Policies, checklists, and monitoring to keep your Cork business on the right side of the DPC. Start in under 2 minutes.
Join 2,000+ Irish businesses already protected
GDPR applies to every spa in Ireland, whether you're based in Cork City or anywhere across Cork. With approximately 32,000 SMEs in the county, the DPC has made it clear that enforcement applies to businesses of all sizes.
Cork is Ireland's second-largest economic centre, with a powerful pharmaceutical and life sciences cluster including Pfizer, Eli Lilly, and Johnson & Johnson. The tech sector thrives with Apple's European headquarters and a growing startup scene. The county's food heritage is nationally renowned, with Ballymaloe and the English Market underpinning a vibrant artisan food economy. Spas in Cork typically process client names, addresses, phone numbers, and email addresses and medical histories including conditions, pregnancies, medications, and allergies (special category data) — both of which fall squarely under GDPR's definition of personal data. The risk of collecting extensive medical histories on intake forms covering conditions, pregnancies, surgeries, and medications — all special category data makes compliance particularly important for this sector.
Let's walk through what compliance looks like for your business, step by step.
Yes — it's a legal requirement. Any spa in Cork processing personal data must meet GDPR standards. This covers everything from customer names and emails to CCTV footage and HR files. The DPC enforces compliance across all Irish businesses regardless of size, with fines of up to €20 million.
RISK ASSESSMENT
Collecting extensive medical histories on intake forms covering conditions, pregnancies, surgeries, and medications — all special category data
Sharing client treatment notes between therapists without adequate access controls or client knowledge
Processing gift voucher purchases that contain both purchaser and recipient personal data
Recording body measurements and wellness assessments that could reveal health conditions
Using client testimonials and reviews containing health-related statements without proper consent
DATA INVENTORY
FREE ASSESSMENT
See exactly where your Spa in Cork stands on GDPR compliance — no signup required.
REQUIRED DOCUMENTS
Every Spa in Ireland needs these documents to demonstrate GDPR compliance. ComplianceKit generates all 8 policy types with a living compliance score that tracks your progress.
STEP BY STEP
Redesign client intake forms to include clear, specific GDPR consent for processing medical and health data, explaining why each piece of information is needed.
Implement role-based access controls in your spa management software so therapists only see the client records relevant to their appointments.
Create a separate consent process for using client testimonials, reviews, or case studies that mention treatments or health outcomes.
Establish secure handling for gift voucher data — the purchaser's and recipient's details are both personal data and must be protected.
Train all therapists on the confidential nature of client medical and treatment data, and document this training.
Set retention periods: keep active client medical records for the duration of the relationship, archive and review inactive records annually, retain financial records for six years.
Conduct a Data Protection Impact Assessment if you are systematically processing health data at scale, as this may be required under Article 35 of GDPR.
COMMON PITFALLS
Collecting detailed medical histories on intake forms without realising this triggers the special category data rules under Article 9 of GDPR, which require explicit consent.
Allowing all spa staff to access every client's full medical history and treatment notes through a shared login on the booking system.
Publishing client testimonials that mention specific treatments or health conditions without checking the client consented to their words being used publicly.
Keeping intake forms containing medical data for clients who have not visited in many years, with no policy for reviewing or deleting them.
FAQ
Everything you need to know about GDPR compliance for your business.
Contact usOTHER SERVICES
Every day your Spa in Cork operates without proper GDPR compliance is a risk. The DPC is increasing enforcement across Ireland — get ahead of it today.
Join 2,000+ Irish businesses. No credit card required.