Guide

Can EU Therapists Use AI for Session Notes? A GDPR Reality Check (2026)

Last updated: 2026 · A practical guide for EU therapists on using AI for session notes under GDPR

General information for therapists, not legal advice. Data protection rules vary by country and situation — consult a qualified data protection advisor for your specific practice.

AI note tools promise to hand therapists their evenings back. But if you practice in the EU, a fair question comes first: am I even allowed to use one without breaching GDPR? The short answer is yes — but how you use it, and which tool you choose, makes all the difference. This guide walks through what actually matters, in plain language.

If you haven't yet, our guide to GDPR and therapy notes covers the foundations. This article focuses specifically on the AI question.

The real risk isn't the AI — it's the recording

Most of the GDPR anxiety around AI note tools comes down to one thing: recording the client. Under EU law, a person's voice is personal data, and in many member states recording someone — even to help your own note-taking — requires informed consent or another lawful basis. In Germany, for example, unauthorised recording of the spoken word can even touch criminal law (§ 201 StGB).

This is why "silent" transcription bots that join and record without clear consent are the genuine compliance hazard. The recording, not the note-writing, is where therapists get exposed.

The practical implication: a workflow that doesn't depend on recording your client sidesteps the single biggest risk. A short voice memo you dictate yourself after the session — describing what happened in your own words — is your data about your own observations, not a covert recording of the client. That's a meaningfully safer starting point.

Why you can't just paste sessions into ChatGPT

A tempting shortcut is to type or paste session details into a free AI tool like the public version of ChatGPT. Don't.

Public, consumer-grade AI tools won't sign a data processing agreement, offer no guarantees about how your input is used, and may process your data to train their models. Feeding client health information into one is a direct breach of GDPR principles — and the same logic that makes it a HIPAA violation in the US applies under EU law. Health data is special category data; it cannot go into a tool that gives you no contractual protection over it.

The takeaway isn't "AI is unsafe." It's that you need a purpose-built, contractually accountable tool — not a general-purpose chatbot.

What a GDPR-respecting AI notes tool looks like

When you evaluate any AI documentation tool as an EU therapist, these are the questions that matter:

  • Does it minimise or avoid recording the client? Tools built around your own post-session dictation carry far less consent risk than ambient recorders. If a tool does record sessions, you need explicit, documented client consent every time.
  • Is data encrypted in transit and at rest? This is the baseline, not a premium feature.
  • Will the provider sign a Data Processing Agreement (DPA)? As the data controller, you are legally required to have a DPA with any processor handling client data on your behalf. If a provider won't sign one, walk away.
  • Is your data used to train their models? The gold standard is that it never is — and that this is the default, not something you have to opt out of. Be wary of vague, self-assessed "GDPR compliant" badges; look for clear, specific commitments.
  • Where is data stored? EU-based or adequacy-covered processing keeps things simpler. Transfers outside the EU require additional safeguards.
  • Do you stay in control of the clinical content? The tool should produce a draft you review and approve — not autonomous clinical records. You remain the clinician and the data controller.

Consent and transparency: what to tell clients

Even with a low-risk, dictation-based workflow, transparency is part of GDPR. Your privacy notice should mention that you use a secure digital tool to help produce your clinical notes, what data it involves, and how it's protected. If your workflow ever does involve recording the client, consent must be explicit, informed, and freely given — the client must be able to decline without it affecting their care.

Being open about this tends to build trust rather than erode it. Clients worry about loss of control; a clear, calm explanation of how their data is protected usually puts that to rest.

How PremiumSession is designed around this

PremiumSession is built around a quick 2-minute voice memo you dictate after the session — in your own words. It produces a structured draft you review and approve. There's no live-session recording, nothing to set up with your client, and no session audio to safeguard. That means far less consent friction and less sensitive data to protect.

On top of that: notes and recordings are end-to-end encrypted, your data is never sold or used to train models, and Pro users can request a Data Processing Agreement. You stay in control of every word.

Try it free — five notes a month, no credit card required.

Start free →

Frequently asked questions

Is it legal for EU therapists to use AI for session notes?

Yes, provided you use a purpose-built tool that encrypts data, will sign a DPA, and doesn't train on your data — and provided any recording of the client has proper informed consent. The tool should produce drafts you review, not autonomous records.

Can I use ChatGPT to write my therapy notes?

Not with real client information. Public AI tools won't sign a data processing agreement and may use your input for training, which breaches GDPR for special category health data. Use a purpose-built, contractually accountable tool instead.

Do I need client consent to use an AI notes tool?

If the tool records the client, yes — explicit, informed consent every time. If you dictate your own post-session memo rather than recording the client, the consent burden is much lower, though transparency in your privacy notice is still expected.

What's the safest type of AI notes workflow under GDPR?

A workflow based on your own short post-session dictation, using an encrypted tool that signs a DPA and never trains on your data, where you review and approve every note.

This article is general information and not legal advice. EU member states apply additional national rules, and your professional body may have its own guidance. Consult a qualified data protection advisor for your specific circumstances.

Ready to get your evenings back?

Start free