KVKK & GDPR Compliance for Therapists: How to Store Client Notes Legally
A practical guide to KVKK-compliant client note storage for psychologists and therapists. Covers encryption, explicit consent, data retention periods, and penalty risks — with a ready-to-use compliance checklist.
For a psychologist, a client's session note is among the most sensitive outputs of professional practice. It holds that person's most vulnerable moments, their relationships, their fears — and sometimes information that could become relevant in a legal context. Protecting these notes is not just an ethical responsibility; it's a legal obligation.
In Turkey, Law No. 6698 — KVKK (Turkey's data protection law, equivalent to GDPR) — places health data in the "special category personal data" classification. The rules for this category are considerably stricter. Improper storage, improper sharing, or inadequate encryption can result in administrative fines running into the millions of Turkish liras.
This article covers what KVKK compliance means for independent therapists and clinics, which steps need to be taken, and what tends to get overlooked in practice.
Why Is Health Data Classified as "Special Category"?
Article 6 of KVKK separates certain data categories from the rest. Health information, data relating to sexual life, racial or ethnic origin, political opinions, and religious beliefs all fall into this special category.
Processing this data requires the "explicit consent of the data subject." This means the client must clearly understand and approve which of their data is being processed, for what purpose, for how long, and with whom it may be shared. A generic "I accept" checkbox is not sufficient.
The session notes a therapist keeps, intake forms, payment information, and even appointment dates fall within this scope. Even the bare fact that "Mr. Smith sees psychologist X every Thursday at 2 PM", if it reaches a third party, amounts to a health-related inference about that person.
Who Is the Data Controller? Is That You?
The concept of "data controller" is central to KVKK. The data controller is the person or organization that decides why and how data is processed.
If you work as an independent therapist, yes — you are the data controller. If your annual revenue or number of employees exceeds certain thresholds, you are also required to register with VERBİS (Turkey's Data Controllers Registry).
If you work under the umbrella of a clinic, the clinic is the data controller and you are in the position of "data processor." But if you keep notes on your own device or use additional software without notifying the clinic, responsibility becomes shared — and complicated.
If you use scheduling software, your software provider becomes your "data processor." In this case, signing a Data Processing Agreement (DPA) with the provider is a legal requirement.
9 Steps Toward a KVKK-Compliant Practice
The checklist below covers the practical steps an independent therapist or small clinic needs to take for KVKK compliance.
1. Prepare an explicit consent text. You need a document that explains in plain language which of the client's data is being processed, for what purpose, for how long, and by whom. Don't copy a template from the internet — it must be tailored to your specific practice.
2. Keep the information notice as a separate document. Under KVKK, "explicit consent" and "information notice" are two separate obligations. The information notice is the duty to inform the client even before obtaining consent.
3. Store data with encryption. Excel, Word, and phone notes are not acceptable. You need a system with end-to-end encryption at AES-256 standard or better.
4. Maintain access logs. Which note was opened, when, and by whom must be recorded. This log can be requested in an audit.
5. Define data retention periods. Health data is subject to specific retention periods (generally 10 years from the last session). Data that has passed its retention period must be destroyed.
6. Prepare a data breach notification plan. If a data breach occurs, you are required to notify the KVKK Authority within 72 hours. Failing to have a pre-planned procedure is itself grounds for additional penalties.
7. Sign a DPA with all third-party software. Every service that touches client data — scheduling software, cloud backup, email provider — requires a Data Processing Agreement.
8. Keep data in the EU or Turkey. Transferring data to servers in the United States requires additional permissions and contracts. In practice, keeping data within the EU is the safest approach.
9. Review annually. KVKK decisions and regulations evolve. An annual compliance check is a good habit to build.
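Steps 3, 4 and 5 are the ones a developer or IT-minded practitioner can actually check in code. The following is an added illustration written for this article, not code from Calemio or any other product: a hypothetical in-memory note store that refuses anything weaker than a 32-byte AES-256 key, keeps notes only as AES-256-GCM ciphertext, appends a timestamped entry to an access log on every write, read and destruction, and only destroys a note once 10 years have passed since the client's last session. Note IDs, user names and dates in the comments are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)
// NoteStore holds session notes only as AES-256-GCM ciphertext (step 3) and appends every access to Log (step 4).
type NoteStore struct {
	aead  cipher.AEAD
	notes map[string][]byte // noteID -> nonce || ciphertext
	Log   []string          // "RFC3339-time user action noteID"
}
// NewNoteStore rejects keys that are not 32 bytes: aes.NewCipher would silently accept 16 bytes and give AES-128.
func NewNoteStore(key []byte) (*NoteStore, error) {
	if len(key) != 32 { return nil, fmt.Errorf("AES-256 requires a 32-byte key, got %d", len(key)) }
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	return &NoteStore{aead: aead, notes: map[string][]byte{}}, err
}
func (s *NoteStore) log(user, action, id string) {
	s.Log = append(s.Log, fmt.Sprintf("%s %s %s %s", time.Now().UTC().Format(time.RFC3339), user, action, id))
}
// Put seals the note under a fresh random nonce; the note ID is bound as associated data so a ciphertext cannot be moved to another client's record.
func (s *NoteStore) Put(id, user, text string) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return err }
	s.notes[id] = s.aead.Seal(nonce, nonce, []byte(text), []byte(id))
	s.log(user, "write", id)
	return nil
}
// Get logs the read before decrypting, so even a failed lookup leaves a trace.
func (s *NoteStore) Get(id, user string) (string, error) {
	s.log(user, "read", id)
	blob, ok := s.notes[id]
	if !ok { return "", fmt.Errorf("no such note %q", id) }
	n := s.aead.NonceSize()
	pt, err := s.aead.Open(nil, blob[:n], blob[n:], []byte(id))
	return string(pt), err
}
// Destroy applies step 5: delete only once 10 years have passed since the client's last session, and log the destruction.
func (s *NoteStore) Destroy(id, user string, lastSession, now time.Time) bool {
	if now.Before(lastSession.AddDate(10, 0, 0)) { return false }
	delete(s.notes, id)
	s.log(user, "destroy", id)
	return true
}
```

In a real deployment the key would come from a KMS or OS keystore rather than application memory, and Log would be written to append-only storage so that an audit can rely on it.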
4 Common Mistakes in Practice
It's worth naming the most common errors, because they happen even to well-intentioned therapists.
Collecting consent via WhatsApp. An "I read it and approve" message sent over WhatsApp does not qualify as valid explicit consent under KVKK. A written, dated, and identity-verified document is required.
Storing clients in your phone contacts. Having a client listed by name with a note like "therapy client" in your phone is itself a data protection risk. All it takes is someone picking up your phone.
Sending notes by unencrypted email. Forwarding notes to a supervisor, an insurance provider, or a colleague over unencrypted email is a serious risk.
Not keeping a backup on a separate device. If your device fails, data is lost. But the backup must also be stored in an encrypted, KVKK-compliant environment.
Evaluating Software: 5 KVKK Questions to Ask
When assessing a scheduling or clinic management tool, ask for clear answers to these questions:
Where is data stored? Locations outside the EU or Turkey are risky.
Is there end-to-end encryption, and what standard is used? AES-256 is the minimum acceptable standard.
Will you sign a Data Processing Agreement on request? If the answer is "no" or "not yet," look elsewhere.
Is my data used to train AI? The contract should contain an explicit clause on this.
If I cancel, can I export my data and have it fully deleted from the system? KVKK's "right to be forgotten" principle should apply to you as well.
Closing Thoughts: Compliance Is Part of the Profession
KVKK compliance can feel like an added bureaucratic burden for therapists. But with the right tools, once set up, it largely runs in the background.
And the greatest benefit of compliance is not avoiding the risk of fines. The real benefit is being able to tell your clients: "Your data is my responsibility, and it is genuinely protected." That is the foundation of the therapeutic relationship.
Calemio is encrypted end-to-end, data is stored in EU data centers, and the platform has been audited for KVKK and GDPR compliance. A Data Processing Agreement is available to all practitioners who request one. You can start with a free trial.