GDPR starter kit for physiotherapists + coaches

Physiotherapists are healthcare providers (see starter healthcare) under Dutch Medical Treatment Act. Coaches are usually NOT healthcare providers — different route. Physio-specific: (1) Treatment record (WGBO): 20-year retention. Patient has access + correction rights. (2) Health insurance claims: only via DBC codes + treatment date — no detailed complaints. (3) Online appointments: secure platform (Therapieland, ZorgID, own NEN 7510-compliant). NOT WhatsApp for intake info. (4) Physio software (FysioLogica, Spotonmedics, Intramed): DPA + NEN 7510 + local storage where possible. Coach-specific (no WGBO): (1) Intake forms about mental health = Art. 9 special, even without formal care. Consent + strict security. (2) Session notes: minimum needed + retention until service end. (3) Online platforms (Calendly, Zoom, Stripe, Mailerlite): DPA + Schrems II TIA. (4) Coaching data + reviews: client may NOT be in marketing without explicit consent per use. (5) Liability: coaching doesn't fall under WGBO but does fall under Dutch Civil Code 6:162 — civilly liable for damage from sloppy data handling. Tip for both: never discuss client data or sessions via WhatsApp group — breach risk via accidental forwarding.