Do therapists in Ireland need a GDPR-compliant website?

Category: GDPR

Written by Danny McCabe

24 June 2026

Yes. If you are a therapist in Ireland collecting client information through your website, even just a contact form, you are subject to GDPR. This applies whether you are a sole trader, a limited company, or working as a self-employed practitioner.

This is not a technicality that applies only to large organisations. The General Data Protection Regulation applies to any person or organisation that processes personal data, and a contact form that receives a client's name and email address is processing personal data. If that client also tells you about their mental health concerns, as many do in initial enquiries, that is sensitive personal data, which carries additional obligations.

Key takeaways

  • GDPR applies to every therapist in Ireland who has a website with a contact form
  • Health data (including mental health information) is a special category of personal data under GDPR Article 9
  • You need a privacy policy, cookie consent, secure data handling practices, and a process for handling data subject rights requests
  • The Data Protection Commission Ireland is the regulator and has issued fines to sole traders
  • A GDPR-compliant website is not complicated to build but does require the right setup from the start

What GDPR means for therapists specifically

GDPR, the General Data Protection Regulation, came into force in May 2018 and was given effect in Irish law through the Data Protection Acts 1988-2018. It sets out rules for how personal data must be collected, stored, processed, and deleted.

For therapists, the relevant categories of data include:

  • Names, email addresses, and phone numbers collected through contact forms or booking systems
  • Session notes and records
  • Intake forms, which often include information about mental health history, medication, and presenting concerns
  • Payment records

Mental health information is explicitly listed as a special category of personal data under Article 9 of GDPR. This means it is subject to stricter rules than ordinary personal data. Processing it requires either explicit consent from the data subject or another specific legal basis.

As a therapist, you are likely processing this data under Article 9(2)(h), which permits processing for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care, and the management of health or social care systems. But this only applies when the data is processed by a health professional subject to a professional secrecy obligation. If you are accredited with a body like the IACP, the ICP, or the APCP, this likely covers you, but it is worth confirming with your professional body.

What makes a website GDPR-compliant

A GDPR-compliant therapy website is not simply a website with a privacy policy bolted on. Compliance runs through every part of how the site collects and handles data. Here is what is required.

A privacy policy

Your privacy policy must explain what data you collect, why you collect it, how long you keep it, who you share it with, and what rights the person has in relation to their data. It needs to be written in plain language, not legal jargon, and it needs to be easily accessible from your website, typically linked in the footer.

Generic privacy policies downloaded from the internet are not sufficient. Your policy needs to reflect what your practice actually does. If you use Google Workspace to store session notes, your policy needs to say so. If you use a booking system that processes client data, that needs to be disclosed.

Cookie consent

SI 336/2011 (the ePrivacy Regulations) requires that you obtain user consent before placing non-essential cookies on a visitor's device. If your website uses Google Analytics, Meta Pixel, or any third-party tracking tools, you must have a cookie consent banner that allows users to accept or decline tracking before it begins.

Consent must be freely given, specific, and informed. A banner that says "By using this site you agree to cookies" does not meet the standard. The user must be able to say no.
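The gating the banner has to perform, as an added example that is not part of this article or of any consent tool it names: tracking scripts are only injected for categories with an explicit recorded "yes", silence counts as "no", and a decline writes an all-false record. The script URLs are constructed placeholders, and `store` and `inject` are assumed stand-ins for a first-party cookie and for appending a `<script>` tag, so the logic runs outside a browser.

```javascript
// Added illustration, not Karv's code: a consent gate that keeps non-essential
// tracking off the page until the visitor explicitly opts in per category.
// Script URLs are constructed placeholders; `store` stands in for a first-party
// cookie and `inject` for appending a <script> tag, so the logic runs in Node.

const TRACKING_SCRIPTS = {
  analytics: "https://analytics.example/tag.js", // placeholder (constructed)
  marketing: "https://pixel.example/pixel.js",   // placeholder (constructed)
};

class ConsentGate {
  constructor({ store = new Map(), inject = () => {} } = {}) {
    this.store = store;   // persisted consent record (cookie/localStorage stand-in)
    this.inject = inject; // side effect that actually loads a third-party script
    this.loaded = new Set();
  }

  // null = no decision recorded yet; silence is never treated as consent.
  decision(category) {
    const raw = this.store.get("consent");
    if (!raw) return null;
    return JSON.parse(raw).categories[category] === true;
  }

  // Record an explicit per-category choice with a timestamp, so the practice
  // can show when, and to what, the visitor agreed.
  record(categories) {
    const entry = { categories: { ...categories }, recordedAt: new Date().toISOString() };
    this.store.set("consent", JSON.stringify(entry));
    return this.applyConsent();
  }

  // "Decline" writes an all-false record. Scripts already loaded in this page
  // view cannot be unloaded, so the caller should reload the page afterwards.
  decline() {
    const all = Object.fromEntries(Object.keys(TRACKING_SCRIPTS).map((c) => [c, false]));
    return this.record(all);
  }

  // Load only the scripts whose category carries an explicit "true",
  // and never load the same script twice.
  applyConsent() {
    for (const [category, url] of Object.entries(TRACKING_SCRIPTS)) {
      if (this.decision(category) === true && !this.loaded.has(category)) {
        this.inject(url);
        this.loaded.add(category);
      }
    }
    return [...this.loaded].sort();
  }
}
```

In a real page, `applyConsent()` runs once on load (so a returning visitor's earlier choice is honoured) and again after the banner's buttons call `record()` or `decline()`.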

Secure data handling

Data you collect must be stored securely. This means using HTTPS (a padlock in the browser address bar), not storing sensitive information in unencrypted email, and using platforms that meet appropriate data security standards.

Contact form submissions that include sensitive information about a client's mental health should not be stored indefinitely in an email inbox. You need a process for moving that information to secure storage and deleting it from email.

Data retention policies

You must not keep personal data for longer than is necessary for the purpose for which it was collected. For therapists, this means having a clear data retention policy. In Ireland, the Health Service Executive recommends retaining client records for at least eight years from the last date of contact. Your privacy policy should state your retention period.

Right to erasure and data subject rights

Under GDPR, individuals have the right to access their personal data, correct it, and in some circumstances delete it. They also have the right to know what data you hold about them and to receive it in a portable format.

You need a process for handling these requests. This does not have to be complicated, but it does need to exist. If a former client emails asking for a copy of their data, you need to be able to respond within one month.

The Data Protection Commission Ireland

The Data Protection Commission (DPC) is the Irish supervisory authority responsible for enforcing GDPR and the Data Protection Acts. It has the power to investigate complaints, conduct audits, and impose fines.

Under GDPR, fines can reach €20 million or 4% of annual global turnover, whichever is higher. For a sole trader therapist, a fine of even a few thousand euros would be significant.

The DPC has taken action against a range of organisations, including small businesses and healthcare providers. Non-compliance is not just a theoretical risk. Most DPC investigations are triggered by complaints from individuals, which in the context of therapy could include a former client who is unhappy about how their data was handled.

The DPC website includes guidance specifically for healthcare providers and small organisations that is worth reading if you are setting up your data handling processes for the first time.

What a compliant setup actually looks like in practice

A GDPR-compliant therapy website in Ireland typically includes the following.

A website with HTTPS, a privacy policy, and a cookie consent tool. Cookie consent tools like CookieYes or Cookiebot can be added to most websites and handle the technical requirements of obtaining and recording consent.

A booking system that processes data within the EEA, or that has appropriate data transfer mechanisms in place if it processes data outside the EEA. Cal.com, which is widely used by therapists, stores data in the European Union.

Intake forms hosted on secure platforms with restricted access. Google Forms connected to a Google Workspace account with access controls is one approach. Purpose-built practice management software is another.

A process for handling data subject rights requests, including a named contact (you) and a clear timeline for responding.

Documentation of your data processing activities. Under Article 30 of GDPR, controllers are required to maintain a record of processing activities. For a sole practitioner, this is a straightforward document but it does need to exist.

What happens if you do not comply

The most immediate risk is a complaint to the DPC. If a client, former client, or any visitor to your website believes you have mishandled their data, they can file a complaint. The DPC must investigate and may require you to change your practices, issue a reprimand, or impose a fine.

Beyond the regulatory risk, non-compliance can damage the trust your practice depends on. Therapy clients are disclosing sensitive information. If they do not trust that you are handling it properly, they are less likely to engage fully in the therapeutic process.

Getting GDPR right is not just a legal obligation. It is part of providing a professional service.

How to get started

If you have an existing website that is not GDPR-compliant, the steps are:

  1. Add cookie consent software and review what tracking tools you are using
  2. Write or update your privacy policy to accurately reflect your data practices
  3. Review how you store client data and move it to secure, access-controlled storage
  4. Create a brief data retention policy and data subject rights procedure
  5. Document your processing activities under Article 30

If you are building a new website, it is significantly easier to build compliance in from the start than to retrofit it.

If you are ready to make the move to private practice with a GDPR-compliant setup from day one, we build everything for therapists in Ireland and the UK, including the website, booking, payments, and data compliance setup. See how it works.
