GDPR starter kit for hairdressers + beauty salons
Booking systems, client photos (before/after), allergy info (health data!), reviews, loyalty programmes. Allergy data = Art. 9 special category.
Beauty salons and hairdressers process more than just contact data. Core matters:
(1) Booking systems (Treatwell, Salonized, Mijnsalon): DPA in place, and check where data is stored (EU vs USA).
(2) Allergy information = health data (Art. 9). Stricter regime: only when really needed for the service, explicit consent, secure storage, destroy after the client relationship ends.
(3) Client photos (before/after): separate consent per publication channel (Instagram vs portfolio vs website). Prefer opt-in per use.
(4) Reviews (Google, Facebook, own site): anonymise or pseudonymise, because a review published under the client's name = disclosure.
(5) Loyalty cards / savings programmes: marketing basis = consent. An opt-out option is mandatory.
(6) CCTV: sign + 4 weeks max. No audio.
(7) WhatsApp confirmations: using the client's private number via a messaging platform = legitimate interest. No advertising via that channel.
AP risks 2024-2025: multiple fines for salons posting client photos on social media without consent. Avoid "we asked, they nodded yes": consent should be written and given per use.