Prepay 3 months — $12/seat/mo

See offer
PsycSuit

Compliance

GDPR for Psychology Practices — EU & UK Guide

What EU and UK GDPR mean for outpatient psychology practices — special category health data, Data Processing Agreements, lawful basis, data subject rights, breach notification, and retention periods.

Updated June 27, 2026 · 9 min read

If you run an outpatient psychology or therapy practice in the EU or UK, GDPR is not a bureaucratic technicality — it is the legal framework that governs every piece of client data you hold. Patient records, appointment histories, session notes, invoices, and even email addresses are personal data under GDPR. Psychological and mental health data is additionally classified as special category data, which carries the strictest protections the regulation provides.

This guide covers what GDPR means practically for outpatient mental health practices, what your software must do, and what to check when choosing a platform.

EU GDPR vs UK GDPR — what changed after Brexit

The UK retained GDPR into domestic law as UK GDPR, administered by the Information Commissioner's Office (ICO). For most practical purposes the obligations are identical. The key differences are:

  • UK GDPR is enforced by the ICO; EU GDPR is enforced by each EU member state's supervisory authority
  • Breach notification goes to the ICO (UK) vs the relevant national authority (EU)
  • If you have clients in both the EU and UK, you are subject to both regimes

Your practice software provider must have a Data Processing Agreement (DPA) that covers both jurisdictions if you serve clients across both.

Special category data — why mental health records need extra protection

Article 9 of GDPR defines special categories of personal data that receive heightened protection. Mental health data falls under health data — one of the most sensitive categories. Processing special category data is prohibited unless a specific exemption applies. For healthcare providers, the key exemption is Article 9(2)(h): processing necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care.

In practice, this means your clinical records are lawful to process — but you must document your lawful basis, apply appropriate safeguards, and limit processing to what is necessary for care.

What your software must do under GDPR

  • Data Processing Agreement (DPA) — your software provider is a Data Processor acting on your instructions. You need a signed DPA before any client data enters the system. This is the GDPR equivalent of a BAA.
  • Data hosting within the EEA or UK — data must stay within the EU/EEA or UK unless an adequate safeguard exists for the transfer (such as Standard Contractual Clauses). A provider hosting EU client data in US-only infrastructure creates a cross-border transfer that requires additional justification.
  • Encryption — GDPR requires appropriate technical measures. Encryption in transit (TLS 1.2+) and at rest (AES-256) are standard expectations.
  • Access controls — only staff who need client data for their role should have access to it. Role-based permissions documented and enforced.
  • Breach notification — your processor must notify you within 24 hours of a confirmed breach so you can meet your 72-hour reporting obligation to your supervisory authority.
  • Data subject rights support — clients can request access to their data, rectification, erasure, and restriction of processing. Your software should make it feasible to fulfil these requests.

Data subject rights in a mental health context

GDPR gives individuals strong rights over their personal data. For therapy practices:

  • Right of access (Article 15) — clients can request a copy of all data held about them. This includes clinical notes, invoices, and portal records. You have one month to respond.
  • Right to rectification (Article 16) — clients can request correction of inaccurate data. In a clinical context, clinicians may annotate records rather than alter original notes.
  • Right to erasure (Article 17) — also called the right to be forgotten. In healthcare, this right is limited — you may be required to retain clinical records for a minimum period under health law. GDPR explicitly allows retention to be maintained for public health, archiving, or legal claim purposes.
  • Right to portability (Article 20) — clients can request their data in a structured, machine-readable format. For practices, this typically applies to data provided directly by the client (intake forms, messages).

Lawful basis for processing — what to document

You need a documented lawful basis for each category of data processing. For most mental health practice workflows:

  • Clinical records — Article 9(2)(h): healthcare provision
  • Appointment scheduling — Article 6(1)(b): performance of a contract (treatment agreement)
  • Invoicing and billing — Article 6(1)(c): legal obligation (financial record-keeping) or (b): contract
  • Marketing emails — Article 6(1)(a): consent (must be freely given, specific, and withdrawable)

Document your lawful bases in your privacy notice and your Record of Processing Activities (ROPA), which is required for most healthcare organisations.

What to check in your practice software

  1. Is a DPA available and signed at activation — not on request?
  2. Is data hosted within the EU/EEA or UK depending on your client base?
  3. Does the provider document and disclose their sub-processors?
  4. Is there a breach notification SLA of 24 hours or less?
  5. Are data subject rights requests (access, erasure) operationally supportable?
  6. Is cross-border data transfer (if any) covered by SCCs or another valid mechanism?

Retention periods for mental health records

GDPR's storage limitation principle (Article 5(1)(e)) requires you to not keep data longer than necessary. For clinical records, national health law typically overrides GDPR's erasure obligations. Common minimum retention periods:

  • UK — 8 years from last treatment (adults); until age 25 for children's records
  • Germany — 10 years minimum under § 10 Musterberufsordnung
  • Ireland — 8 years (adults); until age 25 (children)
  • Netherlands — 20 years under the WGBO

Your practice software should support configuring retention policies per record type and jurisdiction.

The client portal and GDPR consent

A client portal reduces GDPR risk significantly compared to email. Portal messages stay within an authenticated, encrypted system. Intake forms signed through the portal create a documented consent record. Sending PHI via email — which forwards easily and lacks authentication — is difficult to defend under GDPR's appropriate technical measures requirement.

FAQ

Is mental health data special category under GDPR?
Yes — health data, including mental health records, is special category data under Article 9 of GDPR and requires explicit lawful basis and heightened protection.
What is a DPA and when does a psychology practice need one?
A Data Processing Agreement is the GDPR equivalent of a HIPAA BAA. Any software vendor that processes client personal data on your behalf requires a DPA before data enters their system.
Can clients request erasure of their therapy records under GDPR?
GDPR's right to erasure is limited in healthcare. National health law typically requires retention for a minimum period — often 8–20 years depending on jurisdiction.

Try PsycSuit in your practice

Scheduling, clinical notes, PHQ-9 & GAD-7, billing, client portal, and telehealth in one Practice OS. 1-month free trial starts when you activate your clinic — no card required to sign up.

← All guides · Pricing