Admittedly, nobody can really listen to the topic of data protection anymore. What’s more, the world will obviously continue to turn even if we leave everything as it is. Because until the data protection authorities inspect the first tattoo/piercing studio, a lot of water will probably still be flowing down the Rhine.
Well, that’s not quite true. The biggest risk of a sudden inspection by the authorities (including data protection) is a disgruntled ex-employee or ex-customer (whose deposit has been withheld, for example). All it may take is a phone call and you have a data protection officer in the studio. This has already happened to one or two colleagues. And the penalties have become considerably more severe: up to €20 million or 4% of the annual turnover, the higher amount is decisive, i.e. effectively open-ended.
Rumors are not a solution
That’s why we’re revisiting this tiresome topic to address a few persistent rumors circulating in the industry:
- If you store fewer than three characteristics of a customer (e.g. first name and cell phone number or email address), you do not have to comply with the new GDPR.
- The GDPR only applies to electronically stored data, not to paper.
- If you store the data in different places (partly electronically, partly on paper), everything is fine.
All information that allows conclusions to be drawn
Well, all these points are unfortunately wrong. Rather, any information that allows conclusions to be drawn about a person, regardless of the form (electronic, paper, carved in stone, …), is subject to the GDPR.
- A cell phone number, email or FB/IG address is unique and always allows conclusions to be drawn about a person.
- An appointment with a first name and details of a specific tattoo also allows conclusions to be drawn about a person.
- Also a photo of a tattoo.
Sensitive data
In addition, you store very sensitive customer data with the risk factors from the declaration of consent (DOC), regardless of whether you use a system or paper. And last but not least: The customers who entrust you with this sensitive data are relying on it being handled with appropriate sensitivity. They would be rightly annoyed if it was just lying around somewhere.
2(!) data protection agreements
The customer data and in particular their EVE with the risk factors must be locked away or under supervision at all times and must not be left lying around open at any time. So: The practical appointment folder for your guest tattoo artist, which is sometimes left open at the workplace when the artist is on the toilet or having a smoke, is an absolute no-go!
You must also inform the customer in detail about what data you collect, for what purpose, for how long and what happens to it. You must always keep their data up to date and delete it at their request. The customer must consent to all of this in writing.
The GDPR stipulates the following things in your specific case:
- A data protection agreement for the customer data in your studio (not to be confused with the data protection agreement on your website – you need a separate one).
- A signed consent to this data protection agreement from each customer
- A processing directory (PD) for all personal data (customers and also employees!).
- In addition, a written risk impact assessment (RIA) is required when working with particularly sensitive data (this includes the health information from the risk factors).
- Written confidentiality obligations should also be included in employment and space rental contracts.
- A data processing agreement (DPA) with all service providers who have access to your customer data (see below).
Free electronic calendars are generally not permitted!
If you store any information about the customer (their appointment is sufficient) in a system (Google, iCal, etc.), you need a so-called GDPR-compliant order processing contract from the provider of the system. This is not available for the free versions of the well-known calendars iCal and Google. If you use these for your appointments, you automatically violate the GDPR (yes, even if you only enter the customer’s first name there!).
So: before you get into trouble with your ex, take care of it! It’s not really that difficult. The easiest way is of course with our carefree package contracts and kisscal: you automatically have everything you need for the GDPR.
Yours
