GDPR & DPA for UK & EU Therapy Practices

Your practice (controller)

You decide why and how client data is collected — privacy notices, lawful basis for treatment, retention schedules, and responding to subject access requests.

PsycSuit (processor)

We store and run the software on your instructions — encryption, access controls, backups, subprocessors listed in the DPA.

• Signed at practice activation — not optional for production PHI
• Lists subprocessors (hosting, email, video, etc.)
• Defines breach notification timelines and assistance duties
• Documents cross-border transfer mechanisms where applicable

Read the DPA overview and full Trust center.

• Publish a privacy notice clients receive before or at intake
• Document lawful basis (often contract + health care for treatment records)
• Honor access, correction, and erasure requests within legal limits
• Train staff on GDPR-aware handling — no PHI in personal email
• Report breaches to supervisory authority when required

• Clinic tenant isolation — your data not mixed with other practices
• Role-based access and audit logging
• Encryption in transit (TLS)
• Individual staff accounts — no shared logins
• Data export before contract end

If you treat clients in multiple countries or your team works remotely abroad, confirm transfer rules with your data protection advisor. Processor location and subprocessor regions are disclosed in your agreement — not hidden in generic terms.

UK practice software buyer guide · EU private clinic checklist · US HIPAA checklist