GDPR for Salons and Dentists: Client Data on Your Website
15 April 2026
If you run a salon or dental practice, your website probably collects more sensitive data than you realize. An online booking for a teeth whitening appointment or a hair loss treatment doesn't just capture a name and email. It reveals something about a person's health.
Under GDPR, health-related data is "special category data" covered by Article 9. This puts salons and dental practices in a higher risk category than a typical small business. The rules are stricter, and the consequences of getting it wrong are bigger.
Here's what you need to know about your website specifically.
Why salons and dentists face higher GDPR risk
Most small businesses deal with basic personal data: names, emails, phone numbers. Standard GDPR rules apply.
But when someone books an appointment for a dental implant, an acne treatment, a hair transplant consultation or a cosmetic procedure, that booking reveals health information. GDPR treats health data differently from regular personal data.
Article 9 of the GDPR prohibits processing special category data unless you meet one of a narrow set of exceptions. For most salons and dental practices, the relevant exception is "explicit consent." That means the person actively agrees to your processing of their health-related data, with a clear understanding of what they're consenting to.
A generic "I agree to the privacy policy" checkbox doesn't cut it for health data.
Your booking form needs extra attention
If your website has an online booking system, look at exactly what information it collects.
Treatment type selection. If your booking form asks clients to choose a treatment from a dropdown, that selection is health-related data. "Root canal" or "scalp treatment for hair loss" tells you something about the person's medical condition.
Notes fields. Many booking systems include a free-text field where clients can describe what they need. People write things like "my gums are bleeding" or "I have eczema on my scalp." This is health data entered voluntarily, but you still need to handle it properly.
Medical history forms. Dental practices often collect medical history through their website: allergies, medications, existing conditions. This is clearly special category data and requires explicit consent, secure storage and a clear retention policy.
What your booking system needs
- Explicit consent for health data. A separate, clearly worded consent checkbox that specifically mentions the processing of health-related information. Not bundled with marketing consent or general terms.
- Encryption in transit and at rest. Your booking form must use HTTPS. The data must be stored in an encrypted database. Check that your booking software provider offers this.
- Data retention limits. How long does your booking system keep old appointments? Many systems keep everything forever by default. Set a retention period and configure automatic deletion.
- A clear privacy policy. Your privacy policy must specifically mention that you process health-related data, explain why, state the legal basis and describe how it's protected. See our GDPR compliance checklist for what else your privacy policy needs.
Before and after photos on your website
This is where many salons get into trouble. Before/after photos are powerful marketing. They're also a GDPR minefield.
You need a model release form
A model release is a signed document where the client gives you permission to use their photos for specific purposes. Without it, publishing client photos on your website is a GDPR violation.
Your model release should cover:
- Which photos are being used
- Where they'll be published (your website, social media, printed materials)
- How long you'll use them
- Whether the client can withdraw consent later
The right to withdraw consent
Under GDPR, a client can withdraw their consent at any time. If someone signed a model release two years ago and now wants their photos removed, you must remove them. From your website, from your social media, from your Google Business profile.
This means you need a system to track which photos have consent and from whom. A folder on your computer named "client photos" won't cut it if you have 200 before/after images across your website and social media.
Tips for safe before/after photo use
Photograph only the treatment area. A photo showing just the teeth or just the hair, without identifying facial features, carries much lower risk. If the person isn't recognizable, you have fewer consent obligations.
Never show photos of minors. Even with parental consent, the risk isn't worth it. Enforcement authorities treat children's data with extra scrutiny.
Don't tag or name clients in photos. Adding "Sarah's amazing transformation" connects the photo to an identifiable person and their health condition.
Renew consent periodically. Consent given three years ago may no longer reflect the client's wishes. Annual renewal is good practice.
Social media sharing of client photos
Posting client photos on Instagram, Facebook or TikTok follows the same rules. You need explicit consent, and the client can withdraw it.
But social media adds complications.
Once you post a photo on Instagram, you've given Instagram a license to use it under their terms. If a client withdraws consent and you delete the post, copies may still exist in Instagram's systems, in people's screenshot folders and in cached versions.
Make sure clients understand this when they give consent. Your model release should mention that once shared on social media platforms, complete removal may not be possible.
Also watch out for tagging. If your salon tags a client's personal account in a before/after post, you're linking their identity to a health-related treatment. This is a GDPR problem even if they gave consent for the photo itself, unless the consent also covered tagging.
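The photo consent tracking described above (a model release with explicit scopes, withdrawal at any time, periodic renewal, and tagging as a scope of its own) can be kept in a small register. This is an added example, not code from the original article; the field names, the `ba-001` style photo ids, the `C-17` client references and the 365-day renewal window are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

RENEWAL_WINDOW = timedelta(days=365)  # annual renewal, as the article suggests
SCOPES = {"website", "social", "tagging"}  # uses the client can sign for separately

@dataclass
class PhotoConsent:
    photo_id: str
    client_ref: str  # internal reference; never the client's name
    scopes: frozenset  # subset of SCOPES the client actually agreed to
    granted: date
    withdrawn: Optional[date] = None

@dataclass
class ConsentRegister:
    consents: list = field(default_factory=list)

    def may_publish(self, photo_id: str, scope: str, today: date) -> bool:
        """True only if a live, in-date consent explicitly covers this scope."""
        if scope not in SCOPES:
            raise ValueError(f"unknown scope {scope!r}")
        for c in self.consents:
            if c.photo_id != photo_id or c.withdrawn is not None:
                continue
            if scope in c.scopes and today - c.granted <= RENEWAL_WINDOW:
                return True
        return False  # no consent, wrong scope, withdrawn or expired: do not publish

    def withdraw(self, client_ref: str, today: date) -> list:
        """Record withdrawal for every photo of this client; return ids to take down."""
        pulled = []
        for c in self.consents:
            if c.client_ref == client_ref and c.withdrawn is None:
                c.withdrawn = today
                pulled.append(c.photo_id)
        return pulled

    def due_for_renewal(self, today: date) -> list:
        """Photos whose consent is older than the renewal window and should be re-signed."""
        return [c.photo_id for c in self.consents
                if c.withdrawn is None and today - c.granted > RENEWAL_WINDOW]

def sample_register() -> ConsentRegister:
    """Constructed sample data: two clients, three photos, one consent already stale."""
    return ConsentRegister([
        PhotoConsent("ba-001", "C-17", frozenset({"website", "social"}), date(2025, 9, 1)),
        PhotoConsent("ba-002", "C-17", frozenset({"website"}), date(2023, 3, 10)),
        PhotoConsent("ba-003", "C-42", frozenset({"website", "social", "tagging"}), date(2026, 1, 20)),
    ])
```

The list returned by `withdraw` is the takedown work list for the website, social accounts and business profile mentioned above.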
Email and SMS reminders
Dental practices and salons commonly send appointment reminders via email or SMS. These messages often mention the treatment type, which again is health-related data.
Use secure channels. Standard SMS is not encrypted. For routine reminders like "Your appointment is tomorrow at 14:00," this is generally acceptable. But avoid including treatment details in SMS messages. "Your root canal appointment" is visible to anyone who sees the phone notification.
Get consent for reminders. Your booking form should include consent for receiving appointment reminders. This is separate from marketing consent.
Don't mix reminders with marketing. An appointment reminder email that also includes a promotional offer for teeth whitening is mixing two different purposes. Keep them separate.
Include an opt-out. Even for transactional messages like reminders, give clients the option to opt out of electronic communications.
Your client portal
If your practice has an online portal where clients can view their appointment history, access treatment records or see invoices, the GDPR requirements are significant.
Authentication. The portal must use strong authentication. Email and password at minimum. Two-factor authentication is better, especially for dental practices where the portal may show medical records.
Access controls. Clients should only see their own data. This sounds obvious, but poorly built portals have exposed client data through simple URL manipulation. A URL like yourpractice.com/client/1234 where changing the number shows someone else's records is a data breach waiting to happen.
Data export and deletion. GDPR gives people the right to download their data and to request deletion. Your portal should support both, or you need a manual process that responds within 30 days.
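The URL-manipulation flaw from the access controls paragraph, shown beside the fix, as an added example that is not code from the original article. The handlers are framework-agnostic (they take the logged-in client id from the session and the record id from the URL); the record layout and the sample ids are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TreatmentRecord:
    record_id: int
    client_id: int  # the client this record belongs to
    treatment: str  # health-related data under Article 9

# Constructed sample data standing in for the portal's database.
RECORDS = {
    1234: TreatmentRecord(1234, client_id=7, treatment="root canal"),
    1235: TreatmentRecord(1235, client_id=8, treatment="scalp treatment for hair loss"),
}

class NotFound(Exception):
    """Raised for records the caller may not see; maps to an HTTP 404."""

def vulnerable_view(session_client_id: int, record_id: int) -> TreatmentRecord:
    # Returns whatever id the URL names: client 7 requesting /client/1235
    # gets client 8's treatment. The session id is never consulted, so being
    # logged in is treated as being authorised for every record.
    return RECORDS[record_id]

def hardened_view(session_client_id: int, record_id: int) -> TreatmentRecord:
    # Tie the lookup to the logged-in client, so the number in the URL
    # can never select someone else's record.
    record = RECORDS.get(record_id)
    if record is None or record.client_id != session_client_id:
        # One response for "missing" and "not yours", so the id space
        # cannot be probed to learn which records exist.
        raise NotFound(record_id)
    return record

def can_access(session_client_id: int, record_id: int) -> bool:
    """True if the hardened view would serve this record to this client."""
    try:
        hardened_view(session_client_id, record_id)
        return True
    except NotFound:
        return False
```

A quick check for an existing portal is to log in as one test client and request another test client's record id; the hardened behaviour is the 404 path above.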
A practical checklist for your website
Run through this list for your salon or dental practice website:
- Does your booking form have a separate consent checkbox for health-related data processing?
- Does your privacy policy specifically mention health data?
- Are all before/after photos covered by signed model release forms?
- Do you have a system to track photo consent and handle withdrawals?
- Are appointment reminders separate from marketing emails?
- If you have a client portal, does it use proper authentication?
- Is your booking system provider GDPR compliant? Check their Data Processing Agreement.
You can scan your website for free to check many of these requirements automatically. The scan covers cookie consent, privacy policy presence, third-party data transfers and form security.
Common Questions
Does GDPR apply differently to dentists than to hair salons?
The same law applies, but dental practices typically handle more explicitly medical data. A dental office with patient records, X-rays and treatment histories has stricter obligations than a salon that only collects appointment bookings. Both need to treat treatment-type information as health data.
Can I use client testimonials with their photo on my website?
Yes, with explicit written consent. The consent should specify that the testimonial and photo will be published on your website. If the testimonial mentions a specific treatment, it becomes health-related data and requires the higher standard of explicit consent under Article 9.
What if a client posts their own before/after photo and tags my salon?
You're not responsible for what clients post on their own accounts. But if you reshare their post to your business account, you're now processing their data and need consent. Many salons ask clients to sign a general social media consent form. This works as long as it's specific about what you'll do with the content.
Do I need a Data Protection Officer?
Most small salons and dental practices don't need a formal DPO. The requirement kicks in when your "core activities" involve "regular and systematic monitoring of data subjects on a large scale" or "large scale processing of special categories of data." A single-location dental practice with a few hundred patients is unlikely to meet the "large scale" threshold. But having someone responsible for data protection, even informally, is good practice.