A notebook with patient histories, a spreadsheet with packages, treatment photos on your phone. That's what documentation looks like in many animal physiotherapy clinics — and nobody thinks about it until a client asks about their data, or an audit does. This piece sorts out which parts of your clinic's records fall under GDPR, and shows where to start. It is not legal advice — for anything unclear, talk to a lawyer.
An animal's data isn't personal data. But…
GDPR protects people, not animals: Rex's treatment history is not personal data by itself. That's the theory. In practice, a patient record always drags the owner's data along with it: name, phone number, address, payment history, sometimes notes about the household. As soon as a person can be identified through their animal's record, and the record says something about that person, it contains personal data, and you treat the whole record accordingly.
What you actually process
Make a short inventory — it's usually longer than expected:
- owners' contact details (including the ones in your phone and Messenger threads),
- invoicing data and payment history,
- visit notes — often with information about the owner, not just the animal,
- photos and videos from sessions, with people sometimes in frame,
- calendar appointments — with names in the event titles.
On what basis, and for how long
The good news: you don't need consent to keep client records, and you shouldn't build on it, because consent can be withdrawn at any time and your records would lose their basis with it. Your basis is the contract you're performing for the client, your tax obligations around invoices, and your legitimate interest, for example keeping treatment records in case a claim is raised later.
The less good news: "how long" has no single answer. There is no dedicated retention rule for animal physiotherapy, so in practice the frame comes from tax law (in Poland, accounting documents are kept for 5 years, counted from the end of the calendar year in which the tax fell due) and from the limitation periods for claims, which are not the same thing and may be longer. The rule worth remembering: for each kind of data you must be able to say why you keep it and when you'll delete it. "Forever, just in case" is precisely the answer GDPR forbids.
Where it all lives — and what GDPR thinks of that
The notebook won't leak over the internet, but it has no backup, no access control, and no way to "erase data on request" other than scissors.
The spreadsheet on a laptop has the same problems plus a single disk that will eventually fail.
A personal Google Calendar or Messenger means handing client data to an external company with no data processing agreement — we covered this in the Google Calendar piece.
The conclusion isn't "the cloud is bad" — it's that every provider you entrust client data to should have a data processing agreement (DPA) with you, and should be able to account for where and how that data is kept.
The minimal checklist
- you know where all client data lives (all the places, not just the main one),
- only people who need access have it,
- backups exist — and someone has actually tested them,
- every tool that processes client data has a DPA with you,
- you can find and erase one person's data when they ask,
- you can say how long you keep data and why.
How this looks in Fiolo
We can't write your data protection policy for you, but we can take the technical half of that checklist off your plate: each clinic's data is isolated, every change to records lands in an audit log, backups run at least every 24 hours, and the data processing agreement and sub-processor register are in writing — details on the Security & GDPR page.
If your documentation currently lives in a notebook, a spreadsheet, and a phone all at once — give it a try. The first 30 days are free, no credit card required.