GDPR for hair & beauty salons in the UK: NHBF guide
Steven | TrustYourWebsite · 17 May 2026
UK salons sit in an awkward middle ground: the data is more sensitive than most retailers (patch-test allergies, skin conditions, payment records, often photographs), but salon owners are usually trying to run a busy chair, not parse legislation. The good news is that the National Hair & Beauty Federation (NHBF) and BABTAC have done a lot of the translation work — but the legal obligations sit with you as the data controller, not the trade body.
This guide covers what a UK salon — from a sole-trader stylist to a chain of beauty clinics — needs to do to stay compliant with the UK GDPR, the Data Protection Act 2018 and PECR (the marketing rules).
Why salons are in GDPR scope
Even a single-chair salon collects:
- Client names, contact details, dates of birth (loyalty programmes), postcode (marketing geofencing)
- Booking history and treatment notes
- Patch-test results, allergy declarations, skin-sensitivity notes
- Payment details (collected via Stripe, Square, SumUp — usually as a controller-to-controller pass-through, but the booking record is yours)
- Photographs and consent forms for before-and-after marketing
- Sometimes CCTV footage of the salon floor
You are a data controller the moment the first client provides their phone number to book an appointment. There is no "small salon exemption" from UK GDPR — only from the ICO data protection fee, and even that exemption is narrow.
Patch-test records as health data
Allergy, sensitivity and adverse-reaction information collected before a treatment is health data under UK GDPR Article 4(15) and therefore a special category under Article 9(1). That covers:
- The pre-treatment consultation form (allergies to PPD, ammonia, formaldehyde-releasing preservatives)
- Patch-test results 24 or 48 hours before colouring
- Reactions noted during or after a treatment
- Pregnancy or medical-condition disclosures (gel-polish on chemotherapy patients, retinol contraindications)
To process special-category data lawfully, three things must stack together:
- An Article 6 lawful basis. Usually Article 6(1)(b) — necessary for performance of the treatment contract.
- An Article 9 condition. Either 9(2)(h) (provision of healthcare, where treatments have a therapeutic / medical justification — common for trichology, electrolysis, certain cosmetic dermatology), or 9(2)(a) (explicit consent) for purely cosmetic services where the health-data collection is to protect the client.
- A DPA 2018 Schedule 1 condition. Paragraph 2 of Part 1 (health or social care purposes) for the 9(2)(h) route. If you rely on 9(2)(a) consent the Schedule 1 condition is not required — but the consent must meet the high UK GDPR bar (specific, informed, freely given, withdrawable).
Many salons will be cleanest using 9(2)(a) explicit consent for patch-test and allergy disclosures: the form the client signs at consultation is the consent, and it should clearly say what you'll do with the information, how long you'll keep it, and how to withdraw consent. Where 9(2)(h) is the chosen route, the Schedule 1 paragraph-2 condition does not require a separate appropriate policy document.
Either way, store the records in a way that limits access to staff who need it — not in a shared file in the salon back office where any junior stylist can browse.
Booking platforms and Article 28 processors
Almost every UK salon uses a booking and practice-management platform. Each one is a processor under UK GDPR Article 28, and each one needs a written data-processing agreement.
| Platform | Hosting | Notes for UK salons |
|---|---|---|
| Treatwell | EU (UK + Ireland) | UK personal data largely in-region; the partner DPA covers Treatwell's own processing as a controller for the marketplace side too — read it carefully because "controller for marketplace, processor for your direct bookings" creates dual roles |
| Phorest | EU (Dublin) | Standard SaaS DPA covers their role; Phorest's own marketing tools are a separate consent flow |
| Fresha | EU + US multi-region | UK tenant data primarily EU-hosted but their global product replicates to US — the IDTA / UK Addendum to SCCs needs to cover the US replica |
| Booksy | EU + US | US-hosted analytics components — transfer mechanism required |
| SalonIQ / Salon Genius | UK | UK hosting; standard Article 28 DPA still required |
| Timely | Australia / EU | UK personal data flows to Australia for some tenants — IDTA / UK Addendum required |
What to confirm in writing with every booking platform:
- An Article 28 data-processing agreement covering the eight mandatory points (instructions, confidentiality, security, sub-processors, data-subject rights assistance, breach notification timing, return/deletion at end of contract, audit rights)
- The sub-processor list and the right to object to changes (most have Mailchimp/Twilio/SendGrid for messaging and Stripe for payments — each is a sub-processor)
- The hosting country and the transfer mechanism for any data leaving the UK
- Security certifications — ISO 27001 and Cyber Essentials are normal in this market
- The breach-notification SLA — UK GDPR Article 33 gives you 72 hours from awareness to notify the ICO; your processor must give you "without undue delay" notice. In practice 24-48 hours is the standard contractual ask
The NHBF Member Resources include template DPA-review checklists — they are a sensible starting point if this is the first time you have read a SaaS contract.
SMS and email marketing: PECR vs UK GDPR
This is where most salons trip up. There are two rule sets layered on top of each other:
- UK GDPR governs whether you can hold and process the email or phone number at all (lawful basis under Article 6)
- PECR (the Privacy and Electronic Communications Regulations 2003) governs whether you can actually send a direct marketing message to it
A reminder of an existing booked appointment ("Your appointment is tomorrow at 14:30") is a service message, not direct marketing. PECR Reg 22 does not apply; UK GDPR contract (Article 6(1)(b)) is the lawful basis.
A re-engagement message six weeks after the last visit ("It's time to rebook!") is direct marketing. PECR Regulation 22 applies. You need:
- The recipient's prior consent to direct marketing (specific tick-box, separate from the booking form), or
- The PECR soft opt-in — narrow conditions: (a) the contact details were obtained in the course of a sale or negotiations for the sale, (b) the marketing is only about your own similar services, (c) the recipient was given a simple, free opportunity to opt out at the point of collection, (d) every subsequent message also offers a free opt-out
Sending a "How was your visit?" survey followed by an offer is borderline; safer to treat it as marketing. For the bigger picture and a worked example of consent vs soft opt-in, see newsletter signup form rules for the UK.
The ICO has fined PECR breaches in the salon-adjacent space (cosmetics retailers, online beauty subscriptions) into six figures; the regulator treats SMS-bombing as a higher-harm offence than email marketing.
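The service-versus-marketing split and the two lawful routes above are easiest to keep straight when they are enforced in code at the point of sending. The following is an added example, not code from the NHBF guide or from any booking platform: a pre-send gate that classifies each outbound SMS/email and then checks consent or the soft opt-in conditions for every contact. The contact records, field names and message kinds are this example's own constructed conventions; a real CRM will store the same facts under different names.

```javascript
// Added example (not from the NHBF guide or any booking platform): a pre-send
// gate applying the PECR Regulation 22 logic described in the text.
// Field names, message kinds and the sample contacts are constructed for this example.

// Messages about an existing booking are service messages. Anything else,
// including a "how was your visit?" survey that carries an offer, is treated
// as direct marketing (the safer reading the text recommends).
const SERVICE_KINDS = new Set(['appointment_reminder', 'appointment_change', 'patch_test_due']);

function classify(message) {
  return SERVICE_KINDS.has(message.kind) ? 'service' : 'marketing';
}

// Returns { allowed, basis } for one contact/message pair.
function canSend(contact, message) {
  if (classify(message) === 'service') {
    // Reg 22 is not engaged; the booking contract (UK GDPR Art 6(1)(b)) is the basis.
    return { allowed: true, basis: 'service message: UK GDPR Art 6(1)(b), PECR Reg 22 not engaged' };
  }
  // Direct marketing from here on. An opt-out always wins, whatever the original basis.
  if (contact.optedOut) {
    return { allowed: false, basis: 'recipient has opted out' };
  }
  // Every marketing message must itself offer a free opt-out.
  if (!message.includesOptOut) {
    return { allowed: false, basis: 'message carries no opt-out' };
  }
  // Route 1: prior, specific consent to direct marketing that has not been withdrawn.
  if (contact.marketingConsentAt && !contact.consentWithdrawnAt) {
    return { allowed: true, basis: 'PECR Reg 22(2) consent' };
  }
  // Route 2: soft opt-in. All remaining conditions must hold together:
  // details obtained during a sale, opt-out offered at collection, own similar services only.
  if (contact.obtainedDuringSale && contact.optOutOfferedAtCollection && message.aboutOwnSimilarServices) {
    return { allowed: true, basis: 'PECR Reg 22(3) soft opt-in' };
  }
  return { allowed: false, basis: 'no consent and soft opt-in conditions not met' };
}

// Reduces a mailing list to the contact ids that may lawfully receive the message.
function buildSendList(contacts, message) {
  return contacts.filter(c => canSend(c, message).allowed).map(c => c.id);
}

// Constructed sample contacts covering the cases the text distinguishes.
const CONTACTS = [
  // Ticked the separate marketing box at booking.
  { id: 'c1', marketingConsentAt: '2025-01-10', consentWithdrawnAt: null, obtainedDuringSale: true, optOutOfferedAtCollection: true, optedOut: false },
  // No consent, but details came from a paid treatment and an opt-out was offered: soft opt-in candidate.
  { id: 'c2', marketingConsentAt: null, consentWithdrawnAt: null, obtainedDuringSale: true, optOutOfferedAtCollection: true, optedOut: false },
  // Paid client, but the booking form never offered an opt-out, so the soft opt-in fails.
  { id: 'c3', marketingConsentAt: null, consentWithdrawnAt: null, obtainedDuringSale: true, optOutOfferedAtCollection: false, optedOut: false },
  // Consented, then withdrew by replying STOP.
  { id: 'c4', marketingConsentAt: '2024-06-01', consentWithdrawnAt: '2025-03-02', obtainedDuringSale: true, optOutOfferedAtCollection: true, optedOut: true },
  // Number collected from a competition entry, never a sale: no soft opt-in.
  { id: 'c5', marketingConsentAt: null, consentWithdrawnAt: null, obtainedDuringSale: false, optOutOfferedAtCollection: true, optedOut: false },
];

const REMINDER = { kind: 'appointment_reminder', aboutOwnSimilarServices: false, includesOptOut: false };
const REBOOK_OFFER = { kind: 'rebook_offer', aboutOwnSimilarServices: true, includesOptOut: true };
const SURVEY_OFFER = { kind: 'survey_with_offer', aboutOwnSimilarServices: true, includesOptOut: false };

for (const m of [REMINDER, REBOOK_OFFER, SURVEY_OFFER]) {
  console.log(m.kind, '->', JSON.stringify(buildSendList(CONTACTS, m)));
}
```

The gate deliberately checks the opt-out first and the message's own opt-out second, so a withdrawn consent or a message with no STOP instruction is blocked before any lawful route is considered; the reminder goes to every contact because it is a service message, the rebook offer reaches only the consented contact and the soft opt-in contact, and the survey-plus-offer reaches nobody until an opt-out is added to it.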
CCTV in salons
Salon CCTV is common in larger sites — front-door, reception, sometimes the colour bar. The ICO's CCTV code applies regardless of whether you call it CCTV or "security cameras":
- Notify with signage at every entrance — operator name, contact, purpose, who to contact for a Subject Access Request
- Document a lawful basis — usually Article 6(1)(f) legitimate interests, with a written balancing test
- Set a retention period and stick to it — 14-30 days is typical for a salon; anything beyond 60 days needs strong justification
- Restrict access to recordings to the salon owner and one named deputy
- Never record audio unless you have a very specific reason; audio is a far higher-intrusion category
- Don't put cameras in treatment rooms, changing areas or toilets. Ever. This is a foundational ICO position and a likely fitness-to-practise concern for any practitioner
If CCTV is mounted to overlook public pavement or a neighbour's property, the Data Protection (Charges and Information) Regulations 2018 ICO fee is mandatory and the small-business exemption is unavailable.
Photography of clients
Before-and-after shots, balayage portfolios, lash-extension reels for Instagram and TikTok — all involve identifiable people, and the photo paired with a treatment caption is special-category-adjacent (you are publishing the fact that this person had this beauty treatment, which can reveal information about appearance, health and personal style).
- Obtain explicit, written, separately-recorded consent for each purpose. Clinical/portfolio use (kept on the client record), social media use, your website portfolio and training use are four distinct purposes; one blanket tick-box is not enough
- State exactly where images will appear (your website portfolio, your Instagram, your TikTok, the salon Pinterest, third-party stylist platforms) and how long they will be retained
- Withdrawal must be as easy as giving consent (Article 7(3)). When a client asks for a take-down, do it across every channel — including reshares
- For under-18s, consent must come from a person with parental responsibility; in Scotland the Age of Legal Capacity (Scotland) Act 1991 means 12-15-year-olds may have capacity in their own right depending on understanding
A generic "we may use your photo for marketing" line in the booking terms does not meet the UK GDPR consent bar. Treat it as a separate document or a signed photo-release form.
Loyalty programmes
- Paper stamp cards — low risk. The card is the record; the salon doesn't hold a database
- Digital loyalty (Phorest Loyalty, Fresha Plus, custom apps) — you are profiling clients (visit frequency, spend per visit, treatment preferences). That triggers Article 13/14 transparency, must appear in your privacy notice, and may need a Data Protection Impact Assessment if you start to use the profile for targeted marketing
- Tiered rewards — be careful that tier-based pricing does not become unlawful discrimination under the Equality Act 2010 (lower prices for under-30s, for example, is a genuine equality issue, not just a GDPR one)
Your salon website
Required on a UK salon site:
- Companies House disclosures if the salon trades through a limited company — registered name, company number, registered office, country of registration. See company website trading disclosures
- Privacy notice covering booking-form data flows, marketing data flows, photo consent, the lawful-basis stack for patch-test data, CCTV, retention periods, ICO complaint route
- Cookie banner compliant with PECR and the ICO's 2025 enforcement standard — see cookie banner rules under the ICO. Reject must be as prominent as accept on the first layer; the booking-system widget and the embedded Instagram reel both drop tracking cookies and should be blocked until consent
- NHBF / BABTAC / Habia membership badge — optional but useful; if you display the badge make sure it is current
- VAT number if you are VAT-registered — required by HMRC on the website if you take orders or display prices
Common gaps on salon sites: the Treatwell / Phorest / Fresha booking widget that drops third-party cookies before consent; embedded Instagram reels that load Meta tracking before the banner is answered; "book now" Facebook Pixel and Google Ads remarketing tags wired into the conversion event of a booking — all GDPR-relevant because the conversion implies an interest in a specific treatment. A free website compliance check will surface this.
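One way to stop the booking widget, reel embeds and remarketing tags loading before the banner is answered is to declare them inert in the HTML and only activate them once the matching consent category is granted. The block below is an added example written for this guide, not code from TrustYourWebsite or from any booking platform or consent tool. It assumes each third-party embed is written as `<script type="text/plain" data-consent="marketing" data-src="https://...">`; the category names, the `salon:consent` event and the sample embed list are this example's own conventions.

```javascript
// Added example (not from the guide or any vendor): consent-gated loading of
// third-party embeds on a salon site. Embeds are declared inert as
//   <script type="text/plain" data-consent="<category>" data-src="<url>">
// and swapped for a live <script> only once that category has been granted.
// Category names, the event name and the sample embeds are constructed for this example.

const CATEGORIES = ['functional', 'analytics', 'marketing']; // strictly necessary cookies need no consent

// Consent state before the banner is answered: everything non-essential is off.
function emptyConsent() {
  return { functional: false, analytics: false, marketing: false };
}

// Records the banner answer. "reject_all" leaves every category false, so
// reject is a single click just like accept; a granular object sets only what was ticked.
function recordBannerChoice(choice) {
  const consent = emptyConsent();
  if (choice === 'accept_all') {
    CATEGORIES.forEach(c => { consent[c] = true; });
  } else if (choice && typeof choice === 'object') {
    CATEGORIES.forEach(c => { consent[c] = choice[c] === true; });
  }
  // 'reject_all', a closed banner or anything unrecognised stays all-false.
  return consent;
}

// Pure decision: which declared embeds may run under this consent state.
// Works on plain objects so it can be tested without a DOM.
function embedsToActivate(embeds, consent) {
  return embeds.filter(e => CATEGORIES.includes(e.category) && consent[e.category] === true);
}

// Browser adapter: finds the inert declarations and replaces the permitted ones
// with a real script element. Returns the number activated; no-op outside a browser.
function activateEmbeds(consent, root) {
  if (typeof document === 'undefined') return 0;
  const doc = root || document;
  const declared = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent][data-src]'))
    .map(el => ({ category: el.dataset.consent, src: el.dataset.src, el }));
  const allowed = embedsToActivate(declared, consent);
  for (const { el, src } of allowed) {
    const live = document.createElement('script');
    live.src = src;
    live.async = true;
    el.replaceWith(live); // the inert tag is consumed, so nothing loads twice
  }
  return allowed.length;
}

// Wire-up in the browser: the banner dispatches the recorded consent on this event.
if (typeof document !== 'undefined') {
  document.addEventListener('salon:consent', ev => activateEmbeds(ev.detail));
}

// Constructed sample declarations mirroring the common gaps listed in the text.
const SAMPLE_EMBEDS = [
  { category: 'functional', src: 'https://booking.example.test/widget.js' },     // booking-system widget
  { category: 'analytics',  src: 'https://analytics.example.test/tag.js' },      // analytics tag
  { category: 'marketing',  src: 'https://social.example.test/reel-embed.js' },  // Instagram/TikTok-style reel loader
  { category: 'marketing',  src: 'https://ads.example.test/pixel.js' },          // remarketing pixel on the booking conversion
  { category: 'tracking',   src: 'https://unknown.example.test/x.js' },          // undeclared category: never activated
];

console.log('reject_all ->', embedsToActivate(SAMPLE_EMBEDS, recordBannerChoice('reject_all')).length);
console.log('accept_all ->', embedsToActivate(SAMPLE_EMBEDS, recordBannerChoice('accept_all')).length);
```

The important property is the default: until `recordBannerChoice` has been called with a real answer nothing but the page's own code runs, and an embed whose category the site never declared stays blocked whatever the visitor chose, which is the failure mode the text describes for booking widgets and reel loaders that are dropped into the page outside the banner's control.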
For the wider UK GDPR baseline see GDPR compliance for UK businesses.
The ICO data protection fee
Under the Data Protection (Charges and Information) Regulations 2018 every controller that is not exempt must pay an annual ICO fee. For salons:
| Tier | Annual turnover | Staff | Fee (DD) | Fee (other) |
|---|---|---|---|---|
| Tier 1 — micro | ≤ £632,000 | ≤ 10 | £35 | £40 |
| Tier 2 — small/medium | ≤ £36m | ≤ 250 | £55 | £60 |
| Tier 3 — large | > £36m or > 250 staff | — | £2,895 | £2,900 |
Most independent salons are Tier 1. A small chain (3-10 sites) usually sits in Tier 2. The small-business exemption only applies to controllers that don't use electronic record-keeping for any personal data — almost no salon qualifies once a booking app or HMRC-required digital books are in play.
Failure to register can result in a monetary penalty of up to £4,350, and the ICO routinely sends discovery letters to unregistered organisations in regulated sectors.
Breach procedure
Typical breaches in this sector:
- A booking-system password is leaked or guessed and a competitor or fraudster pulls the client list
- A staff tablet with the day's client list is left in a taxi
- An email is sent to the wrong group (client list pasted into the To: field instead of Bcc:)
- A salon laptop is stolen during a break-in
If clinical or contact information is exposed:
- Contain. Revoke access, change passwords, recover or remotely wipe the device, isolate the affected systems
- Assess. What data was involved, how many subjects, what is the likely impact on rights and freedoms. Patch-test allergies and treatment history are special-category — the threshold for ICO notification is almost always met
- Notify the ICO within 72 hours of becoming aware, via ico.org.uk/for-organisations/report-a-breach. If you cannot complete the assessment within 72 hours, file a preliminary notification and follow up
- Notify the clients directly where the breach is likely to result in a high risk — clinical detail leaked to a named third party, or a ransomware exfiltration of identifiable records
- Document everything — UK GDPR Article 33(5) requires you to maintain a record of every breach regardless of whether it was notified
- Tell your insurer — most professional indemnity policies require notification within a similar window
Most ICO actions against small salons end in reprimands and improvement notices rather than fines, but the reputational damage of a public reprimand in a local-business community is its own deterrent.
Practical checklist for UK salons
| Item | Required? |
|---|---|
| ICO data protection fee paid (Tier 1 or 2) | Yes |
| Lawful basis stack documented for patch-test / consultation data | Yes |
| Article 28 DPA signed with booking platform | Yes |
| Transfer mechanism (IDTA / UK Addendum) for non-UK processors | Yes, if any data leaves the UK |
| Companies House details in footer | Yes, if incorporated |
| Privacy notice covering booking, marketing, photos, CCTV, retention | Yes |
| Separate explicit consent for clinical/marketing/social media photos | Yes |
| Cookie banner with equally prominent accept/reject | Yes, if using non-essential cookies |
| CCTV signage and retention policy (if used) | Yes |
| Direct-marketing consent or PECR soft-opt-in for SMS/email | Yes |
| Staff trained on confidentiality + GDPR basics | Yes |
| Breach notification procedure (ICO 72h) | Yes |
| Patch-test records securely stored, access-controlled | Yes |
Sources
- NHBF — GDPR for hair, barber and beauty businesses — National Hair & Beauty Federation
- NHBF — Marketing for hair, barber and beauty businesses — NHBF (PECR + soft opt-in framing)
- BABTAC — British Association of Beauty Therapy & Cosmetology — professional standards
- UK GDPR Article 9 — Processing of special categories of personal data — legislation.gov.uk
- Data Protection Act 2018, Schedule 1 — legislation.gov.uk
- Privacy and Electronic Communications Regulations 2003, Regulation 22 — legislation.gov.uk
- ICO data protection fee — Information Commissioner's Office
- ICO direct marketing guidance — ICO
This is technical analysis, not legal advice. Consult the NHBF, BABTAC, your insurer, and a data protection specialist for advice specific to your salon.