Client Records and GDPR — How to Maintain a Compliant Client File [2026]
Client health data (allergies, pregnancy, medications) is special category data under Article 9 GDPR - it requires explicit consent and a different legal basis from regular contact data. Learn how to separate the two.
Client Records in a Nail Salon - How to Manage a GDPR-Compliant Client Database in 2026
A first name, a phone number, allergy information, appointment history - these are your clients' personal data. The GDPR (General Data Protection Regulation) sets out how you collect it, how you store it, and for how long. An inspection by the Polish Personal Data Protection Office (UODO) can result in a fine of up to 50,000 PLN for a small business. A few simple rules are all it takes to operate within the law.
This article explains what personal data means in the context of a beauty salon, how to correctly maintain client records, what rights your clients have, and how long you keep their data.
What Counts as Personal Data in a Nail Salon
Ordinary Personal Data
Ordinary personal data (subject to standard GDPR protection) includes:
- Client's first name and surname.
- Phone number and email address.
- Date and time of appointment.
- History of services performed.
- Notes on client preferences (favourite colour, preferred technique).
The legal basis for processing ordinary data: Article 6(1)(b) GDPR (performance of a contract) - you do not need a separate consent if the data is necessary to carry out the service and maintain appointment records. You can also rely on Article 6(1)(a) (consent) - in that case you need explicit confirmation from the client.
Special Category Data (Sensitive Data)
Article 9 GDPR identifies categories of data subject to stronger protection. In a beauty salon, this primarily includes:
- Allergies to cosmetic ingredients (for example, acrylic resins, latex, henna).
- Skin conditions and nail plate disorders (psoriasis, nail fungus, onycholysis).
- Pregnancy (relevant for UV gel, acrylic, and henna services).
- Medications affecting services (for example, blood thinners during manicure).
- General health conditions affecting the ability to perform a service.
Health data requires the client's explicit, written consent (Article 9(2)(a) GDPR). You cannot collect it on the basis of a service contract alone. Consent must be freely given, specific, and unambiguous - the client must understand what she is signing and why you are collecting this information.
Legal Basis for Data Processing: What You Need to Know
The two legal bases you will use most often:
- Article 6(1)(b) GDPR: processing necessary for the performance of a contract. Data needed to carry out a service and maintain appointment history can be processed without a separate consent. However, this applies only to ordinary personal data.
- Article 9(2)(a) GDPR: explicit consent for processing health data. Required when collecting information about allergies, medical conditions, and pregnancy.
The information notice (privacy notice) is a legal obligation regardless of the legal basis. When collecting data from a client, you provide information about:
- Who is the data controller (you as the salon owner, with your address and contact details).
- The purpose for which you process the data.
- How long you retain the data.
- What rights the client has (access, rectification, erasure, portability).
- Whether data will be shared with third parties (for example, a booking app).
How to Correctly Maintain Client Records
Client Card with Privacy Notice and Consent
Every client whose data you collect fills in a client record card that includes:
- Basic details (first name, phone number, email - optional).
- Health data: allergies, conditions, medications - with a separate written consent.
- A GDPR privacy notice in a clear, plain-language format.
- The client's signature on the health data consent.
The card may be paper or electronic. If paper, store it in a locked cabinet or drawer accessible only to you (and any authorised employee). If electronic, keep the data in an encrypted folder or in a password-protected application (a password controls who can open the application; encryption protects the files themselves if the device is lost or stolen).
Data Minimisation
You collect only the data you genuinely need to perform the service and maintain records. GDPR calls this the data minimisation principle. You do not collect national ID numbers, residential addresses, or any other data that is not necessary in the context of salon services.
Authorised Employees
If you employ staff, you must formally authorise them to process client personal data and train them in GDPR principles. The authorisation should be in writing. An employee without authorisation should not have access to client record cards.
Client Rights Regarding Their Data
Right of Access
A client may request access to her data at any time. You are obliged to show her the client card or provide a copy of her data within one month of the request. You cannot refuse without justification.
Right to Rectification
If a client's data is inaccurate (for example, a wrong phone number or outdated allergy information), she has the right to ask for it to be corrected. Update the data without delay.
Right to Erasure ("Right to Be Forgotten")
A client may request the deletion of her data. You are obliged to delete it, with certain exceptions:
- If the data is needed to handle a potential complaint (three-year limitation period), you may refuse deletion for a reasonable period.
- If the data is needed to fulfil a legal obligation (for example, tax documentation).
Refusal to erase data must be communicated in writing, citing the legal basis.
Right to Data Portability
A client may ask you to provide her data in an electronic format (for example, PDF or CSV) so she can transfer it to another salon or system. This applies to data processed on the basis of consent or a contract, by automated means.
How Long You Retain Client Data
Retention periods depend on the type of data and the purpose of processing:
- Data relating to services with health risk (henna, lash lamination, acrylic, services involving skin conditions): minimum three years from the last appointment (limitation period for service-related claims).
- Marketing data (for example, an email address for a newsletter): until the client withdraws her consent.
- Data for tax purposes (invoices and receipts containing client data): five years from the end of the tax year.
After the retention period has elapsed, delete data securely: shred paper cards in a cross-cut shredder (do not put them in the regular bin), and permanently delete digital files (do not just move them to the recycle bin - use secure deletion).
FAQ: Client Records and GDPR in the Beauty Salon
Can I send a client an appointment reminder without her consent?
Yes, if you collected her phone number or email in order to provide the service, and the reminder is directly connected to the booked appointment. This falls within Article 6(1)(b) GDPR (performance of a contract). However, sending a promotional newsletter or a review invitation requires a separate marketing consent. The boundary is: communication necessary to deliver the service does not require consent; marketing communication does.
What do I do when a client asks for her data to be deleted?
First, assess whether you have grounds to refuse (for example, an ongoing complaint process or a tax obligation). If not, delete the data within one month and confirm the deletion in writing to the client. If you refuse, inform her in writing, citing the legal basis, and inform her of the right to lodge a complaint with UODO. You cannot simply ignore the request.
Is an online booking app safe from a GDPR perspective?
An online booking application that processes your clients' data is a data processor under GDPR. You must enter into a Data Processing Agreement (DPA) with it. Reputable applications such as Booksy, Fresha, and similar platforms have ready-made DPA templates. Without a DPA, you are using the app in breach of GDPR, even if the app itself is technically secure.
Do I need a Data Protection Officer (DPO)?
For a small nail salon, appointing a DPO is not a legal obligation. A DPO is required in cases where, for example, you process data on a large scale or where processing sensitive data is your core activity. A nail salon collecting health data (allergies, conditions) from clients as part of its service does not meet this threshold. You may, however, voluntarily appoint a DPO or use an external GDPR service (an external DPO on contract), which is a common solution for small salons.
GDPR Privacy Notice, Health Data Consent, and Retention Policy in NailsReady START
The NailsReady START package (197 PLN) includes a ready-made GDPR privacy notice for salon clients, a health data consent form template (allergies, medical conditions), and a data retention policy. All documents are tailored to the realities of a small nail salon. Ready to print and implement immediately after purchase.