GDPR for Barbershops: Consents, Photos and CCTV


A client sits down in the chair, and you save their phone number in a booking app, take a "before and after" photo for Instagram and record everything on the camera hanging in the corner. Three actions, three different obligations under GDPR – and most barbershops don't meet a single one. GDPR in a hairdressing salon sounds like a topic for corporations, but it applies to you just as much as to a big company. You process client data: name, phone, image, sometimes information about skin condition. This article shows what you realistically need to have in place to sleep easy – with no legal jargon.

Why a barbershop is subject to GDPR

GDPR (RODO in Polish) is Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of personal data, applied in Poland together with the Act of 10 May 2018 on the protection of personal data. It applies to anyone who processes people's data – regardless of the size of the business. Do you book a client in by their name and phone number? Then you're processing personal data. That's enough for GDPR to apply to you.

You don't need a data protection officer or a legal department. You need a few simple things sorted out.

What a typical barbershop processes

Data | Source | Sensitivity
Name, phone, email | bookings | ordinary
Visit history, preferences | client card | ordinary
Image (photos, portfolio) | social media | requires consent
Information about skin condition/allergies | pre-service consultation | special category data – greater caution
CCTV recording | cameras | requires an information notice

The information obligation – the basics

Before you collect data, the client must know: who is collecting it, what for, how long you keep it and what rights they have. This is the so-called privacy notice. In a barbershop you meet it simply:

  • a short notice at the point of booking (in the app, on the booking page or on a card in the salon)
  • identifying the data controller (you / the company name) and the purpose (arranging and delivering visits)
  • information about the client's rights: access, rectification, erasure of data

It doesn't have to be an essay. The key thing is that the client can access it before they give their data.

Consents – when they're needed

Not everything requires a separate consent. Simply arranging a visit rests on delivering the service – no consent is needed here. Two things require separate, explicit consent:

  1. Publishing an image – "before and after" photos, videos on Instagram or TikTok. Without the client's consent, you don't publish their face.
  2. Marketing – sending SMS/email promotions requires marketing consent, separate from the booking.

Consent must be freely given and specific. "I agree to everything" doesn't work – separate the consent for image and for marketing. It's best to have a short form or a checkbox in the booking system.

Monitoring – cameras in the salon

A camera in a barbershop is legal, but it comes with obligations. Three rules:

  • Signage – a visible "premises under CCTV monitoring" notice at the entrance, with the controller's details
  • Purpose – monitoring may serve safety and the protection of property, not surveillance
  • Scope – don't point cameras at private areas (toilet, staff room); limit the retention time of recordings (usually up to 3 months, unless they are evidence in a case)

Recordings are personal data too. If a client asks whether they are being recorded and why – you must be able to answer.

Data security in practice

GDPR requires you to protect data. In a small salon that's common sense:

  • access to the booking app protected by a password
  • client cards (if on paper) in a lockable drawer, not on the counter
  • don't share client data with third parties without a basis
  • if you use an external booking system – check whether the provider has a data processing agreement

This documentation is part of the salon's broader set of records; how to organise it is described in the article "Barbershop sanitary documentation – the complete inspection-ready set". Information about skin condition from the pre-service consultation ties in with the article "Skin conditions – when a barber must refuse a service".

"Before and after" photos – the most common trap

An Instagram portfolio is your best marketing. But every client photo showing their face is a publication of their image – and that requires consent. A few practical rules for doing it legally:

  • get consent before publishing, not after; ideally in writing or via a checkbox in the system
  • the consent should state where you publish (e.g. Instagram, website, Google)
  • the client has the right to withdraw consent – then you remove the photo from the profile
  • if the client doesn't want to be identifiable, frame the shot so the face isn't visible – then consent for the image isn't needed

"I'll post it, and if someone complains I'll take it down" is an approach that ends in a complaint. Better to set up a simple consent form and have peace of mind.

What to do when a client asks for their data

GDPR gives the client specific rights, and you must be able to respond to them. The most common situations:

  1. Access request – the client asks what data you hold about them; you answer and show them
  2. Erasure request – the client wants you to delete their data; you do so, unless you have to keep it for another reason (e.g. an invoice)
  3. Withdrawal of consent – the client withdraws consent for marketing or image; you stop sending messages / remove the photo

These aren't complicated procedures – it's a matter of responding within a reasonable time and knowing where you keep that data. A tidy client card and a single booking system make this much easier.

Frequently asked questions

Is a small barbershop really subject to GDPR?

Yes. GDPR applies to anyone who processes personal data, regardless of the size of the business. Simply booking clients in by name and phone number means processing data, so you have obligations: the information obligation, securing data, and obtaining consents where they are required.

Not for the booking itself – that stems from delivering the service. Separate, explicit consent is required, however, for publishing the client's image (photos, videos on social media) and for sending marketing messages. These consents should be separated and freely given.

Can I have cameras in the barbershop?

Yes, monitoring is permitted, but you must signpost the premises as being under CCTV, identify the controller and the purpose, not point the cameras at private areas, and limit the retention time of recordings, usually to around 3 months.

How long can I keep client data?

Only for as long as it is needed for the purpose you collected it for, or as long as the law requires. Marketing data you keep until consent is withdrawn. CCTV recordings usually up to 3 months, unless they constitute evidence in a case.

GDPR in a barbershop is a few documents you need to have – not a mountain of bureaucracy. BarberReady gives you a ready-made privacy notice, templates for image and marketing consents, plus a CCTV sign and monitoring rules tailored to a salon. You collect client data in line with the law, without a lawyer at every visit.
