) — Age Verification
Age verification is a legal obligation for tattooing: tattooing anyone under 18 is a criminal offence across Great Britain under the Tattooing of Minors Act 1969 (Northern Ireland has equivalent legislation). Age rules for piercing vary by nation, local licensing conditions and the type of piercing, so check what applies to your premises. Where a statutory age check applies, processing ID details to verify age has a clear legal obligation basis. The obligation is to carry out the check, not to keep a copy of the document, and it does not allow you to retain ID copies indefinitely (see retention, below).
Booking and Management Software: Your Data Processors
Most studios use booking software — platforms like Studio Director, Ink'd, or Venyoo — to manage appointments, client records, and consent forms. Under GDPR, these platforms are data processors: they process personal data on your behalf, under your instructions.
As the data controller, you remain responsible for how client data is handled on these platforms. Before using any booking or studio management software, you must:
- Sign a Data Processing Agreement (DPA) — reputable platforms provide these; if a platform cannot produce one, do not use it
- Check where data is stored — UK and EU storage is generally straightforward; for platforms storing data outside the UK (typically the US) you need an appropriate transfer mechanism, such as UK adequacy regulations (including the UK-US data bridge, for US organisations certified under it), or the ICO's International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses
- List the platform in your privacy notice — clients should know their data is processed on your booking system
- Ensure you can export and delete data — you need the ability to respond to Subject Access Requests and deletion requests
If you collect paper consent forms and then photograph or scan them into a cloud service (Google Drive, Dropbox), that cloud service also becomes a data processor. The same DPA requirement applies.
Consent Forms: Paper vs. Digital Storage
Signed consent forms are your evidence that a client understood and agreed to the procedure. They are also your evidence of explicit consent for health data processing. This makes them critical documents — and you need to store them securely.
Paper Forms
If you use paper forms:
- Store them in a locked filing cabinet accessible only to authorised staff
- Do not leave them visible at the front desk or in areas where other clients could see them
- Have a documented retention schedule — know how long you keep each form and what you do with it when that period expires
- Ensure you can locate any given form quickly if a client makes a Subject Access Request
Digital Forms
If you use digital consent forms (DocuSign, a built-in studio management tool, or your own system):
- Ensure the system is access-controlled with individual staff logins
- Ensure signed forms are stored on systems with appropriate security (encryption at rest, multi-factor authentication on accounts that can view or export records, and backups you have actually tested restoring from)
- Check your supplier's DPA before committing client data to any platform
- Keep the signed version, not just the submitted data — the signature and timestamp matter
How Long Should You Keep Consent Forms?
There is no single mandated retention period for tattoo or piercing consent forms, but consider:
- Limitation periods: If a client later claims harm or negligence, they generally have up to 6 years to bring a civil claim in England and Wales (3 years for personal injury, running from the date of injury or the date the client knew of it; periods differ in Scotland). Keeping consent forms for at least 6 years from the date of the procedure is prudent.
- Minors: If you ever tattoo or pierce someone at 16 or 17 with parental consent (where legally permitted for piercings), keep records until the client turns at least 24.
- Data minimisation: Do not keep forms longer than you need. After your retention period, securely shred paper records or permanently delete digital ones.
Document your retention schedule and apply it consistently.
ID Copies for Age Verification: How Long Can You Keep Them?
Copying a client's passport or driving licence is sensitive. These documents contain more personal data than you strictly need once age has been confirmed. The data minimisation principle under GDPR requires you to hold only what you need, for as long as you need it.
Best practice:
- Record the minimum: Note that you verified age, the document type seen, the date of verification, and the staff member who checked — rather than taking a full copy of the document
- If you do take a copy: Do not retain it longer than necessary. Once the appointment is complete and you have confirmed the client is 18+, you do not need the ID copy for operational purposes. Consider a short retention period (30–90 days) after the procedure
- Secure storage: ID copies must be stored securely — never in unprotected folders, never emailed unencrypted, never accessible to staff who have no reason to see them
- Delete on request: If a client requests erasure of their ID copy, you have limited grounds to refuse, given that the original verification purpose has been served
Some studios scan IDs as a routine precaution against future disputes. If you do this, make sure your privacy notice discloses it and your retention policy covers it.
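The retention rules in the two sections above (6 years from the procedure for consent forms and health questionnaires, or until a minor's 24th birthday if later; a short fixed window for ID copies) are easy to state but tend to drift when applied by hand across hundreds of records. The script below is an added example, not code from the original article or from any booking platform: it encodes those rules as a retention schedule and lists which records are due for secure destruction on a given date. The record types, field names, the 90-day ID window (the upper end of the 30–90 day range suggested above) and the sample records are all assumptions made for illustration.

```python
"""Retention schedule check for a tattoo/piercing studio's client records.

Added example, not from the original article. Record types, field names,
retention periods and the sample records below are assumptions chosen to
illustrate the article's guidance, not a legal standard.
"""
from datetime import date, timedelta

# Assumed retention rules:
#  - consent forms and health questionnaires (the questionnaire is the
#    Article 9 data the consent form evidences): 6 years from the procedure,
#    or until the client's 24th birthday if they were under 18 at the time,
#    whichever is later
#  - ID copies: 90 days after the procedure (upper end of the 30-90 day range)
CONSENT_FORM_YEARS = 6
MINOR_RETAIN_UNTIL_AGE = 24
ID_COPY_DAYS = 90

# Constructed "today" used for the stand-alone run (not the real date).
AS_OF = date(2025, 6, 1)


def add_years(d: date, years: int) -> date:
    """Shift d by `years`, mapping 29 Feb to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def age_on(dob: date, on: date) -> int:
    """Whole years of age on date `on`."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def retention_expiry(record: dict) -> date:
    """First date on which the record may be securely destroyed."""
    kind = record["type"]
    procedure = record["procedure_date"]
    if kind == "id_copy":
        return procedure + timedelta(days=ID_COPY_DAYS)
    if kind in ("consent_form", "health_questionnaire"):
        expiry = add_years(procedure, CONSENT_FORM_YEARS)
        dob = record.get("dob")
        # Minor at the time of the procedure: hold until the 24th birthday
        # if that falls later than the standard 6-year period.
        if dob is not None and age_on(dob, procedure) < 18:
            expiry = max(expiry, add_years(dob, MINOR_RETAIN_UNTIL_AGE))
        return expiry
    # Refuse silently keeping anything the schedule does not cover.
    raise ValueError(f"no retention rule for record type {kind!r}")


def due_for_destruction(records: list, today: date) -> list:
    """IDs of records whose retention period has expired by `today`."""
    return [r["id"] for r in records if retention_expiry(r) <= today]


# Constructed sample records (not real clients).
SAMPLE_RECORDS = [
    {"id": "CF-001", "type": "consent_form",
     "procedure_date": date(2018, 5, 20), "dob": date(1990, 1, 1)},
    {"id": "CF-002", "type": "consent_form",   # client was 17 at the time
     "procedure_date": date(2021, 8, 1), "dob": date(2004, 6, 15)},
    {"id": "ID-003", "type": "id_copy",
     "procedure_date": date(2025, 1, 10)},
    {"id": "HQ-004", "type": "health_questionnaire",  # leap-day procedure
     "procedure_date": date(2024, 2, 29), "dob": date(1985, 3, 3)},
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r["id"], r["type"], "destroy from", retention_expiry(r))
    print("due on", AS_OF, ":", due_for_destruction(SAMPLE_RECORDS, AS_OF))
```

Run it on a quiet day each month against an export from your booking system and treat the output as the shredding and deletion list; records with a type the schedule does not name raise an error rather than being kept by default, which is the safer failure for data minimisation.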
Photo Releases and Portfolio Consent
Photographs of completed tattoos or piercings are a core part of how studios market their work — Instagram, websites, and portfolios are how artists attract new clients. But GDPR applies to photographs that identify (or could identify) individuals.
A standard service consent form does not cover photography. You need separate, specific consent for:
- Posting photographs on social media (Instagram, TikTok, Facebook)
- Using images on your studio website or portfolio
- Including photos in press features, competitions, or collaborations
- Using images in any paid advertising
Your photo release should specify:
- Exactly where the images may be used (social media, website, print, advertising)
- Whether images will be credited (with the client's name or anonymously)
- Whether the client can withdraw consent and what happens to already-published images
- How long you intend to use the images
Practical points:
- Get photo consent at the time of the appointment, not as part of the general terms buried in the service contract
- Make it easy for clients to decline — not every client wants their work on your Instagram, and refusal should not affect the service
- If a client later withdraws consent, remove their images from active posts where practicable. You cannot erase images already shared by third parties, but you should remove them from your own channels
- Body part photographs that do not show the client's face may still be identifiable (distinctive features, other tattoos in frame). Treat them as identifiable unless you are certain they are not
Marketing to Returning Clients: PECR Rules
GDPR is not the only law governing how you contact past clients. The Privacy and Electronic Communications Regulations (PECR) govern marketing by electronic means — email, SMS, and automated calls.
Under PECR's "soft opt-in" rule, you can email or text a past client about your own similar products or services without separate marketing consent, provided that:
- You obtained their contact details in the course of a sale, or negotiations for a sale (the tattoo or piercing booking or service)
- You are marketing similar products or services (more tattoo/piercing work, not, say, merchandise or an unrelated business)
- You gave them a clear opportunity to opt out at the time of collection
- You offer a clear opt-out in every subsequent message
If any of those conditions are not met — or if the client has previously opted out — you need explicit marketing consent before contacting them.
In practice for studios:
- Include a clear opt-out option on your booking confirmation and in your aftercare follow-up
- Maintain a suppression list of clients who have opted out — and honour it
- If you are using a CRM or email tool (Mailchimp, Klaviyo, etc.), ensure your consent records are documented in the platform
- Do not assume that a client who booked twice wants to receive your monthly newsletter
Compliance Checklist for Tattoo Studios and Piercing Parlours
Documentation
- [ ] Privacy notice on your website covers all data categories collected, lawful bases, retention periods, and third-party processors
- [ ] Records of Processing Activities (ROPA) completed listing each processing activity and its legal basis
- [ ] Data Processing Agreements in place with booking software, cloud storage providers, and any other data processors
- [ ] Data retention schedule documented and applied consistently
Consent and Lawful Basis
- [ ] Consent forms obtain explicit consent for special category health data (Article 9(2)(a))
- [ ] Photo releases are separate from service consent forms and granular in scope
- [ ] Marketing opt-outs are offered at every communication and honoured promptly
- [ ] Age verification records are retained only for as long as necessary
Data Security
- [ ] Paper consent forms stored in locked, access-controlled storage
- [ ] Digital records access-controlled with individual logins
- [ ] ID copies stored securely and subject to a short retention period
- [ ] Staff trained on data protection obligations and what to do if they receive a Subject Access Request
Client Rights
- [ ] Process documented for responding to Subject Access Requests within one month
- [ ] Process for handling deletion requests (Right to Erasure)
- [ ] Process for withdrawing consent and what happens to data when consent is withdrawn
- [ ] Contact details for submitting data rights requests included in privacy notice
Marketing
- [ ] PECR soft opt-in conditions met for email and SMS marketing to past clients
- [ ] Suppression list maintained for clients who have opted out
- [ ] Every marketing communication includes a clear, functional opt-out
Get Your Studio's Compliance Sorted
Understanding what data you hold is the first step. Custodia can scan your website and booking tools to identify what trackers and data processors are active — and give you a plain-English report on what you need to fix.
Run a free scan at https://app.custodia-privacy.com/scan — no signup required. Results in 60 seconds.
This post provides general information about GDPR compliance for tattoo studios and piercing parlours. It does not constitute legal advice. For advice tailored to your specific circumstances, consult a qualified data protection professional or your relevant supervisory authority.