Psychologists handle extremely sensitive patient information every day: diagnoses, clinical histories, session notes, and intimate personal details. This information is classified as special category data under the GDPR (Article 9), which imposes stricter protection obligations than for any other type of personal data.
This guide explains exactly what you need to do to comply with data protection regulations in your psychology practice, without the need for lawyers or complex documentation.
## Why Psychologists Face a Higher Risk of Non-Compliance
Mental health data is the most heavily protected by European legislation. Unlike an online store that only stores emails and addresses, your practice processes:
- Psychological diagnoses and assessments
- Treatment histories
- Clinical session notes
- Medication information
- Intimate personal details about the patient’s life
Real consequences of non-compliance:
| Type of penalty | Amount / Consequence |
|---|---|
| GDPR fine (serious infringements) | Up to 20 million EUR or 4% of global turnover |
| Penalty from the College of Psychologists (COP) | From a warning to suspension from practice |
| Reputational damage | Loss of patients and professional trust |
In 2024, the healthcare sector received 237 fines totalling 22.8 million euros across Europe. The Spanish Data Protection Agency (AEPD) is one of the most active, with over 900 sanctioning proceedings annually.
## Code of Ethics and GDPR: Complementary Obligations
As a registered psychologist in Spain, you have a dual obligation: comply with the GDPR and adhere to the Code of Ethics of the General Council of Psychology of Spain (Consejo General de la Psicología de España).
### Key Articles of the Code of Ethics
| Article | Obligation | Relationship with the GDPR |
|---|---|---|
| Art. 40 | All information from professional practice is subject to professional secrecy | Aligns with the GDPR’s confidentiality principle |
| Art. 41 | Professional secrecy is maintained even after the patient’s death | Exceeds the GDPR’s minimum requirements |
| Art. 42 | Secrecy can only be broken with express consent or a court order | Aligns with the GDPR’s legal bases |
Important: A deontological complaint can lead to the opening of proceedings by the AEPD, and vice versa. Complying with the GDPR strengthens your position before the College, and adhering to the Code of Ethics helps you demonstrate due diligence before the data protection authority.
## Mandatory Documents for Your Practice
To comply with the GDPR, you need to have the following documents prepared and up to date:
### 1. Privacy Policy
It must inform patients about:
- The identity of the data controller (you)
- The purposes of data processing
- The legal basis for processing
- Data recipients
- Retention periods
- Patient rights (access, rectification, erasure, etc.)
- Contact details for exercising rights
Where to place it: On your website (linked in the footer), in the waiting room, and as a physical copy handed over at the start of the therapeutic relationship.
### 2. Informed Consent for Data Processing
Unlike other sectors, health data requires the patient’s explicit consent. This consent must be:
- Specific: For each purpose (clinical treatment, billing, etc.)
- Informed: The patient must understand what data is processed and why
- Unambiguous: It requires a clear affirmative action (signature, checked checkbox)
- Revocable: The patient can withdraw it at any time
Verbal consent is not sufficient. You must document it in writing and retain proof that it was obtained.
### 3. Record of Processing Activities
If you process special category data (and health data qualifies), you are required to maintain an internal record documenting:
- What data you collect
- What you use it for
- Who you share it with
- How long you retain it
- What security measures you apply
This record is not provided to patients, but the AEPD can request it during an inspection.
### 4. Data Processing Agreement
If you use external services that access patient data, you need a specific data protection contract. Common examples include:
- Appointment management software
- Video conferencing platforms for online therapy
- Cloud storage services
- Accounting or tax advisory firms
The contract must specify what the provider can and cannot do with your patients’ data.
## Processing Health Data: Specific Requirements
### Legal Basis for Processing
To process health data, you need a specific legal basis under Article 9 of the GDPR. In private clinical practice, the most common bases are:
| Legal basis | When it applies |
|---|---|
| Explicit consent (Art. 9.2.a) | Always recommended for the therapeutic relationship |
| Medical diagnosis or treatment (Art. 9.2.h) | When processing is necessary for healthcare provision |
| Vital interest (Art. 9.2.c) | Only in emergencies where the patient cannot consent |
Practical recommendation: Always obtain explicit consent at the start of the therapeutic relationship. It is the most robust legal basis and protects you against any claim.
### Mandatory Security Measures
The GDPR requires “appropriate technical and organisational measures” to protect data. For a psychology practice, this means at a minimum:
Physical security:
- Locked filing cabinets if you keep paper records
- Locked office when you are not present
- Shredding of documents before disposal
Digital security:
- Strong passwords on all devices and accounts
- Full-disk encryption on every computer (and any external drive) where you store records
- Secure connection (HTTPS) if you use online software
- Regular backups
- Up-to-date antivirus software
Organisational security:
- Do not discuss identifiable cases in public spaces
- Data protection training if you have staff
- Incident response protocol for security breaches
## Clinical Data Retention Periods
One of the most frequently asked questions: how long should I keep my patients’ records?
### Spanish Regulations
| Type of document | Minimum retention period | Legal basis |
|---|---|---|
| Clinical record | 5 years from last consultation | Ley 41/2002 (Patient Autonomy Act) |
| Tax documentation | 4 years | General Tax Law (Ley General Tributaria) |
| Informed consent forms | Duration of treatment + statute of limitations period | GDPR + Ley 41/2002 |
### COP Recommendation
The General Council of Psychology (COP) recommends retaining clinical documentation for 7 to 10 years after the end of the therapeutic relationship, especially in cases involving:
- Minors
- Forensic evaluations
- Serious or chronic conditions
After the retention period expires: Data must be securely deleted. Simply deleting files is not enough; use secure deletion software for digital records and shred paper documents.
## Patient Rights: How to Respond to Requests
Your patients have specific rights under the GDPR. You must respond within a maximum of one month (extendable to three months in complex cases).
### Right of Access
The patient can request a copy of all data you hold about them. You must provide:
- A copy of the clinical record
- Information about who you have shared their data with
- The retention periods you apply
Important exception: You may restrict access to the professional’s subjective notes if you consider they could be harmful to the patient. However, you must document the justification.
### Right to Rectification
If the patient identifies incorrect data, you must correct it. This does not mean you must alter your clinical judgement, but you must correct factual errors (date of birth, address, etc.).
### Right to Erasure (“Right to Be Forgotten”)
The patient can request that you delete their data. However, in the healthcare context, there are limitations:
- You cannot delete data while a legal obligation to retain it exists
- You can refuse erasure if the data is necessary for the defence of legal claims
Always document the justification if you deny an erasure request.
### Right to Data Portability
The patient can request that you transfer their records to another professional. You must provide them in a structured electronic format (PDF, XML) if requested.
## Most Common Mistakes Made by Psychologists
Based on actual AEPD sanctions and deontological complaints, these are the most frequent errors:
### 1. No Privacy Policy
The problem: Practice website with no link to a privacy policy, or no privacy policy at all.
The penalty: Minimum fine of 40,000 EUR for violation of the right to information.
The solution: Publish a privacy policy that covers the points listed above and link it from the footer of every page of your website.
### 2. Contact Form Without Data Protection Information
The problem: Your website’s contact form collects name, email, and reason for consultation without informing about data processing.
The penalty: Violation of the duty to inform, sanctionable depending on severity.
The solution: Add an acceptance checkbox to the form that links to your privacy policy, so that no data is submitted until the patient has been informed.
### 3. Sending Reports via Unencrypted Email
The problem: You send psychological reports or diagnoses by email without any protection.
The penalty: Security breach involving special category data. Significant fines.
The solution: Use an email service that encrypts messages, or protect the document with a password and send that password through a different channel (never in the same email thread).
### 4. No Documented Consent
The problem: “The patient gave me verbal consent.”
The penalty: Without documentary evidence, consent is considered non-existent.
The solution: Written, signed consent before starting treatment.
### 5. Sharing Cases on Social Media or in Supervision Without Anonymisation
The problem: Publishing “anonymised” clinical cases with enough detail to identify the patient.
The penalty: Breach of professional secrecy + GDPR infringement.
The solution: True anonymisation means that nobody, including the patient themselves, can recognise the case.
## Compliance Checklist for Your Practice
Use this list to verify that your practice meets the basic requirements:
### Documentation
- I have an up-to-date and accessible privacy policy
- I use written informed consent for data processing
- I have a record of processing activities
- I have signed contracts with providers who access patient data
### Website and Communications
- My website has a privacy policy linked in the footer
- My website has a legal notice with the data controller’s details
- Contact forms include data protection information
- I have a cookie banner if I use non-essential cookies
- My emails include data protection information in the signature
### Security
- Digital records are password-protected
- Physical files are kept under lock and key
- I use secure connections (HTTPS) for online software
- I have backups of clinical documentation
- I have a protocol for notifying security breaches
### Patient Rights
- I know how to respond to access requests within one month
- I have documented data retention periods
- I know the exceptions to the right to erasure in the healthcare context
### Code of Ethics
- I maintain professional secrecy even after the therapeutic relationship ends
- I do not discuss identifiable cases in public settings
- I document the justification if I need to break professional secrecy
## Comply in 5 Minutes with GDPR.Direct
Preparing all of this documentation manually can take days. Hiring a specialist lawyer costs between 2,000 EUR and 5,000 EUR.
GDPR.Direct lets you generate all the documents you need in minutes:
- Privacy policy tailored to psychology practices
- Record of processing activities pre-configured for health data
- Data processing agreements
- Documents automatically updated when regulations change
Get started for free with GDPR.Direct →