GDPR and VR Practices: 7 Questions Regulators Ask in Spain
By Equipo VRET
Spain's data protection authority doesn't inspect because you use virtual reality — it inspects because a patient complained or because your practice has grown. When inspectors arrive, they check seven concrete things. If you have them documented and reproducible in 15 minutes, the visit is routine. If not, the average fine in private clinical psychology in 2024-2025 ran €5,000 to €30,000. This guide walks through all seven in order.

Before We Start: Why It's Your Turn
Spain's data protection authority (the AEPD, Agencia Española de Protección de Datos) doesn't show up at random. Three situations trigger an inspection of a Spanish private practice in 2025-2026:
- A patient files a complaint about improper use of their data (usually a former patient with a conflictual relationship).
- A health insurer reports an incident involving data exchange without a DPA.
- A competitor or a former employee of the practice files a deliberate complaint (more common than it seems in group practices).
When they arrive (in person or through a written request) they ask for documentation within a window of 10 to 30 calendar days. The seven pieces you will have to show are the ones covered in this article. If you're missing one, get it today.
Question 1 — What Legal Basis Are You Using to Process Clinical VR Data?
The canonical answer for a Spanish private practice: Article 9(2)(h) GDPR (processing necessary for the purposes of preventive medicine, medical diagnosis, the provision of health or social care, or treatment, on the basis of Union or Member State law), complemented by the seventeenth additional provision of Spain's GDPR implementing law, the LOPDGDD (Ley Orgánica de Protección de Datos y Garantía de los Derechos Digitales).
What the inspector wants to see: that this legal basis appears in writing in your agreement with the patient (the informed consent form) and in your record of processing activities. If your consent form doesn't mention the GDPR and Article 9(2)(h), the first item of the inspection is already unfavorable.
Question 2 — Where Is the Clinical Data Generated by the VR System Hosted?
The AEPD wants to hear “on servers in the European Union” or “on my own equipment at the practice, with no transmission to the cloud.” Any answer that involves the United States without Standard Contractual Clauses plus an up-to-date EU-US Data Privacy Framework certification will trigger a follow-up question.
VRET hosts clinical data on infrastructure located in EU territory and signs a specific DPA with every practice. If you use another vendor, make sure your DPA specifies this in writing and that your vendor can provide a data-location certificate. For a longer review, see our dedicated analysis of what your GDPR vendor must comply with.
Question 3 — Have You Signed a DPA With Your VR Software Vendor?
The DPA (data processing agreement, an Article 28 GDPR contract) is mandatory for any vendor that processes your patients' personal data. It is not optional, and it is not replaced by generic terms and conditions.
What the inspector asks for: the signed DPA, dated before the first processing of clinical data, identifying the technical security measures, the retention period, any sub-processors, and any cross-border data flows. Ready-to-use template: DPA template for licensed psychologists.
Question 4 — Do You Have a Record of Processing Activities (RoPA)?
The RoPA is mandatory (Article 30 GDPR) and must be kept up to date. For a private practice that integrates VR, the RoPA must document at least:
- Purpose: psychological diagnosis and treatment with VR support.
- Data categories: identifying data, mental health data, SUDS records, session video if recorded.
- Legal basis: Article 9(2)(h) GDPR + LOPDGDD, 17th additional provision.
- Processors: VR vendor (with a DPA), hosting, backups.
- Retention period: 5 years post-treatment (17th additional provision), unless sector-specific legislation applies.
- Security measures: encryption, pseudonymization, access control, encrypted backups.
If you don't have a RoPA, the inspection stalls until you provide one. In the meantime, you have to prove that NO processing took place during the undocumented period, which in practice is impossible. Create your RoPA today if you don't already have one.

Question 5 — How Do You Handle Patient Rights (Access, Rectification, Erasure, Objection)?
The patient can request access to their clinical record, including the VR portion (SUDS records, session video if it exists, the exposure hierarchy used). The legal deadline is one month, extendable to three in complex cases.
What the inspector asks: what procedure you have for responding to these requests, who receives them, how you verify the requester's identity, and how you document the response. If your answer is “that hasn't come up,” the inspector will ask to see the document that describes the procedure even if it has never been executed. The absence of a procedure is the violation.
Question 6 — Do You Encrypt Clinical Data at Rest and in Transit?
The expected answer is yes, both at rest (on the server or on local equipment) and in transit (when data moves between the headset, the psychologist's dashboard, and the clinical record). Algorithms accepted by the AEPD: AES-256 at rest, TLS 1.2/1.3 in transit.
If you use a VR system where data travels unencrypted between the headset and the psychologist's computer (uncommon but not impossible in older setups), you have a problem that goes well beyond the AEPD inspection. For correctly documenting the session, see the electronic health record documentation protocol.
Question 7 — Is There Video Recording of Sessions? Who Has Access?
Recording a VR session (from the psychologist's view or the patient's view) requires specific informed consent, separable from the general consent form. The AEPD asks:
- Is there recording? Yes or no, and what exactly is recorded.
- Has the patient signed a specific consent form for the recording?
- Who has access to the videos? Just you, or also a team? Are there clinical supervision sessions using video?
- How long are they kept? How are they deleted?
If you record for clinical supervision and share with a senior psychologist, the recipient is either an ad hoc data processor or an authorized recipient. Document that relationship. For more on common mistakes in clinical supervision with VR, we have a dedicated article.
The Sealed Envelope: How to Get Organized Before the Inspection Arrives
The psychologist who passes an AEPD inspection without stress keeps a folder (physical or digital) with seven documents. Prepare them today so you don't have to improvise tomorrow:
- Standard informed consent form (general + recording, if applicable).
- Privacy policy published on your website or given to the patient.
- Signed DPA with your VR software vendor.
- Record of processing activities (RoPA), updated to the current date.
- Written procedure for responding to patient rights (access, rectification, erasure, objection).
- Technical documentation from your vendor on encryption, server location, and business continuity plan.
- Risk analysis or data protection impact assessment (DPIA), if patient volume requires it.
If you want a longer version with ready-to-fill templates and a legal explanation of each item, the GDPR guide for VR practices brings all seven pieces together in a downloadable 14-page resource. It's our most-requested resource among practices facing an upcoming inspection.
And if your question is “is this worth it for using VR once a month?”, the honest answer is that the RoPA, the legal basis, and rights management are mandatory whether or not you use VR. VR doesn't add disproportionate GDPR complexity — it only adds two questions (vendor DPA + data location). Everything else was already your obligation.
This article is for informational purposes for psychology professionals. It is not clinical advice for any individual case and does not replace the judgment of the licensed psychologist in charge. VRET is professional clinical-support software, not a CE-marked medical device.
Frequently asked questions
What's the real probability that a Spanish private practice gets an AEPD inspection?
Low in absolute terms (fewer than 1 inspection per 10,000 active practices/year, per 2024-2025 sector data), but high once conditioned on a patient complaint — a formal complaint raises the probability above 60%. If your monthly patient volume is above 30 and you work with health insurers, assume it will happen to you sooner or later.
Is the average fine in private mental healthcare between €5,000 and €30,000?
Those are the ranges published in AEPD 2023-2025 rulings for small-to-medium private mental health and wellness practices. Fines above €50,000 tend to correspond to large-scale data processing (hospitals, insurers, clinic networks). For an individual practice, that's the realistic range.
Do I need a DPO (Data Protection Officer) if I'm a solo psychologist?
It's not mandatory for an individual psychologist if you don't process data at large scale (typically more than a few thousand patients/year). But it's strongly advisable to hire a DPO advisor as an external consultant whenever you're integrating new technology with clinical data (VR, biofeedback, AI). The cost is a few hundred euros for an initial review, and it can save you the fine.
If the patient gives me broad consent, does that cover the rest of GDPR?
No. Informed consent is one piece, not a substitute for compliance. The AEPD inspects the vendor's objective compliance, not the patient's attitude. No matter what your patient signs, you remain responsible for the RoPA, the DPA, encryption, legal basis, and the rights procedure.
If I use a US platform like TRIPP or Healium for clinical use, can I still be GDPR-compliant?
It's difficult, and rarely defensible in an inspection for clinical data. Even with Standard Contractual Clauses in place, the cross-border transfer of sensitive clinical data to the US requires a deep risk analysis and, in many cases, additional safeguards that consumer wellness platforms don't offer. That's why platforms like VRET or C2Care, designed for European clinical practice, run on EU soil. If you're interested in the comparison, <a href="/blog/vret-vs-tripp-healium-limbix-vr-clinica">we have a dedicated analysis of wellness versus clinical platforms</a>.
Keep reading
VRET Referrals: Working with GPs, Psychiatrists, Insurers
How to present VR exposure therapy to referring physicians: a one-page evidence sheet, standardized outcome reports, and a medication-coordination protocol.
Practice managementHow Much to Charge for a VR Exposure Session in Private Practice
Real VR exposure session pricing in Spanish private practice: €75-130 by city, the typical €20-40 premium over standard fees, and how to justify it to patients.
Practice managementVR Equipment for Your Psychology Practice: What You Need
Everything you need to bring VR into your psychology practice: headset, clinical software, space, cost, and how the investment pays off.
VRET is professional clinical-support software, not a CE-marked medical device. Clinical supervision remains with the licensed psychologist in charge.