GDPR applies to any therapist who processes the personal data of EU residents — regardless of where the therapist lives. Mental-health data is classified as special-category sensitive data, so it carries the strictest rules. To store client notes legally, you need a lawful basis, informed consent, secure encrypted storage, a defined retention period, and the ability to honor clients' access and deletion rights.
Does GDPR really apply to a solo therapist?
Yes — there's no small-practice exemption. The moment you process personal data of someone in the EU, GDPR applies. And because mental-health information is "special category" data, it's held to a higher standard than ordinary personal data. Crucially, this applies based on where your client is, not where you are — so a therapist living abroad with EU clients is fully covered.
What you're required to do
1. Inform your clients
Each client must be clearly told what data you collect, why, how long you keep it, and what their rights are. In practice, a signed consent form at the start of therapy covers most of this.
2. Keep a record of processing
GDPR expects a register listing your data activities — client records, scheduling, billing, email. It doesn't need to be complex; a simple spreadsheet is enough, but it must exist.
3. Secure the data
Sensitive health data must be stored securely:
- Encryption of digital files
- Strong, unique passwords and access control
- If you use cloud software, a provider that offers appropriate health-data hosting and signs a Data Processing Agreement with you
4. Define a retention period
Keep records only as long as clinically and legally necessary, then delete or anonymize them. Many jurisdictions set a minimum retention period for clinical records — check your local professional body for the exact term that applies to you.
What you must NOT do
- Store client notes in consumer Gmail or Google Drive without a compliant agreement and configuration — these aren't appropriate for special-category health data by default
- Record sessions without explicit, informed consent
- Share information with third parties (family, doctors) without the client's agreement, except where the law requires it
- Use consumer AI like ChatGPT for client notes — it's not GDPR-compliant (see Is It Safe to Use AI for Therapy Notes?)
If a data breach happens
If client data is compromised — a hack, a lost laptop, an email to the wrong person — GDPR gives you 72 hours from the moment you become aware of the breach to notify the relevant supervisory authority when there's a meaningful risk to the people involved. Have a simple plan written down before you ever need it.
Storing notes compliantly when you live abroad
Being outside the EU doesn't remove GDPR; it adds the question of international data transfer. To stay compliant:
- Choose software that hosts EU client data in a GDPR-appropriate region
- Confirm the vendor signs a Data Processing Agreement
- Avoid scattering notes across personal devices and consumer cloud accounts in multiple countries
- Use one compliant system as the single source of truth
This is exactly the gap most US-built tools leave open — and a core reason therapists with EU clients choose GDPR-native software. See how the major tools compare in our best AI therapy notes apps in 2026 roundup.
The bottom line
GDPR compliance isn't an extra bureaucratic burden — it's a natural extension of the professional confidentiality you already practice. Inform, secure, document, and respect your clients' rights, and you're most of the way there. The one trap for international therapists is assuming distance from the EU means distance from the law. It doesn't.