Hair and beauty salons: destroying client data safely
A hair or beauty salon processes more sensitive data than it seems. Client cards with allergies, skin information, phone numbers and treatment history fall under the GDPR. Some of it even falls under the stricter rules for health data. Those documents should be destroyed confidentially, not put with the waste paper.
In the bustle of a salon, privacy is rarely top of the list. Yet every day you collect data that you must handle carefully, from the client card by the mirror to the card receipt in the till drawer. This article explains which data a salon processes, why some of it needs extra protection and how to destroy everything safely and GDPR-proof.
Which data does a salon hold?
More than you would think at first glance. A typical hair or beauty salon keeps:
- Client cards with name, phone number, colour formulas and treatment history.
- Allergy and skin information for dye, peels or other treatments.
- Appointment books and no-show lists with names and contact details.
- Card and till receipts from the till drawer.
- Personnel data of staff and trainees.
- Supplier invoices as part of the records.
Special data: allergies and skin
This is where a salon differs from an ordinary shop. Information about allergies, skin conditions or a sensitive scalp is health data. The GDPR counts that among the special categories, for which stricter rules apply. You may process it because it is needed for a safe treatment, but you must handle it with extra care. That means storing it well secured and destroying it to a high level once it is no longer needed. How this fits the wider GDPR picture is explained in GDPR requirements for SMEs.
What the GDPR specifically requires
The GDPR has two articles that matter directly for a salon. Article 5 puts storage limitation at the centre, the idea that you do not keep personal data longer than needed for the purpose you collected it for. A client card of someone who has not come for years therefore falls outside that. Article 32 requires appropriate technical and organisational measures to protect that data. That duty runs until the moment a document is destroyed beyond legibility.
If it does go wrong, for example because a stack of client cards ends up unshredded with the waste paper, that is a data breach. A serious data breach must be reported within 72 hours to the data protection authority. Structural negligence can lead to a fine. For a small salon that sounds heavy, but the practice is simple: careful destruction prevents the whole scenario.
How long do you keep salon data?
The GDPR's main rule is storage limitation. You do not keep data longer than needed. For a salon that concretely means:
- Keep the financial records for 7 years; that is the tax retention obligation.
- Keep client cards as long as someone is a client. If a customer no longer comes for years, clear out the card.
- Keep card receipts and appointment lists no longer than needed for handling.
An overview per document type is in the retention periods cheatsheet.
Paper or digital: clear out both
Many salons now work with a digital till system or a booking app. Yet paper remains, think of old client cards in a card box, printed appointment lists and card receipts. Clear out both. Delete digital client profiles you no longer need and destroy the paper confidentially. Do you have an old computer or till system being replaced? It often still holds years of client data. Hand over the data carrier for physical destruction, see data destruction.
Which DIN level do you need?
How finely paper must be shredded is set out by the DIN 66399 standard in security levels. For a salon, these are the relevant ones:
| Level | Particle size | Suitable for |
|---|---|---|
| P-2 | Strips | General print without data |
| P-4 | Small particles | Client cards, appointment lists, invoices |
| P-5 | Very small particles | Allergy and health data |
For ordinary client data P-4 is the workable minimum. If you process health data such as allergies or skin conditions, choose P-5. A cheap office shredder rarely reaches that high a level; professional destruction does.
Destroy safely, not with the waste paper
A client card with an allergy and a phone number does not belong in the paper bin behind the shop. An open container stands on the street and is accessible to anyone. For a few cards a week a good shredder is enough, but as soon as you clear out a card box or several boxes at a time, having it collected is faster and safer. You then receive a certificate as proof that everything was handled confidentially. The general approach is described in destroying confidential documents, and the costs in what does archive destruction cost.
The proof: certificate of destruction
If you have the material collected, you receive a certificate of destruction stating the date, quantity and DIN level. For a salon working with health data that is extra valuable. Should a client ever ask what happened to their data, you can immediately show that everything was destroyed carefully.
What if it goes wrong? A data breach at a salon
Imagine a staff member accidentally throws a stack of old client cards in the ordinary paper bin behind the shop. A passer-by sees the cards lying there, with names, phone numbers and notes about treatments. That is a data breach, even though it was a mistake. You then assess whether it poses a risk to the people involved. If so, you report it within 72 hours to the data protection authority and inform the affected clients where needed.
A fixed destruction route makes such a mistake almost impossible. With a locked bin for paper to be destroyed and a periodic collection, everyone knows where sensitive documents go and nothing is left in the wrong place.
The digital side and the cloud
More and more salons work with an online booking system or an app on the tablet at the desk. Handy, but it moves the privacy question to the cloud. Check which provider you work with and whether there is a processing agreement, because you remain responsible for your clients' data. If you occasionally export a client list to a spreadsheet, delete those exports as soon as you no longer need them. Do not forget the old devices, because a replaced tablet or till system often still holds years of client data that must be physically destroyed.
A real-world example
Imagine a beauty salon switching to a new booking system. For years the owner worked with a card box full of client cards, holding colour formulas, allergies and phone numbers. That box does not move to the digital system, but first lands in a corner of storage and then almost in the paper bin. It is precisely those cards that hold the most sensitive information of hundreds of clients. Instead of putting the box with the waste paper, the salon has the cards destroyed confidentially in one go, with a certificate. A small effort that prevents a data breach. The same applies when a salon closes or is taken over. The old client administration should not simply end up with a new owner, but be destroyed confidentially once it is no longer needed for an ongoing treatment or the accounts.
Destroy yourself or have it collected?
For a handful of cards a month an office shredder next to the desk is enough, provided it shreds finely enough for sensitive data. But when clearing out a whole card box, old appointment books or a box of receipts, such a device jams quickly. Then having it collected is more practical. A certified party collects the material, destroys it to the right DIN level and gives you a certificate. For a salon working with health data, that high level is no needless luxury but a logical choice.
Client trust as a bonus
In a salon, privacy is also a matter of trust. Clients share personal things, from a skin problem to an upcoming wedding. Those who notice a salon handles that information carefully feel taken seriously. A visibly tidy desk without cards lying around and a clear approach to old data contribute to that. It takes little effort, but strengthens the image of a professional business.
Costs and process: what can you expect?
Having it destroyed is no big expense for a salon. You pay a fixed price per box or per collection, known in advance, with no surprises afterwards. Within 20 km of Amsterdam we charge no call-out fee, which makes it extra attractive for a local salon. The process itself is short and costs you hardly any time.
You tell us how much material you have, for example a card box and a box of card receipts. You then plan a collection that fits your schedule, so it does not disrupt the busy salon. We collect the material at your location, in a locked bin for sensitive documents. After that everything is destroyed to the agreed DIN level and recycled. Within a few working days you receive the certificate. For an average salon a few collections a year is ample, tuned to how fast your archive grows.
Periodic or one-off collection?
Do you have a one-off clear-out, for example when switching to a digital system or renovating the shop? Then a one-off collection of the old archive is enough. Do you continuously produce sensitive paper, such as daily card receipts and new client cards? Then a fixed frequency is handier: you place a locked bin that is emptied periodically, for example each quarter. That way your salon stays tidy by itself without anyone having to think about it much.
Practical tips for the salon
- Place a locked bin at the desk, not an open waste bin for paper with data.
- Set a fixed clear-out moment, for example at the year-end or the change of season.
- Agree it with the team, so new staff and trainees also know where sensitive paper goes.
- Keep the certificates together in a separate folder, so you can show something immediately if asked.
Arranged in 4 steps
- Take stock. Go through the card box, the till drawer and the storage room and see what can go that contains personal data.
- Separate keep from destroy. Keep the financial records for 7 years and clear out old client cards.
- Destroy sensitive material to a high DIN level: a handful of cards yourself, a full box via a collection.
- Keep the certificate in your GDPR file as proof towards a client or supervisor.
Common mistakes
- Client cards with the waste paper. With a name, phone number and allergy that is a data breach.
- Keeping an old card box for years. Cards of clients who no longer come should be cleared out.
- Only thinking of paper. The old till system holds client data just as much.
- Binning card receipts loose. Those contain traceable data too.
Clearing out the salon or switching to digital?
We collect your old client cards, appointment books and card receipts and destroy them confidentially, with a certificate. No call-out charge within 20 km of Amsterdam.
Request a quote
Frequently asked questions
Do salon client cards fall under the GDPR?
Yes. A client card with a name, phone number and treatment data contains personal data. Allergy and skin information also counts as health data, a special category with extra protection.
How long may a salon keep client data?
No longer than needed for the service. Keep the financial records for 7 years and clear out client cards of customers who no longer come.
Do I have to protect allergy information separately?
Yes. Data about allergies and skin conditions is health data. It should be kept with extra care and destroyed to a high level.
What do I do with old card receipts and appointment books?
Card receipts and paper appointment books with names and phone numbers should be destroyed confidentially, not put with the waste paper.
Which DIN level is needed for client cards?
For ordinary client data DIN 66399 P-4 is the workable minimum. For allergy and health data P-5 is indicated.
Must I report a data breach from binned cards?
If lost data poses a risk to the people involved, you report the data breach within 72 hours to the data protection authority. A fixed destruction route prevents such incidents.
Conclusion
A hair or beauty salon processes more sensitive data than the busy daily schedule suggests. Client cards, allergy information and card receipts should be destroyed confidentially, and health data calls for extra care. Clear out periodically, destroy both paper and old data carriers, and keep the certificate as proof. A few collections a year, a locked bin at the desk and a folder of certificates: not much more is needed. That keeps your salon GDPR-proof without taking much time.
Ready to clear out your salon? Request a quote via desnipperaar.nl or see how to have paper shredded. Within 5 minutes you have a fixed price.