Guide

GDPR and Therapy Notes: A Practical Guide for Therapists in the EU (2026)

Last updated: 2026 · A plain-language guide to keeping session notes compliant under EU data protection law

A plain-language guide to keeping session notes compliant under EU data protection law. This article is general information, not legal advice — for your specific situation, consult a qualified data protection professional.

If you're a therapist working in the EU

Your session notes are some of the most sensitive personal data there is. GDPR takes that seriously — and so should your documentation workflow. The good news: staying compliant doesn't require a law degree. This guide breaks down what actually matters, in plain language, and how to keep your notes secure without drowning in paperwork.

Most guides on this topic are written for the UK. This one focuses on EU GDPR specifically, which is what applies if you practice in Germany, Austria, the Netherlands, France, and the rest of the EU.

Why therapy notes are a special case under GDPR

Under GDPR, not all personal data is treated equally. Ordinary personal data — a name, an email address — is protected, but health data, including mental health records, falls under "special category data" (Article 9). This category gets the strongest protection in the entire regulation.

That means your session notes, treatment plans, and any correspondence about a client's mental health carry a higher compliance bar than, say, a mailing list. You need both a lawful basis for processing the data (Article 6) and a separate condition that permits processing special category data (Article 9).

As a therapist, you are the data controller — you decide why and how client data is collected and used. That makes the responsibility yours, whether you keep paper files or use software.

The lawful basis: why you're allowed to keep notes at all

You can't process client data just because it's useful — you need a documented lawful basis. For most therapists in private practice, two combine naturally:

Article 6 basis: Usually performance of a contract. When a client agrees to therapy, you need clinical records to deliver the service and ensure continuity of care.

Article 9 condition: Typically the provision of health or social care, or sometimes explicit consent, depending on your setting and country.

The practical takeaway: you don't need to agonize over this for every note. You need to have identified and documented your basis once, clearly, and be able to explain it if asked.

What "compliant notes" actually require

Compliance comes down to a handful of concrete practices:

  • A clear retention policy. Decide what you keep, why, and for how long — then stick to it. When the retention period ends, securely destroy or anonymise the records unless there's a valid reason to keep them. Retention periods vary by country and professional body, so check your local requirements.
  • Secure storage. Paper records belong in a locked cabinet in a secure room. Digital records must be in encrypted systems with access controls. A common best practice: keep clinical notes separate from identifying contact details, so a single breach exposes less.
  • Device and account security. Any device holding client data should have full-disk encryption, strong authentication, automatic screen locks, and multi-factor authentication where possible.
  • A privacy notice for clients. You must tell clients what data you collect, why, how long you keep it, and what their rights are. The EU and national data protection authorities publish templates you can adapt.
  • Respecting client rights. Clients have the right to access the data you hold about them, to request corrections, and in some cases erasure. You need a process to handle these requests.

Where AI documentation tools fit in

More therapists now use AI tools to draft session notes from a short voice memo. This can be a huge time-saver — but it raises a fair question: is that GDPR-compliant?

It can be, provided the tool meets the standard you'd apply to any processor of special category data. Our dedicated guide on AI notes and GDPR walks through the specifics — recording risks, why consumer AI tools don't work, and what to look for in a purpose-built tool.

When evaluating an AI notes tool, ask:

  • Is the data encrypted in transit and at rest?
  • Does the provider sell or share your data? It should never sell it.
  • Will they sign a Data Processing Agreement (DPA)? As a data controller, you need a DPA with any processor handling client data on your behalf. This is non-negotiable under GDPR.
  • Where is data stored and processed? EU-based or adequacy-covered processing simplifies compliance.
  • Do you stay in control? The tool should produce a draft you review and approve, not make autonomous clinical records.

A tool that ticks these boxes can actually strengthen your compliance, because it centralises notes in one encrypted, access-controlled place rather than scattered documents.

How PremiumSession approaches this

PremiumSession was built for therapists with EU data protection in mind. Notes and recordings are end-to-end encrypted in transit and at rest, your data is never sold or shared, and Pro users can request a Data Processing Agreement. You speak for two minutes, review the structured draft, and approve it — every word stays under your control.

It's designed so that getting your evenings back doesn't mean compromising on compliance. You can try it free — five notes a month, no credit card.

Try it free — five notes a month, no credit card required.

Start free →

A simple compliance checklist

  • I've identified and documented my lawful basis (Article 6) and special category condition (Article 9)
  • I have a written retention policy with defined timeframes
  • Digital notes are encrypted with access controls; paper notes are locked away
  • Identifying details are stored separately from clinical notes where practical
  • Devices use encryption, strong authentication, and auto-lock
  • Clients receive a clear privacy notice
  • I have a process for access, correction, and erasure requests
  • Any software or AI tool I use offers encryption and will sign a DPA

Frequently asked questions

Are therapy notes "special category data" under GDPR?

Yes. Mental health information is health data, which Article 9 of GDPR classifies as special category data — the most strongly protected type.

Can I use an AI tool to write therapy notes and stay GDPR compliant?

Yes, if the tool encrypts your data, doesn't sell it, will sign a Data Processing Agreement, and leaves clinical judgment and final approval with you as the data controller.

How long should I keep client records?

It depends on your country and professional body — there's no single EU-wide number. Set a documented retention period based on your local requirements, and securely destroy or anonymise records once it passes.

Do I need a Data Processing Agreement with my notes software?

If a provider processes client data on your behalf, GDPR requires a DPA between you (the controller) and them (the processor). Always confirm a provider will sign one before entrusting them with client data.

This guide is general information and does not constitute legal advice. Data protection requirements vary by country and individual circumstances — consult a qualified data protection advisor or your professional body for guidance specific to your practice.

Ready to get your evenings back?

Start free