Social Media and GDPR in a Beauty Salon — Client Photos, Instagram and Consents [2026]

A photo of a client's face on Instagram requires a separate image consent - without it you breach the law. Photos of hands without the face carry lower risk, but having consent is still the safer option. Find the right form.

Client Photos on Instagram and TikTok: What Is Allowed in a Salon and What Can Lead to a GDPR Fine

A nail art photo, a client's face in frame, a video of a treatment in progress. These are popular content formats in a beauty salon that build reach and attract new clients. But without proper client consent this is a GDPR violation, and the Polish Personal Data Protection Office (UODO) can impose a fine. This is not a theoretical risk: UODO actively investigates micro-businesses.

This article tells you straight: what is protected, how to collect consent correctly, and what the consequences of skipping that step are.

What GDPR Protects in the Context of Social Media

A Client's Face: Absolute Protection

A client's face is personal data under GDPR. It allows a specific person to be identified. To publish an image showing a client's face you need a separate, explicit image consent. The GDPR consent on your client intake form is not enough. A general "yes" at registration is not enough. Image consent is a separate document or a clearly separated section within a form, dedicated solely to this purpose.

Hands and Nails Without a Face: Lower Risk, But Not Zero

A photo of hands only, without a face and without any identifying features (a distinctive tattoo, jewellery the client always wears), does not allow a person to be identified in practice. The legal risk is lower. However, it is worth having a general consent to publish content from the visit: the client signs to confirm she agrees to photos of treatment results without identifying features. This protects you from a situation where the client recognises her own hands and raises an objection.

Content Revealing Health Data: Absolute Prohibition

GDPR classifies health data as a special category of personal data (Article 9). If you publish a photo with a caption suggesting the client's health condition ("nails after chemotherapy", "nail reconstruction after psoriasis", "client with atopic dermatitis") without explicit written consent based on Article 9(2) GDPR, you are committing a serious violation. The fine can be many times higher than for a standard image rights violation.

How to Obtain Proper Image Publication Consent

Image Consent Form: A Separate Document

The image consent form must be separate from the client record card and the general GDPR consent at registration. It must include:

  • The client's full name
  • A description of exactly what you will publish (e.g. "photos and short videos showing treatment results on hands and face")
  • Where you will publish it (e.g. "Instagram @salon_name, TikTok @salon_name, website")
  • Duration of consent (e.g. "for the duration of the salon's operation or until consent is withdrawn")
  • Information about the right to withdraw consent at any time
  • Date and client's signature

Consent Must Be Voluntary: You Cannot Make It a Condition

You cannot make a client's service conditional on giving image consent. If the client refuses to sign the form, you serve her exactly the same and take no photos. Consent given under pressure ("if you don't sign, I won't do the treatment") is invalid under GDPR.

Withdrawal of Consent: What Happens Next

A client has the right to withdraw consent at any time. After withdrawal: you remove all photos and videos featuring that client from every platform (Instagram, TikTok, website, Google Business Profile). Exception: if you have another legal basis for retention (for example, a photo is part of documentation required by law). In practice for a beauty salon: after consent is withdrawn, you remove the content.

Verbal Consent: Not Enough

The client said "yes, you can post it." That is not sufficient. It is her word against yours: if she denies it and files a complaint with UODO, you have no proof. Always get written consent or at minimum a text message (SMS or WhatsApp) that you save with the client's name and date.

Safe Day-to-Day Practices

Instagram Tags: A Better Option Than No Consent

If you tag the client on Instagram (@tag), she sees the post in her notifications and can remove the tag. This does not replace written consent, but it is better than publishing without any notification. If the client removes the tag: treat this as a signal that she does not consent and remove the photo.

Stories and Reels: Same Rules as Posts

Stories disappear after 24 hours, but during that time they are publicly visible. If a client sees her photo in a Story without consent and takes a screenshot: you have a problem. Reels stay on the profile indefinitely. GDPR rules apply equally to all formats.

TikTok: GDPR Applies, Algorithms Do Not Change the Law

TikTok has different reach and different algorithms than Instagram. Your video featuring a client could reach hundreds of thousands of people. GDPR makes no exception for high-reach platforms: consent is required just the same. Greater reach means greater potential harm when consent is missing.

Photos of Nails Only: A Practical Solution

Your social media portfolio can be built entirely from photos of treatment results (nails, brows, lashes) with no faces and no identifying features. This is a safe practice that does not require collecting image consent from every client. Many nail technicians successfully run profiles with tens of thousands of followers without a single photo of a client's face.

What the Consequences of Missing Consent Are

Client Complaint to UODO

A client can file a complaint with the Personal Data Protection Office. UODO is obliged to investigate every complaint. Proceedings can take several months. During the investigation you may be required to provide explanations and submit documentation.

Financial Fine From UODO

For small salons, a financial penalty typically starts with a warning or a fine of a few thousand zlotys. The maximum penalty is 20 million euros or 4% of global annual turnover (for companies). In practice UODO imposes penalties on micro-businesses proportionate to the scale of the violation and the degree of bad faith. Repeat violations or lack of cooperation during proceedings lead to higher penalties.

Civil Claims From the Client

Independently of UODO proceedings, the client can pursue protection of personal rights in a civil court. Claims can include: removal of the image, financial compensation for violation of personal rights (amounts ranging from several to tens of thousands of zlotys depending on circumstances), and a public apology. Legal costs can far exceed the value of any social media popularity gained without consent.

FAQ

Can I post a photo of a client's hands without consent?

A photo of hands only, without identifying features (no face, no distinctive tattoos or jewellery), carries a low risk profile because it does not allow the client to be identified. For full peace of mind and legal certainty: collect a general consent for publishing treatment results without identifying features. One signature that protects you going forward.

Is consent "in exchange for compensation" (e.g. a discount for sharing) valid?

Yes, provided the client understands what she is agreeing to and the consent is documented. A discount in exchange for image consent is a permissible practice. But: the consent must still be voluntary. The client must have a genuine choice: either a discount and image consent, or full price without consent. If the only option is "consent or no service": the consent is invalid.

Can I film a client during a treatment?

Filming a client during a treatment (face in frame, voice captured) is processing particularly sensitive personal data (image, voice). You need explicit consent before filming. Not during. Before. If the client has not given consent: you do not film. Filming from behind with no face visible: lower risk, but a general consent is still advisable.

What if a client posts a photo of me without my consent?

Your image is protected in exactly the same way as a client's image. You have the right to ask the client to remove any photo showing your face or details identifying the salon (e.g. a photo in front of the salon logo). You can do this politely via a private message. If the client refuses: you can file a complaint with UODO or report the violation directly to the platform (Instagram and TikTok both have procedures for removing privacy-violating content).

Image Consent Form for Your Beauty Salon

A client image consent form (print-ready, for handwritten signature), fully compliant with GDPR and image rights law, is included in the NailsReady PRO package (397 PLN). Ready to use from the first printout, no legal consultation required.
