Compliance · 7 min read

How to Set Up a GDPR-Compliant Workspace as a Nomad Therapist

Working from a café, an Airbnb, or a co-working space raises real GDPR and confidentiality questions. Here's what actually needs to change — and what doesn't.

A GDPR-compliant workspace for a nomad therapist comes down to three things: no one else can hear your sessions, no one else can see your screen, and the data you create and store is encrypted and on compliant infrastructure. The workspace itself — café, Airbnb, co-working space — is secondary to these three controls.

The core GDPR requirements for workspace

Article 32 of the GDPR requires "appropriate technical and organisational measures" to protect personal data, proportionate to the risk. For a nomad therapist, this translates to:

Confidentiality of the session:

  • Sessions conducted where you can't be overheard (a private room; noise-cancelling headphones only protect what you hear, not what the people around you hear you say)
  • Screen not visible to passersby
  • No use of public displays or shared screens

Security of the data:

  • Device encrypted at rest (full-disk encryption such as FileVault, BitLocker or LUKS, so a stolen or lost laptop is a hardware loss rather than a data breach)
  • Session notes saved to infrastructure covered by a data processing agreement (Article 28), not a consumer iCloud account or a personal, unprotected Google Drive
  • VPN when using untrusted wifi networks (café, hotel, airport). The VPN protects you from the local network and its operator; it does nothing for an unencrypted device or a careless storage choice, so it complements the two points above rather than replacing them
  • Password manager with strong, unique credentials
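Two of the controls above (encryption at rest, VPN on untrusted networks) can be verified by a script rather than trusted to memory. The following pre-session check is an added example for a Linux laptop; it is not code from the original article or from any product the page mentions. Each check takes command output as a string, so the logic runs offline; the live command to feed it is given in the comments. The tunnel-interface names, the trusted-SSID list and the function names are assumptions made for the example, not GDPR requirements.

```shell
#!/bin/sh
# Pre-session workspace check (added example, Linux). Each check parses the
# output of a system command passed in as text; the live command is noted
# beside it. Interface names and the trusted-SSID list are assumptions.

# Encryption at rest: walk the block-device chain beneath the root filesystem
# and require a dm-crypt (LUKS) layer somewhere in it.
# Live input:  lsblk -rsno TYPE "$(findmnt -no SOURCE /)"   e.g. "lvm crypt part disk"
# macOS equivalent to inspect by hand:  fdesetup status  -> "FileVault is On."
root_is_encrypted() {
  printf '%s\n' "$1" | grep -qx 'crypt'
}

# VPN up: look for a tunnel interface (wg*, tun*, tap*, ppp*) carrying the UP flag.
# Live input:  ip -o link show
# Heuristic only: a tunnel that exists but routes nothing still passes; the
# definitive check is that your public IP is the VPN exit, not the café's.
vpn_interface_up() {
  printf '%s\n' "$1" | awk -F': ' '
    $2 ~ /^(wg|tun|tap|ppp)[0-9]+$/ && $3 ~ /[<,]UP[,>]/ { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Trusted network: only networks you control (home, your own hotspot) skip the
# VPN requirement. $1 is the current SSID, $2 a space-separated allow-list
# (assumed for the example; SSIDs containing spaces are not handled).
# Live input for $1:  nmcli -t -f active,ssid dev wifi | awk -F: '$1=="yes"{print $2}'
network_is_trusted() {
  ssid=$1
  for t in $2; do
    [ "$ssid" = "$t" ] && return 0
  done
  return 1
}

# Overall decision: encryption at rest is mandatory everywhere; a VPN is
# mandatory on any network not on the trusted list.
# $1 device-type chain, $2 link listing, $3 current SSID, $4 trusted SSIDs
ok_to_start_session() {
  if ! root_is_encrypted "$1"; then
    echo "FAIL: root filesystem is not on an encrypted volume" >&2
    return 1
  fi
  if ! network_is_trusted "$3" "$4" && ! vpn_interface_up "$2"; then
    echo "FAIL: on untrusted network '$3' without a VPN" >&2
    return 1
  fi
  echo "OK: encrypted device, network '$3' acceptable"
}

# Constructed sample data for the demo (not captured from a real machine).
SAMPLE_CHAIN_LUKS='lvm
crypt
part
disk'
SAMPLE_CHAIN_PLAIN='part
disk'
SAMPLE_LINKS_VPN='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN'
SAMPLE_LINKS_NOVPN='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP'
TRUSTED_SSIDS='HomeOffice MyPhoneHotspot'

# Demo: café wifi without a VPN is refused; the same café with wg0 up proceeds.
ok_to_start_session "$SAMPLE_CHAIN_LUKS" "$SAMPLE_LINKS_NOVPN" "CafeGuest" "$TRUSTED_SSIDS" || echo "(refused, as expected)"
ok_to_start_session "$SAMPLE_CHAIN_LUKS" "$SAMPLE_LINKS_VPN" "CafeGuest" "$TRUSTED_SSIDS"
```

Run it before opening the video call; on a real machine replace the sample strings with the live command output named in each comment. The interface-name test is deliberately conservative: it tells you a VPN is absent, not that a present one is actually carrying your traffic.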

Workspace types and their risks

| Workspace | Main risk | Solution |
|---|---|---|
| Airbnb / private rental | Low, if you have a private room | Confirm audio privacy before booking |
| Café | High: public audio and screen | Not suitable for live sessions; acceptable for note-writing on an encrypted device with a screen nobody else can read |
| Hotel room | Low: private, but the hotel wifi is untrusted | Solid option for travel days; use your own hotspot or a VPN over the hotel network |
| Home office abroad | Low if private | Standard setup; confirm internet reliability |

The note-writing question

Even if you're not in a session, writing clinical notes in a public space exposes client data. Practical rules:

  • Write notes on an encrypted device
  • Don't leave your screen unlocked and visible
  • Use a tool with access control (not a public Google Doc)

What you don't need

Some nomad therapists over-engineer their compliance. You don't need:

  • A dedicated static IP address
  • Enterprise-grade hardware
  • A physical office address (unless your professional body requires one)

You do need: privacy, encryption, compliant storage, and good password hygiene.

The bottom line

A nomad can be GDPR compliant; the regulation was written for people, not offices. The practical test: could an overheard conversation, a visible screen, or a stolen device expose client information? Solve those three risks and the workspace itself is no longer the weak point. What remains is the storage side: where the notes live and who processes them.

For the data storage side, see GDPR for Therapists: Storing Notes Abroad.

Frequently Asked Questions

Can I do therapy sessions from a café under GDPR?

Live sessions from a café are generally not GDPR-compliant because of the risk of being overheard. Note-writing is lower risk but should still be done on an encrypted device with a private screen.

Do I need a fixed office address to be GDPR compliant?

No. GDPR compliance is about protecting personal data, not about having a physical address. Your professional body may have separate requirements, but GDPR itself doesn't require a static office.

Cut your documentation to 2 minutes per session.

Eclio generates SOAP, DAP, and BIRP notes automatically. Free during beta, works from anywhere.
