
Clinical documentation

Mental health

Private practice owner

GDPR and therapy session recording: what therapists must know

Essential GDPR compliance guide for therapists using AI documentation tools. Consent, data residency, processor agreements, and patient rights explained

Image: Therapist recording a session with patient consent and GDPR compliance documentation

Recording or transcribing a remote therapy session is not simply a technical decision — it is a legal one. Under the General Data Protection Regulation (GDPR), mental health information sits at the highest level of data sensitivity, and the obligations that flow from that classification affect every private practitioner and institutional clinician who uses a digital documentation tool. As AI documentation tools become more accessible, therapists across Europe increasingly face questions that their training rarely prepared them to answer: What lawful basis do I need? Can I store a transcript? What must I tell my patient? The answers are specific, consequential, and in some cases carry significant financial penalties for non-compliance.

Why GDPR applies with extra force to therapy session data

Mental health data is classified as a special category of personal data under GDPR Article 9, placing it in the same protected tier as genetic data, biometric data, and data concerning racial or ethnic origin. The default position under Article 9(1) is that processing this category of data is prohibited unless one of the ten enumerated exceptions in Article 9(2) applies. This is a materially higher bar than the standard Article 6 lawful basis required for ordinary personal data.

This elevated classification applies regardless of the practice setting. Even a single-person psychotherapy practice must comply with Article 9's requirements in full, because it processes special category health data by definition. The sensitivity of therapy session content — which may include disclosures of trauma, suicidal ideation, sexual identity, or substance use — means that national data protection authorities treat any failure to establish a valid Article 9(2) basis as a serious breach.

GDPR operates as a floor, not a ceiling. Member states may impose additional national-level obligations. Germany's §203 of the Criminal Code, for example, imposes professional secrecy obligations on therapists that interact directly with how session data may be processed or shared. Therapists should verify their specific national requirements with their relevant data protection authority before deploying any documentation tool.

What counts as 'processing' when you record or transcribe a session

Under GDPR, the term 'processing' covers any operation performed on personal data, whether automated or manual. In the context of a remote therapy session, the following all constitute processing:

  • Recording audio or video of the session

  • Generating a real-time or post-session transcript

  • Storing a summary or AI-generated clinical note

  • Passing session content through a third-party AI documentation tool

  • Uploading a recording to a cloud storage service

Processing applies equally to fully automated tools and to manual transcription assisted by technology. There is no exemption for tools described as 'assistive' or 'supportive' rather than fully autonomous. If session content is being handled in any way by a system or service, GDPR's obligations apply from that moment.

The lawful basis therapists must establish before using any documentation tool

Because therapy session data is special category data, therapists must satisfy two distinct legal requirements simultaneously: a lawful basis under Article 6, and a separate condition under Article 9(2).

The two Article 9(2) conditions most relevant to therapists are:

  • Article 9(2)(a): Explicit consent from the data subject

  • Article 9(2)(h): Processing necessary for the provision of health or social care, subject to professional secrecy obligations

Article 9(2)(h) is the most widely applicable condition for healthcare organisations providing direct clinical care. It is subject to the condition that processing is carried out by a professional bound by a legal obligation of secrecy, and it does not automatically extend to every downstream use of session data, such as passing content to an AI tool operated by a third party.

For private practitioners, relying on legitimate interests alone is rarely sufficient for special category data. Explicit consent under Article 9(2)(a) is generally the most defensible route, because it directly documents the patient's agreement to the specific processing activity. Whichever basis is chosen, it must be documented before any processing begins. The therapist, as data controller, bears the burden of demonstrating that a valid basis exists.

What explicit consent actually requires in this context

Valid explicit consent under GDPR has a precise legal meaning. It must be:

  • Freely given: The patient must not face any detriment for refusing

  • Specific: Consent to recording does not imply consent to transcription, AI processing, or sharing with a supervisor — each purpose requires separate consent

  • Informed: The patient must understand what they are consenting to, including who will process their data and how

  • Unambiguous: A pre-ticked box or passive acceptance does not meet the standard

  • Explicit: For special category data, the consent must be expressed clearly and actively — implied consent is insufficient

Consent buried in a general terms and conditions document does not meet this standard. The European Data Protection Board's guidance makes clear that consent must be granular and purpose-specific. A therapist who obtains a patient's signature on a general therapy agreement has not thereby obtained consent to run session audio through an AI transcription service.

Consent must also be obtained before any recording or transcription begins. Retrospective consent — asking a patient after the session whether they minded being recorded — does not satisfy the requirement.
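As an added illustration (not code from this article or from Tandem), the Python below models a small consent ledger that enforces the rules just described: consent is recorded per purpose, only explicit consent counts, it must predate the processing it covers, and withdrawal takes effect going forward only. The purpose names, patient id and timestamps are constructed for the example.

```python
"""Purpose-specific consent gate for session processing (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Distinct purposes: consent to one never implies consent to another.
PURPOSES = {"recording", "transcription", "ai_note_generation", "supervisor_sharing"}


@dataclass
class Consent:
    patient_id: str
    purpose: str
    given_at: datetime
    explicit: bool                      # actively expressed by the patient
    withdrawn_at: Optional[datetime] = None


@dataclass
class ConsentLedger:
    records: list = field(default_factory=list)

    def record(self, c: Consent) -> None:
        if c.purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {c.purpose}")
        self.records.append(c)

    def withdraw(self, patient_id: str, purpose: str, when: datetime) -> None:
        # Withdrawal is dated: earlier processing stays lawful, later does not.
        for c in self.records:
            if c.patient_id == patient_id and c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = when

    def permits(self, patient_id: str, purpose: str, at: datetime) -> tuple[bool, str]:
        """Return (allowed, reason) for carrying out `purpose` at time `at`."""
        matches = [c for c in self.records if c.patient_id == patient_id and c.purpose == purpose]
        if not matches:
            return False, f"no consent recorded for purpose '{purpose}'"
        for c in matches:
            if not c.explicit:
                continue  # pre-ticked box / passive acceptance does not meet the standard
            if c.given_at > at:
                continue  # obtained after the processing: retrospective, invalid
            if c.withdrawn_at is not None and c.withdrawn_at <= at:
                continue  # withdrawn before this processing
            return True, "explicit, prior, unwithdrawn consent on record"
        return False, f"consent for '{purpose}' is not explicit, not prior, or withdrawn"


def demo() -> dict:
    """Constructed scenario: one patient, two sessions, four purposes."""
    ledger = ConsentLedger()
    signed = datetime(2025, 3, 3, 9, 0)          # consent form signed before session 1
    session1 = datetime(2025, 3, 3, 10, 0)
    session2 = datetime(2025, 3, 10, 10, 0)
    ledger.record(Consent("p-001", "recording", signed, explicit=True))
    ledger.record(Consent("p-001", "transcription", signed, explicit=True))
    # AI note generation was only "accepted" via a pre-ticked box.
    ledger.record(Consent("p-001", "ai_note_generation", signed, explicit=False))
    # Supervisor sharing was agreed only after session 1 had ended.
    ledger.record(Consent("p-001", "supervisor_sharing", datetime(2025, 3, 3, 11, 30), explicit=True))
    # Patient withdraws transcription consent between the two sessions.
    ledger.withdraw("p-001", "transcription", datetime(2025, 3, 5, 12, 0))
    return {
        "record_s1": ledger.permits("p-001", "recording", session1)[0],
        "transcribe_s1": ledger.permits("p-001", "transcription", session1)[0],
        "ai_note_s1": ledger.permits("p-001", "ai_note_generation", session1)[0],
        "share_s1": ledger.permits("p-001", "supervisor_sharing", session1)[0],
        "transcribe_s2": ledger.permits("p-001", "transcription", session2)[0],
        "record_s2": ledger.permits("p-001", "recording", session2)[0],
    }
```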

Data minimisation: only capturing what you actually need

Article 5(1)(c) of the GDPR establishes the data minimisation principle: personal data must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed. Applied to therapy documentation, this has direct practical implications.

If a structured clinical note captures everything clinically necessary from a session, retaining the full audio recording or verbatim transcript may not be justifiable under this principle. The relevant question is whether the more granular data serves a purpose that the less granular data cannot.

In practice, this means:

  • AI documentation tools should be configured to generate a structured note and then delete the underlying transcript, unless there is a specific clinical or legal reason to retain it

  • Full session recordings should not be stored by default as a matter of administrative convenience

  • The scope of what the tool captures should be reviewed against what the therapist actually uses

A 2025 review of AI-driven note-generation tools in mental healthcare found that critical information about data handling — including what is retained after a note is generated — was frequently absent from vendor communications. Therapists should ask specific questions rather than rely on general product descriptions.

Where session data can be stored and processed: EU data residency rules

Under GDPR, transferring personal data outside the European Economic Area (EEA) is restricted unless the destination country offers an adequate level of data protection, or an appropriate safeguard such as Standard Contractual Clauses (SCCs) is in place. For special category mental health data, this requirement carries additional weight.

Consumer-grade platforms such as general video conferencing applications — even well-known ones — frequently process and store data on servers outside the EEA, and may not offer the contractual safeguards GDPR requires for health data. A therapist using such a platform for a remote session, with auto-transcription enabled, may be transferring special category data to a third country without a valid legal mechanism.

When evaluating any transcription or AI documentation tool, therapists should ask vendors directly:

  • Where is session data processed? (Which country, which cloud region?)

  • Where is data stored at rest?

  • Are any subprocessors located outside the EEA?

  • If data is processed outside the EEA, what transfer mechanism applies?

EU data residency is a key compliance criterion for any tool handling therapy session content, and vendors should be able to answer these questions in writing.

The data processor relationship: your obligations when using a third-party tool

When a therapist uses an external AI or transcription tool, that vendor becomes a data processor under GDPR. The therapist, as data controller, remains legally responsible for ensuring the processor handles data in accordance with GDPR's requirements.

Article 28 GDPR requires a signed Data Processing Agreement (DPA) between the therapist and any vendor who processes patient data on their behalf. A Data Processing Agreement that meets GDPR requirements must specify:

  • The subject matter, duration, and purpose of the processing

  • The type of personal data and categories of data subjects

  • The obligations and rights of the controller

  • That the processor will only act on documented instructions from the controller

  • The security measures the processor has implemented

  • The processor's obligations regarding subprocessors

  • Provisions for data deletion or return at the end of the contract

The absence of a Data Processing Agreement does not make the processing lawful — it makes it a breach. Therapists should not use any tool that processes patient session data without first obtaining a signed Data Processing Agreement. If a vendor is unwilling or unable to provide one, that is itself a compliance signal.

What you must disclose to patients before using an AI documentation tool

GDPR's transparency obligations under Articles 13 and 14 require that patients are informed about the processing of their data at the point of collection. For therapy sessions, this means patients must be told:

  • What categories of data are being collected (for example, audio recording, transcript, AI-generated note)

  • The identity of the data controller (the therapist or practice)

  • The identity of any data processors (the AI tool vendor)

  • The lawful basis for processing

  • Where data is stored and for how long

  • Their rights, including the right to access, rectify, and request deletion of their data

This disclosure must be delivered in a way that is genuinely informative, not buried in a lengthy document. Best practice for therapists using AI documentation tools includes:

  • Updating the practice's privacy notice to specifically address AI-assisted documentation

  • Providing a verbal explanation before the first session in which the tool is used

  • Offering written confirmation (for example, a one-page summary) that the patient can retain

  • Documenting that the disclosure was given and that consent was obtained

Legal analysis of telemedicine and data protection obligations confirms that transparency requirements apply with full force to digital health interactions, including remote therapy sessions conducted via video platforms.

Retention periods: how long can you keep transcripts or AI-generated notes?

The storage limitation principle under Article 5(1)(e) requires that personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. For therapy session transcripts and AI-generated notes, therapists must define and document a retention period — and apply it.

Several considerations interact here:

  • Professional regulatory body guidelines on clinical record retention set a minimum floor; the required period varies by country and professional body, so therapists should consult their national regulatory body for the applicable minimum

  • AI-generated notes and session transcripts are not automatically subject to the same retention rules as formal clinical records — a verbatim transcript may have a much shorter justifiable retention period than the clinical note derived from it

  • Where a transcript is retained only to generate a note, it should be deleted once that purpose is fulfilled

Therapists should document their retention policy in writing, specifying different periods for different data types (recording, transcript, structured note, patient letter), and ensure that their AI tool vendor's data deletion practices align with that policy.

Security requirements for storing mental health session data

GDPR's Article 32 requires data controllers and processors to implement technical and organisational measures appropriate to the risk. For special category mental health data, the risk level is high by default, and the measures required reflect that.

Minimum security expectations for tools handling therapy session data include:

  • Encryption at rest and in transit: Session recordings, transcripts, and notes must be encrypted both when stored and when transmitted

  • Access controls: Only authorised individuals should be able to access session data, with role-based permissions and authentication requirements

  • Audit trails: Systems should log who accessed what data and when

  • Incident response: Vendors should have documented procedures for detecting and reporting data breaches

Consumer-grade tools — including general video conferencing applications with auto-transcription enabled — are unlikely to meet these requirements without specific enterprise or healthcare-grade agreements in place. The fact that a platform is widely used in clinical settings does not mean it is GDPR-compliant for the processing of special category data without appropriate contractual and technical safeguards.

A 2025 peer-reviewed review of AI note-generation tools in mental healthcare found that while most vendors provided information on data protection and privacy measures on their websites, critical details — including specific security certifications, subprocessor lists, and data deletion practices — were frequently absent. Therapists should not assume compliance; they should verify it.

Practical steps for private practitioners selecting a compliant documentation tool

Private practitioners evaluating AI documentation tools typically do so without institutional IT or legal support. The following checklist covers the minimum due diligence GDPR requires:

  • Confirm EU data residency: Ask the vendor in writing where session data is processed and stored. Confirm that no subprocessors are located outside the EEA, or that adequate transfer mechanisms are in place

  • Obtain a signed Data Processing Agreement: Do not use any tool that processes patient data without a signed Data Processing Agreement that meets Article 28 requirements

  • Check for ISO 27001 certification: ISO 27001 certification indicates that the vendor has implemented an internationally recognised information security management system. It is not a GDPR guarantee, but it is a meaningful baseline indicator

  • Review the subprocessor list: Vendors typically rely on subprocessors (for example, cloud infrastructure providers). Request the full list and assess whether each subprocessor's location and security posture is acceptable

  • Understand the data deletion policy: Confirm how long the vendor retains data after a session, what triggers deletion, and whether you can request deletion of specific records

  • Verify the tool supports patient rights requests: The system must be able to respond to access requests and deletion requests within GDPR's required timeframes

The lack of transparency in vendor communications identified in peer-reviewed research means that therapists should ask specific, written questions rather than relying on marketing materials. A vendor that cannot answer these questions clearly is not a compliant choice.

When a patient withdraws consent or requests deletion

Patients have enforceable rights under GDPR that therapists must be operationally prepared to honour. Two are particularly relevant to AI-assisted documentation.

Right to withdraw consent (Article 7(3)): A patient may withdraw consent to the processing of their data at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal, but it must take effect going forward. Research on implementing consent withdrawal in health data contexts highlights the operational complexity: data may exist across multiple systems — the AI tool, a cloud backup, a local copy — and must be identified and addressed in each.

Right to erasure (Article 17): Where processing was based on consent, a patient who withdraws consent has a right to request deletion of their data. The therapist, as data controller, must act on this request within one month and must instruct any data processors — including the AI tool vendor — to delete the relevant data from their systems.

In practice, therapists should:

  • Document consent withdrawal in writing and record the date

  • Contact the AI tool vendor immediately and request deletion of all session data associated with that patient

  • Obtain written confirmation from the vendor that deletion has been completed

  • Check whether any local copies (for example, downloaded transcripts) also need to be deleted

The right to erasure is not absolute. Where data must be retained to comply with a legal obligation — such as professional regulatory requirements to maintain clinical records for a minimum period — that obligation may override the erasure request in respect of the formal clinical record. Raw transcripts or recordings that go beyond what the clinical record requires are unlikely to benefit from this exception, and should generally be deleted on request.
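The retention rules from the storage limitation section and the erasure limits described here can be enforced with one small policy routine; the Python below is an added example, not the article's or any vendor's code. It keeps a per-type retention period, deletes a transcript or recording once the note it served has been generated, and on an erasure request deletes everything for the patient in every location except formal clinical records still inside their minimum retention period. The ten-year clinical-record period is a placeholder (the article says the minimum varies by country and professional body); all ids, dates and storage locations are constructed.

```python
"""Retention sweep and Article 17 erasure plan for session artefacts (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Per-type retention. None means "only until its purpose (the clinical note) is met".
# The clinical-record period is a PLACEHOLDER, not a figure from the article.
RETENTION = {
    "recording": None,                            # not kept once the note exists
    "transcript": None,                           # not kept once the note exists
    "clinical_note": timedelta(days=365 * 10),    # placeholder regulatory minimum
    "patient_letter": timedelta(days=365 * 10),   # placeholder regulatory minimum
}
LEGAL_HOLD_TYPES = {"clinical_note", "patient_letter"}   # the formal clinical record


@dataclass
class Artefact:
    artefact_id: str
    patient_id: str
    session_id: str
    kind: str        # key of RETENTION
    created: date
    location: str    # where the copy lives: "vendor", "cloud_backup", "local"


def note_exists(artefacts: list[Artefact], session_id: str) -> bool:
    return any(a.kind == "clinical_note" and a.session_id == session_id for a in artefacts)


def due_for_deletion(artefacts: list[Artefact], today: date) -> list[str]:
    """Routine sweep: ids of artefacts whose purpose is fulfilled or whose period expired."""
    due = []
    for a in artefacts:
        period = RETENTION[a.kind]
        if period is None:
            if note_exists(artefacts, a.session_id):
                due.append(a.artefact_id)          # transcript/recording has served its purpose
        elif a.created + period <= today:
            due.append(a.artefact_id)
    return due


def erasure_plan(artefacts: list[Artefact], patient_id: str, today: date) -> dict[str, list[str]]:
    """Erasure request: every copy to delete, and what stays under a legal-obligation hold."""
    delete, retain = [], []
    for a in artefacts:
        if a.patient_id != patient_id:
            continue
        period = RETENTION[a.kind]
        held = a.kind in LEGAL_HOLD_TYPES and period is not None and a.created + period > today
        (retain if held else delete).append(f"{a.location}:{a.artefact_id}")
    return {"delete": sorted(delete), "retain_legal_hold": sorted(retain)}


def demo() -> dict:
    """Constructed inventory: two sessions for p-001, one for another patient."""
    today = date(2025, 6, 1)
    arts = [
        Artefact("r1", "p-001", "s1", "recording", date(2025, 5, 1), "vendor"),
        Artefact("t1", "p-001", "s1", "transcript", date(2025, 5, 1), "vendor"),
        Artefact("t1b", "p-001", "s1", "transcript", date(2025, 5, 1), "local"),   # downloaded copy
        Artefact("n1", "p-001", "s1", "clinical_note", date(2025, 5, 1), "local"),
        Artefact("t2", "p-001", "s2", "transcript", date(2025, 5, 29), "vendor"),  # note not written yet
        Artefact("n0", "p-002", "s9", "clinical_note", date(2025, 5, 20), "local"),
    ]
    return {"sweep": due_for_deletion(arts, today), "erasure": erasure_plan(arts, "p-001", today)}
```

Each entry in the erasure plan names the location, so the request can be forwarded to the vendor, the backup and the local store separately and a written confirmation recorded for each.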

Professional ethics frameworks in mental health practice consistently identify documentation and data governance as core components of clinician accountability. The ability to respond to patient rights requests is increasingly part of that expectation in a digitally mediated clinical environment.

Frequently asked questions

▶ Does GDPR apply to therapy session recordings and transcripts?

Yes. Under the General Data Protection Regulation, mental health data is classified as a special category of personal data under Article 9, placing it at the highest level of data sensitivity. Recording a session, generating a transcript, storing an AI-generated clinical note, or passing session content through a third-party tool all constitute processing under GDPR. This applies to every practitioner who handles session data digitally, including single-person psychotherapy practices.

▶ What lawful basis do therapists need before using an AI documentation tool?

Therapists must satisfy two legal requirements simultaneously: a lawful basis under Article 6 of GDPR, and a separate condition under Article 9(2). The two most relevant Article 9(2) conditions are explicit consent from the patient (Article 9(2)(a)) and processing necessary for the provision of health or social care, subject to professional secrecy obligations (Article 9(2)(h)). For private practitioners, explicit consent is generally the most defensible route, because it directly documents the patient's agreement to the specific processing activity. Whichever basis is chosen, it must be documented before any processing begins.

▶ What does valid explicit consent require when recording or transcribing a therapy session?

Valid explicit consent under GDPR must be freely given, specific, informed, unambiguous, and actively expressed. Consent to recording does not imply consent to transcription, AI processing, or sharing with a supervisor — each purpose requires separate consent. Consent buried in a general terms and conditions document does not meet this standard. It must also be obtained before any recording or transcription begins; retrospective consent does not satisfy the requirement.

▶ What is the data minimisation principle and how does it apply to therapy documentation?

Article 5(1)(c) of GDPR requires that personal data is adequate, relevant, and limited to what is necessary for the purposes for which it is processed. In practice, if a structured clinical note captures everything clinically necessary from a session, retaining the full audio recording or verbatim transcript may not be justifiable. AI documentation tools should be configured to generate a structured note and then delete the underlying transcript, unless there is a specific clinical or legal reason to retain it. Full session recordings should not be stored by default as a matter of administrative convenience.

▶ Can therapy session data be stored or processed outside the European Economic Area?

Transferring personal data outside the European Economic Area is restricted under GDPR unless the destination country offers an adequate level of data protection, or an appropriate safeguard such as Standard Contractual Clauses is in place. Consumer-grade platforms, including general video conferencing applications, frequently process and store data on servers outside the European Economic Area and may not offer the contractual safeguards GDPR requires for health data. Therapists should ask vendors in writing where session data is processed and stored, whether any subprocessors are located outside the European Economic Area, and what transfer mechanism applies if data leaves the region.

▶ What is a Data Processing Agreement and do therapists need one?

When a therapist uses an external AI or transcription tool, that vendor becomes a data processor under GDPR. Article 28 of GDPR requires a signed Data Processing Agreement between the therapist and any vendor who processes patient data on their behalf. The agreement must specify the purpose and duration of processing, the security measures in place, the processor's obligations regarding subprocessors, and provisions for data deletion or return at the end of the contract. The absence of a Data Processing Agreement does not make the processing lawful — it makes it a breach. Therapists should not use any tool that processes patient session data without a signed agreement in place.

▶ What must therapists tell patients before using an AI documentation tool?

GDPR's transparency obligations under Articles 13 and 14 require that patients are informed about the processing of their data at the point of collection. Therapists must tell patients what categories of data are being collected, the identity of the data controller and any data processors, the lawful basis for processing, where data is stored and for how long, and the patient's rights including access, rectification, and deletion. Best practice includes updating the practice's privacy notice to address AI-assisted documentation specifically, providing a verbal explanation before the first session in which the tool is used, and documenting that disclosure was given and consent obtained.

▶ How long can therapists retain transcripts and AI-generated notes?

The storage limitation principle under Article 5(1)(e) of GDPR requires that personal data is kept no longer than is necessary for the purposes for which it is processed. Therapists must define and document a retention period for each data type and apply it consistently. AI-generated notes and session transcripts are not automatically subject to the same retention rules as formal clinical records. Where a transcript is retained only to generate a note, it should be deleted once that purpose is fulfilled. Therapists should confirm that their AI tool vendor's data deletion practices align with their documented retention policy.

▶ What happens if a patient withdraws consent or requests deletion of their session data?

A patient may withdraw consent to the processing of their data at any time under Article 7(3) of GDPR. Where processing was based on consent, the patient also has a right to request deletion of their data under Article 17. The therapist must act on a deletion request within one month and must instruct the AI tool vendor to delete the relevant data from their systems, obtaining written confirmation that deletion has been completed. The right to erasure is not absolute: where data must be retained to comply with a legal obligation, such as professional regulatory requirements for clinical records, that obligation may override the erasure request in respect of the formal clinical record. Raw transcripts or recordings that go beyond what the clinical record requires are unlikely to benefit from this exception.

▶ What security standards should therapists look for when choosing an AI documentation tool?

Article 32 of GDPR requires data controllers and processors to implement technical and organisational measures appropriate to the risk. For special category mental health data, the risk level is high by default. Minimum expectations include encryption of session recordings, transcripts, and notes both at rest and in transit, role-based access controls, audit trails logging who accessed data and when, and documented incident response procedures. ISO 27001 certification indicates that a vendor has implemented an internationally recognised information security management system and serves as a meaningful baseline indicator, though it is not a GDPR guarantee in itself. A 2025 peer-reviewed review of AI note-generation tools in mental healthcare found that critical security details, including specific certifications, subprocessor lists, and data deletion practices, were frequently absent from vendor communications. Therapists should verify compliance directly rather than relying on marketing materials.

Get started with Tandem today

Join thousands of clinicians enjoying stress-free documentation.
