Practice management11 min read · 07 July 2026

Documenting a VRET Session: GDPR Best Practices in Spain

By Equipo clínico VRET

LinkedIn X / Twitter
TL;DR

A VRET session generates clinical data (scenario, hierarchy level, SUDS, incidents) and, potentially, biometric data (heart rate, eye tracking). Under Spanish law, both qualify as special-category data under Article 9 GDPR, requiring explicit consent, health-record documentation per regional regulations, and retention periods of 5 to 15 years. This guide proposes a documentation template and lists the relevant legal points. It is not legal advice; the practice's DPO or legal advisor must validate the final implementation.

Editorial illustration: documenting a VRET session in the health record — best practices and GDPR in Spain.

What Data a VRET Session Generates (and Why Each Type Matters)

A typical VRET session produces, at minimum, three categories of clinical data worth identifying before discussing how to document them.

1. Descriptive clinical data. Scenario used, hierarchy level addressed, total duration of the session, time spent with the headset on, duration per block (framing, acclimatization, exposure, closing). This data is not controversial; it is equivalent to the record of any psychotherapy session.

2. Quantitative clinical data. Baseline, peak, and final SUDS scores, intermediate measurements with timestamps. Standardized scales administered (STAI, BAI, BDI, FQ, LSAS, PCL-5, as applicable). This is health data, regulated under Article 9 GDPR.

3. Biometric data (if the platform collects it). Heart rate, heart rate variability, skin conductance, gaze direction, and pupil dilation (on headsets with eye tracking). When used to identify or physiologically characterize a person, this data qualifies as special-category biometric data under GDPR.

Additionally, depending on the software, there may be: audio recording of the patient during the session, capture of the patient's field of view (what they see inside the scenario), and body-movement capture. Each has its own processing framework.

Documenting a VRET session in Spain operates under four regulatory layers worth having clearly identified.

1. The General Data Protection Regulation (GDPR, EU 2016/679). Defines health-related and biometric data as special-category data (Article 9), whose processing requires explicit consent or, failing that, one of Article 9's own legal bases (healthcare provision, research purposes, etc.).

2. Organic Law 3/2018 on the Protection of Personal Data and the Safeguarding of Digital Rights (LOPDGDD). Adapts the GDPR to the Spanish legal system; provides further detail on the legal bases for processing and reinforces digital rights.

3. Law 41/2002, the basic law governing patient autonomy and rights and obligations regarding clinical information and documentation. Defines what the health record is, its minimum required content, and general retention periods.

4. Regional health-record regulations. Each of Spain's autonomous regions implements Law 41/2002 with its own retention periods and formats. Madrid, Catalonia, Andalusia, and the Basque Country have specific regulations. This is the most relevant layer for retention rules.

The operational rule for private practice: a VRET patient's health record follows the regional regulations of the community where the practice is located. Any biometric data associated with the session, when it exists, is additionally governed by the GDPR/LOPDGDD framework for special-category data.

General psychotherapy informed consent does not by itself cover VR or biometric data. It is advisable to prepare a specific addendum or consent form that the patient signs before the first VR session.

Recommended minimum content.

1. Identification of the data controller: the psychologist's name and license number, practice address, contact details, and DPO if one exists.

2. Description of the procedure. 'Exposure or relaxation sessions using a VR headset with VRET clinical software. Each session lasts approximately 60-75 minutes.'

3. Categories of data processed. Identifying data, descriptive and quantitative clinical data (SUDS, scales), biometric data where applicable (heart rate, gaze), audio or video recording if used.

4. Purpose of processing. 'Psychological care, clinical documentation of the session, evaluation of the patient's progress, clinical supervision, and, where applicable, training or research using pseudonymized data under separate additional consent.'

5. Legal basis. 'The patient's explicit consent (Article 9(2)(a) GDPR) combined with the healthcare-provision purpose (Article 9(2)(h)).'

6. Recipients. 'Data is kept in the data controller's information systems, hosted with providers located in the European Union. It is not shared with third parties except where legally required, nor used for marketing purposes.'

7. Retention period. 'In accordance with the applicable regional health-record regulations [specify the autonomous region and exact period, typically 5 to 15 years from the last visit].'

8. Patient rights. Access, rectification, erasure, restriction, objection, portability, and withdrawal of consent at any time.

9. Known risks. 'Use of the headset may cause cybersickness, eye strain, headache, or reactivation of clinical symptoms. These risks are mitigated by the protocol described, and the session can be stopped at any time.'

10. Signature. Of the patient, the guardian when applicable, and the psychologist, with date and place.

Session Documentation Template for the Health Record

A reproducible format for each VR session facilitates traceability and clinical supervision. This is an operational template that fits on a single A4 page — for a fuller legal reference, see the GDPR guide for VR practices.

Header. Start date and time, end date and time, session number within the treatment plan, name of the responsible psychologist.

Block 1, scenario identification. Scenario name, software version, hierarchy level addressed (referencing the hierarchy built during the assessment session), adjustable parameters modified during the session (intensity, distance, presence of secondary stimuli).

Block 2, quantitative measurements. Baseline SUDS in a neutral scenario, pre-exposure SUDS, SUDS during exposure with timestamps every 2-3 minutes, post-exposure SUDS. Baseline and peak heart rate if the platform collects it. Other scales administered during the session.

Block 3, clinical observation. Automatic thoughts reported by the patient, behaviors observed during exposure (removing the headset, requesting a pause, crying, nervous laughter), physical sensations reported (rapid heartbeat, sweating, chest tightness).

Block 4, technical or clinical incidents. Dizziness, eye strain, scenario glitches, software failure, early termination. If a relevant clinical incident occurred (anxiety crisis, dissociation, traumatic reactivation), describe it and the management applied.

Block 5, treatment plan. Clinical decision for the next session (repeat the level, move up or down the hierarchy, change scenario, temporarily suspend VR). Between-session tasks assigned to the patient.

Block 6, administrative data. Time with the headset on, total session time, billing if applicable. Psychologist's signature (or electronic identification record in digital health records).

This record should be filed together with the rest of the health record, ideally in the same information system, with the same access controls.

Biometric Data: The Delicate Point

When the VRET platform collects heart rate, skin conductance, gaze direction, or similar variables for clinical measurement purposes, that data qualifies as biometric data under Article 4(14) GDPR if it enables or is intended to identify or physiologically characterize the patient.

Practical implications.

1. Explicit consent must specifically mention this data. A generic reference to 'other clinical data' does not satisfy the requirement.

2. The processing must be documented in the practice's record of processing activities (Article 30 GDPR), detailing the categories, purposes, and retention periods.

3. Technical and organizational measures (Article 32 GDPR) must be proportionate to the level of risk: encryption in transit and at rest, access controls, segregation from general personal data, and encrypted backups.

4. If biometric data is used for research or statistical aggregation beyond the individual patient, it requires an additional legal basis and, depending on the purpose, a data protection impact assessment (DPIA).

5. It is worth checking whether the VRET platform in use allows disabling collection of this data when it is not clinically necessary. If the practice does not analyze heart rate, the prudent choice is to turn off that capture in the settings.

Retention and Deletion: How Long to Keep the Information

Regional health-record regulations set minimum retention periods. These are the main reference points in Spain, with the caveat that each region's details may have changed and should be verified against the official source.

1. Law 41/2002, the basic national framework. A minimum of five years from the discharge date of each care episode, except where exceptions recommend longer retention.

2. Community of Madrid (Law 12/2001). Fifteen years from the discharge date of each care episode, with exceptions.

3. Catalonia (Law 21/2000 and later regulations). A minimum of fifteen years for a significant portion of the health record.

4. Andalusia, the Valencian Community, Galicia, the Basque Country. Similar periods (between five and fifteen years), with their own implementing regulations.

For private practice, the recommended operational rule is to keep the complete health record, including VRET session logs, for fifteen years from the last visit. That period comfortably covers every Spanish regional regulation.

Associated biometric data: if it is not clinically necessary for continuity of care, it is worth considering deletion on a shorter timeline (for example, 12 months) once it has served its clinical purpose. Minimization is a GDPR principle.

Effective deletion: in digital systems, removal must be permanent (including active backups, not just a logical deletion flag). In paper systems, secure destruction with a documented record.

Common Pitfalls and How to Mitigate Them

Some documentation mistakes recur in practices that are just starting with VRET, and it is worth having them clearly identified.

1. Logging SUDS without context. 'Peak SUDS 7' with no scenario, no hierarchy level, and no timestamp is practically useless for clinical decision-making.

2. Forgetting to log technical incidents. Dizziness in session 3 that goes unrecorded tends to recur in session 4, handled worse.

3. Mixing the clinical note with the administrative note. Clinical entries (in the health record) and administrative entries (billing, hours, attendance) should be kept separate.

4. Storing scenario screenshots on a personal computer without encryption. If the platform generates preview images, they belong inside the secure health-record system, not on the desktop.

5. Discussing the case over personal messaging or non-professional email. Clinical information must be communicated between professionals through GDPR-compliant channels; the psychologist's personal WhatsApp is not one of them.

6. Not reviewing vendor contracts. The VRET platform, the health-record system, and the backup provider are all data processors. A signed data processing agreement must be in place with each one, per Article 28 GDPR — a ready-to-use DPA template for psychologists can speed this up.

This article is for informational purposes for psychology professionals. It is not clinical advice for any individual case and does not replace the judgment of the licensed psychologist in charge. VRET is professional clinical-support software, not a CE-marked medical device.

Frequently asked questions

Do I need a DPO (Data Protection Officer) for a solo practice?

GDPR requires appointing a DPO when the core processing activity consists of large-scale operations involving special-category data. A solo practice usually does not reach that threshold, so appointment is not mandatory. That said, it is highly advisable to obtain external advice from a DPO or data protection consultant to validate the consent model, processor contracts, and the record of processing activities. For practices with several professionals or larger clinics, mandatory appointment can indeed apply.

Can I keep the VR health record purely in digital format, without printing it?

Yes. Spanish regulations explicitly allow the electronic format for health records, provided integrity, authenticity, availability, confidentiality, and access traceability are ensured. The system must have backup mechanisms, access controls, and an audit log. Paper format is no longer mandatory if the digital system meets the technical requirements.

Is the VRET platform a data processor or a data controller?

It is a data processor. The controller is the psychologist or clinic that decides the purposes and means of processing the patient's data. The platform processes data on the controller's behalf, under the data processing agreement signed between the two. That contract is mandatory under Article 28 GDPR and must cover technical measures, timelines, permitted sub-processing, and the controller's audit rights.

What should I do with biometric data if the patient withdraws consent?

If the patient withdraws specific consent for biometric data but continues general psychotherapy treatment, collection of that data must stop from that point on. Data collected before the withdrawal can be retained under the healthcare-provision basis (Article 9(2)(h)) if it is necessary for clinical continuity; if not, it must be deleted. The descriptive clinical record (SUDS, scenarios, progress) can continue.

Do I need to notify Spain's data protection authority (AEPD) before starting to use VRET?

No, simply starting to use VR in practice does not require notification. A Data Protection Impact Assessment (DPIA) is mandatory when the processing involves high risk to the data subject's rights, particularly when special-category data is combined with novel technology and systematic monitoring. In practice, a small private practice using standard VRET software may not require a DPIA; it is worth documenting the reasoned decision, and if in doubt, carrying out the DPIA anyway.

Can I share VR session summaries with the patient's family?

Only with the patient's express consent (or the legal guardian's if the patient is a minor), except in specific situations of legal obligation. Consent must be specific to that communication and limited in scope: what information, which family member, and how often. A courtesy verbal note is not sufficient grounds. For minors, the specific framework protecting the minor's right to privacy vis-à-vis their guardians also applies.

VRET is professional clinical-support software, not a CE-marked medical device. Clinical supervision remains with the licensed psychologist in charge.