Beauty salons: destroying client data
A beauty salon or nail studio keeps a card on many clients, and it often holds more than a name and an appointment: skin conditions, allergies, medication use, sometimes a pregnancy, and treatment photos. That health information makes part of the client card special-category personal data. This guide shows, part by part, what you keep, when it may go and how to destroy it confidentially.
The quick answer: keep the administration for seven years under the tax retention obligation. Keep the client card with skin and allergy data while the client is under treatment and for a short period afterwards. Use treatment photos only with consent. Whatever may go is destroyed confidentially, with a certificate as proof.
Why a client card contains health data
A beauty treatment requires information about the client's skin and health. For a peeling, a facial or a waxing treatment you note allergies, skin conditions, medication use and sometimes a pregnancy, because they affect what is safe. That is health data and therefore special-category personal data under the GDPR (Article 9), with stricter rules. That makes a client card more sensitive than an ordinary customer list.
The GDPR requires storage limitation and extra protection for health data. Do not keep the data longer than necessary for the treatment and aftercare, and clear it out afterwards. Only the financial administration has a fixed statutory period: seven years under the tax retention obligation.
Retention periods by part
The period differs per type of data. The overview below gives the main lines. Count the tax period from the end of the financial year and the other periods from the last treatment.
| Part | Basis | Period |
|---|---|---|
| Administration and invoicing | Tax retention obligation | 7 years |
| Client card with skin and allergy data | Special-category data | purpose-bound, destroy at a fine level |
| Treatment history | While the client is under treatment | until the last treatment + a short period |
| Before-and-after photos | Only with consent | as long as the consent applies |
| Appointments and contact details | While there is a client relationship | purpose-bound |
| Correspondence and drafts | No retention obligation | clear out at once |
Use this as a guideline, not a final legal ruling. Set the retention period of the client card in your own policy and apply it consistently. For the tax side, see the 7-year tax retention obligation.
Treating skin and allergy data separately
The part of the client card with skin and allergy data is the most sensitive. Keep it recognisably separate, make it accessible only to whoever performs the treatment, and destroy it at a fine level once the client no longer comes and there is no longer a reason to keep it. That way you avoid an old client card with health data lying in a card box for years. Hairdressers and salons process similar data, as you can read in hairdressers and salons: data destruction.
Treatment photos and consent
Before-and-after photos are popular for showing results, but they show a recognisable person and sometimes a skin condition. Use them only with the client's consent and limit their use to the agreed purpose, such as the treatment history itself or, with separate consent, your portfolio. If a client withdraws consent, you remove the photos, including any copies on social media. How to handle portrait photos is covered in photographers: destroying client photos and portraits.
How to handle it in 6 steps
- Split the data into administration, client card, health data and photos.
- Treat skin and allergy data separately and at a fine destruction level.
- Use treatment photos only with consent and clear them out on withdrawal.
- Assess per client whether the treatment relationship has ended and the short period is past.
- Collect what may go in sealed containers, not in the paper bin.
- Have it destroyed confidentially with a certificate and record the destruction in your record of processing activities.
Destroy confidentially with a certificate
Client cards are destroyed confidentially at a fine level, because they contain health data and sometimes photos. The paper and any data carriers travel sealed and stay sealed until destruction, so the chain of custody stays closed. An old salon computer or a backup with client cards and photos belongs in the same batch.
Afterwards you receive a certificate of destruction stating the date, quantity and destruction level. That certificate is your proof under the GDPR that you acted carefully. Record the destruction in your record of processing activities. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. You cannot drop material off at our site; we collect by appointment.
Client cards to be destroyed?
Tell us what you have and you get a fixed price. We collect it sealed, destroy it at a fine DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.
Request a quote
Common mistakes
- Keeping old client cards just in case. Once the treatment relationship has ended, the purpose lapses.
- Treating skin and allergy data as ordinary paper. That is special-category data.
- Using treatment photos without consent. Portfolio and social media use requires separate consent.
- Throwing cards away unshredded. A client card with health data found on the street is a data breach, and with health data almost certainly one you must report.
- Keeping no proof. Without a certificate you cannot demonstrate that the destruction took place.
Frequently asked questions
How long does a beauty salon keep a client card?
The administration falls under the seven-year tax retention obligation. The client card with skin and allergy data you keep while the client is under treatment with you and for a short period afterwards, after which it may go.
Are skin and allergy data special data?
Yes. Information about skin conditions, allergies, medication use or pregnancy on a client card is health data and therefore special-category personal data. Treat it separately and destroy it at a fine level.
May I keep before-and-after photos of a treatment?
Only with consent. Treatment photos show a recognisable person and sometimes a skin condition. Use them only for the agreed purpose and clear them out as soon as that purpose lapses or consent is withdrawn.
How do I destroy client data in line with the GDPR?
Confidentially and at a fine level, with a certificate of destruction. Paper and data carriers travel sealed until destruction, and the destruction is recorded in the record of processing activities.
Conclusion
A beauty salon or nail studio processes health data through the client card and sometimes treatment photos. Keep the administration seven years, keep the client card while the client is under treatment and for a short period afterwards, and treat skin and allergy data separately. Use photos only with consent. Whatever may go, you have destroyed confidentially at a fine level, with a certificate as proof. That way you protect your clients' health data.
Read also: gyms and fitness clubs: destroying member data, tattoo and piercing studios: destroying consent forms, coaches and psychologists: destroying session notes and the GDPR retention periods cheatsheet.
Have client cards collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.
Also relevant: Sauna and wellness: destroying customer data.