
Tattoo and piercing studios: destroying consent forms

A tattoo or piercing studio has every client fill in a consent form, and that form contains more sensitive information than it seems: name and date of birth, but also questions about allergies, medication use, pregnancy and blood-borne diseases. That is health data and therefore special-category personal data. For minors, parental consent is added. This guide shows how long you keep those forms and how to destroy them confidentially.

The quick answer: keep the administration for seven years under the tax retention obligation. Keep the consent form with health questions while there is a reason, such as aftercare or a possible complaint, and clear it out confidentially afterwards. Because the forms contain health data, destroy them at a fine level, with a certificate as proof.

Why a consent form is sensitive

A consent form is not a simple signature. Before a needle comes into play, the studio asks about the client's health: allergies, medication use, cardiovascular conditions, diabetes, pregnancy and sometimes contagious blood-borne diseases. That information is needed to work safely, but it is health data and therefore special-category personal data under the GDPR, with stricter rules. That makes the form more sensitive than an ordinary client form.

The GDPR requires storage limitation and extra protection of health data. Do not keep the form longer than necessary for aftercare or a possible complaint, and destroy it afterwards so that nothing remains reconstructable.

Retention periods by part

The period differs per type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the other periods from the treatment.

| Part | Starting point | Period |
|---|---|---|
| Administration and invoicing | Tax retention obligation | 7 years |
| Consent form with health questions | Aftercare and possible complaint | purpose-bound, destroy finely |
| Parental consent (minor) | Extra protection | destroy finely |
| Photos of the result | Only with consent | as long as consent applies |
| Aftercare instructions and contact | While there is aftercare | purpose-bound |
| Correspondence and drafts | No retention obligation | clear out at once |

Use this as a guideline, not a final legal ruling. Set the retention period of the form in your own policy. The tax side is covered in the 7-year tax retention obligation.

Treating health questions separately

The part of the form with health questions is the most sensitive. Keep it recognisably separate, give access only to whoever does the treatment and destroy it at a fine level once the reason to keep it has lapsed. That way you avoid a form with a signature and a health declaration lying unmanaged in a drawer for years. Use photos of the result only with consent, just as a photographer does; see photographers: destroying client photos and portraits.

Minors and parental consent

Stricter rules apply to a piercing or tattoo for a minor, and parental consent is often needed. The data you process for that, including that of the child and the parents, enjoys extra protection under the GDPR. Do not keep it longer than necessary and destroy it carefully at a fine level. Treat this part separately, so you can clear it out specifically once the reason to keep it has lapsed.

How to handle it in 6 steps

  1. Split the data into administration, consent form, parental consent and photos.
  2. Treat the health questions separately and at a fine destruction level.
  3. Use photos only with consent and clear them out on withdrawal.
  4. Assess per form whether the aftercare period and complaint window are past.
  5. Collect what may be destroyed in sealed containers, not in the paper bin.
  6. Have it destroyed confidentially with a certificate and record it in your register.

Destroy confidentially with a certificate

Consent forms are destroyed confidentially at a fine level, because they contain health data. The paper and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old studio computer or backup with client data and photos belongs with it too.

Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof under the GDPR that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; everything goes through collection by appointment.

Consent forms to be destroyed?

Tell us what you have and you get a fixed price. We collect it sealed, destroy it at a fine DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.

Common mistakes

  • Keeping consent forms for years. After aftercare and the complaint window the purpose lapses.
  • Treating health questions as ordinary paper. That is special-category personal data.
  • Using photos without consent. Portfolio and social media require consent.
  • Throwing away unshredded. A form with health data on the street is a reportable data breach.
  • Keeping no proof. Without a certificate you cannot demonstrate the destruction.

Frequently asked questions

How long does a tattoo studio keep a consent form?

The administration falls under the seven-year tax retention obligation. Keep the consent form with health questions while there is a reason, such as aftercare or a complaint, and clear it out confidentially afterwards.

Are health questions on a consent form special data?

Yes. Questions about allergies, medication use, pregnancy or blood-borne diseases are health data and therefore special-category personal data. They require extra protection and destruction at a fine level.

Do extra rules apply to minors?

Yes. Stricter rules apply to a piercing or tattoo for a minor and sometimes parental consent is needed. Children's data enjoys extra protection and you must keep and destroy it carefully.

How do I destroy consent forms in line with the GDPR?

Confidentially and at a fine level, with a certificate of destruction. Paper and data carriers travel sealed and the destruction is recorded in the record of processing.

Conclusion

A tattoo or piercing studio processes health data through the consent form, and for minors also parental consent. Keep the administration seven years, keep the form while there is aftercare or a complaint risk and treat the health questions separately. Whatever may be cleared out, have it destroyed confidentially at a fine level, with a certificate as proof. That way you protect your clients' health data and can demonstrate that you work carefully.

Read also: gyms and fitness clubs: destroying member data, beauty salons: destroying client data, coaches and psychologists: destroying session notes and the GDPR retention periods cheatsheet.


Have consent forms collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.