GDPR Basics for Salons and Clinics: Client Data and Consent Without the Legalese
If you run a beauty salon or a dental clinic, you already hold a surprising amount of personal data. Names, phone numbers, birth dates, treatment notes, invoices - all of it sits behind your booking system, and all of it falls under the GDPR. That word tends to trigger a mix of guilt and confusion, but the day-to-day reality is far more manageable than the legal text suggests.
This article is general information, not legal advice. Your clinic is the data controller, and your exact obligations - especially Estonian and EU medical-record retention minimums - are worth confirming with a qualified advisor. What follows is the practical version: what data you actually hold, when you need consent and when you don't, how to do marketing opt-in properly, and what "delete my data" really means for a regulated service provider.
What client data you actually hold
Every client who books an appointment leaves a trail: contact details, appointment history, invoices, and often health-adjacent notes about treatments. Under GDPR, that data isn't yours to do whatever you like with - you hold it for specific, legitimate purposes, and you're accountable for keeping it accurate, secure, and no longer than you genuinely need it.
The good news is that most of what a clinic does with client data is entirely lawful without any special paperwork. The mistake small businesses make isn't holding too much data - it's misunderstanding why they're allowed to hold it.
Lawful basis vs. consent - the distinction that trips everyone up
This is the single most common GDPR misunderstanding in small clinics, so it's worth being precise.
Service delivery doesn't need consent. When a client books with you, sending a booking confirmation, an appointment reminder, or a payment receipt is simply part of fulfilling the service they asked for. These transactional messages run on contract and legitimate interest - the client implicitly agreed to them by booking. You do not need a separate opt-in to remind someone about their own appointment.
Marketing does need consent. A "special offer on your next visit" email or an SMS about a new treatment is a different animal. That's promotional, and it requires explicit, freely-given consent under GDPR Article 6(1)(a) - a genuine, unbundled opt-in.
Why does this matter so much in practice? Because clinics routinely conflate the two. A client unsubscribes from marketing and the clinic assumes it must now stop sending appointment reminders too. It shouldn't. "Stop marketing to me" and "stop contacting me about my own booking" are governed separately. Reminders keep going; the promotional stream stops. Getting this right means clients still show up on time and you still respect their marketing choice.
Marketing opt-in done right
If you send any promotional messages, the opt-in has to be real. A few principles that keep you on solid ground:
- Default to unticked. Consent that's pre-checked or bundled into mandatory booking terms isn't freely given. The box should start empty and the client should choose to tick it.
- Use plain language. "I'd like to receive offers and news from your clinic" beats a wall of legalese.
- A single combined checkbox is fine for a small clinic. One clear "email or SMS" opt-in is a defensible pattern, as long as it's genuinely optional and plainly worded.
- Record when consent was given. Being able to prove "this client opted in on this date" is the whole point of consent provenance.
In Tervita, this is built into the client record. On the client-facing booking page, there's one plain-language checkbox under contact details, unticked by default, and the opt-in timestamp is captured automatically the moment it's ticked. Staff see the same on the client card: a Marketing block showing email and SMS opt-in status and the date consent was recorded. Crucially, booking again can only ever add consent - a client can't accidentally un-consent by rebooking, and withdrawing consent is always a separate, explicit action.
Suppression lists vs. consent flags
Here's a subtlety worth understanding, because it protects you from embarrassing mistakes.
A consent flag records "did this person agree to be marketed to." A suppression list records "this contact must never be messaged again, regardless of anything else" - the sort of thing you add after a bounce, a complaint, or an explicit "stop texting me." These are different tools and should never be treated as interchangeable.
The safe architecture always lets suppression override consent, never the reverse. In Tervita, a suppressed contact gets nothing - even if their profile still shows the marketing box ticked. Suppression also stops automated reminders, not just marketing, which makes it the right switch when someone truly wants no contact at all. Two systems, and suppression always wins.
The right to be forgotten - what it really means
Clients have the right to access their data and, in principle, the right to erasure. But "delete everything about me" rarely means literal deletion for a regulated service provider, and that surprises people.
Dental and aesthetic treatment records are commonly treated as medical records with statutory minimum retention periods under national law. Invoices fall under accounting-retention rules. You can't simply wipe a row that you're legally required to keep. The practical compliance pattern is anonymization-in-place: strip the identifying fields - name, contact details, birth date, ID code, notes - while keeping the transactional and financial trail intact under anonymized identifiers.
That's exactly how Tervita's GDPR tools work, and it's why "erase" and "delete" aren't the same operation. Removing a client from your list only archives them; their history stays. The real GDPR tools live on a dedicated tab, restricted to owners and administrators: Export data produces the client's records, appointments, invoices and consent state for an access request, and Erase (anonymize) permanently replaces personal fields with "Deleted Client" and clears both marketing flags. Appointments and invoices remain for your own accounting and medical-record obligations; the personal data is gone for good. Both actions are logged. Tervita never auto-deletes records on a schedule - judging when a retention period has lapsed is the clinic's call as data controller, not something to automate blindly.
Practical hygiene: access and accountability
One last point that's easy to overlook: who inside your team can see, export, or erase client data is itself part of GDPR accountability. Restricting the export and erase tools to owners and administrators, with an audit trail of who did what, isn't just a nice permission setting - it's part of demonstrating that you take data protection seriously (Articles 5(2) and 30). Access control and technical tooling matter equally.
None of this has to be daunting. Hold the data you need for clear reasons, keep marketing consent honest and separate from service messages, respect suppressions absolutely, and treat erasure as anonymization rather than a magic delete button. Do those, and you're most of the way there.
Want to see how consent tracking works on a real client record? Read Client records, marketing consent and GDPR, or create your Tervita account and set your booking page up the right way from day one.