GDPR for Salons: What You Need to Comply With in 2026
A practical GDPR guide for hairdressers, fitness studios, massage therapists, and other service businesses. What data you can collect, how long to keep it, and how Resovu helps.
Personal data protection isn't just a bureaucratic obligation; it's the foundation of trust between you and your clients. Salons, fitness studios, wellness centers, and other service providers handle personal data every day, some of it sensitive: names, phone numbers, emails, health information, payment details. The General Data Protection Regulation (GDPR) sets clear rules for how to handle this data. In this article, we'll explain exactly what you need to comply with in 2026 and how your booking system can help.
What Personal Data Salons Collect
You might not realize it, but as a service provider, you process a surprisingly large amount of personal data. This includes:
- Identification data: name, surname, date of birth
- Contact details: phone, email, address
- Booking data: visit history, preferred services, favorite staff members
- Health information: allergies, contraindications, health restrictions (especially for cosmetic and wellness services)
- Payment data: payment history, and card numbers if you store them yourself (storing full card numbers brings you into scope of the PCI DSS card-industry standard; leave card storage to your payment provider and keep only a transaction reference)
- Marketing preferences: newsletter consent, communication channels
- Photographs: before/after photos for cosmetic procedures
Each of these categories is subject to specific GDPR rules. Health data is a special category of data under Article 9: in addition to a legal basis under Article 6 you need one of the Article 9 conditions, which for a salon in practice means the client's explicit consent, and it calls for stricter protection (access limited to the staff who need it, no copies in chat apps or on personal phones).
Legal Bases for Processing
GDPR requires that you have a valid legal basis for each type of processing. For salons, these three are the most relevant:
Contract Performance
When a client makes a booking, they enter into a service agreement with you. To fulfill it, you need their name, contact information, and details about the chosen service. You don't need separate consent for this processing; it's necessary to deliver what the client has requested.
Legitimate Interest
Some processing can be justified by legitimate interest, such as keeping visit history to improve services or sending booking reminders (a reminder for an appointment the client has booked can usually also rest on contract performance). However, you must perform and document a balancing test: the processing must be necessary for your interest, and the client's interests and fundamental rights must not override it. Legitimate interest is not available for health data, which needs its own Article 9 condition.
Consent
For marketing communications (newsletters, promotional offers, birthday discounts), you need the client's consent. This consent must be freely given, specific, informed, and unambiguous, and given by a clear affirmative action such as ticking an unticked box. Pre-checked checkboxes, silence, or a blanket clause buried in your terms do not constitute valid consent, and agreeing to marketing must not be a condition of getting the booking.
Consent Management
Consent record-keeping is one of the areas where salons most commonly make mistakes. For each consent, you must record:
- Who gave consent (client identification)
- When consent was given (date and time)
- What the client consented to (exact wording)
- How consent was given (online form, paper document)
Clients have the right to withdraw their consent at any time, and you must have a mechanism to allow and record this. Withdrawing consent must be as easy as giving it.
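One minimal way to keep such a record, as an added example rather than code from Resovu or from this article: an append-only ledger that stores the four facts above for every consent event, refuses a pre-ticked box, logs withdrawal as its own event with no wording to accept, and can answer whether a client had valid consent for a given purpose at a given moment. The client id, purposes and wording are constructed sample data.

```python
"""Append-only consent ledger for a salon booking system.

Added example, not Resovu's code.  Every event records who, when, what (the
exact wording plus its SHA-256 fingerprint), how, and whether consent was
given or withdrawn.  Events are never edited or deleted, so the ledger can
prove what a client agreed to and answer "did this client have valid
marketing consent at time T?".
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    client_id: str          # who
    purpose: str            # what it covers, e.g. "newsletter" or "birthday_offers"
    wording: str            # the exact text the client saw
    wording_sha256: str     # fingerprint, so a later edit of the form template is detectable
    channel: str            # how: "online_form", "paper_form", ...
    recorded_at: datetime   # when (timezone-aware UTC)
    action: str             # "given" or "withdrawn"


def _utc(ts: datetime) -> datetime:
    """Reject naive timestamps: an audit record with an ambiguous time proves nothing."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc)


class ConsentLedger:
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def give(self, client_id: str, purpose: str, wording: str, channel: str,
             at: datetime, affirmative_action: bool) -> ConsentEvent:
        """Record consent. A pre-ticked box or silence is not consent (Art. 4(11), Art. 7) and is refused."""
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action by the client")
        event = ConsentEvent(client_id, purpose, wording,
                             hashlib.sha256(wording.encode("utf-8")).hexdigest(),
                             channel, _utc(at), "given")
        self._events.append(event)
        return event

    def withdraw(self, client_id: str, purpose: str, channel: str, at: datetime) -> ConsentEvent:
        """Withdrawal is one call with nothing to accept: as easy as giving consent."""
        last = self._latest(client_id, purpose, _utc(at))
        if last is None or last.action != "given":
            raise ValueError("no active consent to withdraw")
        event = ConsentEvent(client_id, purpose, last.wording, last.wording_sha256,
                             channel, _utc(at), "withdrawn")
        self._events.append(event)
        return event

    def has_consent(self, client_id: str, purpose: str, at: datetime) -> bool:
        """True only if the newest event for this client and purpose at or before `at` is a grant."""
        last = self._latest(client_id, purpose, _utc(at))
        return last is not None and last.action == "given"

    def history(self, client_id: str) -> list[ConsentEvent]:
        """Everything recorded for one client, in order: the evidence for an access request or an audit."""
        return [e for e in self._events if e.client_id == client_id]

    def _latest(self, client_id: str, purpose: str, at: datetime) -> ConsentEvent | None:
        matching = [e for e in self._events
                    if e.client_id == client_id and e.purpose == purpose and e.recorded_at <= at]
        return max(matching, key=lambda e: e.recorded_at, default=None)


def consent_demo() -> dict[str, object]:
    """Constructed sample: one client grants newsletter consent online, later withdraws on a paper form."""
    ledger = ConsentLedger()
    wording = "I agree to receive the monthly newsletter by email. I can unsubscribe at any time."
    ledger.give("client-42", "newsletter", wording, "online_form",
                datetime(2026, 1, 10, 9, 30, tzinfo=timezone.utc), affirmative_action=True)
    ledger.withdraw("client-42", "newsletter", "paper_form",
                    datetime(2026, 3, 1, 14, 0, tzinfo=timezone.utc))
    try:  # a pre-ticked "birthday offers" box must not produce a consent record
        ledger.give("client-42", "birthday_offers", "Send me birthday offers.", "online_form",
                    datetime(2026, 1, 10, 9, 31, tzinfo=timezone.utc), affirmative_action=False)
        pre_ticked_rejected = False
    except ValueError:
        pre_ticked_rejected = True
    return {
        "before": ledger.has_consent("client-42", "newsletter", datetime(2026, 1, 1, tzinfo=timezone.utc)),
        "during": ledger.has_consent("client-42", "newsletter", datetime(2026, 2, 1, tzinfo=timezone.utc)),
        "after_withdrawal": ledger.has_consent("client-42", "newsletter", datetime(2026, 3, 2, tzinfo=timezone.utc)),
        "events_for_client": len(ledger.history("client-42")),
        "pre_ticked_rejected": pre_ticked_rejected,
    }


if __name__ == "__main__":
    print(consent_demo())
```

The point of storing the wording's hash next to the wording itself is that you can later show a regulator that the text the client accepted is the one in your records, even after the consent form has been reworded. In a real deployment the ledger would live in a database table that staff accounts can only append to, never update or delete.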
Data Retention Periods
GDPR prohibits retaining personal data longer than necessary for the purpose it was collected. Establish a clear retention policy:
- Active clients β retain data for the duration of the relationship
- Inactive clients: recommended retention period is 2 to 3 years from the last visit
- Accounting records: legal obligation to retain for 5 to 10 years, depending on your national accounting and tax law; this covers the invoice data itself, not the rest of the client profile
- Health data β for the period necessary for safe service delivery, then delete
- Marketing consents β until consent is withdrawn by the client
After the retention period expires, you must securely delete or anonymize the data. Anonymization must be irreversible: replacing a name with an internal ID that you can still map back is pseudonymization, and pseudonymized data is still personal data under GDPR. Remember backups and exports as well; a deletion that leaves the record in last year's spreadsheet export is not a deletion.
Client Rights Under GDPR
Your clients have several rights under GDPR that you must be prepared to respond to without undue delay and at the latest within one month of the request (extendable by two further months for complex or numerous requests, provided you tell the client within the first month). Verify that the request really comes from the client before you hand over or delete anything:
- Right of access β clients can request a copy of all data you hold about them
- Right to rectification β clients can request correction of inaccurate data
- Right to erasure: the so-called right to be forgotten, when there is no longer a purpose or legal basis for keeping the data. It is not absolute: records you are legally obliged to keep, such as invoices within the accounting retention period, stay, but should then be used for that purpose only
- Right to data portability: clients can request an export of the data they provided to you and that you process by automated means on the basis of contract or consent, in a commonly used machine-readable format such as CSV or JSON
- Right to object β particularly against processing for direct marketing
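The retention schedule above and the right to erasure interact: both a scheduled clean-up and an erasure request have to respect the accounting records you are legally required to keep, while everything else goes. The following Python, an added example that is neither Resovu's code nor from the original article, encodes one such policy. The periods in RetentionPolicy (36 months of inactivity, 12 months for health notes, 10 years for invoices counted from the end of the invoice year) and the three client records are assumptions for the illustration, not values the regulation prescribes.

```python
"""Retention and erasure decisions for one client record.

Added example, not Resovu's code.  The policy numbers are assumptions for the
illustration: check them against your national accounting law and your own
purpose assessment before using anything like this.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of the target month (31 Jan + 1 = 28/29 Feb)."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass(frozen=True)
class RetentionPolicy:
    inactive_months: int = 36     # anonymize identity/contact/booking data this long after the last activity
    health_months: int = 12       # delete health notes this long after the last activity
    accounting_years: int = 10    # keep invoices this many years, counted from the end of the invoice year


@dataclass
class ClientRecord:
    client_id: str
    last_activity: date                         # last visit or last booking
    has_health_notes: bool
    invoice_dates: list[date] = field(default_factory=list)
    marketing_consent_active: bool = False


def accounting_keep_until(invoice_dates: list[date], policy: RetentionPolicy) -> date | None:
    """Statutory retention runs from the end of the newest invoice's year; None if there is nothing to keep."""
    if not invoice_dates:
        return None
    return date(max(d.year for d in invoice_dates) + policy.accounting_years, 12, 31)


def _accounting_decision(client: ClientRecord, today: date, policy: RetentionPolicy) -> str:
    keep_until = accounting_keep_until(client.invoice_dates, policy)
    if keep_until is None:
        return "none"
    return "keep" if today <= keep_until else "delete"


def retention_decisions(client: ClientRecord, today: date, policy: RetentionPolicy) -> dict[str, str]:
    """Scheduled clean-up: what to do with each data category on `today`."""
    anonymize_identity = today >= add_months(client.last_activity, policy.inactive_months)
    decisions = {
        "identity_contact_booking": "anonymize" if anonymize_identity else "keep",
        "accounting_records": _accounting_decision(client, today, policy),
    }
    if client.has_health_notes:
        health_until = add_months(client.last_activity, policy.health_months)
        decisions["health_data"] = "delete" if today >= health_until else "keep"
    else:
        decisions["health_data"] = "none"
    # Marketing data stays only while consent stands AND an identifiable client remains to contact;
    # once the identity is anonymized there is nobody left to market to.
    decisions["marketing_data"] = "keep" if client.marketing_consent_active and not anonymize_identity else "delete"
    return decisions


def erasure_request(client: ClientRecord, today: date, policy: RetentionPolicy) -> dict[str, str]:
    """Art. 17 request: erase everything except what a legal obligation forces you to keep (Art. 17(3)(b))."""
    return {
        "identity_contact_booking": "anonymize",
        "health_data": "delete" if client.has_health_notes else "none",
        "marketing_data": "delete",
        # Invoices still inside the statutory period stay, restricted to accounting use from now on.
        "accounting_records": _accounting_decision(client, today, policy),
    }


def retention_demo() -> dict[str, dict[str, str]]:
    """Constructed records: a long-inactive client, a current client, and one whose invoices have aged out."""
    policy = RetentionPolicy()
    today = date(2026, 1, 15)
    inactive = ClientRecord("c-1", date(2022, 5, 10), True, [date(2022, 5, 10)], marketing_consent_active=True)
    current = ClientRecord("c-2", date(2025, 11, 20), False, [date(2025, 11, 20)])
    aged_out = ClientRecord("c-3", date(2014, 3, 1), False, [date(2014, 3, 1)])
    return {
        "inactive_scheduled": retention_decisions(inactive, today, policy),
        "current_scheduled": retention_decisions(current, today, policy),
        "inactive_erasure": erasure_request(inactive, today, policy),
        "aged_out_erasure": erasure_request(aged_out, today, policy),
        "month_clamp": {"31_jan_plus_1": add_months(date(2026, 1, 31), 1).isoformat()},
    }


if __name__ == "__main__":
    for name, decision in retention_demo().items():
        print(name, decision)
```

Note that the decision for the long-inactive client is "anonymize" for the profile but "keep" for the 2022 invoice: the two are decided by different rules, and the invoice must be able to stand on its own once the profile it pointed at is gone. Whoever implements the "anonymize" step has to make it irreversible for this to hold.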
How Resovu Helps You With GDPR
Resovu was designed from the ground up with GDPR compliance in mind. The system offers a range of features to make regulatory compliance easier:
- Automatic consent management β during booking, clients see and agree to precise processing conditions, everything is logged
- Configurable retention periods β define after how long of inactivity data should be automatically anonymized
- Client data export β generate a complete overview of a client's data on request
- Right to erasure β delete or anonymize all client data with a single click
- Data encryption β all data is encrypted in transit and at rest
- Audit log β a record of who accessed or modified data, when, and how
Thanks to these features, you don't need to maintain complex spreadsheets and paper records. Resovu handles the technical side of GDPR while you focus on your clients. Keep in mind that you remain the data controller: the booking system acts as your processor, so you need a data processing agreement (Article 28) with the provider, and the duties to inform clients, answer their requests on time, and decide retention periods are still yours.
Frequently Asked Questions
Does a small one-person salon need to comply with GDPR? Yes. GDPR applies to all entities that process personal data of individuals, regardless of company size. Even a solo practitioner with a single chair must have a legal basis for data processing, inform clients, and protect their data.
Can I be fined for GDPR non-compliance? Yes. Data protection authorities can impose fines of up to 20 million EUR or 4% of worldwide annual turnover, whichever is higher. In practice, authorities typically impose lower fines on small businesses, but even fines in the thousands can be significant, and an authority can also order you to stop a particular processing. Additionally, you risk losing client trust.
Can I send clients birthday discounts without consent? No. A birthday offer is a form of direct marketing and requires the client's prior consent. Without consent, you can only send communications directly related to the service being provided, such as booking confirmations and appointment reminders. Every marketing message must also offer an easy way to opt out.
How long can I keep client photos (before/after)? Photos are personal data, and you need explicit consent to take and store them. We recommend keeping them for the duration of the active relationship plus 1 year at most. For use on social media or your website, you need separate consent.
Do I need a Data Protection Officer (DPO)? Most salons and smaller studios don't need a DPO. The requirement applies to public authorities and to entities whose core activity involves large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data such as health data. However, it's good practice to have someone in the company who monitors GDPR and ensures compliance.