
GDPR for beauty salons: which client data can you keep, and for how long?

A typical salon processes more personal data than the owner realises: name, address, phone, email, treatment history, payment details, sometimes before-and-after photos, and for skin treatments or injectables also health data such as allergies, medication and pregnancy. The GDPR applies to every salon - including the one-person business with a notebook full of client numbers. Fines for small operators are rare, but a complaint to the data protection authority (in the Netherlands the Autoriteit Persoonsgegevens), an angry former client who requests their data, or a data breach (a stolen laptop, a misdirected mailing) is more realistic than you think - and it then costs you far more time than getting it right up front. This guide translates the GDPR into what a salon actually needs to do: which data you can keep, how long, when you need consent and when you do not, and how to store health notes safely. No legal jargon - practice, retention periods and example wording. (This is not legal advice; if you have a specific concern, consult a privacy lawyer or the guidance from your data protection authority.)

Which client data can a salon keep?

The GDPR rests on two principles: you need a valid legal basis to process data, and you process no more than necessary (data minimisation). For a salon the basis for most data is simple: "performance of the contract" - you cannot schedule an appointment, carry out a treatment or send an invoice without a name, contact details and treatment history. So that is allowed without separate consent. Concretely, you may keep by default: name, address, phone number, email address, date of birth (for birthday offers or age checks on certain treatments), treatment history, appointments made, no-show history, payment and invoice details, and internal notes that are relevant to the treatment ("client always wants the same stylist", "colour was too dark last time"). What you cannot just keep: a copy of an ID document, a national identification number, or data that has nothing to do with the treatment. Rule of thumb: if you cannot explain a piece of data with "I need this to treat this client well or invoice them correctly", delete it or ask explicit consent for it. In Salonnare the standard client profile only holds what a salon actually needs; anything beyond that is a deliberate choice.

Special category data: allergies, medication, skin conditions, pregnancy

This is where it gets serious. Data about someone's health is "special category personal data" (Article 9 GDPR) and you are in principle not allowed to process it - unless you have the client's explicit consent. For beauty salons, skin therapists, and anyone working with chemical products, needles, lasers or injectables, this is not an edge case: an allergy to an ingredient, the use of blood thinners, a skin condition or a pregnancy are both treatment-relevant and health data. What you need to arrange:

1. Ask explicit consent before you record this data - preferably via a checkbox or signature on an intake form that states what you use it for.
2. Store it separately from ordinary client data, not as a loose remark in a general notes field.
3. Limit who can see it to the staff who carry out the treatment.
4. Keep it for as short a time as possible and delete it when the client stops coming.
5. Make sure the client can withdraw consent.

Salonnare has a dedicated encrypted "health vault" for this: health notes are stored AES-256 encrypted, separate from `clients.notes`, with an access log, a per-client consent record, and an automatic deletion period. An ordinary "note on the client" is explicitly not the right place for this.

How long can you keep client data?

The GDPR does not set fixed periods - the rule is "no longer than necessary". In practice you use different periods per type of data. For an active client: as long as the client relationship runs. For a client who no longer comes: a reasonable period - data protection guidance often cites around 2 years after the last contact as a benchmark for client records; many salons choose 1 to 2 years and send a "we miss you" email before that point. For invoices and payment details there is a statutory retention obligation of 7 years (tax administration) - so those you may and must keep longer than the rest, but in that period use them only for bookkeeping, not for marketing. For health notes: as short as possible, and in any case delete them as soon as the client stops coming. For marketing consent (mailing list): until the client unsubscribes. For before-and-after photos: until the client withdraws consent, and no longer than necessary for the purpose you made them for. In practice: set a reminder once a year to clean up your client base - anonymise or delete inactive clients, wipe old health notes. Salonnare does part of this automatically: the health vault has a retention job that clears out expired health notes after a configured period.
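The tiered retention rules above are easy to state and easy to get wrong in a clean-up job, especially the invoice case (keep, but only for bookkeeping) and the health-note case (gone well before the profile). The following Python is an added illustration of such a job, written for this article; it is not Salonnare's code. The record layout, the function names, the 2-year and 180-day inactivity windows and the sample client base are assumptions chosen for the example; only the 7-year invoice period comes from the text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Action(Enum):
    KEEP = "keep"                     # still needed for the purpose it was collected for
    BOOKKEEPING_ONLY = "bookkeeping"  # keep for the tax office only; no marketing, no client contact
    ANONYMISE = "anonymise"           # strip identifying fields, keep visit statistics
    DELETE = "delete"                 # remove outright


# Salon configuration (assumed values chosen for this example; only the 7 years is statutory)
INACTIVE_AFTER = timedelta(days=730)        # "reasonable period" for ordinary client data
HEALTH_NOTE_INACTIVE = timedelta(days=180)  # health notes go much sooner than the profile
INVOICE_RETENTION_YEARS = 7


@dataclass(frozen=True)
class Record:
    record_id: str
    client_id: str
    kind: str           # "profile" | "health_note" | "invoice" | "photo" | "marketing_consent"
    created: date       # invoice date for invoices
    last_contact: date  # client's last visit or contact
    consent_withdrawn: bool = False


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February
        return d.replace(year=d.year + years, day=28)


def retention_action(rec: Record, today: date) -> Action:
    """Decide what the clean-up should do with one record."""
    idle = today - rec.last_contact
    if rec.kind == "invoice":
        # The statutory period wins over "as short as possible", but once the client
        # is gone the invoice may only serve the bookkeeping purpose.
        if today >= _add_years(rec.created, INVOICE_RETENTION_YEARS):
            return Action.DELETE
        return Action.BOOKKEEPING_ONLY if idle > INACTIVE_AFTER else Action.KEEP
    if rec.kind == "health_note":
        # Special category data: gone as soon as consent is withdrawn or the client stops coming
        if rec.consent_withdrawn or idle > HEALTH_NOTE_INACTIVE:
            return Action.DELETE
        return Action.KEEP
    if rec.kind == "marketing_consent":
        # Lives exactly as long as the consent does (until the client unsubscribes)
        return Action.DELETE if rec.consent_withdrawn else Action.KEEP
    if rec.kind == "photo":
        # Consent-based and purpose-bound: withdrawal or a long-gone client ends it
        return Action.DELETE if (rec.consent_withdrawn or idle > INACTIVE_AFTER) else Action.KEEP
    if rec.kind == "profile":
        return Action.ANONYMISE if idle > INACTIVE_AFTER else Action.KEEP
    raise ValueError(f"unknown record kind: {rec.kind}")


def plan_cleanup(records, today: date) -> dict:
    """Map record_id -> action name; the yearly (or nightly) job consumes this plan."""
    return {rec.record_id: retention_action(rec, today).value for rec in records}


# Constructed sample client base for the demo (not real data)
TODAY = date(2025, 6, 1)
SAMPLE_RECORDS = [
    Record("r1", "c1", "profile", date(2023, 1, 5), date(2025, 5, 20)),
    Record("r2", "c1", "health_note", date(2025, 5, 20), date(2025, 5, 20)),
    Record("r3", "c1", "photo", date(2024, 2, 1), date(2025, 5, 20), consent_withdrawn=True),
    Record("r4", "c2", "profile", date(2020, 9, 1), date(2022, 1, 10)),
    Record("r5", "c2", "health_note", date(2021, 6, 1), date(2022, 1, 10)),
    Record("r6", "c2", "invoice", date(2022, 1, 10), date(2022, 1, 10)),
    Record("r7", "c3", "invoice", date(2017, 3, 1), date(2017, 3, 1)),
]


def demo_plan() -> dict:
    return plan_cleanup(SAMPLE_RECORDS, TODAY)


if __name__ == "__main__":
    for rid, action in demo_plan().items():
        print(rid, action)
```

Run as a script it prints one line per record. Client c2 has not been in for over three years: the profile is anonymised, the health note deleted, but the 2022 invoice stays and is flagged bookkeeping-only, while c3's 2017 invoice has passed its 7 years and goes. Client c1 is active, so only the photo whose consent was withdrawn is touched.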

Consent: when do you need it, and how do you record it?

A common mistake is thinking you need consent for everything - and a second mistake is thinking you never need consent. The truth sits in between. You do not need separate consent for: scheduling appointments, sending appointment confirmations and reminders, keeping treatment history, and sending an invoice. That all falls under "performance of the contract". You do need explicit consent for: recording health data, taking and keeping before-and-after photos, using photos on your website or social media (with a recognisable client), and sending marketing mailings or a newsletter. Consent must be freely given, specific, informed and unambiguous - so no pre-ticked box, no "by booking you agree to all our mailings", and the client must be able to withdraw it as easily as they gave it. How to record it: an intake form (paper or digital) with separate checkboxes per purpose, or a double opt-in for your newsletter. Keep what the client ticked, when, and the version of the text. Salonnare logs consent for health notes with a timestamp and keeps the consent events, so if there is a question or complaint you can show exactly what the client agreed to.
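"Keep what the client ticked, when, and the version of the text" maps naturally onto an append-only ledger of consent events, where a withdrawal is simply a later event for the same purpose. The Python below is an added example written for this article, not Salonnare's implementation; the purpose names, the `text_version` identifiers, the class and function names and the sample client history are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# One checkbox per purpose; a blanket "by booking you agree to everything" is not representable
PURPOSES = {"health_data", "photos_file", "photos_social", "newsletter"}


@dataclass(frozen=True)
class ConsentEvent:
    client_id: str
    purpose: str
    granted: bool       # True = ticked or signed, False = withdrawn
    text_version: str   # the exact wording the client saw, e.g. "intake-v3"
    at: datetime


@dataclass
class ConsentLedger:
    """Append-only: withdrawal is a new event, never an edit of the old one."""
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, client_id: str, purpose: str, granted: bool,
               text_version: str, at: datetime, *, pre_ticked: bool = False) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        if granted and pre_ticked:
            # A pre-ticked box is not an unambiguous affirmative act, so it is not consent
            raise ValueError("pre-ticked boxes do not count as consent")
        ev = ConsentEvent(client_id, purpose, granted, text_version, at)
        self.events.append(ev)
        return ev

    def latest(self, client_id: str, purpose: str) -> Optional[ConsentEvent]:
        matches = [e for e in self.events if e.client_id == client_id and e.purpose == purpose]
        return max(matches, key=lambda e: e.at) if matches else None

    def has_consent(self, client_id: str, purpose: str) -> bool:
        # No event at all means no consent: silence is not a yes
        ev = self.latest(client_id, purpose)
        return ev is not None and ev.granted

    def evidence(self, client_id: str) -> List[dict]:
        """What you hand over when asked 'what exactly did this client agree to, and when?'"""
        return [
            {"purpose": e.purpose, "granted": e.granted,
             "text_version": e.text_version, "at": e.at.isoformat()}
            for e in sorted(self.events, key=lambda e: e.at) if e.client_id == client_id
        ]


def demo_ledger() -> ConsentLedger:
    """Constructed history for one client: intake form, then a newsletter unsubscribe."""
    led = ConsentLedger()
    intake = datetime(2025, 1, 10, 9, 30, tzinfo=timezone.utc)
    led.record("c1", "health_data", True, "intake-v3", intake)
    led.record("c1", "newsletter", True, "intake-v3", intake)
    # photos_social was left unticked on the form: no event, so no consent
    led.record("c1", "newsletter", False, "intake-v3",
               datetime(2025, 3, 2, 18, 0, tzinfo=timezone.utc))  # unsubscribe link clicked
    return led


def pre_ticked_is_rejected() -> bool:
    try:
        ConsentLedger().record("c9", "newsletter", True, "intake-v3",
                               datetime(2025, 1, 1, tzinfo=timezone.utc), pre_ticked=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    led = demo_ledger()
    print("health_data:", led.has_consent("c1", "health_data"))   # True
    print("newsletter:", led.has_consent("c1", "newsletter"))     # False after the unsubscribe
    for row in led.evidence("c1"):
        print(row)
```

The design point is that the ledger never loses the original "yes": when a complaint arrives months after an unsubscribe, `evidence()` still shows the checkbox, the wording version and the timestamp of both the grant and the withdrawal, which is exactly the record the text says to keep.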

Data processing agreement, sub-processors and data breaches

As soon as you use software that holds client data - a booking system, an email tool for your newsletter, a payment provider, an accounting package - you pass data to a "processor", and then you need a data processing agreement (DPA) that sets out what that party may and may not do with the data. A decent supplier has one ready as standard; ask for it if you cannot find it. The same goes for the parties your supplier in turn engages (sub-processors: hosting, email delivery, SMS) - those should be on a list you can review. Then data breaches: if personal data ends up (or could end up) in the wrong hands - a stolen or lost laptop or phone without encryption, a mailing accidentally sent with all addresses in the CC field, a hacked account, a folder of intake forms that disappears from your car - that is a data breach. If there is a risk to the people involved, you must report it within 72 hours to the data protection authority, and for a high risk also inform the clients themselves. So keep a short "breach register" (what, when, what was done), use screen locks and encryption on devices, and send mailings via bcc or a proper mail tool. Salonnare encrypts sensitive data, logs access to the health vault, and provides a data processing agreement plus a current sub-processor list as standard - that takes the most important paperwork off your plate.

Your clients' rights: access, correction and erasure

Your clients have rights you need to be able to respond to - usually within a month. The three you most often run into in a salon:

1. Access - the client may ask which data you hold about them and what you use it for. You then provide an overview: profile data, appointments, treatment history, any health notes, invoices, and which consents were given.
2. Correction - if data is wrong, you correct it.
3. Erasure ("right to be forgotten") - the client may ask for deletion, and you must in principle honour that, except for data you are legally required to keep (invoices: 7 years) - for those you explain that you cannot delete that record but will stop further use of it and delete the rest.

There is also the right to data portability (receiving data in a readable format) and the right to object to marketing - the latter you simply handle with a working unsubscribe link. In practice: agree who in your salon handles this kind of request, and how. Salonnare has a built-in GDPR export that on request puts all of a client's data into one file (profile, appointments, treatments, invoices, health notes, consent history), so an access request is not half a day of digging.

A practical GDPR checklist for your salon

Ten things you can tick off this week:

1. Take stock of which client data you collect and why - drop what you do not need.
2. Move health notes (allergy, medication, skin, pregnancy) away from ordinary notes, with explicit consent and limited access.
3. Create an intake form with separate checkboxes per purpose (treatment, health data, photos, newsletter).
4. Set retention periods: active client = ongoing, inactive = 1-2 years, invoices = 7 years, health notes = as short as possible.
5. Set a reminder once a year to clean up your client base.
6. Request data processing agreements from your booking system, mail tool, payment provider and accountant.
7. Make sure all your devices have a screen lock and disk encryption.
8. Send mailings via bcc or a proper mail tool with an unsubscribe link, never with addresses in CC.
9. Make a short data breach plan: who reports, within 72 hours, to the data protection authority.
10. Agree who handles access and erasure requests.

A good booking system does half of this list for you - encryption, separate storage of health data, consent logging, GDPR export, a data processing agreement. The other half is just an afternoon of work and after that a once-a-year tidy-up.

Salonnare handles the GDPR technical side for you

Encrypted health vault for health notes, consent recording, per-client GDPR export, built-in retention periods, and a data processing agreement plus sub-processor list included as standard. You do the intake forms and the yearly clean-up; Salonnare does the rest.


Frequently asked questions about GDPR for salons

Does the GDPR also apply to a small one-person salon?

Yes. The GDPR has no lower size threshold - whether you have one chair or ten branches, you process personal data and so the law applies. What does scale is how strict the oversight is and how much you have to document: a small salon does not need to appoint a data protection officer or keep an extensive processing register, but the basics (a valid legal basis, data minimisation, security, client rights, health data kept separate and with consent) apply to everyone.

Do I need to appoint a data protection officer (DPO)?

Almost certainly not. A DPO is mandatory for public authorities and for organisations that process special category data on a large scale or systematically monitor people. An ordinary salon does not fall under that, not even if you keep health notes - "large scale" means something like a hospital or an insurer, not a salon with a few hundred clients. Still useful: designate one person internally to keep an eye on GDPR matters.

Can I put before-and-after photos of clients on Instagram?

Only with the client's consent, and that consent must be specific to that purpose. "May I take a photo for your file" is not the same as "may I put this photo on Instagram and my website". Ask separately, record what the client agreed to, and respect it if someone later withdraws consent (take the photo offline). For recognisable minors you need the parents' consent. Anonymous close-ups without a face are a safer choice for your feed.

How long do I have to keep client invoices?

Seven years - that is the statutory retention obligation for your business records, and it overrides the GDPR principle of "as short as possible". During those seven years you use that data only for bookkeeping and the tax authorities, no longer for marketing or client contact. After seven years you delete or anonymise it. Other client data (profile, treatment history) you do not need to keep that long - there a much shorter, "reasonable" period of typically 1 to 2 years after the last visit applies.

What should I do if there is a data breach?

First assess the risk to the clients. If there is a chance of harm (identity fraud, exposure of sensitive data, reputational damage), you report it within 72 hours of discovery to the data protection authority via their online reporting form. For a high risk you also inform the affected clients themselves, in plain language. Always document what happened, when, which data was involved and what measures you took - even if you decide a report is not necessary. Encryption helps enormously: data on a stolen device that is properly encrypted usually does not constitute a reportable data breach (provided the passphrase or key was not lost along with the device).