GDPR for Life Coaches: Session Notes, Client Wellbeing Data, and Coaching Records
Published March 2026 | Industry Guides
If you are a life coach, business coach, or executive coach, GDPR applies to every client you work with in the UK and EU — and potentially to clients based elsewhere if you process their data through EU-based systems. This guide covers the specific privacy obligations that arise from coaching practice: session notes containing sensitive personal information, recordings, client wellbeing data, corporate sponsor arrangements, testimonials, and the question of data retention when there is no statutory period to follow.
Why Coaching Creates Complicated Data Protection Questions
Coaching is not therapy. But in practice, the content of coaching conversations often touches territory that GDPR considers especially sensitive. A life coach working with a client on career transition will inevitably hear about mental health, family relationships, financial anxieties, and personal identity. An executive coach may learn about boardroom conflicts, health conditions affecting leadership capacity, or relationship difficulties affecting performance at work.
This creates a genuine data protection complexity: coaches are not regulated health professionals, but the data they hold can be functionally equivalent to quasi-clinical records. The ICO and equivalent EU supervisory authorities do not give coaches special exemptions from GDPR simply because they lack clinical registration.
Special Category Data: When Coaching Notes Cross the Line
GDPR Article 9 identifies categories of personal data that attract enhanced protection. These include data concerning health, data concerning sex life or sexual orientation, data revealing racial or ethnic origin, and data concerning mental health. General coaching notes — names, contact details, goal-setting conversations — are standard personal data processed under normal GDPR rules. But coaching notes that record:
- A client's depression, anxiety, or other mental health condition
- Medical issues affecting their professional life
- Details of their sexual orientation or relationship structure
- Substance use or addiction history shared in session
...may constitute special category data, even though the coaching session is not a clinical encounter.
If your session notes contain such information, you need an explicit legal basis under Article 9(2) to process it. The most practical bases for coaches are:
- Explicit consent (Article 9(2)(a)): The client has given explicit consent to you processing their health or mental health data as part of the coaching relationship. This needs to be clearly documented, separate from general coaching terms, and freely given.
- Necessary for carrying out obligations in the field of social protection — this is unlikely to apply to most coaches.
- Processing necessary for the establishment, exercise or defence of legal claims — relevant if notes are ever needed in a dispute.
For most coaches, the most practical route is to use explicit, documented consent that specifically identifies the sensitive categories of information you may record.
Lawful Basis for Standard Coaching Records
For coaching data that does not fall into special category territory, you need a lawful basis under Article 6. The two most relevant for coaches are:
Contract (Article 6(1)(b)): Processing is necessary for the performance of a contract. This covers notes and records you genuinely need to deliver the coaching service — session summaries, goal progress tracking, homework notes, and similar records directly tied to the coaching engagement.
Legitimate interest (Article 6(1)(f)): Processing is in your legitimate interests and those interests are not overridden by the rights of the individual. This might apply to retaining limited records for a period after the engagement ends for business continuity purposes, or holding contact details to send limited service-related communications to former clients. You should conduct a Legitimate Interests Assessment (LIA) before relying on this basis.
You cannot rely on legitimate interest for special category data — that requires an Article 9(2) basis.
Recording Coaching Sessions
Video and audio coaching recordings are increasingly common, particularly for online coaching. A recording is unambiguously personal data — in most cases, it is a complete record of a private conversation. Under GDPR, recording sessions requires:
Explicit, informed consent before recording begins. This consent must:
- Be freely given (not buried in a long contract the client must sign to proceed)
- Be specific about the purpose of the recording
- Explain who will access the recording and for how long it will be retained
- Be easy to withdraw
You should never record a session without the client's active, prior agreement. Even if your coaching agreement includes a blanket clause permitting recording, you should obtain clear consent at the time of recording — not just at contract signature weeks earlier.
Recordings of sessions that contain health-related or other special category information are themselves special category data. The same enhanced protections apply.
Storage: Coaching recordings should be stored securely, with access controls limiting who can view them. Cloud storage services used for recordings are data processors — you need a Data Processing Agreement (DPA) with each provider.
Confidentiality Agreements vs GDPR Obligations
Coaches routinely ask clients to sign confidentiality agreements, and clients may assume that signing a coaching contract equals GDPR compliance. These are different things.
A confidentiality clause in your coaching agreement governs what you contractually agree not to disclose. GDPR is a legal obligation that operates independently of any contract. A confidentiality agreement:
- Does not substitute for a privacy notice
- Does not create a lawful basis for processing
- Does not give you the right to retain data indefinitely
- Does not eliminate data subject rights (access, erasure, portability)
Your client's GDPR rights — including the right to request a copy of their data, to request deletion, and to object to certain processing — exist regardless of what your coaching contract says. Any attempt to contractually exclude or limit those rights is not enforceable.
Coaching Platforms as Data Processors
Many coaches use specialist platforms to manage client relationships: CoachAccountable, Paperbell, Satori, Quenza, and others. When you use these platforms to store client data, they are processing personal data on your behalf. Under GDPR, this makes them data processors and you the data controller.
This means you need:
- A Data Processing Agreement with each platform you use. Most reputable coaching platforms provide these — check their legal documentation.
- Transparency with clients about which platforms their data is shared with, via your privacy notice.
- Assurance that the platform operates appropriate security standards.
If the platform is based outside the UK or EU, you also need to ensure adequate safeguards for international data transfers — standard contractual clauses, adequacy decisions, or equivalent mechanisms. Platforms based in the US should be checked for EU-US Data Privacy Framework participation if they process EU client data.
Custodia can scan your website and identify what third-party tools are actually processing visitor data, giving you a starting point for your processor assessment.
Corporate Coaching: Sharing Client Progress Data with Sponsors
Executive coaching is frequently paid for by an employer organisation. This creates a triangular data sharing arrangement that requires careful GDPR management.
When a company pays for coaching, the employer typically wants some assurance that the investment is delivering value. But what can a coach legitimately share with the sponsoring organisation?
The key principle is that coaching conversations are confidential to the coachee. Any sharing of progress data, session summaries, or assessments with the sponsor requires the individual client's explicit, informed consent — not just the employer's contractual expectation.
You should:
- Clarify data sharing arrangements in your contract with both the sponsor organisation and the individual coachee before coaching begins
- Obtain clear consent from the coachee for any reports shared with the sponsor
- Limit shared information to agreed summary-level progress data, not the content of sessions
- Never share data with the sponsor that the coachee has not agreed to
If the sponsoring organisation instructs you to share information without the coachee's consent, you should refuse. The ICO's position is that coaches cannot simply treat the employer as the data controller giving instructions — the individual retains rights over their personal data regardless of who is paying.
Marketing to Past Clients Under PECR
If you want to send marketing emails or text messages to former clients, the Privacy and Electronic Communications Regulations (PECR) apply in addition to GDPR.
PECR allows a soft opt-in for individual consumers who have previously purchased services from you, provided:
- You collected their contact details during the previous sale
- You only market similar services to those they originally purchased
- You gave them a clear, easy way to opt out when you first collected their details
- You offer an opt-out in every marketing message
Coaches marketing a new programme to former coaching clients can typically use the soft opt-in. However, if you are targeting business email addresses of corporate coachees, the same soft opt-in applies — but check that you are marketing to the individual, not to a corporate inbox where the individual has no expectation of personal commercial messages.
You should maintain clear records of how each contact was obtained and whether they have opted out. Email platforms like Mailchimp are data processors — you need a DPA with them, and you should not add coaching clients to your mailing list without a valid basis.
Testimonials and Case Studies
Testimonials and case studies are a valuable marketing tool for coaches, but they involve processing personal data — and potentially sensitive personal data if the client's coaching topic was personal.
To use a testimonial or case study lawfully, you need:
- Explicit written consent from the client that specifically covers the use of their name, their words, and any identifying information
- Clarity about where the testimonial will appear (website, social media, printed materials)
- The ability for the client to withdraw consent and have the testimonial removed
Even if a client gives a testimonial enthusiastically at the end of an engagement, using it publicly without written consent is risky. Verbal agreement is difficult to evidence if a complaint arises later.
For case studies that do not name the individual, anonymisation may be appropriate — but take care that the case study cannot be re-identified from context (industry, role, organisation, timeline, and coaching topic in combination can identify someone even without their name).
Data Retention: How Long Should You Keep Coaching Notes?
Unlike medical records (which have statutory retention periods), coaching records have no prescribed retention period. The ICO's position is straightforward: retain data only as long as necessary for the purpose for which it was collected, then securely delete it.
In practice, consider:
- Active client records: Retain throughout the engagement
- Post-engagement notes: A short retention period (six to twelve months) may be justified for continuity if the client returns, or for business administration purposes
- Recordings: Many coaches delete recordings within 30 days unless the client requests them for their own use
- Financial records: Six years (HMRC requirement for invoicing and payment records)
- Records held for potential legal claims: Up to six years from the end of the coaching relationship
You should have a documented retention schedule and apply it consistently. Holding notes indefinitely because you are unsure when to delete them is not compliant.
Data Breach Obligations
If coaching session notes, recordings, or client contact details are exposed — through a hacked email account, a stolen laptop, an accidental email to the wrong recipient, or a compromised platform — you face GDPR breach obligations.
Under UK GDPR and EU GDPR:
- If a breach is likely to result in a risk to individuals' rights and freedoms, you must report it to the ICO within 72 hours of becoming aware of it
- If the breach is likely to result in a high risk to individuals — which a breach of session notes containing health information almost certainly would be — you must also notify the affected clients directly
- You must document all breaches, including those you decide not to report
Given the sensitivity of coaching records, any breach involving session notes should be treated as high-risk until assessed otherwise. Coaches working as sole traders are personally responsible for breach reporting — there is no IT department to handle it on your behalf.
Group Coaching: Processing Multiple Clients' Data Simultaneously
Group coaching programmes — whether delivered in person or online — involve processing the personal data of multiple individuals at once. Additional considerations apply:
- Video platforms: Zoom, Teams, and similar platforms record session content, collect attendance data, and may process participant information on servers outside the UK or EU. Ensure you have DPAs with any platform used and inform group participants of data flows in your privacy notice.
- Participant confidentiality: Coaching groups operate on an expectation of confidentiality. Your privacy notice should explain what notes you take, how they are stored, and that you do not share individual participant information with other group members.
- Group recordings: Participants who object to being recorded must be accommodated. A participant who joins a recorded session but has not consented to recording has a valid concern.
- Group email communications: Using BCC rather than CC when emailing multiple clients avoids inadvertent disclosure of participants' email addresses to each other.
Online Coaching vs In-Person: Different Data Flows
Online coaching generates data flows that in-person coaching does not. When you deliver coaching online:
- Video conferencing platforms process participant data, including IP addresses, device information, and potentially location
- Scheduling tools (Calendly, Acuity) process booking information and may transfer data internationally
- Email and messaging platforms are involved throughout
- Cloud storage for notes and recordings may be on servers in multiple jurisdictions
Your privacy notice should reflect the actual data flows in your practice. If you use cloud tools, SaaS scheduling platforms, and video conferencing, these should all be disclosed as data processors. Custodia's scanning tool can help identify what your website and linked booking tools are actually collecting from visitors.
Your Privacy Notice
Every coach who processes personal data needs a privacy notice accessible to clients. It should cover:
- Who you are and your contact details
- What personal data you collect (contact details, session notes, recordings, health data if applicable)
- The lawful basis for each type of processing
- Who you share data with (platforms, supervisors, sponsors with consent)
- How long you retain data
- Clients' rights (access, erasure, portability, objection, withdrawal of consent)
- How to make a complaint to the ICO (UK) or relevant EU supervisory authority
If you process special category data — health, mental health, or other sensitive data from coaching sessions — this must be explicitly addressed in your privacy notice along with your Article 9(2) basis.
Next Steps for Coaches
GDPR compliance for coaches is achievable without a legal team. Start with:
- Audit your data: Map what client data you collect, where it is stored, and who processes it on your behalf
- Review your bases: Identify your lawful basis for each type of processing, including any special category data
- Update your privacy notice: Ensure it accurately reflects your practice
- Check your platforms: Confirm DPAs are in place with every tool you use
- Implement a retention schedule: Define and document how long you keep different types of records
- Scan your website: Use Custodia's free scan at https://app.custodia-privacy.com/scan to identify what your website is collecting from visitors — especially if you use booking tools, contact forms, or analytics
GDPR compliance for coaches comes down to transparency with clients, documented decision-making, and secure, time-limited data handling. Getting it right protects your clients and your practice.