GDPR and client consents

GDPR Consents for Beauty Salon Clients — Health Data, Portfolio Photos, Privacy Policy [2026]

A client with allergies, after-treatment photos on Instagram, contact details for appointment reminders — what requires consent, in what form and how to document it under GDPR.

Beauty salons (nail, brow, lash) process sensitive data — allergies, medical history, medications, pregnancy, client face photos. Each carries a separate GDPR legal regime. Getting the consent format wrong is not a theoretical risk: it means UODO (the Polish DPA) fines plus civil claims after data leaks from Instagram or client databases.

Personal vs sensitive data — key distinction

GDPR distinguishes regular data (name, phone, email) from special categories (Art. 9):

  • Health data (allergies, skin conditions, atopic dermatitis, psoriasis, pregnancy)
  • Biometric data (face photos for identification — client portfolio)
  • Ethnic origin, opinions, genetic data, sexual orientation

Beauty salons regularly collect the first two. This changes the legal basis — Article 6.1.b (contract performance) is NOT enough. You need explicit consent (Art. 9.2.a GDPR) — separate, informed, in writing.

Required consents for beauty salons

What clients should sign at first visit:

1. Basic personal data consent

Name, phone, email — for booking, contact, reminders. Basis: Art. 6.1.b. Must include: purpose, retention period, rights of access/rectification/erasure, controller contact.

2. Health data consent (CRITICAL)

Separate consent — must be informed and explicit. Client checks a box + signs:

"I voluntarily and consciously consent to processing of my health data (allergies, medications, pregnancy, skin conditions) by {salon} for safe treatment performance and contraindication assessment. Data will be processed for 5 years from last visit."

Missing this consent = illegal special-category processing = fine up to 20 million EUR or 4% global turnover (Art. 83.5). For a small salon UODO typically imposes 5-50k PLN.

3. Photo / portfolio consent (if you publish client photos)

Photos for Instagram, Facebook, salon site = image + biometric data. Requires separate consent: purpose, period, right to withdraw consent at any time.

4. Marketing consent (newsletter, SMS)

Separate consent. Client MUST be able to opt out without losing treatment access. Use double opt-in.

5. Patch test consent

Part of client card — confirms test was performed and risk information was provided.

Consent format — paper, digital signature, checkbox?

GDPR requires consent be informed, voluntary, specific, and unambiguous. In practice for a beauty salon:

  • Paper with signature — gold standard. The salon keeps the physical copy for 5 years.
  • Tablet with digital signature (e.g. SignNow, Adobe Sign) — acceptable, but you need evidence (timestamp, IP, immutable copy).
  • Checkbox without signature — INSUFFICIENT for health data. UODO consistently challenges "click and confirm" for special categories.

Recommended: paper with signature at first visit + digital backup in client card.
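One way to keep the evidence a digital consent flow needs (timestamp, client IP, an immutable copy of the exact text shown), with a separate record per purpose so health, portfolio and marketing consents are never merged into one. This is an added Python example, not code from the article or from any signature product it names; the client id, IP address and consent texts are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone
GENESIS = "0" * 64  # chain anchor for the first record (added example, not the article's tooling)

def _digest(fields):
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

class ConsentRegister:
    def __init__(self):
        self.records = []

    def record(self, client_id, purpose, consent_text, given, ip, when):
        """One record per purpose: given=True is consent, False is a withdrawal."""
        body = {
            "client_id": client_id, "purpose": purpose, "given": given,
            "text_sha256": hashlib.sha256(consent_text.encode()).hexdigest(),
            "ip": ip, "timestamp": when.isoformat(),
            "prev": self.records[-1]["hash"] if self.records else GENESIS,
        }
        body["hash"] = _digest(body)  # covers every field above, incl. prev
        self.records.append(body)
        return body["hash"]

    def verify(self):
        """Recompute the chain; False if any stored record was edited later."""
        prev = GENESIS
        for r in self.records:
            fields = {k: v for k, v in r.items() if k != "hash"}
            if r["prev"] != prev or _digest(fields) != r["hash"]:
                return False
            prev = r["hash"]
        return True

    def active(self, client_id, purpose):
        """Latest decision for the purpose wins, so a withdrawal revokes it."""
        state = False
        for r in self.records:
            if r["client_id"] == client_id and r["purpose"] == purpose:
                state = r["given"]
        return state

def build_sample_register():
    """Constructed sample: one client, separate health and marketing consents."""
    reg = ConsentRegister()
    t0 = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc)
    reg.record("client-001", "health", "health consent v1", True, "203.0.113.5", t0)
    reg.record("client-001", "marketing", "newsletter v1", True, "203.0.113.5", t0)
    reg.record("client-001", "marketing", "newsletter v1", False, "203.0.113.5", t0 + timedelta(days=40))
    return reg
```

Withdrawals are appended rather than edited in, so the log still shows when marketing consent was given and when it was revoked, while the health consent stays in force.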

Privacy policy — required publicly

Every salon must have a publicly accessible privacy policy (Art. 13 GDPR). Format: poster at reception, document available on request, salon website.

Must include: controller data, processing purposes, legal basis (Art. 6 and 9 GDPR), retention period (typically 5 years for health data), data sharing (booking system = processor), client rights (access, rectification, erasure, restriction, objection, portability), right to lodge complaint with UODO, automated decision-making info.

Most common GDPR mistakes in beauty salons

  1. "Catch-all" consent in one line — "I consent to processing my data for marketing, health and biometric purposes" simultaneously. Non-compliant — each purpose = separate consent.
  2. Instagram photos without explicit consent — classic. Client nodded but nothing in writing. One UODO complaint = fine plus order to delete entire portfolio.
  3. Client cards left at reception — every client can see other clients' data. Privacy breach = GDPR violation.
  4. Employee phone with client database — WhatsApp groups with 200 clients, contacts synced to a personal Google account. Leak = fine.
  5. No processor agreement — if you use Booksy or BookingTime for reservations, they are processors of your data. An Art. 28 processing agreement is required.

Data breach response

Breaches happen: stolen phone with database, hacked laptop, lost binder. GDPR Art. 33 requires notification to UODO within 72 hours. Procedure:

  1. Stop further spread (change passwords, remote-lock device)
  2. Assess scope — how many people, what data, risk to clients
  3. If high risk (health, financial data) — notify clients individually (Art. 34)
  4. Submit to UODO via online form (uodo.gov.pl) within 72h
  5. Document everything

Failure to report breach within 72h = separate fine (up to 10 million EUR or 2% turnover).

Templates for beauty salon GDPR

The full GDPR document pack (client consents, privacy policy, cookies policy, processing register, information clause) is in the PRO pack (697 PLN): 21 documents covering everything a UODO or Sanepid audit checks.

FAQ

Does the client need to sign consents at every visit?

No — consents are signed at first visit. Subsequent visits: verbal confirmation or short check ("anything new — medications, allergies, pregnancy?"). Consent renewal: every 5 years or when service scope changes.

Can I store client cards electronically instead of paper?

Yes, but the system must meet GDPR requirements: encryption, access control, backups, audit log. Booksy/BookingTime comply. An Excel file on a laptop desktop does NOT.

What about Ukrainian/Belarusian clients — different rules?

No — GDPR applies to all natural persons in the EU regardless of citizenship. Templates in Ukrainian recommended for salons serving Ukrainian-speaking clients.

Do I need to appoint a DPO?

Small salons — NO. DPO obligation applies to entities processing on a large scale (typically >5,000 clients/year or >50 employees). Small salon only needs a processing register (Art. 30) — a binder document.

What if a client wants their data deleted?

You must delete within 30 days — unless other legal bases apply (e.g. invoices kept 5 years for tax). Then inform the client of restrictions. Note "client requested right to be forgotten + date" in your records.