
Data protection and GDPR in online EMDR therapy

The security of your patients' data is not optional — it is part of the clinical work. Clinical data hosted and processed exclusively in the EU, encryption on all communications, and full control from your account.

GDPR compliance

Am I GDPR compliant?

If you use EMDR Digital, the platform already covers the three security dimensions that COP Madrid recommends as best practice for telepsychology platforms: encrypted communications, access traceability, and verifiable authenticity. Your own obligations as data controller (record of processing, DPIA, consent) remain yours, and the sections below explain how the platform supports each of them.

The platform guarantees your patients' rights (access, rectification, erasure, portability), applies data minimisation, and requires explicit consent for every clinical feature. Processor agreements and retention policies are aligned with GDPR and Spanish law (Ley 41/2002).

Map of Europe showing EU server locations

Infrastructure

Where is my patients' data?

Everything is processed in the European Union. No transfers to third countries, no intermediaries outside Europe.

  • Clinical data stored in Belgium and the Netherlands (Google Cloud, EU).
  • Signalling and media servers in Germany (Hetzner, EU).
  • Encryption in transit (TLS/DTLS-SRTP) and at rest (AES-256).
  • No personal data transfers outside the European Union.
  • Aligned with COP Madrid recommended security dimensions: encryption, traceability, authenticity.

Compliance

Regulatory compliance without a legal department

A solo practitioner faces the same legal obligations as a clinic with its own legal team. Using the right platform makes the difference.

  1. Record of Processing Activities (RAT)

     A record of processing activities is mandatory under GDPR Article 30 and is one of the documents the AEPD checks in an inspection. Our processing activities are documented so you can reference them directly in your own RAT.

  2. Data Protection Impact Assessment (DPIA)

     The AEPD considers a DPIA generally necessary when processing health data. The platform's technical measures cover several phases of the AEPD's "Gestiona EIPD" tool.

  3. Processor agreements (Art. 28 GDPR)

     Every provider that handles patient data needs a processing agreement. Ours with Google Cloud and Hetzner are already signed.

  4. Informed consent

     Granular and feature-specific. No clinical data is processed without explicit patient approval.

  5. Breach notification (72 h)

     Documented incident response protocol, aligned with the GDPR Article 33 requirement to notify the AEPD within 72 hours of becoming aware of a personal data breach.

  6. Clinical retention (Ley 41/2002)

     The platform supports long-term secure storage aligned with the 5-year minimum required by Spanish law. The therapist remains responsible for keeping records for the legally required period.

We don't sell data or show ads. Sub-processors that operate our infrastructure (Google Cloud, Hetzner) do so exclusively under our instructions and data processing agreements. Every technical decision exists so you can focus on your patient.

Frequently asked questions about data protection

Zoom offers end-to-end encryption, but it is off by default and disables key features such as cloud recording and transcription. In standard mode, Zoom manages the encryption keys and can access content. Google Meet does not offer end-to-end encryption on its regular plans. Both platforms may process data on servers outside the EU. As a therapist, you are the data controller and bear the obligation to verify that your platform complies with GDPR. The COP Madrid "Security Dimensions" document recommends that telepsychology platforms use EU servers and end-to-end encryption. EMDR Digital encrypts all communications in transit (TLS for signalling, DTLS-SRTP for audio and video). Video calls are not end-to-end encrypted: DTLS-SRTP protects each hop between a client and the media server, and the media server decrypts and re-encrypts the stream in order to relay it. That media server is hosted in the EU and managed exclusively by us, with no third-party access to the audio or video stream.

Processing health data (a special category under GDPR Article 9) usually requires a Data Protection Impact Assessment. The Spanish DPA (AEPD) offers a free tool ("Gestiona EIPD") that guides the evaluation process. Using a platform designed for clinical data simplifies several phases of the assessment, since the technical and organisational measures are already in place.

A complaint can trigger an AEPD inspection. Inspectors will check whether you have a Record of Processing Activities (RAT), a DPIA, processor contracts with your providers, and a documented breach response protocol. Fines can reach up to 20 million euros or 4% of annual global turnover, whichever is higher (Art. 83 GDPR). Using a platform that already meets these technical requirements significantly reduces your exposure.

Spanish law (Ley 41/2002) establishes a minimum of 5 years from the discharge date of each care process. Autonomous communities may extend this period. During that time, data must be protected, accessible only to you, and stored securely. After the retention period, destruction must use methods that prevent recovery.

Yes. GDPR Article 28 requires a Data Processing Agreement (DPA) with any third party that processes your patients' data: cloud storage, video calls, email, billing. Many therapists use Google Drive or Dropbox without knowing they need this contract. EMDR Digital has signed DPAs with all its sub-processors (Google Cloud, Hetzner).

Yes. EMDR session notes contain detailed descriptions of traumatic experiences, emotional responses during bilateral stimulation, and SUD/VOC scores linked to specific memories. A leak would expose the patient's most private experiences. In EMDR Digital, this data is encrypted, hosted exclusively in the EU, and accessible only to the therapist responsible for the patient.

Early access

Reserve your spot as a founding therapist. Priority access and exclusive conditions.

No spam. Only important updates about the launch.