GDPR for Therapist Websites: What You Really Need to Know
Therapists process particularly sensitive data. This guide explains GDPR requirements for practice websites in a clear and practical way.
Why GDPR is especially important for therapists
You are a therapist. You work with the most intimate information a person can share: fears, traumas, mental health conditions. Under the GDPR this is health data, which Article 9 lists among the special categories of personal data.
This means stricter rules apply to your website than to an online shop or restaurant. And the consequences of violations are more severe.
But do not worry. The requirements are manageable once you understand them. This guide explains everything you need to know without legal jargon.
The 5 most important requirements for your practice website
There are five areas you need to implement correctly on your website. None of them is technically complicated, but all are legally relevant.
First: the legal notice. Every commercial website in Germany, Austria, and Switzerland needs a legal notice (Impressum). For therapists it must additionally name your professional title and the country that awarded it, the responsible chamber or supervisory authority, and, for licensed psychotherapists, the licensing authority (Approbationsbehörde).
Second: the privacy policy. It must describe precisely which data your website processes, why, and on which legal basis. That covers contact form data, cookies, the hosting provider's server log files, and every analytics or embedded third-party tool. Each purpose needs its own legal basis, for example legitimate interest (Art. 6(1)(f)) for server logs and explicit consent (Art. 9(2)(a)) for health data a patient types into a form.
Third: TLS encryption (still commonly called SSL). Your website must be served over HTTPS only, with plain HTTP redirecting to HTTPS. Without a valid certificate, contact form submissions and session cookies cross every network between the patient and your server in plaintext. For health data that fails the security requirements of Art. 32 and is a clear GDPR violation.
Fourth: cookie consent. If you use analytics or marketing tools such as Google Analytics, they may only be loaded after the visitor has actively opted in (in Germany the consent requirement for cookies and similar technologies is § 25 TDDDG, formerly TTDSG, with the GDPR governing the processing that follows). Genuine opt-in means no pre-ticked boxes, no tracking script executed before the click, and declining as easy as accepting. Technically necessary cookies, such as a session cookie or the cookie that stores the consent decision itself, do not require consent.
Fifth: contact form and consent. When patients send health-related information through your contact form, you need their explicit consent for the processing (Art. 9(2)(a)). A notice next to the form or a sentence in the privacy policy is not enough. It must be an unticked checkbox the patient actively ticks before the form can be submitted, with a short text saying what happens to the data. Keep the form itself minimal (data minimisation, Art. 5(1)(c)): name, a way to reach the patient, and a free-text field are enough; do not ask for diagnoses.
Where most therapist websites make mistakes
In practice, we see the same problems over and over.
Google Fonts loaded directly. When your website loads Google Fonts from Google's servers, every visitor's IP address is transmitted to Google in the USA before they can consent to anything. Since the Munich Regional Court (LG München I) ruled in January 2022 that this is unlawful without consent, there have been waves of cease-and-desist letters with damage claims.
The solution: download the font files and serve them from your own domain. Remove the link to fonts.googleapis.com and any preconnect hints to fonts.gstatic.com, and check after every theme or plugin update that nothing has re-added them. Or use a platform that does this automatically.
Contact form sent by unencrypted email. Many WordPress contact form plugins simply email each submission to the practice address. That email passes through mail servers you do not control, with transport encryption only if every hop happens to support it, and then sits in plaintext in the mailbox and its backups. This matters because patients almost always describe their concern in the message field. Submissions belong in an encrypted store under your control, or at least with an email provider that is covered by a data processing agreement and offers encryption at rest.
Outdated privacy policy. A privacy policy from 2019 does not meet today's requirements, especially if you have since added tools, plugins, an online booking widget, or a video consultation service. Every new processing activity needs its own entry.
No data processing agreement. If your hosting provider, form service, email provider, or backup service has access to personal data, you need a data processing agreement with each of them (Art. 28 GDPR, in German an Auftragsverarbeitungsvertrag or AVV). Many therapists are not aware of this.
GDPR-compliant website: the checklist
Here is a practical checklist for your therapist website.
For the legal notice you need your full name and address, professional title and license with the authority that granted it, responsible chamber or supervisory authority, a phone number or comparable contact method, and your VAT ID if you have one.
For the privacy policy you need a description of every processing activity with its purpose and legal basis, information about cookies and tracking, notes on the contact form and email, the name and location of the hosting provider, retention periods and deletion deadlines, and the data subject rights (access, rectification, deletion, restriction, objection, and the right to complain to a supervisory authority).
For technical implementation you need a TLS certificate with automatic renewal and a redirect from HTTP to HTTPS, locally hosted fonts, a cookie consent banner that actually blocks tracking scripts until opt-in, forms that submit over HTTPS to a handler that stores the data encrypted rather than forwarding it by plaintext email, and data processing agreements with every service provider that touches the data.
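Several items on the technical part of this checklist can be verified mechanically. The script below is an added example written for this guide; it is not PraxisFlow code and not a legal assessment. It fetches one page (or, with no argument, audits a constructed sample) and reports fonts loaded from Google, analytics scripts present in the initial HTML before any consent, forms that post over plain HTTP or via GET, a missing HTTPS/HSTS setup, and tracking cookies set on the first response. The hostnames and cookie prefixes are the well-known Google Fonts, Tag Manager and Analytics ones; the sample HTML, headers and the domain praxis.example are constructed for illustration.

```python
"""Static GDPR hygiene audit for a practice website (added example, not project code).

Checks the initial HTML and response headers only. Scripts injected later by
JavaScript, or fonts loaded by a plugin after consent, are not seen here.
"""
import re
import sys
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Well-known hosts: merely loading a resource from them sends the visitor's IP to Google.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
ANALYTICS_HOSTS = {"www.googletagmanager.com", "googletagmanager.com",
                   "www.google-analytics.com", "google-analytics.com"}
# Cookie name prefixes used by Google Analytics and Meta Pixel.
TRACKING_COOKIE_PREFIXES = ("_ga", "_gid", "_gat", "_fbp")


class _ResourceCollector(HTMLParser):
    """Collect external resources, inline CSS, and form targets from one HTML document."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []   # (tag, absolute URL)
        self.forms = []       # (method, absolute action URL)
        self.inline_css = []  # contents of <style> blocks and similar

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("link", "script", "img", "iframe"):
            src = a.get("href") if tag == "link" else a.get("src")
            if src:
                self.resources.append((tag, urljoin(self.base_url, src)))
        elif tag == "form":
            self.forms.append((a.get("method", "get").lower(),
                               urljoin(self.base_url, a.get("action", ""))))

    def handle_data(self, data):
        # @import / url(...) inside <style> is a common way Google Fonts sneaks back in.
        if "@import" in data or "url(" in data:
            self.inline_css.append(data)


def audit_html(html: str, page_url: str) -> list[str]:
    """Return human-readable findings for the HTML of one page."""
    p = _ResourceCollector(page_url)
    p.feed(html)
    findings = []
    for tag, url in p.resources:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if host in GOOGLE_FONT_HOSTS:
            findings.append(f"google-fonts: <{tag}> loads {url}")
        elif host in ANALYTICS_HOSTS:
            findings.append(f"analytics-before-consent: <{tag}> loads {url} in initial HTML")
        elif parsed.scheme == "http":
            findings.append(f"mixed-content: <{tag}> loads {url} over plain HTTP")
    for css in p.inline_css:
        for url in re.findall(r"https?://[^\s'\")]+", css):
            if (urlparse(url).hostname or "") in GOOGLE_FONT_HOSTS:
                findings.append(f"google-fonts: inline CSS imports {url}")
    for method, action in p.forms:
        if urlparse(action).scheme == "http":
            findings.append(f"form-plaintext: form posts to {action} over plain HTTP")
        if method != "post":
            findings.append(f"form-method: form to {action} uses {method.upper()}; "
                            "field contents would land in URLs and server logs")
    return findings


def audit_headers(headers: list[tuple[str, str]], page_url: str) -> list[str]:
    """Transport-level checks on the first response: HTTPS, HSTS, early tracking cookies."""
    findings = []
    if urlparse(page_url).scheme != "https":
        findings.append("no-https: page served over plain HTTP")
    if "strict-transport-security" not in {k.lower() for k, _ in headers}:
        findings.append("no-hsts: missing Strict-Transport-Security header")
    for k, v in headers:
        if k.lower() == "set-cookie":
            name = v.split("=", 1)[0].strip()
            if name.startswith(TRACKING_COOKIE_PREFIXES):
                findings.append(f"tracking-cookie-before-consent: {name} set on first response")
    return findings


def audit_url(url: str) -> list[str]:
    """Fetch one page and run both audits against the final (post-redirect) URL."""
    req = urllib.request.Request(url, headers={"User-Agent": "gdpr-audit-example/0.1"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        final_url = resp.geturl()
        headers = list(resp.headers.items())
        charset = resp.headers.get_content_charset() or "utf-8"
        html = resp.read().decode(charset, "replace")
    return audit_headers(headers, final_url) + audit_html(html, final_url)


# Constructed sample of a typical "wrong" practice site, used when no URL is given.
SAMPLE_URL = "https://praxis.example/"
SAMPLE_HEADERS = [("Content-Type", "text/html"), ("Set-Cookie", "_ga=GA1.2.1; Path=/")]
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<style>@import url(https://fonts.gstatic.com/example.woff2);</style>
</head><body>
<form method="get" action="http://praxis.example/kontakt"><textarea name="msg"></textarea></form>
<script src="/js/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_url(sys.argv[1])
    else:
        results = audit_headers(SAMPLE_HEADERS, SAMPLE_URL) + audit_html(SAMPLE_HTML, SAMPLE_URL)
    print("\n".join(results) if results else "no findings")
```

Run it as python gdpr_audit.py https://your-practice.example to audit a live page. A clean result here only means the first response is clean: it says nothing about what a consent banner loads after the click, about plugins that email form data, or about whether data processing agreements exist, so treat it as the first pass of the checklist rather than the whole of it.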
How PraxisFlow automates GDPR compliance
PraxisFlow was built from the ground up for the therapeutic context. This means GDPR compliance is not an add-on but the foundation.
Servers in Frankfurt. No US cloud, no data transfers to insecure third countries. Your data stays in Germany.
Automatic legal notice and privacy policy. Based on your practice data, PraxisFlow generates legally compliant mandatory pages. You do not need to pay a lawyer.
Locally hosted fonts. No loading from Google servers. No risk of cease-and-desist letters.
Encrypted forms. All patient inquiries are transmitted and stored with end-to-end encryption. No unencrypted email transmission.
Integrated cookie consent. GDPR-compliant cookie banner with opt-in, automatically embedded on your website.
Do I need a data protection officer as a therapist?
Generally no, if you operate as a solo practice. The GDPR itself (Art. 37) requires a data protection officer when your core activity involves large-scale processing of special categories of data, which a single practice does not meet. Germany adds a staff threshold in § 38 BDSG: a DPO becomes mandatory once at least 20 people are regularly involved in automated processing of personal data. Without a DPO you still have to meet every other GDPR obligation yourself, including keeping a record of processing activities.
Can I use Google Analytics on my practice website?
Technically yes, but only with genuine opt-in consent before the script loads, a data processing agreement with Google, and a documented basis for the transfer of data to the USA. In practice, we advise against it: a visitor's IP address and behaviour on a therapist's website is itself sensitive, and the consent banner cannot make that disappear. Privacy-friendly alternatives, such as cookieless server-side statistics from your own web server logs, give you visitor numbers without tracking individuals and are the better choice.
What does a GDPR violation cost?
Theoretically up to 20 million EUR or 4 percent of worldwide annual turnover, whichever is higher (Art. 83(5)). In practice, fines for small practices typically range from 500 to 5,000 EUR. Add legal costs on top, and for a health data breach the duty to notify the supervisory authority within 72 hours and possibly the patients themselves. The Google Fonts cease-and-desist wave showed that even small violations can become expensive.
Does the GDPR also apply to Swiss practices?
Switzerland has its own data protection law, the revised Federal Act on Data Protection (nDSG or revDSG), in force since 1 September 2023 and very similar to the GDPR; health data counts as particularly sensitive personal data there as well. The GDPR itself can additionally apply to a Swiss practice that offers services to patients in the EU. PraxisFlow is compliant with both GDPR and nDSG.