Psychologists and therapists: client agreements and consent for sensitive data processing
Therapists and psychologists work with the most sensitive personal data. See how zipzipdoc helps digitise client agreements and GDPR consents in full legal compliance.
A therapist, psychologist or psychotherapist works with the most sensitive personal data that exists — health records, mental health, family relationships. GDPR classifies this data as a special category, which means heightened requirements for processing and archiving.
At the same time every therapeutic relationship should be governed by a clear agreement — covering session frequency, fees, confidentiality and cancellation rules.
Legal framework for therapeutic practice
Health and psychological data falls under GDPR Article 9, the special categories of personal data. Article 9 prohibits processing such data unless one of its exceptions applies; the exceptions most relevant to therapeutic practice are:
- Explicit consent of the data subject (Article 9(2)(a)), the basis most private practitioners rely on.
- Processing necessary for medical diagnosis, the provision of health care or treatment, by or under the responsibility of a professional bound by an obligation of professional secrecy (Article 9(2)(h)).
- Processing necessary for reasons of substantial public interest, on the basis of EU or member-state law (Article 9(2)(g)).
For private practitioners who cannot rely on Article 9(2)(h) in their jurisdiction (psychologists, psychotherapists, counsellors outside a regulated health service), the basis is almost always explicit, written, individual consent from each client, in addition to an Article 6 lawful basis for the processing as a whole. Explicit consent is stricter than ordinary GDPR consent: it must be a clear, affirmative statement that names the purpose and the categories of data being processed, and the client must be able to withdraw it at any time as easily as it was given. The information that accompanies the consent must also state the retention period and the client’s rights (Articles 13 to 22). Note that some supervisory authorities and professional bodies advise regulated health professionals to rely on Article 9(2)(h) rather than consent for treatment records, because consent withdrawn mid-treatment leaves the record without a basis; check which applies to you before choosing.
For therapists and healthcare administrators, this means a properly structured client intake package is not optional — it is the foundation of GDPR compliance.
What psychologists and therapists need
- Therapeutic agreement with the client: number of sessions, fee, location, therapist confidentiality
- Consent to process sensitive personal data (GDPR Article 9)
- Informed consent: the client must understand how therapy works and its limitations
- Cancellation terms: short-notice cancellations may be charged
The therapeutic agreement: what it must contain
A well-structured therapeutic agreement covers:
- Scope of services — what type of therapy is being provided (CBT, psychodynamic, solution-focused)? What are the goals, framed as intentions rather than guaranteed outcomes?
- Session frequency and format — weekly, bi-weekly, online, in-person, session length.
- Fees and payment — session rate, payment timing (pre-session, post-session), accepted payment methods.
- Cancellation and no-show policy — minimum notice period (typically 24–48 hours); whether late cancellations are charged.
- Confidentiality — the therapist will not disclose session content to third parties, with explicit exceptions.
- Limits of confidentiality — mandatory exceptions: risk of serious harm to client or others, court orders, child safeguarding obligations.
- Supervision — professional supervision requirements may mean a supervisor hears anonymised case summaries; inform the client of this.
- Emergency protocol — what the client should do between sessions in a crisis.
- Therapist’s limits — what the therapist does not provide (e.g. medication, diagnosis for insurance purposes).
Why GDPR consent for therapists requires special care
A standard GDPR consent is not enough. Psychological and health records fall under the special category of Article 9 GDPR — consent must be explicit, specific and documented. zipzipdoc generates consents specifically designed for healthcare and therapeutic practices.
Confidentiality and its legal exceptions
The therapeutic agreement must explain the confidentiality conditions to the client — including legal exceptions (danger to self or others, court orders). Templates in zipzipdoc include these clauses in plain language.
How it works in practice
A new client books their first session. Before it takes place they receive an email link to sign the therapeutic agreement and GDPR consent. They sign on their phone in 3 minutes. The therapist has everything in the archive before the meeting.
Related contract types: Coaching agreement · GDPR consent · Service agreement
Numbers that speak for themselves
| Statistic | What it means |
|---|---|
| 100 % | of clients must sign an informed consent |
| 72 % | of therapists lack a formal therapy agreement |
| 5 min | time to prepare documents via zipzipdoc |
| 0 | paper forms with digital signing |
How it works step by step
Step 1: A new client books their first session.
Step 2: The therapist sends them an informed consent, therapy agreement with cancellation terms and GDPR consent via zipzipdoc.
Step 3: The client reads the documents at home in peace and signs online before the first session.
Record-keeping for therapists: what GDPR Article 9 requires
Therapeutic and psychological records are among the most sensitive documents in existence. A mistake in their handling can result in significant GDPR penalties and, more importantly, serious harm to the client. Here is what compliant record-keeping looks like for private practitioners.
What constitutes a health record
GDPR Article 9 lists the special categories of personal data, among them data concerning health, which Article 4(15) defines as personal data related to a person’s physical or mental health, including the provision of health care services, that reveals information about their health status. For therapists and psychologists, the following all qualify:
- Session notes and case summaries
- Intake questionnaires and assessment results
- Psychological test results and interpretations
- Medication history (if relevant to the therapeutic relationship)
- Diagnosis or therapeutic impressions
- Contact with the client’s GP or psychiatrist
- Emergency contact information, because the record of using it reveals that the client was in crisis (the contact person’s own details are ordinary personal data, but still need protecting)
Minimum security standards for health records
The GDPR (Article 32) requires “appropriate technical and organisational measures” proportionate to the risk, and for health data the risk is high. For private practitioners, this means:
- Encryption at rest and in transit: digital records must be encrypted on disk (full-disk encryption on every laptop, phone and backup drive that holds client data, plus application-level encryption with a current standard such as AES-256) and in transit (TLS; never session notes in plain e-mail). Paper notes remain acceptable under GDPR provided they are locked away with controlled key access and a documented list of who holds keys.
- Access control: give each person their own account and password, with multi-factor authentication where the system supports it; limit access to the treating clinician and essential support staff and review it periodically. If you supervise trainees, document the access granted explicitly and revoke it when the placement ends.
- Breach notification: if health records are compromised (device theft, ransomware, unauthorised access), the national data protection authority must be notified within 72 hours of you becoming aware of the breach (Article 33), and the affected clients must be informed without undue delay when the breach is likely to result in a high risk to them (Article 34), which for mental health records is the usual case. A stolen device whose disk was encrypted with a key the thief cannot obtain is the textbook case in which client notification may not be required (Article 34(3)(a)), which is why the encryption measure above matters. Keep an internal breach log either way.
- Privacy by design and by default (Article 25): use systems built for healthcare data or, if you use general-purpose tools, turn off data-sharing and analytics features, limit retention, and do not synchronise client records to any cloud service with which you have no processor agreement (Article 28).
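The encryption bullet above names AES-256 but says nothing about the mode, and that is where most home-grown record storage goes wrong: encryption that does not also authenticate the data lets a corrupted or swapped record decrypt to garbage without any error. The following Go program is an added example written for this page; it is not zipzipdoc’s code and makes no claim about how zipzipdoc stores records. It seals a session note with AES-256-GCM and binds it to the client ID, record type and retention date as associated data, so that a blob moved into another client’s file, or edited on disk, is rejected on decryption. The key is generated in memory for the demo; the sample note, client ID and dates are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// recordAAD builds the associated data that binds a ciphertext to the record
// it belongs to. It is authenticated but not encrypted, so it can sit in clear
// next to the blob and drive retention scheduling without decrypting anything.
func recordAAD(clientID, recordType, retainUntil string) []byte {
	return []byte(clientID + "|" + recordType + "|" + retainUntil)
}

// sealRecord encrypts plaintext with AES-256-GCM under a 32-byte key.
// Output layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
func sealRecord(key, aad, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reusing a nonce under the same key
	// breaks GCM, so never derive it from anything that can repeat.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, so the nonce travels with the blob.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openRecord reverses sealRecord. Any change to the blob or to the AAD
// (for example a blob copied into another client's file) returns an error
// instead of silently corrupted notes.
func openRecord(key, aad, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Demo key generated in memory. A real deployment loads the key from an
	// OS keychain or KMS and never stores it beside the records (assumption).
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample data, not a real client record.
	note := []byte("Session 3: constructed sample note, no real client data")
	aad := recordAAD("client-0001", "session-note", "2035-12-31")

	blob, err := sealRecord(key, aad, note)
	if err != nil {
		panic(err)
	}
	if pt, err := openRecord(key, aad, blob); err == nil {
		fmt.Printf("decrypted ok: %q\n", pt)
	}
	// The same blob filed under another client fails authentication.
	_, err = openRecord(key, recordAAD("client-0002", "session-note", "2035-12-31"), blob)
	fmt.Println("blob moved to another client rejected:", err != nil)
	// Flipping one ciphertext byte is detected rather than decrypted to garbage.
	blob[len(blob)-1] ^= 0x01
	_, err = openRecord(key, aad, blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Because the retention date is part of the authenticated associated data, a scheduler can read it in clear to decide when the record is due for destruction, and destroying the key for a record (or a client) is itself a valid form of secure deletion for everything sealed under it.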
Retention periods for therapeutic records
Retention requirements for mental health records vary significantly by jurisdiction and professional body guidance:
| Jurisdiction / body | Retention period |
|---|---|
| Slovak Republic (general health records) | 20 years from last contact |
| Slovak Republic (psychotherapist, professional body guidance) | 10 years minimum |
| German Psychotherapists Chamber (Bundeskammer) | 10 years from end of treatment |
| UK (BACP guidance) | 7 years (adults); for minors, 7 years after the 18th birthday |
| UK NHS / NHS equivalent | 8 years minimum |
After the retention period ends, records must be destroyed securely: cross-cut shredding for paper, and for digital records a deletion that also covers backups and cloud copies, or destruction of the encryption key where the records were encrypted under a key unique to them. zipzipdoc allows you to set retention period reminders aligned with your jurisdiction and professional body requirements.
Cancellation and no-show policy: why the contract must be explicit
Therapists and psychologists lose significant income from late cancellations and no-shows. A client who cancels 30 minutes before a session leaves a 50-minute slot unfillable. Yet many therapists feel uncomfortable enforcing cancellation fees without a clearly signed agreement — and they are right to feel that way: enforcing a policy the client did not explicitly agree to is legally and ethically problematic.
The therapy agreement resolves this cleanly. When the client signs the agreement before the first session, they explicitly acknowledge:
- The minimum cancellation notice period (typically 24 or 48 hours)
- The fee for late cancellations (typically 50–100 % of the session fee)
- The no-show policy (typically 100 % of the session fee)
- The procedure for rescheduling within the cancellation period
With this signed agreement, enforcing the policy is not an interpersonal negotiation — it is a contractual matter. Most clients who have signed a clear agreement will cancel on time or accept the fee without dispute. The signed contract protects both the therapeutic relationship and the therapist’s income.
Frequently asked questions
What must a therapy agreement contain?
A therapy agreement must include: scope and goals of therapy, session frequency and duration, fee and payment terms, cancellation terms, confidentiality clause, exceptions to confidentiality (e.g. risk of self-harm or harm to others), supervision disclosure, and GDPR consent for processing health data. zipzipdoc templates cover all of these elements.
Is an electronically signed informed consent valid?
Yes, with one qualification. eIDAS (Article 25) means a signature cannot be denied legal effect solely because it is electronic; only a qualified electronic signature is automatically equivalent to a handwritten one, so check whether your national law or professional body requires a particular form for informed consent. The SMS one-time code ties the signature to the phone number the client gave you rather than proving identity on its own, and the audit trail records when the document was opened and when it was signed; keep both, as they are what a regulator or professional body will ask for at an inspection. For guardians signing on behalf of minors, consult your professional body’s guidance.
How do I handle confidentiality in the therapy agreement?
The contract must clearly define the therapist’s confidentiality obligation and its exceptions: mandatory reporting when there is a credible risk of serious harm to the client or others; compliance with court orders; and professional supervision (where the supervisor hears anonymised material). zipzipdoc includes vetted clauses for these situations in plain client-facing language.
How long must therapy notes and consents be retained?
Retention requirements vary by jurisdiction and professional body. A common standard for mental health records is 7–10 years after the end of treatment (longer for minors). Check your professional body’s guidelines. zipzipdoc allows you to set a retention period and schedule automatic deletion reminders.
Can I sign documents with clients who are not technically proficient?
Yes. The client receives an SMS with a link and a one-time code — no app installation, no account creation. If needed, the receptionist or assistant can display the document on a tablet and the client signs with the OTP from their own phone. The process is designed to work for all age groups.
“Clients arrive at the first session with signed documents. We can focus on therapy, not paperwork.” — Dr. Monica K., clinical psychologist
