Mental health practitioners across Europe are increasingly being approached by vendors offering AI documentation assistants that promise to reduce the time spent writing clinical notes after therapy sessions. The appeal is real: administrative burden in psychological and psychotherapeutic practice is substantial, and anything that frees up cognitive and emotional capacity for the clinical work itself is worth examining. But therapy is not a standard clinical encounter. What is disclosed in a therapy session — trauma histories, suicidal ideation, sexual identity, relationship violence, psychotic experiences — sits at the most sensitive end of the personal data spectrum. Before any therapist in Europe introduces an AI documentation assistant into their practice, there are legal, ethical, and clinical questions that demand careful answers.

Why AI documentation assistants raise distinct questions in therapy

The documentation challenge in mental health is categorically different from, say, a GP recording a blood pressure reading or a physiotherapist noting a range of movement. Therapy sessions generate disclosures that patients may never have shared with anyone else. The content of those sessions — the precise language a patient uses, the associations they make, the fears they name — is not just clinically sensitive. In many cases, it is constitutive of the therapeutic relationship itself.

An AI documentation assistant that listens to, transcribes, and structures that content introduces a layer of data processing that has no equivalent in most other clinical settings. A 2025 peer-reviewed narrative review in DIGITAL HEALTH found that AI tools in mental health frequently operate in legal grey areas regarding consent, data usage, and cross-border data flows, and that GDPR offers only baseline protections that do not yet account for the unique ethical and clinical nuances of AI-based mental health interventions.

The professional obligations are correspondingly layered. Therapists are bound not only by data protection law but by the ethical codes of their professional associations, the confidentiality obligations intrinsic to their therapeutic modality, and, in many European jurisdictions, specific statutory protections for mental health records that go beyond general health data rules.

How GDPR applies differently to mental health data

Under GDPR compliance in healthcare, data revealing a person's health status is already a special category under Article 9 — but the content of a therapy session goes further still. It may simultaneously engage multiple Article 9 categories: health data, data concerning sexual orientation or gender identity, data revealing religious or philosophical beliefs, and data about a person's mental state. This is not a theoretical point. It has direct implications for which lawful basis a practitioner can rely on when processing session content through an AI tool.

The default position under Article 9 is that processing special category data is prohibited unless one of a closed list of exceptions applies. For most therapy documentation, the operative exception will be either explicit consent (Article 9(2)(a)) or processing necessary for the purposes of preventive or occupational medicine and the provision of health care (Article 9(2)(h)), combined with Article 9(3), which requires that processing under (h) is carried out by or under the responsibility of a professional subject to an obligation of professional secrecy.

What this means in practice is that a therapist cannot simply invoke "legitimate interest" to justify feeding session content into an AI documentation tool. Legitimate interest is a basis available for ordinary personal data, not for special category data. As noted in a 2025 arXiv review on privacy-preserving mental health AI, therapy sessions must be recorded only with explicit, informed patient consent, with clear details on anonymisation, secure storage, and data use. The threshold is higher, the documentation requirements are stricter, and the consequences of getting it wrong are more serious.

A practical implication: therapists who are self-employed or working in small private practices bear this compliance responsibility directly. They are the data controller. The AI vendor, if they process data on the therapist's behalf, is a data processor, and the legal relationship between the two must be formalised in a written Data Processing Agreement before any data is shared.

Consent in therapy is not the same as consent in a GP appointment

GDPR requires that consent be freely given, specific, informed, and unambiguous. In a therapeutic relationship, the "freely given" requirement deserves particular scrutiny. Patients in therapy are often in a position of psychological vulnerability and emotional dependency. There is an inherent power differential between therapist and patient that does not exist in the same way in, for example, a routine GP consultation. Consent to AI-assisted documentation in therapy must therefore be handled with particular care to ensure it is genuinely voluntary.

The American Psychological Association's 2025 ethical guidance on AI in psychological practice emphasises the importance of informed consent and the obligation on practitioners to critically evaluate AI-generated clinical content before applying it. While this guidance is US-origin, European professional associations widely reference it, and its principles translate directly into European ethical frameworks.

A valid, GDPR-compliant consent process for AI documentation in therapy should include, at minimum:

• A clear explanation of what the AI tool does, specifically that it listens to, transcribes, and/or structures session content

• The identity of the AI vendor and the country in which data is processed and stored

• What data is retained, for how long, and who can access it

• An explicit statement that consent is separate from consent to treatment, and that withholding or withdrawing consent for AI documentation will not affect the quality of care provided

• A mechanism for the patient to withdraw consent at any time, with a clear explanation of what happens to previously processed data upon withdrawal

That last point is critical. If a patient withdraws consent and the vendor cannot demonstrate that their data has been deleted from training sets, logs, or processing infrastructure, the practitioner may face a compliance problem that is difficult to resolve retrospectively.

Data residency and processing: what to ask your AI vendor

For European therapists, data residency is not a technical detail — it is a legal requirement. Under GDPR, transferring personal data outside the European Economic Area is restricted unless specific safeguards are in place (adequacy decisions, Standard Contractual Clauses, or equivalent mechanisms). Given that therapy session content is Article 9 special category data, the bar for demonstrating adequate protection in any third-country transfer is correspondingly high.

Before selecting an AI documentation assistant, practitioners should obtain clear written answers to the following questions from any vendor:

• Where is data processed? Is audio transcription performed on-device, on servers within the EU/EEA, or in a third country?

• Where is data stored? Is the medical record system integration or note storage infrastructure located within the EU/EEA?

• Is the vendor acting as a data processor? If so, is a compliant Data Processing Agreement in place before any data is shared?

• What does the Data Processing Agreement specify? It should cover the subject matter and duration of processing, the nature and purpose of processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.

• Does the vendor hold ISO 27001 certification (an internationally recognised information security standard) or equivalent, and has a Data Protection Impact Assessment been conducted for this processing activity?

• Is data used for model training? If session content is used to train or fine-tune AI models, this constitutes a separate processing purpose requiring its own lawful basis and, almost certainly, explicit consent.

A 2025 arXiv review on clinical mental health AI datasets notes that GDPR places strict limitations on the use and sharing of sensitive health information, complicating both the creation of representative datasets and the deployment of AI tools in psychotherapy contexts. Treat any vendor that is vague about data residency or reluctant to provide a written Data Processing Agreement as a significant compliance risk.

The therapeutic relationship and the "third presence" problem

Beyond the legal framework, there is a clinical and ethical concern that has no straightforward regulatory answer: does the presence of an AI documentation assistant, even one operating silently in the background, alter the therapeutic relationship?

This is not a hypothetical concern. The therapeutic alliance, meaning the quality of the collaborative relationship between therapist and patient, is one of the most robust predictors of therapy outcomes across modalities. Anything that affects a patient's sense of felt safety, trust, or willingness to disclose is therefore clinically significant. Some patients, on learning that their words are being transcribed and processed by an AI system, may self-censor. Others may find the knowledge reassuring if it is presented transparently. The effect is not uniform, and researchers have not yet studied it in depth in the specific context of AI documentation tools.

A landmark JAMA Psychiatry study published in March 2026, the largest study to date on AI ambient scribes in psychiatric documentation, found that while AI scribes in primary care increased the documentation of neuropsychiatric symptoms, they were associated with a significantly lower likelihood of documented psychiatric intervention (referral, new diagnosis, or antidepressant prescription) compared with contemporaneous unscribed visits (adjusted odds ratio 0.83; 95% CI, 0.72 to 0.95). The authors note that further study is required to determine whether these changes are associated with differential patient outcomes. This finding does not establish causation, and the study was conducted in primary care rather than specialist psychotherapy settings. It does, however, represent an important caution against assuming that more documentation automatically translates into better clinical care.

Practitioners should evaluate, before deployment and on an ongoing basis, whether the tool's presence is affecting patient disclosure or the quality of the therapeutic encounter. This may involve directly asking patients about their experience, monitoring for changes in session content or depth of disclosure, and being willing to discontinue use of the tool with specific patients where clinical judgement suggests it is affecting the work.

What goes into the clinical notes, and what should not

AI documentation assistants do not make documentation decisions — the clinician does. This is not just an ethical principle; it is a legal one. As one practitioner-facing legal explainer makes clear, clinicians bear full responsibility for the accuracy of AI-generated notes. An AI-generated draft saved to the medical record system without review becomes the clinician's document, carrying the same legal and professional weight as a note written entirely by hand.

In therapy, this review obligation is particularly consequential. Session content that may be appropriate to hold in the therapist's mind, such as a patient's disclosure about a past abusive relationship, an expression of ambivalence about self-harm, or a reference to a named third party, is not necessarily appropriate to record verbatim in a structured clinical note. That note may be accessible to other healthcare providers, subject to a subject access request, or subpoenaed in legal proceedings.

Practitioners should establish, before deployment, a clear workflow for what the AI assistant captures and what is reviewed, edited, and redacted before saving. Specific categories requiring particular care include:

• Safeguarding disclosures: content that may trigger mandatory reporting obligations should be documented with precision and in accordance with local safeguarding protocols, not left to an AI draft

• Third-party identifiers: names of individuals mentioned by the patient (partners, family members, colleagues) should generally not appear in structured clinical notes

• Sensitive identity markers: sexual orientation, gender identity, immigration status, and similar information disclosed in session requires careful handling; its presence in an AI-generated note may not be appropriate or necessary

• Risk assessments: documentation of suicidal ideation, self-harm, or risk to others carries specific clinical and legal weight and should be written or reviewed with corresponding care

Research using natural language processing of psychotherapy notes for suicide risk prediction has demonstrated that the language used in therapy notes is clinically informative, but also that the predictive value of such analysis is modest and context-dependent. The fact that AI systems can extract meaningful signal from therapy notes is precisely why practitioners must be deliberate about what enters those notes in the first place.

Obligations under national mental health and data protection law

GDPR sets a floor, not a ceiling. Several European countries have enacted national legislation that imposes additional requirements on the processing of mental health data, and practitioners must verify their obligations under domestic law before deploying any AI documentation tool.

A non-exhaustive overview of the national landscape:

• Germany: The Bundesdatenschutzgesetz (Federal Data Protection Act) supplements GDPR with additional provisions, and psychotherapists are subject to strict professional secrecy obligations (Schweigepflicht) under §203 of the Criminal Code. Breaching professional secrecy, including through inadequate data processing arrangements, carries criminal liability.

• France: The Commission Nationale de l'Informatique et des Libertés (National Commission on Informatics and Liberty) has issued specific guidance on health data processing and has regulatory oversight of AI systems handling health data. French practitioners should consult this guidance before deployment.

• The Netherlands: The Autoriteit Persoonsgegevens (Dutch Data Protection Authority) enforces GDPR with particular attention to health data. Dutch mental health practitioners are also subject to the WGBO (medical treatment contract act) and the BIG register obligations.

• Ireland: The Data Protection Commission has enforcement authority and has been active in cross-border data transfer cases. Irish practitioners should also be aware of the Mental Health Act 2001 and its documentation obligations.

• Italy: The Italian Data Protection Authority (Garante) has taken enforcement action against AI companies handling health data, including temporary restrictions and significant fines. Italian practitioners should review the Garante's published decisions before deploying AI documentation tools.

The practical advice is straightforward: before deploying any AI documentation tool, verify your obligations with your national data protection authority, your professional regulatory body, and your professional indemnity insurer.

Medical Device Regulation: when does an AI documentation assistant become a medical device?

The boundary between an AI documentation tool and a medical device is not always obvious, and it matters because the regulatory obligations are substantially different.

Under the EU AI Act and Medical Device Regulation (MDR 2017/745), software is classified as a medical device if it is intended to be used for a medical purpose, including diagnosis, prevention, monitoring, prediction, or treatment of disease. A 2025 peer-reviewed analysis published in the European Heart Journal – Digital Health examined how the EU AI Act interacts with the Medical Device Regulation for healthcare AI, noting that high-risk AI medical devices are subject to dual regulation under both frameworks, with corresponding transparency and conformity assessment obligations.

For AI documentation assistants in therapy, the relevant distinction is:

• A tool that only transcribes speech and structures clinical notes, without interpreting clinical content, flagging risk, or generating clinical recommendations, is generally not classified as a medical device under the Medical Device Regulation.

• A tool that analyses session content to flag suicide risk, suggest diagnoses, or support clinical decision-making is likely to require Medical Device Regulation classification and conformity assessment, and may also be classified as high-risk AI under the EU AI Act.

The EU AI Act analysis from PMC notes a specific provision in Recital 29 that carves out AI systems used for lawful psychological treatment with explicit patient consent. This carve-out applies to prohibited AI practices such as emotion recognition, not to the general regulatory obligations on high-risk AI systems. Practitioners should not assume that any AI tool used in a therapeutic context is automatically exempt from Medical Device Regulation or EU AI Act requirements.

Before adopting any AI documentation assistant, ask the vendor directly: what is the regulatory classification of this tool under the EU Medical Device Regulation and the EU AI Act? A reputable vendor should be able to provide a clear, documented answer.

A practical pre-deployment checklist for mental health practitioners

The following steps represent a minimum standard of due diligence before introducing an AI documentation assistant into a therapy practice in Europe. They are not exhaustive, and practitioners should supplement them with advice from their professional association and legal counsel as appropriate.

Vendor due diligence

• Confirm EU/EEA data residency for both processing and storage

• Obtain and review a signed Data Processing Agreement before any data is shared

• Verify ISO 27001 certification or equivalent security posture

• Confirm the tool's regulatory classification under the EU Medical Device Regulation and EU AI Act

• Clarify whether session data is used for model training and on what lawful basis

Consent and patient communication

• Develop a written consent process that is separate from general treatment consent

• Ensure the consent document explains what the tool does, who the vendor is, where data goes, and how long it is retained

• Confirm that patients can decline AI documentation without any effect on their care

• Establish a clear process for handling consent withdrawal, including data deletion requests

Note review workflow

• Define which parts of session content the AI assistant is permitted to capture

• Establish a mandatory review and editing step before any AI-generated note is saved to the medical record system

• Identify categories of content (safeguarding, third-party names, sensitive identity markers, risk assessments) that require particular care or manual documentation

• Document the review workflow in your practice's data protection policy

Regulatory and professional obligations

• Verify national requirements with your data protection authority and professional regulatory body

• Conduct a Data Protection Impact Assessment — this is mandatory under GDPR Article 35 for large-scale processing of special category data, and strongly advisable even for smaller practices

• Notify your professional indemnity insurer and confirm that AI-assisted documentation is covered under your policy

Ongoing monitoring

• Regularly review whether the tool's presence is affecting therapeutic disclosure or the quality of sessions

• Monitor AI-generated notes for accuracy, completeness, and appropriateness of content

• Stay informed about updates to the EU AI Act implementation timeline, Medical Device Regulation guidance, and national regulatory developments

The American Psychological Association's ethical guidance frames the clinician's responsibility clearly: the obligation to critically evaluate AI-generated clinical content before applying it is not a one-time assessment but an ongoing professional duty. In the context of therapy, where the stakes of documentation errors are high and the content is uniquely sensitive, that duty is particularly demanding.

Frequently asked questions

▶ Why does AI documentation in therapy raise different concerns than in other clinical settings?

Therapy sessions generate disclosures that patients may never have shared with anyone else. The content — trauma histories, suicidal ideation, sexual identity, relationship violence — simultaneously engages multiple special category data types under Article 9 of the General Data Protection Regulation (GDPR). A 2025 peer-reviewed narrative review in DIGITAL HEALTH found that AI tools in mental health frequently operate in legal grey areas regarding consent, data usage, and cross-border data flows. That combination of clinical sensitivity and regulatory complexity makes therapy a categorically different environment from, say, a GP recording a blood pressure reading.

▶ What lawful basis can a therapist rely on when processing session content through an AI documentation assistant?

Therapists cannot rely on legitimate interest, which is only available for ordinary personal data, not special category data. The operative basis will typically be either explicit consent under Article 9(2)(a) of GDPR, or processing necessary for the provision of health care under Article 9(2)(h), combined with Article 9(3), which requires that processing is carried out by or under the responsibility of a professional subject to an obligation of professional secrecy. The threshold is higher than for general health data, the documentation requirements are stricter, and the consequences of getting it wrong are more serious.

▶ What must a valid consent process for AI documentation in therapy include?

A GDPR-compliant consent process should include a clear explanation of what the AI tool does, the identity of the vendor and the country where data is processed and stored, what data is retained and for how long, and an explicit statement that withholding or withdrawing consent for AI documentation will not affect the quality of care provided. It must also include a mechanism for the patient to withdraw consent at any time, with a clear explanation of what happens to previously processed data upon withdrawal. Because patients in therapy are often in a position of psychological vulnerability, the "freely given" requirement deserves particular scrutiny.

▶ What questions should a therapist ask an AI vendor before sharing any session data?

Before selecting an AI documentation assistant, practitioners should obtain written answers to the following: where is data processed and stored (specifically, whether it remains within the European Economic Area); whether the vendor is acting as a data processor and whether a compliant Data Processing Agreement is in place; whether the vendor holds ISO 27001 certification or equivalent; whether a Data Protection Impact Assessment has been conducted; and whether session data is used for model training. Any vendor that is vague about data residency or reluctant to provide a written Data Processing Agreement should be treated as a significant compliance risk.

▶ Can the presence of an AI documentation assistant affect the therapeutic relationship?

This is a genuine clinical concern. The therapeutic alliance — the quality of the collaborative relationship between therapist and patient — is one of the most robust predictors of therapy outcomes across modalities. Some patients, on learning that their words are being transcribed and processed by an AI system, may self-censor. A landmark JAMA Psychiatry study published in March 2026, the largest study to date on AI ambient scribes in psychiatric documentation, found that AI scribes were associated with a significantly lower likelihood of documented psychiatric intervention compared with unscribed visits. Practitioners should evaluate, before deployment and on an ongoing basis, whether the tool's presence is affecting patient disclosure or the quality of the therapeutic encounter.

▶ Who is legally responsible for the accuracy of AI-generated therapy notes?

The clinician bears full responsibility. An AI-generated draft saved to the medical record system without review becomes the clinician's document, carrying the same legal and professional weight as a note written entirely by hand. In therapy, this review obligation is particularly consequential because session content that may be appropriate to hold in the therapist's mind is not necessarily appropriate to record verbatim in a structured clinical note. That note may be accessible to other healthcare providers, subject to a subject access request, or subpoenaed in legal proceedings.

▶ What categories of session content require particular care when reviewing AI-generated notes?

Practitioners should pay particular attention to four categories. First, safeguarding disclosures that may trigger mandatory reporting obligations should be documented with precision and in accordance with local safeguarding protocols, not left to an AI draft. Second, names of third parties mentioned by the patient should generally not appear in structured clinical notes. Third, sensitive identity markers such as sexual orientation, gender identity, and immigration status require careful handling. Fourth, documentation of suicidal ideation, self-harm, or risk to others carries specific clinical and legal weight and should be written or reviewed with corresponding care.

▶ Does GDPR provide sufficient protection for mental health data processed by AI tools?

GDPR sets a floor, not a ceiling. A 2025 peer-reviewed narrative review in DIGITAL HEALTH found that GDPR offers only baseline protections that do not yet account for the unique ethical and clinical nuances of AI-based mental health interventions. Several European countries have enacted national legislation that imposes additional requirements. Germany's psychotherapists are subject to strict professional secrecy obligations under §203 of the Criminal Code, with criminal liability for breaches. France, the Netherlands, Ireland, and Italy each have national data protection authorities with specific guidance or enforcement activity relevant to mental health AI. Practitioners should verify their obligations with their national data protection authority and professional regulatory body before deploying any AI documentation tool.

▶ When does an AI documentation assistant become a medical device under EU law?

A tool that only transcribes speech and structures clinical notes, without interpreting clinical content or generating clinical recommendations, is generally not classified as a medical device under the EU Medical Device Regulation (MDR 2017/745). A tool that analyses session content to flag suicide risk, suggest diagnoses, or support clinical decision-making is likely to require MDR classification and conformity assessment, and may also be classified as high-risk AI under the EU AI Act. A 2025 peer-reviewed analysis in the European Heart Journal – Digital Health notes that high-risk AI medical devices are subject to dual regulation under both frameworks. Practitioners should ask any vendor directly for the tool's regulatory classification under both the MDR and the EU AI Act.

▶ Is a Data Protection Impact Assessment required before deploying an AI documentation assistant in a therapy practice?

A Data Protection Impact Assessment is mandatory under GDPR Article 35 for large-scale processing of special category data, and strongly advisable even for smaller practices. Beyond this, practitioners should notify their professional indemnity insurer and confirm that AI-assisted documentation is covered under their policy. Ongoing obligations also apply: practitioners should regularly review whether the tool's presence is affecting therapeutic disclosure, monitor AI-generated notes for accuracy and appropriateness, and stay informed about updates to the EU AI Act implementation timeline and national regulatory developments.