
GDPR for hairdressers and beauticians: what you really need

GDPR without panic: what you actually need to do as a hairdresser or beautician to be compliant. Notice, consent, client cards, before/after photos, cookies. Practical checklist.

ZenBookr Team
10 min read

"GDPR" is that word that makes anyone running a salon cringe. They tell you about €20 million fines, sell you €1000 consultancies, offer you "GDPR-compliant" software at €200/month. Reality is much simpler — and much less expensive.

This guide explains what you actually need to be GDPR compliant as a hairdresser or beautician, without fluff or unnecessary spending.

Disclaimer: this article is informational, not legal advice. For complex situations (e.g. chain with 10+ locations) consult a privacy lawyer or certified DPO.

What is GDPR (in 30 seconds)

The GDPR (Regulation (EU) 2016/679, applicable since 25 May 2018) is the European law on personal data protection. It applies to any business established in the EU that processes personal data, and to businesses outside the EU that offer goods or services to people in the EU. A salon in Europe is covered, full stop.

"Processing data" includes just noting a client's phone number to call them if you're running late. Yes, you're subject to GDPR. No, don't panic.

The 6 actual obligations (not 600)

1. Privacy notice for clients

When a client gives you their data (name, phone, email, photos), you must explain:

  • Who you are (Data Controller)
  • What data you collect (personal info + contact + treatment history)
  • Why you collect it (appointments, invoicing, contact)
  • How long you keep it (typically the duration of the relationship, plus the period your tax law requires for invoices: 10 years in Italy, check your local rule)
  • Who you pass it to (e.g. ZenBookr as Processor, accountant, Stripe for payments)
  • Their rights (access, rectification, erasure, portability)

How to comply: a printed A4 page posted in the salon + PDF version for first visit. Cost: zero. With ZenBookr the notice is included in our Privacy Policy, just link it.

2. Legal basis for each processing

GDPR (Art. 6) requires a legal basis for every processing. For a hairdresser or beautician, the four relevant bases are:

  • Contract performance (Art. 6.1.b) — data needed to provide the booked service. Example: name + phone to confirm the appointment, or a reminder the day before.
  • Legal obligation (Art. 6.1.c) — tax data (tax code for invoices/receipts above the local threshold).
  • Legitimate interest (Art. 6.1.f) — non-promotional service communications that go beyond the single appointment (e.g. "we've changed our opening hours", "the salon is closed next Monday"). Not for marketing.
  • Consent (Art. 6.1.a) — promotional newsletters, photos published on the salon's social media. Consent must be freely given, specific and as easy to withdraw as to give (Art. 7).

Common trap: the newsletter "we only send special offers" needs an explicit opt-in, revocable at any time. A pre-ticked box or "you are automatically subscribed" does not count as consent.

3. Explicit consent for sensitive data (Art. 9)

Health data is "special category" Art. 9 GDPR — requires separate explicit consent. Examples:

  • Allergies to products / dyes
  • Scars, skin lesions
  • Pregnancy (relevant for product selection)
  • Before/after photos showing skin conditions

Practical solution: a second signed consent declaration, separate from general notice. Example: "I consent to processing of my data on allergies and skin conditions for proper service personalization." Yes/No.

4. Pre/post photos: double consent

Before/after treatment photos are personal data (Art. 4.1 GDPR), and sensitive data under Art. 9 if they show a skin condition.

Photos need their own consent, and it should be in writing because the burden of proving consent is on you (Art. 7.1). The consent has two separate dimensions:

  • Consent to photograph for internal client card (always)
  • Consent to publish on salon socials (optional, separate)

Client must be able to say "yes to card, no to socials" — these are two different processings.

Common error: salons posting treatment photos on socials without explicit written consent. Even if client "said yes verbally" or "signed something generic", it's not enough.

5. Data security (Art. 32)

You must protect data with "appropriate technical and organisational measures" (Art. 32 wording). What this means practically:

  • Unique, strong passwords on the salon computer and on every online account (no "1234" or "admin", and not the same password everywhere); a password manager makes this painless
  • Two-factor authentication on the management software and on the e-mail account that can reset its password
  • One login per staff member, never a shared account, so you can tell who viewed or changed what
  • Screen that locks after 5 minutes of inactivity
  • Regular backup of client data (cloud or encrypted external drive), and a test every so often that the backup actually restores
  • Paper filing (if any) locked away
  • Updated management software (e.g. ZenBookr auto-updates)

No need for military bunker setup. Just "digital diligence of a good professional".

6. Client rights

Clients have right to ask you, at any time:

  • Access (Art. 15): "Show me all the data you have about me." Respond without undue delay and at the latest within one month (Art. 12.3; extendable by two months for complex requests, but you must say so within the first month).
  • Rectification (Art. 16): "Change my phone number." Immediately.
  • Erasure, the right to be forgotten (Art. 17): "Delete everything about me." You must, except data you are legally required to keep (Art. 17.3.b), typically invoices for the tax retention period (10 years in Italy).
  • Portability (Art. 20): "Export my data in a machine-readable format (CSV)." Within one month.
  • Objection (Art. 21.2): "Don't send me promotional communications anymore." Stop immediately, no justification needed from the client.

With good software (ZenBookr does this natively) CSV export + complete deletion are 1-2 clicks.
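What "CSV export + complete deletion" looks like under the hood, as an added example written for this article (it is not ZenBookr's code, and the field names, the 10-year retention period and the sample record are assumptions made for the example): a portability export that quotes CSV cells safely, and an erasure routine that wipes everything except invoices still inside their retention window and writes one audit-log entry.

```javascript
// Added example, not ZenBookr's implementation: Art. 20 export and Art. 17 erasure
// run against a constructed in-memory client record. Retention period and field
// names are assumptions for the example.

const RETENTION_YEARS = 10; // assumption: accounting-records rule (10 years in Italy); check your local rule

// Constructed sample record: no real person behind it.
const sampleClient = {
  id: "c-1042",
  name: "Example Client",
  phone: "+39 000 0000000",
  email: "client@example.invalid",
  healthNotes: { allergies: ["PPD"], notes: "sensitive scalp" }, // Art. 9 data, consented separately
  photos: ["card/2024-03-01.jpg"],
  newsletterOptIn: true,
  invoices: [
    { number: "2015/0042", date: "2015-03-10", amount: 45.0 },
    { number: "2024/0311", date: "2024-03-01", amount: 60.0 },
  ],
};

// Fields wiped on erasure. Invoices are handled separately below.
const ERASABLE_FIELDS = ["name", "phone", "email", "healthNotes", "photos", "newsletterOptIn"];

// Last day an invoice must be kept: issue date plus the retention period (UTC, so DST cannot shift the day).
function retentionEnd(isoDate) {
  const d = new Date(isoDate + "T00:00:00Z");
  d.setUTCFullYear(d.getUTCFullYear() + RETENTION_YEARS);
  return d;
}

// Art. 17: drop everything except invoices still inside their retention window.
// Returns the residual record and appends one audit entry (who did what, when, to whom).
function processErasure(client, today, auditLog, operator) {
  const kept = client.invoices.filter((inv) => retentionEnd(inv.date) > today);
  const lastEnd = kept.reduce((m, inv) => {
    const e = retentionEnd(inv.date);
    return e > m ? e : m;
  }, new Date(0));
  const residual = {
    id: client.id, // opaque key so the kept invoices still resolve to one subject
    invoices: kept,
    status: kept.length ? "erased_except_tax_records" : "erased",
    purgeAfter: kept.length ? lastEnd.toISOString().slice(0, 10) : null, // when the rest can go
  };
  auditLog.push({
    at: today.toISOString(),
    operator,
    action: "erasure",
    clientId: client.id,
    fieldsRemoved: ERASABLE_FIELDS.filter((f) => f in client),
    invoicesKept: kept.length,
    invoicesDeleted: client.invoices.length - kept.length,
  });
  return residual;
}

// CSV cell: quote it, and neutralise a leading =, +, -, @ (or tab/CR) so a spreadsheet
// opening the export does not execute it as a formula (CSV injection). Phone numbers
// starting with "+" get the apostrophe too; that is the accepted trade-off.
function csvCell(value) {
  let s = value === undefined || value === null ? "" : String(value);
  if (/^[=+\-@\t\r]/.test(s)) s = "'" + s;
  return '"' + s.replace(/"/g, '""') + '"';
}

// Art. 20: one flat CSV row of what the client gave you, in a commonly used format.
function exportCsv(client) {
  const columns = ["id", "name", "phone", "email", "allergies", "newsletterOptIn", "invoices"];
  const row = [
    client.id,
    client.name,
    client.phone,
    client.email,
    ((client.healthNotes && client.healthNotes.allergies) || []).join(";"),
    client.newsletterOptIn,
    client.invoices.map((i) => `${i.number} ${i.date} ${i.amount}`).join(";"),
  ];
  return columns.map(csvCell).join(",") + "\n" + row.map(csvCell).join(",") + "\n";
}

// Stand-alone run: export first, then erase as of 2025-06-01 (the 2015 invoice is already past retention).
if (typeof require !== "undefined" && require.main === module) {
  const log = [];
  console.log(exportCsv(sampleClient));
  console.log(processErasure(sampleClient, new Date("2025-06-01T00:00:00Z"), log, "owner"));
  console.log(log);
}
```

The point to notice is the "purgeAfter" date: an erasure request does not end the job, it schedules a second deletion for when the last retained invoice falls out of its tax window, and the audit entry is what lets you show the authority what was deleted and what was kept, and why.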

What you DON'T need to do (debunking myths)

Myth 1: "You need a DPO"

False for 99% of hairdressers/beauticians. A DPO (Data Protection Officer) is mandatory (Art. 37.1) only if:

  • You are a public authority or body
  • Your core activity requires regular and systematic monitoring of people on a large scale (GDPR sets no numeric threshold; think tracking platforms, not a booking diary)
  • Your core activity is large-scale processing of sensitive data (a hospital, not a salon noting a few allergies)

A salon with 500 active clients does NOT need a DPO. If someone sells you "mandatory DPO" at €1,500/year, it's an unnecessary service.

Myth 2: "You need a Records of Processing"

The Records of Processing (Art. 30 GDPR) are mandatory for organisations with 250+ employees. Smaller ones are exempt (Art. 30.5) unless the processing is likely to result in a risk, is not occasional, or includes special-category data. Since a salon records allergies and skin conditions routinely, strictly speaking that one processing is not covered by the exemption, so keep a short record of it: a single page listing what you collect, why, where it is stored and for how long. What you do not need is the 40-page register a consultant will try to sell you.

Myth 3: "You need to pay for GDPR seal"

No official, mandatory "GDPR seal" exists (Art. 42 certifications are voluntary and, in practice, still rare). Anyone selling you one as a requirement is running a scam.

Cookie Banner: the web trap

If you have a website or use management software with public pages (e.g. marketplace), you need a compliant cookie banner.

EU rules (ePrivacy Directive + local implementations) require:

  • Banner shown on first visit, before any non-technical cookie is set
  • Explicit opt-in for non-technical cookies (analytics, marketing); scrolling or continuing to browse is not consent
  • "Accept" and "Reject" buttons with equal visual weight
  • Ability to change or withdraw the choice at any time ("Manage cookies" link)
  • Strictly necessary (technical) cookies, such as the session and the record of the consent choice itself, need no consent

ZenBookr includes a pre-configured compliant cookie banner. For salons with their own Wix/WordPress site, use a consent plugin with a free tier such as iubenda or Cookiebot.
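What a banner that meets those four points does in code, as an added example written for this article (not ZenBookr's banner, which is not shown here; the cookie name, the consent categories and the script URLs are assumptions): nothing non-technical loads until a decision is stored, "reject" is a first-class choice recorded exactly like "accept", a stale consent from an older version of the notice is ignored, and a "manage cookies" action clears the decision so the banner comes back.

```javascript
// Added example, not ZenBookr's code: a minimal consent gate for non-technical cookies.
// Assumes two consent categories ("analytics", "marketing"); the cookie name and the
// tag URLs are placeholders.

const CONSENT_COOKIE = "cookie_consent"; // assumption: first-party cookie name
const CONSENT_VERSION = 1;               // bump when the notice changes: old decisions stop counting
const CATEGORIES = ["analytics", "marketing"]; // technical cookies need no consent and are not listed

// Parse the stored decision out of a document.cookie-style string.
// Returns null whenever there is no valid, current-version decision: the default is "no consent".
function readConsent(cookieString) {
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const saved = JSON.parse(decodeURIComponent(rest.join("=")));
      if (saved.v !== CONSENT_VERSION) return null; // notice changed since: ask again
      const choices = {};
      for (const c of CATEGORIES) choices[c] = saved[c] === true;
      return choices;
    } catch {
      return null; // tampered or malformed cookie: treat as no decision
    }
  }
  return null;
}

// Build the cookie value recording an explicit decision. "Reject all" produces a cookie too:
// remembering a refusal is a technical cookie and needs no consent.
function buildConsentCookie(choices, maxAgeDays = 180) {
  const value = { v: CONSENT_VERSION };
  for (const c of CATEGORIES) value[c] = choices[c] === true;
  const encoded = encodeURIComponent(JSON.stringify(value));
  return `${CONSENT_COOKIE}=${encoded}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Which tag loaders may run: only categories explicitly set to true. No decision, no loaders.
function allowedLoaders(consent, loaders) {
  if (!consent) return [];
  return Object.keys(loaders).filter((c) => consent[c] === true);
}

function runLoaders(consent, loaders) {
  for (const category of allowedLoaders(consent, loaders)) loaders[category]();
}

// Browser side. Injects a third-party tag only when called, i.e. only after consent.
function loadScript(src) {
  const s = document.createElement("script");
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

function installBanner(loaders) {
  const existing = readConsent(document.cookie);
  if (existing) {
    runLoaders(existing, loaders);
    return;
  }
  const banner = document.createElement("div");
  banner.id = "cookie-banner";
  banner.innerHTML =
    "<p>We use analytics and marketing cookies only with your consent.</p>" +
    '<button class="cc-btn" data-choice="accept">Accept all</button>' +
    '<button class="cc-btn" data-choice="reject">Reject all</button>'; // same class: equal visual weight
  banner.addEventListener("click", (ev) => {
    const choice = ev.target.dataset && ev.target.dataset.choice;
    if (!choice) return;
    const all = choice === "accept";
    const choices = Object.fromEntries(CATEGORIES.map((c) => [c, all]));
    document.cookie = buildConsentCookie(choices);
    banner.remove();
    runLoaders(choices, loaders);
  });
  document.body.appendChild(banner);
}

// "Manage cookies" link: forget the stored decision so the banner is shown again on next load.
function resetConsent() {
  document.cookie = `${CONSENT_COOKIE}=; Max-Age=0; Path=/`;
}

if (typeof document !== "undefined") {
  installBanner({
    analytics: () => loadScript("https://analytics.example/tag.js"), // assumption: placeholder URLs
    marketing: () => loadScript("https://ads.example/pixel.js"),
  });
}
```

The check worth running on any banner, bought or home-made: open the site in a fresh private window, do not click anything, and look at the cookie jar and the network tab. If an analytics or advertising request fires before you choose, the banner is decorative and the site is not compliant, whatever the buttons look like.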

What ZenBookr does for your compliance

If you use ZenBookr as your management software, we handle a big chunk of the compliance for you (we are the Processor, you remain the Controller):

  • Signable Art. 28 GDPR DPA in-app — see our standard DPA
  • EU servers (Firebase europe-west1, Belgium)
  • Transit encryption (TLS 1.3) + at rest (AES-256)
  • Daily automatic backups
  • Pre-configured privacy notice for your clients (customizable)
  • Compliant cookie banner in public marketplace pages
  • CSV export / complete deletion in 2 clicks
  • Audit log of data access (who viewed what, when)

Salon GDPR checklist — print and use

  1. ☐ Privacy notice prepared (1 A4 page)
  2. ☐ Allergies / sensitive data consent form (separate)
  3. ☐ Pre/post photos consent form (with card vs social dimensions)
  4. ☐ Management software with signable Art. 28 GDPR DPA
  5. ☐ Software servers in EU
  6. ☐ Strong password + screen auto-lock
  7. ☐ Regular client data backup (cloud or encrypted)
  8. ☐ Paper filing (if any) locked
  9. ☐ Cookie banner on site (if applicable)
  10. ☐ Newsletter only with explicit opt-in
  11. ☐ Social photos only with separate written consent
  12. ☐ Procedure for access/erasure/portability requests (answer within one month)
  13. ☐ Data breach procedure (theft, leak, ransomware: notify the supervisory authority within 72 hours of becoming aware, Art. 33, and the affected clients without undue delay if the risk to them is high, Art. 34)

With all points covered, you're 99% compliant for typical salon activity.

TL;DR: privacy notice + explicit consent (separate for sensitive data and photos) + serious software with DPA + reasonable security = you're good. Don't spend €1,500 on "DPO consultancy" if you're a single salon.

Resources

Specific doubts about your situation? Contact us. If the answer is "you need a lawyer / certified DPO", we'll tell you honestly.

Written by

ZenBookr Team

Independent Italian team of developers and designers focused on wellness.
