GDPR in a psychology practice is not the same as in other businesses: you process special category data (health), and most non-compliance in practices comes from treating it like ordinary customer data. Fines are scaled to the infringement and the size of the controller; for an individual practice they run from a warning to tens of thousands of euros, and Spain's AEPD has stepped up healthcare inspections since 2024.

This guide explains how to comply with GDPR and LOPDGDD in your practice without becoming a lawyer.

Why clinical data is special category

Article 9 GDPR classes health, genetic, biometric, ethnic-origin and sexual-orientation data, among others, as special category. For a practice this means:

  • Reinforced legal basis: explicit consent (art. 9.2(a)) or another art. 9.2 ground, typically provision of health care by a professional bound by secrecy (art. 9.2(h)).
  • Reinforced security: encryption, access control, traceability (who accessed which record, when).
  • Higher fines: up to €20M or 4% of worldwide turnover, whichever is higher (the GDPR cap).
  • DPIA: mandatory for large-scale processing of health data (art. 35.3(b)); advisable for any centre with more than one practitioner.
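"Traceability" above means an access log that cannot be quietly edited after the fact. The following is an added example (not code from My Psico Agenda or the original article) of a tamper-evident access log: each entry carries an HMAC over itself and the previous entry's tag, so deleting, reordering or rewriting a line breaks verification. The key, log format, user names and patient ids are assumptions constructed for the demo.

```python
"""Tamper-evident access log for clinical records (traceability).

Added example, not My Psico Agenda code. Assumes an append-only JSON-lines
store and an HMAC key held outside the log (secrets manager / KMS).
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumption: in production this key comes from a KMS, never from the code base.
LOG_KEY = b"demo-only-key-replace-with-kms-secret"
GENESIS_TAG = "0" * 64  # tag "before" the first entry


def _tag(key: bytes, prev_tag: str, entry: Dict) -> str:
    """HMAC-SHA256 over the previous tag plus a canonical encoding of the entry."""
    payload = prev_tag.encode() + json.dumps(
        entry, sort_keys=True, separators=(",", ":")
    ).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AccessLog:
    def __init__(self, key: bytes):
        self._key = key
        self._lines: List[str] = []  # one JSON object per line, append-only

    def record(self, user: str, patient_id: str, action: str,
               ts: Optional[datetime] = None) -> Dict:
        """Append an entry; action is read/update/export/delete."""
        entry = {
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "user": user,
            "patient_id": patient_id,  # internal id, never the patient's name
            "action": action,
        }
        prev = json.loads(self._lines[-1])["tag"] if self._lines else GENESIS_TAG
        stored = dict(entry, tag=_tag(self._key, prev, entry))
        self._lines.append(json.dumps(stored, sort_keys=True))
        return stored

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed or reordered line fails."""
        prev = GENESIS_TAG
        for line in self._lines:
            stored = json.loads(line)
            tag = stored.pop("tag")
            if not hmac.compare_digest(tag, _tag(self._key, prev, stored)):
                return False
            prev = tag
        return True

    def accesses_to(self, patient_id: str) -> List[Dict]:
        """Who accessed a record: the answer to a patient's art. 15 access request."""
        return [e for e in map(json.loads, self._lines) if e["patient_id"] == patient_id]


def demo():
    """Constructed sample: three accesses, then an insider rewrites one entry."""
    log = AccessLog(LOG_KEY)
    log.record("dr.ruiz", "P-0042", "read")
    log.record("dr.ruiz", "P-0042", "update")
    log.record("admin", "P-0017", "export")
    ok_before = log.verify()
    # Tampering: the second entry's action is changed in place.
    log._lines[1] = log._lines[1].replace('"update"', '"read"')
    return ok_before, log.verify(), len(log.accesses_to("P-0042"))


if __name__ == "__main__":
    print(demo())  # (True, False, 2)
```

The chain only detects tampering; it does not prevent it. Pair it with write-once storage (or shipping each line to a separate log service) so that an attacker who can edit the log cannot also edit the copy you verify against.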

Informed consent

Each patient signs informed consent with specific GDPR clauses covering:

  • Identification of the controller (you or the centre).
  • Purpose: providing psychological services.
  • Legal basis (explicit consent + healthcare contract).
  • Retention: minimum 5 years from discharge (Ley 41/2002), up to 15 in some regions.
  • Patient rights (ARCO, extended under GDPR with restriction and portability) and how to exercise them.
  • Communication to third parties (only when relevant).

More in our informed-consent template.

Data Processor

Any provider that processes patient data on your behalf is a processor and must sign a data processing agreement (art. 28 GDPR) before it receives any data:

  • Clinical software (My Psico Agenda).
  • Video-call platform.
  • Email provider, if clinical data travels by email.
  • Transcription service.
  • Cloud backup.

Without a DPA you are already non-compliant before any incident occurs, and when one does you have no contractual guarantees (security measures, breach notification, control over sub-processors) to rely on.

ARCO and patient rights

The patient can exercise at any time:

  • Access: a copy of their record, including who has accessed it.
  • Rectification: correct inaccurate data.
  • Erasure (the old "cancellation"): limited; clinical records must be kept for the statutory retention period, during which data is blocked rather than deleted.
  • Restriction: freeze processing while a dispute over accuracy or lawfulness is resolved.
  • Objection: stop processing for marketing or other non-essential purposes.
  • Portability: structured, machine-readable format (JSON or CSV); a PDF satisfies access, not portability.

You must respond within one month of the request, extendable by two further months for complex requests provided you tell the patient within the first month (art. 12.3 GDPR).

GDPR checklist for your practice

  1. ✅ Signed informed consent with GDPR clauses.
  2. ✅ Clinical software with EU servers and a DPA.
  3. ✅ AES-256 encryption at rest.
  4. ✅ Privacy policy published on your website.
  5. ✅ ARCO request procedure.
  6. ✅ Retention per regional regulation.
  7. ✅ Secure deletion at end of treatment.
  8. ✅ Breach notification to the AEPD within 72h of becoming aware, and to affected patients when the risk to them is high.

Frequently asked questions

Most frequent questions about GDPR for psychologists.

How long must I keep clinical history?

5 years minimum from discharge of each care process under state law (Ley 41/2002); some Spanish regions extend this to 15. After that, secure deletion.

Do I need a DPO (Data Protection Officer)?

Not mandatory for a psychologist practising individually. LOPDGDD art. 34.1(l) does require one for health centres legally obliged to keep clinical records under Ley 41/2002, whatever their headcount; the 250-employee figure is a different GDPR threshold (for the record of processing activities) and does not decide the DPO question.

What if a patient requests deletion of their data?

Assess first whether treatment is active or the request comes after discharge. During active treatment the record is needed for care and cannot be erased; after discharge it stays blocked until the retention period expires, and only then is it securely deleted. Non-clinical data (marketing contact details, for instance) can be erased at any time. Document your response and the legal basis you relied on.
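The deadline rule in the patient-rights section and the erasure assessment above combine into one decision that is easy to get wrong by hand (calendar months, leap days, regional retention). The following is an added example, not code from My Psico Agenda or the original article; the record structure, retention figures and sample request are constructed assumptions, and the cited articles are the ones the text relies on (art. 12.3 and 17.3(c) GDPR, art. 32 LOPDGDD on blocking).

```python
"""Assessing an erasure request against clinical retention rules.

Added example, not My Psico Agenda code. Assumes a per-practice minimum
retention in years (5 under state law, up to 15 in some regions) and a
record that knows its discharge date, if any.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; clamps the day (31 Jan + 1 month = 28/29 Feb)."""
    m = d.month - 1 + months
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def response_deadline(received: date, extended: bool = False) -> date:
    """Art. 12.3 GDPR: one month, plus two more only for complex requests
    where the patient was told of the extension within the first month."""
    return add_months(received, 3 if extended else 1)


def retention_expiry(discharged: date, min_years: int) -> date:
    """Earliest date the clinical record may be deleted."""
    return add_months(discharged, 12 * min_years)


@dataclass
class ClinicalRecord:
    patient_id: str
    discharged: Optional[date]  # None while treatment is active


def assess_erasure(rec: ClinicalRecord, received: date, min_years: int) -> Dict:
    """Return the decision and the basis to document in the written response."""
    if rec.discharged is None:
        decision = "refuse"
        basis = ("active treatment: record needed for care "
                 "(art. 17.3(c) GDPR; Ley 41/2002)")
        expiry = None
    else:
        expiry = retention_expiry(rec.discharged, min_years)
        if received < expiry:
            decision = "restrict"
            basis = (f"within statutory retention until {expiry.isoformat()}: "
                     "record blocked, not deleted (art. 32 LOPDGDD)")
        else:
            decision = "erase"
            basis = "retention period elapsed: secure deletion of the clinical record"
    return {
        "patient_id": rec.patient_id,
        "decision": decision,
        "basis": basis,
        "retention_expiry": expiry.isoformat() if expiry else None,
        # Non-clinical data (marketing contact details) is erased regardless.
        "erase_marketing_data": True,
        "respond_by": response_deadline(received).isoformat(),
    }


if __name__ == "__main__":
    # Constructed sample: request received 1 June 2025, practice in a 5-year region.
    sample = ClinicalRecord("P-0042", discharged=date(2022, 3, 10))
    print(assess_erasure(sample, date(2025, 6, 1), min_years=5))
```

The same request in a 15-year region yields "restrict" until 2037; run the function with `min_years=15` to see the expiry move. Keep the returned dictionary with the patient's file: it is the documentation the AEPD will ask for if the patient complains.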

Can I use Google Drive for patient documents?

Only with a DPA-signed Google Workspace contract with EU server option and credentials in your business domain. Personal Drive: no.

What sanction do I risk in case of a breach?

Depends on severity. Breaches notified within 72h with mitigation taken often resolve with a warning. Unreported breaches can reach €10,000-50,000 in individual practices.

Want clinical software that complies with GDPR by default?

My Psico Agenda has EU servers, AES-256 encryption, a DPA and traceability built-in.
