Think about what actually goes into a session note. A person at their most exposed. Their fears, the marriage quietly coming apart, the thing they've never said out loud to anyone. Sometimes something that could surface in a courtroom years down the line. It's about the most sensitive thing a therapist ever writes down.
So guarding those notes isn't only an ethical duty. It's the law.
In Turkey that law is KVKK, formally Law No. 6698 and the local counterpart to the EU's GDPR. Both drop health data into a special, tightly ring-fenced category where the rules run stricter than they do for ordinary personal data. Store it carelessly, hand it to the wrong person, skip the encryption? The administrative fines climb into the millions of lira.
So let's walk through what compliance actually means for an independent therapist or a small practice. What you have to put in place. And the parts that quietly slip through the cracks.
What Does KVKK & GDPR Compliance Mean for Therapists?
The short version
KVKK and GDPR both classify health data as special-category personal data, which you can only process with the client's clear, informed consent. For a therapist that means encrypted note storage, a proper consent and information process, defined retention periods, and a signed agreement with any software that touches the data. A checkbox and a WhatsApp 'ok' don't cut it.
KVKK draws a line around a handful of data types and treats everything inside it as extra-sensitive. Health information sits well inside that line. So does data about someone's sexual life, their ethnic origin, their politics or religious belief. GDPR does the same thing under its "special categories of personal data."
To touch anything in that box, you need the client's explicit consent. And explicit is the word that carries the weight. The person has to actually grasp what you're collecting, why, for how long, and who else might see it, then agree to it. A tucked-away "I accept" checkbox doesn't get you there.
Here's the part most people underestimate: the box is bigger than it looks. Session notes, obviously. But also intake forms, payment records, even the dates someone books. Why the dates? Because "Mr. Demir sees a psychologist every Thursday at 2 PM" is, in the wrong hands, a health inference about Mr. Demir.
Why Does Client Note Security Matter So Much?
The risk here wears two faces. One is legal. The other is human, and it's the one that actually stings.
A client tells you things on the quiet assumption that they never leave the room. Break that, even by accident, and you don't really win it back. A lost phone. An email fired off to the wrong address. One slip does it.
Then there's the legal face. KVKK parks health data in its highest protection tier, and GDPR mirrors that. Improper storage, careless sharing, weak encryption, any of these can trigger administrative fines in the millions of lira, with comparable penalties on the GDPR side. So getting it right isn't optional housekeeping. It's just part of practising responsibly.
The fine is only half the cost
A KVKK breach can mean fines in the millions of lira and a mandatory notification to the authority within 72 hours. The quieter cost is reputational: a leak involving therapy records is exactly the kind of story that follows a practice around. The encryption and the paperwork are cheap by comparison.
Who Is the Data Controller, and Is It You?
The idea of the "data controller" sits right at the centre of KVKK. Put simply, the controller is whoever decides why and how data gets processed.
Work as an independent therapist? Then yes, that's you. And once your annual revenue or headcount crosses certain thresholds, you're also expected to register with VERBİS, Turkey's Data Controllers Registry.
Work under a clinic's roof and the picture shifts. Now the clinic is the controller and you're the "data processor." Mostly. But keep your own notes on a personal laptop, or run an extra app the clinic never signed off on, and suddenly responsibility is shared, blurred, and a lot harder to defend if anyone asks.
One more wrinkle. The moment you use scheduling software, that provider becomes a data processor for you. Which means a Data Processing Agreement, a DPA, isn't a nice extra. It's a requirement.
What Are the Most Common KVKK Mistakes Therapists Make?
Worth naming these up front, because they trip up careful, well-meaning therapists all the time. The good news? Most are easy to fix once you can actually see them.
Collecting consent over WhatsApp. A reply that says "read it, I approve" on WhatsApp is not valid explicit consent under KVKK. What you need is a written, dated document with the client's identity confirmed.
Storing clients in your phone contacts. A contact saved as a name with "therapy client" next to it is, by itself, a data-protection problem. Someone glances at your unlocked phone and there it is.
Emailing notes without encryption. Forwarding a note to a supervisor, an insurer, or a colleague over plain email is a real exposure, not a hypothetical one.
Skipping a backup on a separate device. Your laptop dies, the data goes with it. But the backup has to live somewhere encrypted and compliant too, not on a random USB stick in a drawer.
A lot of this also traces back to where the notes live in the first place. If the honest answer is a spreadsheet, it's worth reading up on the specific risks of tracking clients in Excel before anything else.
The consent that wasn't
A therapist sends the intake terms as a PDF over WhatsApp. The client thumbs back 'read it, all good.' Months later there's a complaint and a request to show valid consent. The chat log isn't it: no signature, no date, no confirmed identity, no clear record of what the client actually agreed to. A signed consent form, kept separate from the information notice, would have closed the whole question in one line.
How Do You Make Your Practice KVKK-Compliant?
The steps below cover what an independent therapist or a small practice actually needs to do. None of it is exotic. Mostly it's a matter of setting things up once and then leaving them to run.
1. Write a real explicit consent text. Plain language, explaining which of the client's data you process, why, for how long, and who touches it. Don't lift a template off the internet. It has to fit your practice, or it doesn't protect you.
2. Keep the information notice separate. Under KVKK, "explicit consent" and "information notice" are two different obligations, not one document doing double duty. The notice is your duty to inform the client, and it comes before you collect consent.
3. Store everything encrypted. Excel, Word, phone notes: none of these clear the bar. You want a system with end-to-end encryption at AES-256 or better, full stop.
4. Keep access logs. Which note got opened, when, by whom. All of it recorded. In an audit, that log is one of the first things anyone asks for.
5. Set retention periods. Health data carries specific ones, generally around 10 years from the last session. Once a record passes its window, it has to be destroyed, not left sitting there indefinitely.
6. Have a breach plan ready. If a breach happens, you've got 72 hours to notify the KVKK authority. Not having a procedure written down in advance is, on its own, grounds for extra penalties.
7. Sign a DPA with every third party. Anything that touches client data needs one. Scheduling software, cloud backup, your email provider. If it sees the data, it gets an agreement.
8. Keep the data in the EU or Turkey. Push it onto US servers and you're into extra permissions and contracts. Keeping it inside the EU is simply the calmer path.
9. Review it once a year. KVKK decisions and regulations keep moving. An annual check is a small habit that saves a lot of scrambling later.
The laptop on the back seat
A therapist's laptop is stolen from a parked car. On it: forty client records, unencrypted, in a folder of Word files. Now the 72-hour clock is running, there's a breach to report, and forty people whose most private sessions may be exposed. Had those files sat inside an encrypted system with access logs, the same theft would have been a lost piece of hardware and nothing more.
How Do You Evaluate Software for KVKK Compliance?
When you're sizing up a scheduling or practice-management tool, push for straight answers to these:
Where does the data physically live? Anywhere outside the EU or Turkey is a red flag worth chasing down.
Is there end-to-end encryption, and at what standard? AES-256 is the floor, not the ceiling.
Will you sign a DPA if I ask? "No" or "not yet" is your answer. Move on.
Do you use my data to train AI? There should be an explicit clause, in writing. If you're weighing this up, it's worth understanding whether AI is safe to use in therapy in the first place.
Can I export everything and have it fully deleted if I leave? KVKK's right to be forgotten applies to you as a customer too, not just to your clients.
What Are the Benefits of Getting Compliance Right?
Compliance can feel like one more layer of admin bolted onto an already full week. Set it up well, though, and it mostly disappears into the background. The payoff runs well past just dodging a fine.
- Client trust. You can tell a client, honestly, that their most private material is actually protected. That's not a marketing line. It's the ground the whole therapeutic relationship stands on.
- Less legal exposure. Encryption, access logs, retention rules, signed DPAs. Together they clear away most of the situations that turn into fines and breach notices.
- A quieter mind. With a breach plan and a yearly review in place, you're not improvising at the worst possible moment.
- A practice that reads as professional. Clean consent and information processes tell clients you take them, and your obligations, seriously.
How Calemio Helps You Stay Compliant
Calemio is encrypted end to end, keeps data in EU data centres, and has been audited for KVKK and GDPR. Client notes, intake forms, and appointment data live in one encrypted record with access logs attached, and a Data Processing Agreement is there for any practitioner who asks. You can start with a free trial.
A Quick Checklist
Reviewing how your practice handles client data? This is a reasonable place to start:
- Client notes live in an end-to-end encrypted system, not in Excel, Word, or phone notes.
- Explicit consent is collected on a written, dated form, kept separate from the information notice.
- Access to records is role-based and logged.
- Retention periods are defined, and data past its window gets destroyed.
- A data breach plan exists, with the 72-hour notification step written out in advance.
- A signed DPA is in place with every provider that touches client data.
- Data is stored in the EU or Turkey, with regular encrypted backups.
- The whole setup gets a compliance review once a year.
Frequently Asked Questions
How should therapists store client notes to stay KVKK and GDPR compliant?
Client notes are special-category health data, so they must be stored with strong encryption (AES-256 or better), not in Excel, Word, or phone notes. You also need access logs, defined retention periods, regular encrypted backups, and a signed Data Processing Agreement with any software provider that touches the data.
Do I need explicit consent from clients, and is a checkbox enough?
Yes, processing health data requires the client's explicit consent. A generic "I accept" checkbox is not sufficient. You need a written, dated document that explains in plain language which data is processed, for what purpose, for how long, and with whom it may be shared, kept separate from the information notice.
Am I the data controller as an independent therapist?
If you work independently, yes, you are the data controller and may also need to register with VERBİS once you pass certain revenue or headcount thresholds. If you work under a clinic, the clinic is usually the controller and you act as a processor, though keeping your own notes or apps can make responsibility shared.
How long do I have to keep client records, and when should I delete them?
Health data is subject to specific retention periods, generally around 10 years from the last session, after which it must be securely destroyed. Keeping data indefinitely, or deleting it too early, both create compliance problems, so define and document your retention rule in advance.
Can I send client notes over WhatsApp or email?
No. An "I approve" message over WhatsApp is not valid explicit consent, and forwarding notes over unencrypted email to a supervisor, colleague, or insurer is a serious data protection risk. Use encrypted, KVKK-compliant channels and keep client details out of your personal phone contacts.
What should I ask a scheduling tool before trusting it with client data?
Ask where data is stored (EU or Turkey is safest), whether there is end-to-end encryption and at what standard, whether the provider will sign a Data Processing Agreement, whether your data is used to train AI, and whether you can export and fully delete your data if you cancel.
Related articles

Try Calemio for free
Encrypted, compliant and simple. Built for independent therapists and clinics.
Start free


