GDPR requires more than consent forms. Here is what third-party verified compliance looks like for AI-powered psychological assessment, and why data residency matters.
By Stephen Stearman, CEO, Psynth
The Problem with "GDPR Compliant" Labels
If you are a psychologist practising in the UK or EU and evaluating AI tools for report writing, you have likely seen vendors claim GDPR compliance on their websites. In most cases, that claim amounts to a privacy policy, a cookie banner, and a data processing agreement. These are necessary components, but they are not proof of compliance.
GDPR imposes specific, enforceable obligations on any organisation that processes personal data of EU and UK residents. For AI tools handling psychological assessment data, those obligations are especially demanding. Assessment data falls under GDPR's "special category" protections (Article 9), which means it requires explicit consent, a documented lawful basis for processing, and technical safeguards proportional to the sensitivity of the data.
Most AI platforms built for the US market treat European compliance as a checkbox. Psynth treats it as architecture.
Why Psychological Assessment Data Gets Extra Protection
Under GDPR, health data is classified as a special category of personal data. Psychological assessment data pushes this further. A single evaluation can contain cognitive functioning profiles, mental health diagnoses, behavioural observations, developmental histories, and clinical formulations that directly inform legal, educational, and occupational decisions.
This data carries consequences. An IQ score can determine a child's school placement. A diagnostic impression can affect an adult's employment prospects or insurance coverage. A forensic evaluation can influence court proceedings. GDPR recognises this sensitivity by requiring organisations to implement safeguards that go beyond standard data protection.
When you process this data through an AI tool, you need to know exactly where it goes, how long it stays there, and who can access it. If your vendor cannot answer these questions with specifics, they have not met the bar that GDPR sets.
What Psynth's GDPR Compliance Includes
Psynth achieved third-party verified GDPR compliance in early 2026, audited by Glocert, an accredited independent assessor. This is not a self-assessment or a legal opinion. It is an independent verification that our policies, infrastructure, and data handling procedures meet GDPR's requirements.
Here is what that covers in practice:
- Data residency in Dublin, Ireland — All data for European users is processed and stored within the EU. No transatlantic data transfers are required.
- Lawful basis documentation — Clear documentation of the legal basis for every processing activity involving personal data.
- Data Protection Impact Assessment — A completed DPIA for our AI processing workflows, as required under Article 35 for high-risk processing of special category data.
- Zero-retention AI models — No patient data is stored, cached, or used for training by any LLM provider. Data is tokenized during processing and discarded.
- Data subject rights — Full support for access, rectification, erasure, and portability requests. One-click data deletion is available at any time.
- Subprocessor agreements — Data processing agreements with every downstream provider, including AI model providers (Claude, Gemini, OpenAI).
- Breach notification procedures — Documented incident response plan meeting GDPR's 72-hour notification requirement.
Every policy is documented and publicly available at trust.psynth.ai.
Data Residency: Why It Matters
One of the most significant GDPR requirements for psychologists is data residency. Under GDPR, personal data transferred outside the European Economic Area must either be covered by an adequacy decision or be protected by appropriate safeguards, such as Standard Contractual Clauses.
Many AI tools process data through US-based servers, which introduces legal complexity. The Schrems II ruling invalidated the EU-US Privacy Shield, and while the EU-US Data Privacy Framework was adopted in 2023, the legal landscape around transatlantic data transfers remains uncertain.
Psynth eliminates this complexity. European data stays in Europe. Our Dublin data centre processes and stores all data for UK and EU users entirely within EU jurisdiction. There is no transatlantic transfer to navigate, no supplementary measures to document, and no legal grey area to manage.
For psychologists who work across borders or handle referrals from multiple jurisdictions, this matters. Your compliance posture should not depend on the outcome of the next international data transfer ruling.
The UK Data Protection Act and Post-Brexit Considerations
UK psychologists operate under the UK GDPR and the Data Protection Act 2018, which mirror EU GDPR in most respects. The UK currently holds an adequacy decision from the EU, meaning data can flow between the UK and EU without additional safeguards.
Psynth's GDPR compliance covers both the EU and UK regulatory frameworks. Our Dublin data residency serves UK practitioners under the adequacy arrangement, and our compliance documentation addresses the specific requirements of the UK Data Protection Act alongside EU GDPR.
If the adequacy decision is revisited in the future, Psynth's architecture already supports regional data isolation. Your data stays where it should regardless of regulatory changes.
The EU AI Act: What Is Coming
Beyond GDPR, EU and UK psychologists should be aware of the EU Artificial Intelligence Act, which is being phased in through 2026. AI systems used in healthcare, including those that process psychological assessment data, may be classified as high-risk under the Act.
High-risk AI systems face requirements around transparency, human oversight, data quality, and documentation. Psynth's architecture already aligns with many of these requirements. The clinician remains the decision-maker on every report. AI surfaces patterns and drafts content; the psychologist reviews, edits, and finalises every clinical conclusion. This "human in the loop" model is precisely what the EU AI Act envisions for high-risk applications.
We are monitoring the Act's implementation closely and will update our compliance posture as final guidelines are published.
What to Ask Any AI Vendor Serving European Psychologists
If you are evaluating AI tools for your practice, these questions will quickly reveal whether a vendor has done the work or is relying on a privacy policy and good intentions:
- Where is my data processed and stored? If the answer is "the US" or "we use Standard Contractual Clauses," ask whether they have a European data centre option.
- Have you completed a Data Protection Impact Assessment? GDPR requires a DPIA for high-risk processing of special category data. If they have not done one, they are not compliant.
- Can you show me a third-party audit? A privacy policy is not proof. An independent verification is.
- What is your data retention policy for AI-processed data? Zero retention should be the standard for psychological assessment data.
- Do you support data subject rights? Access, erasure, and portability should be built into the platform, not handled by email request.
- Do you have data processing agreements with your AI model providers? Your agreement with the vendor is incomplete without downstream subprocessor agreements.
Part of a Broader Commitment
GDPR compliance is one component of Psynth's security posture. We have also achieved third-party verified HIPAA compliance (US) and PIPEDA compliance (Canada), with SOC 2 Type 2 and ISO 27001 certifications in progress. Regional data residency is available in the United States, Canada (Ontario), and the EU (Dublin).
This means that regardless of where you practise or where your patients are located, Psynth meets the data protection standard that applies. For the full details of our compliance strategy, read Security as Strategy: Why Psynth Pursued Five Compliance Certifications.
Frequently Asked Questions
Is Psynth GDPR compliant?
Yes. Psynth achieved third-party verified GDPR compliance in early 2026, audited by Glocert. All documentation is available at trust.psynth.ai.
Where is my data stored if I am a UK or EU psychologist?
All data for European users is processed and stored in Dublin, Ireland. No transatlantic data transfers are involved.
Does Psynth comply with the UK Data Protection Act?
Yes. Our GDPR compliance covers both EU GDPR and the UK GDPR / Data Protection Act 2018.
Does the AI retain any patient data after processing?
No. Psynth operates on a zero-retention architecture. Data is tokenized during processing and is not stored, cached, or used for model training.
How does Psynth handle data subject access requests?
Psynth supports access, rectification, erasure, and portability requests directly within the platform. Complete data deletion is available at any time with one click.
Will Psynth comply with the EU AI Act?
Psynth's architecture aligns with the EU AI Act's requirements for high-risk AI systems, including human oversight and transparency. We are actively monitoring implementation guidelines and will update our compliance posture as needed.