GDPR & Client Records: The Complete 2026 Guide for Therapists and Psychologists in France
Everything you need to know about GDPR compliance as a psychologist, psychotherapist, or coach in private practice in France: processing register, data retention, security measures, CNIL enforcement, penalties, and compliant practice management software.
Author: FYL.CARE Team

The General Data Protection Regulation (GDPR) applies to every independent healthcare professional in France, including psychologists, psychotherapists, and coaches. Since it came into force on May 25, 2018, the French data protection authority (CNIL) has significantly stepped up enforcement: over €108,000 in simplified-procedure fines since May 2025, and penalties of up to €20 million or 4 % of worldwide annual turnover, whichever is higher, in standard proceedings.
Yet surveys by professional associations suggest that most independent psychologists still lack a processing register, and many use non-compliant tools — paper notebooks in shared spaces, unencrypted cloud backups, or practice management software hosted outside the EU.
This guide covers your 7 key obligations, the most common mistakes, and how to fix them — including with a GDPR-compliant, completely free practice management tool.
Free. No credit card. Forever. FYL.care is GDPR-compliant, hosted in Europe, and has no premium tier. No tricks.
1. GDPR applies to you — yes, even as a solo practitioner
A common misconception: GDPR is only for big companies. The truth is, as soon as you collect personal data — name, email, phone number, and especially health data (session notes, diagnoses, psychological assessments) — you are a data controller under GDPR.
GDPR covers:
- Your digital files (practice management software, spreadsheets, emails)
- Your paper records (handwritten notes, intake forms)
- Your communications (emails with patients, SMS, messaging apps)
Health data is classified as special category data (Article 9 of GDPR): processing it is prohibited unless one of the Article 9(2) exceptions applies, and it requires enhanced protection.
2. You no longer need to declare your files to the CNIL
Good news: since GDPR took effect, prior notification to the CNIL is no longer required for standard practice-management processing. No more paper forms to mail in. Nor does a solo practitioner normally need a data protection impact assessment (DPIA): the CNIL's list of processing exempt from a DPIA includes patient management by individual healthcare professionals.
In return, you must maintain a register of processing activities (Article 30 GDPR). This register is your compliance reference document. It lists every processing activity you perform, its purpose, recipients, retention periods, and security measures.
What to document:
- Appointment scheduling
- Client records (session notes, assessments)
- Billing and receipts
- Email communications
- Professional social media account management
The CNIL provides simplified register templates for independent healthcare professionals. You don't need to submit this register — but you must be able to present it upon request during an inspection.
3. You must inform patients — but you don't need their consent
Contrary to popular belief, you do not need explicit consent to collect and store your patients' health data when you are a professional bound by professional secrecy: Article 9(2)(h) GDPR allows health data to be processed for the provision of health care, on condition (Article 9(3)) that it is handled by or under the responsibility of someone subject to a secrecy obligation. You still need an ordinary Article 6 lawful basis for the processing as a whole, such as the performance of a task carried out in the public interest. A coach who is not bound by professional secrecy cannot rely on this exception and generally needs the client's explicit consent (Article 9(2)(a)) before recording anything health-related.
However, you must clearly inform your patients:
- that you collect and process their data
- for what purposes (therapy, billing, etc.)
- how long you keep it
- of their rights (access, rectification, erasure, portability)
- that they can file a complaint with the CNIL
How to do it: Add a privacy notice to your intake form, therapy contract, or website. A single paragraph at the bottom of your client information sheet is sufficient — no need for a 30-page privacy policy.
4. Data retention: how long should you keep client records?
This is the most common question among independent therapists in France. Here are the rules:
Client records:
- Health data (session notes, reports): keep 20 years from the last consultation (Council of State opinion and MACSF recommendation)
- The 10-year civil liability limitation period (Article L1142-28 of the Public Health Code) runs from consolidation of the damage, not from the consultation, which is why the prudent retention period is longer
- Some sources cite 10 years as the legal minimum; 20 years is the prudent recommendation for psychologists
Administrative data:
- Invoices and accounting records: 10 years (tax obligation)
- Bank details: delete once payment is processed
- Email marketing lists: until unsubscription or end of relationship
After these periods, data must be:
- Anonymised if you wish to keep it for statistics
- Securely destroyed (paper shredding, certified digital erasure)
⚠️ Watch out for automatic backups! If you keep client records in a non-professional cloud service (Google Drive, Dropbox, iCloud), check their retention and deletion policies. Many therapists unknowingly keep years of data in US-based services.
5. Security measures: what the CNIL requires
The CNIL requires appropriate security measures proportionate to the data's sensitivity and processing risks. For a solo practice or small clinic:
Technical measures:
- Encryption at rest (full-disk encryption on laptops and phones, encrypted databases) and in transit (TLS; SSL is obsolete and should be disabled)
- Strong authentication: long, unique passwords kept in a password manager, ideally with multi-factor authentication
- Regular encrypted backups with restoration actually tested, not just assumed to work
- Access logging (who viewed which record, when, and why)
Organisational measures:
- Access to records limited to what's strictly necessary
- Privacy screen in shared office or co-working spaces
- Written breach notification procedure (report to the CNIL within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk; every breach, notified or not, goes into your internal breach register)
- Password-protected computer and mobile devices
What many therapists don't know: the CNIL has sanctioned several healthcare professionals in 2025-2026 for basic security failures: default passwords, no encryption, shared accounts. The simplified procedure, in force since 2022, allows fines of up to €20,000 without public disclosure, and since May 2025 the CNIL has been using it directly against independent practitioners.
6. Practice management software: the weakest — or strongest — link
Choosing your practice management tool is the most important GDPR decision you'll make.
✅ What a compliant tool must offer:
- Data hosting in the EU/EEA by a provider that is not subject to the US CLOUD Act (the Act reaches companies under US jurisdiction regardless of where their servers stand)
- End-to-end encryption
- Access logging (audit trail)
- Data processing agreement under Article 28 GDPR
- Configurable retention periods
- Data export (portability right)
- Permanent deletion
❌ What to avoid:
- Software from US-controlled providers (even with "EU data centers" the provider remains subject to US law; check who actually operates the service)
- Free consumer tools (Google Drive, Dropbox, Notion, Trello)
- Unencrypted USB drives, password-less external hard drives
- Paper notebooks in unlocked cabinets
FYL.care is hosted in Europe, GDPR-compliant, end-to-end encrypted, and 100 % free: no credit card, no limits, no premium upgrade. The ideal tool for independent therapists who want compliance without complexity.
7. Your patients' rights under GDPR
GDPR grants data subjects 8 rights. The right to be informed is covered in section 3; as a therapist, you must be able to respond to the other seven:
| Right | Description | Response time |
|---|---|---|
| Right of access | Patient can request a copy of all data you hold on them | 1 month |
| Right to rectification | Patient can correct inaccurate data | 1 month |
| Right to erasure | Patient can request deletion (refusable while a legal retention period still runs) | 1 month |
| Right to restriction | Patient can "freeze" processing | 1 month |
| Right to portability | Patient can receive their data in a structured, machine-readable format | 1 month |
| Right to object | Patient can object to processing based on public interest or legitimate interests | 1 month |
| Automated decision-making | Patient cannot be subject to decisions based solely on automated processing that significantly affect them | — |
The one-month deadline (Article 12(3)) runs from receipt of the request and can be extended by two further months for complex or numerous requests, provided you tell the patient within the first month why the extension is needed.
Important for therapists: Article L1111-7 of the French Public Health Code does not let you withhold a record. The professional who holds it may recommend that a third person be present when certain information is consulted, where knowing it without accompaniment could put the patient at risk, but the patient's refusal does not block access. Only for information gathered during psychiatric care without consent can consultation be made conditional on the presence of a physician chosen by the patient. In every other case, provide the data within the one-month deadline.
8. CNIL 2026: what's changing this year
The CNIL's 2026 work programme includes several developments relevant to independent therapists:
📋 EHR Recommendation (Dossier Patient Informatisé) The CNIL will publish a consolidated recommendation on electronic health records in 2026, following a 2025 public consultation. This will clarify technical and legal requirements for practice management software.
🤖 AI in healthcare With the French health authority (HAS), the CNIL launched a public consultation (open until April 16, 2026) on AI best practices in healthcare — including transcription tools and note-taking assistants.
📊 Targeted inspections The CNIL has announced increased sectoral inspections in 2026, particularly in healthcare. Independent professionals are in the spotlight, especially those using non-EU-hosted tools.
FAQ — Frequently Asked Questions
Do I need to appoint a Data Protection Officer (DPO)?
No. The DPO obligation (Article 37 GDPR) applies to public authorities, to controllers whose core activities involve large-scale regular and systematic monitoring of people, and to those processing special category data on a large scale. Recital 91 states explicitly that an individual physician or other individual healthcare professional processing patient data is not doing so on a large scale, so a solo practice or small clinic is exempt. You remain responsible for compliance and may appoint an external DPO if you wish.
Can I use Google Drive or Dropbox to store client records?
No. Their consumer tiers come with no Article 28 data processing agreement suited to health data, you cannot set retention periods or see who opened a file, and the providers are US companies subject to the CLOUD Act, under which US authorities can compel disclosure regardless of where the server stands. Storing patient records there is very hard to defend as "appropriate security" under Article 32. Use a compliant EU-hosted tool like FYL.care instead.
What should I do if my computer is stolen or data is breached?
Notify the CNIL within 72 hours of becoming aware of the breach, using its online notification form, unless the breach is unlikely to result in a risk to the people concerned (Article 33). If it is likely to pose a high risk to patients' rights (for example stolen, unencrypted health data), you must also inform the affected patients without undue delay (Article 34); a laptop whose disk was fully encrypted with a strong passphrase, and whose key was not compromised, generally does not trigger patient notification. Record every breach, notified or not, in an internal breach register (Article 33(5)). Prepare a written procedure in advance: it is a recommended organisational measure.
What is the maximum GDPR fine?
Up to €20 million or 4 % of worldwide annual turnover, whichever is higher, in standard proceedings. For independent professionals, the simplified procedure (introduced in 2022) caps fines at €20,000, with a possible daily penalty of up to €100 per day, and its decisions are not published. In 2025-2026, the CNIL issued 16 simplified sanctions totalling €108,000.
Does GDPR apply to my handwritten notes?
Yes. GDPR applies to both digital and manual (paper) filing systems. If you take handwritten session notes, they must be kept in a locked filing cabinet in a locked room with controlled access. At the end of the retention period, they must be destroyed via a certified shredding service.
Conclusion
GDPR compliance isn't optional for independent therapists in France. It's a legal obligation that protects both you and your clients. Enforcement is accelerating, and the CNIL is increasingly targeting healthcare professionals.
The good news: with the right tools, compliance is simple and completely free.
FYL.care: 100 % free practice management software, GDPR-compliant, hosted in Europe. No credit card. No premium tier. Forever.
Sources:
- CNIL — GDPR and independent healthcare professionals
- CNIL — 2026 Work Programme
- CNIL — Sanctions 2025-2026
- MACSF — Medical records retention guidelines
- French Public Health Code — Article L1111-7
- Conseil d'État — Health data retention opinion
- Service-Public.fr — GDPR obligations for businesses in France