GDPR for Hairdressers in Belgium: What You Must Know

Steven | TrustYourWebsite · 12 June 2026 · Last updated: June 2026

Hairdressers process more personal data than most other small businesses. Not just names and phone numbers, but also allergy records, which count as special categories of personal data under the GDPR (Regulation (EU) 2016/679).

The GBA/APD, the Belgian data protection authority, has not published a decision aimed specifically at a hair salon, and hairdressers are not a priority sector. But the rules are the same for everyone, the authority works complaint-driven and the threshold is low. The case that ended in 2024 with a €172,431 fine began with one complaint from one customer about a €1.50 surcharge (Decision 87/2024). Salons that process health data without the right legal basis run the biggest risk.

Want to know where your salon stands? Scan your website for free to check the cookie banner, privacy policy and company number.


Allergy records: a special category of personal data

When you ask clients about allergies, for hair colour, chemical treatments or skin products, you are processing health data. That makes it a special category of personal data under Article 9 GDPR. Unlike a doctor or dentist, a hairdresser cannot rely on the healthcare exemption in Article 9(2)(h). You need explicit consent (Article 9(2)(a)), and a pre-ticked box is not enough.

What this means for your salon:

  • You need explicit, documented consent to process allergy records
  • You must describe how you secure this data (paper cards in a locked cabinet, digital records with access controls)
  • You may not keep the data longer than necessary
  • Clients have the right to access, correct and delete their data

In practice. Use an intake form with a consent box for health data and keep the form as your proof of consent. A skin test before a colour treatment also produces health data. Note the result on the client card.

Example wording for your intake form:

☐ I give Hair Salon [name] permission to keep my allergy and skin sensitivity details on my client card so that treatments can be carried out safely. I can withdraw this consent at any time via [email address].

Date the form, store it with the client card and note any withdrawal. If a client withdraws consent, delete the allergy records. The rest of the client card may remain in place on a different legal basis.


Client cards and client profiles

A client card with name, contact details, colour formula and treatment history is a personal file. All GDPR rules apply:

  • Inform clients about what you keep and why
  • Store data securely (not on an open list behind the reception desk)
  • Set retention periods and apply them
  • Delete data when a client asks for it

About retention periods. There is no statutory retention period for client cards. In its Recommendation 01/2025 on direct marketing the GBA/APD deliberately sets no fixed number. You must choose a proportionate period and justify it. Our practical advice, not a GBA/APD rule, is two years after the last visit for colour formulas and treatment history. Record your choice in your privacy policy and processing register.

A guideline per category, our practical advice unless stated otherwise:

  Data                                    Period                                                     Status
  Colour formulas and treatment history   2 years after the last visit                               TYW advice, justify it yourself
  Allergy forms (consent)                 While the client relationship lasts, or until withdrawal   TYW advice
  Invoices and accounting records         7 years                                                    Statutory, Art. III.86 WER
  Newsletter subscriptions                Until unsubscribe                                          GDPR (consent)

And if you ignore these rules? In Decision 87/2024 a company kept sending marketing emails and calls after the customer had his data erased and objected. The Litigation Chamber imposed €172,431 (reduced from €245,000 under the EDPB fining guidelines). Ignoring a client's deletion request is not an administrative detail.

Do you send newsletters or SMS reminders with promotions? Then the opt-in rule of Article XII.13 of the Code of Economic Law applies on top. Prior consent is required, except for existing customers you email about similar services. A plain appointment confirmation or reminder without advertising does not fall under it.


The processing register: the exemption is smaller than you think

Many salons assume the register of processing activities (Article 30 GDPR) only applies to large companies. It does not. The exemption in Article 30(5) for organisations with fewer than 250 employees is, according to the GBA/APD's SME FAQ, "very limited". It lapses as soon as the processing is not occasional or covers special categories of data. A salon that keeps structural client cards, and certainly one that records allergy details, simply needs a register.

The good news: for a salon the register is one or two pages. For each activity (appointments, client cards, allergy forms, newsletter, any cameras) note which data, for which purpose, on which legal basis, how long it is kept, who has access and how it is secured.


Cameras in the salon

If a surveillance camera hangs in your salon, the Camera Act of 21 March 2007 applies on top of the GDPR:

  • Declaration. Declare every surveillance camera electronically no later than the day before first use via www.aangiftecamera.be, and validate the declaration annually (Royal Decree of 8 May 2018).
  • Pictogram at the entrance with the legally required details (Royal Decree of 28 May 2018).
  • Retention. One month at most (Articles 6 §3 and 7 §3 of the Camera Act), longer only if the footage is evidence of a crime, damage or nuisance.
  • Staff on camera? Then CBA No. 68 also applies. Permanent monitoring of employees behind the chair conflicts with data minimisation. In Warning 154/2023 a retailer that permanently filmed shop staff received a formal warning from the Litigation Chamber.

Online booking systems

Treatwell, Salonized, Planfy and similar tools process personal data on your behalf. You are the controller, so you are responsible for how your clients' data is used.

What you must check:

  1. Data processing agreement. Do you have a data processing agreement (DPA) with the software vendor? This is mandatory under Article 28 GDPR. The Belgian privacy law of 30 July 2018 supplements the GDPR in Belgian law.
  2. Data location. Is the data stored on EU servers, or is it transferred to the US or other countries outside the EEA? Transfers outside the EEA need a transfer mechanism under Chapter V GDPR (an adequacy decision or standard contractual clauses), and the vendor's documentation should say which one it relies on.
  3. Access security. Who can get into the booking system? Do staff only have access to what they need?

Your salon's website

If your website has a contact form or booking form:

  • Privacy policy required. It describes which data you collect and how you use it. Our privacy policy guide with free generator walks you through it.
  • Cookie banner required if you use analytics or social media embeds. See the Belgian cookie banner rules the GBA/APD checks for.
  • Company number visible in the footer (a legal obligation in Belgium).

For that cookie banner, Belgium applies stricter rules than many off-the-shelf themes can handle. The GBA/APD cookie checklist (October 2023) requires a "refuse all" button on the first layer as prominent as "accept all", prohibits pre-ticked boxes and states that first-party analytics (such as Google Analytics) also require consent in Belgium. Withdrawing consent must take one click, with real effect.

Do you use Instagram or Facebook embeds? They load cookies and send data to Meta, which requires prior consent. The banner must block these embeds until consent is given. For everything else your site must cover, run through our GDPR checklist for Belgian businesses.
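One way to make the banner actually block Meta embeds until consent, and to give withdrawal "real effect", is to keep the embed URL out of the `src` attribute entirely and only set it after an explicit choice. The following is an added example, not code from the original article or from any vendor; the `data-consent-src` attribute, the vendor map and the `FakeElement` stand-in (so the code runs under Node without a DOM) are this example's own conventions. Note what the technique can and cannot do: blocking before consent prevents Meta from setting cookies in the first place, but once a frame has loaded, cookies set on Meta's own domains cannot be deleted by your script, which is why the default state must be deny.

```javascript
// Added example: consent-gated loading of third-party embeds.
// The real embed URL lives in data-consent-src, which the browser never
// fetches; src is only set after consent and reset on withdrawal.
// Attribute name and vendor map are this example's conventions, not a rule.

// Map embed hostnames to a consent purpose. Anything not listed is treated
// as an unknown third party and stays blocked (fail closed).
const VENDOR_BY_HOST = {
  'www.instagram.com': 'meta',
  'instagram.com': 'meta',
  'www.facebook.com': 'meta',
  'facebook.com': 'meta',
};

// Default state: nothing pre-ticked. Only an explicit click changes it.
function defaultConsent() {
  return { meta: false };
}

function vendorOf(url) {
  try {
    const host = new URL(url).hostname.toLowerCase();
    return VENDOR_BY_HOST[host] || null;
  } catch (e) {
    return null; // missing or unparseable URL: never load it
  }
}

// Apply the consent state to every element carrying data-consent-src.
// Returns counts so the banner code (or a test) can verify the effect.
function applyConsent(elements, consent) {
  const result = { loaded: 0, blocked: 0 };
  for (const el of elements) {
    const realSrc = el.getAttribute('data-consent-src');
    const vendor = vendorOf(realSrc);
    const allowed = vendor !== null && consent[vendor] === true;
    if (allowed) {
      el.setAttribute('src', realSrc);
      result.loaded++;
    } else {
      // about:blank navigates an already-loaded frame away from the vendor,
      // so withdrawal stops further data flow rather than just hiding it.
      el.setAttribute('src', 'about:blank');
      result.blocked++;
    }
  }
  return result;
}

// One-click withdrawal: reset every purpose to false and re-apply.
function withdrawAll(elements) {
  const consent = defaultConsent();
  const result = applyConsent(elements, consent);
  return { consent, result };
}

// Minimal stand-in for a DOM element so the example runs under Node.
// In the browser, pass document.querySelectorAll('[data-consent-src]').
class FakeElement {
  constructor(attrs) { this.attrs = { ...attrs }; }
  getAttribute(name) {
    return Object.prototype.hasOwnProperty.call(this.attrs, name) ? this.attrs[name] : null;
  }
  setAttribute(name, value) { this.attrs[name] = String(value); }
}

// Constructed sample markup: two Meta embeds and one unknown third party.
function sampleEmbeds() {
  return [
    new FakeElement({ 'data-consent-src': 'https://www.instagram.com/p/EXAMPLE/embed' }),
    new FakeElement({ 'data-consent-src': 'https://www.facebook.com/plugins/page.php?href=example' }),
    new FakeElement({ 'data-consent-src': 'https://widgets.example-reviews.test/badge' }),
  ];
}

// Usage: start blocked, load Meta embeds on "accept", reset on "withdraw".
const embeds = sampleEmbeds();
applyConsent(embeds, defaultConsent());
applyConsent(embeds, { meta: true });
withdrawAll(embeds);
```

In real markup the iframe is written as `<iframe data-consent-src="https://www.instagram.com/..." src="about:blank">`, the banner's "accept" handler calls `applyConsent` with the chosen purposes, and the "withdraw" link calls `withdrawAll`. Because the unknown review widget above has no vendor mapping, it is never loaded; adding a host to `VENDOR_BY_HOST` is a deliberate decision you can record in the processing register.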


Practical checklist for hairdressers

  Item                                                        Action required?
  Allergy form with consent box                               Yes
  Processing register (Art. 30 GDPR)                          Yes, with structural client records
  Data processing agreement with booking software             Check
  Client data stored securely                                 Yes
  Retention periods set, justified and applied                Yes
  Camera declaration via aangiftecamera.be plus pictogram     Yes, for surveillance cameras
  Privacy policy on the website                               Yes
  Company number in the website footer                        Yes
  Cookie banner with an equally prominent refuse button       Yes, with analytics or embeds

Common questions

Do client allergy records fall under the GDPR?

Yes. Information about allergies is health data and falls under the special categories of personal data in Article 9 GDPR. You need explicit consent to process it and you must describe how you secure it in your privacy policy.

Does my hair salon need a privacy policy?

Yes, if you process personal data, and you certainly do if you use an appointment system, client cards or an online booking tool. The privacy policy must be available on your website and at the point where you collect data from clients, such as the intake form.

Is Treatwell or Salonized GDPR compliant?

Treatwell and Salonized are themselves controllers or processors. You must check whether they offer a data processing agreement and whether their servers are located in the EU. Consult their privacy documentation.

Do I need to keep a processing register as a hairdresser?

In practice almost always. The exemption in Article 30(5) GDPR for organisations with fewer than 250 employees is very limited according to the GBA/APD. As soon as you keep client records on a structural basis, and certainly with health data such as allergies, a register is required.


Check your website for free

Our scanner automatically checks the visible parts of your website's compliance: the cookie banner, privacy policy, company number and more.

Scan your website for free →



This is technical analysis, not legal advice. Consult a qualified lawyer for specific legal guidance.