General Data Protection Regulation (GDPR) Form Compliance 



The EU's General Data Protection Regulation (GDPR) went into effect on May 25th, 2018.

If you are a FormAssembly user collecting data from EU citizens, you must make sure that your forms are in compliance with the GDPR. If you are unsure whether the GDPR applies to you, this resource provides additional details and information.

If the GDPR does apply to you, you will need to follow the steps below to acknowledge that the GDPR applies to your use of FormAssembly.

Note: It is incredibly important to note that FormAssembly cannot provide legal guidance of any kind. As a Data Controller under the GDPR, you are responsible for ensuring that all of your forms are built in compliance with the GDPR.

FormAssembly does not have the authority to evaluate your forms in any capacity to determine if they are in compliance.  We highly recommend seeking legal consultation when determining if your forms are in GDPR compliance. 

Account Settings for GDPR Compliance

If you have determined that the GDPR applies to your use of FormAssembly, you will need to navigate to your Account page, and then check the box below:

Please note: Any FormAssembly user who currently is, or potentially will be, collecting any response data from EU citizens will need to check this box and make sure that their forms are aligned with GDPR requirements.

Checking this box will let the FormAssembly team know to reach out to you and ask you to sign our Data Processing Addendum.

GDPR Regulations Overview

Your data collection processes must comply with a number of obligations. In general, there are four main rights that your form respondents are granted under the GDPR, which you are obligated to provide:

  1. The right to information and access
  2. The right to rectification and erasure
  3. The right to withdraw consent and object to processing
  4. The right to data portability

Details on these rights and obligations, as well as practical solutions for meeting these obligations within FormAssembly, are discussed below.

The GDPR Applies to Me, Now What?

If you have determined that the GDPR applies to you, the next best step is to contact your legal representation to ensure that all forms are in compliance with the GDPR.  As stated above, FormAssembly does not have the authority to evaluate forms to determine if they are in compliance.

In addition to consulting with legal services, the webinar below provides additional, introductory information on the GDPR, and its general impact on FormAssembly processes.

How to Approach the GDPR and Resources to Help Navigate International Waters

Once you have a basic understanding of the GDPR and how it relates to data collection processes, the following webinar can provide you with additional resources and ideas on how our clients are enacting compliance across their forms.

This webinar will be posted as soon as it is available. 

Understanding Informed Consent and Transparency under the GDPR

Your organization is obligated to provide a number of pieces of information to form respondents such as your identity, contact information, and the purpose of processing their data. 

For a detailed discussion of these obligations, as well as practical solutions for meeting these obligations, please read our post on Rights of the Data Subject: Transparent Information.

Additionally, in order to remain compliant with the GDPR, you must obtain informed consent to process all respondent data. Our post on Obtaining Informed Consent discusses this obligation in detail, and provides suggestions for implementation.

Finally, you can view the webinar below for a detailed discussion on informed consent and data transparency.

This webinar will be posted as soon as it is available.

GDPR Request Form Template for Rectification and Erasure 

As a data controller, you are responsible for providing form respondents with the right to access their personal data, the right to rectification in case data is incomplete or inaccurate, and the right to erasure or restriction of processing.

To help meet these obligations, we have created a GDPR request template that you can customize for your own use.

You can read additional information about these obligations and this requirement here in our blog post, or in our GDPR ebook.

The GDPR and You: Practical Strategies for Reaching Compliance

In addition to the resources and webinars provided above, the class below provides practical, concrete strategies for reaching GDPR compliance within your forms.

Anonymizing Form Response Data

To help you remain compliant with the GDPR, FormAssembly gives you the option to anonymize the IP address of every submission on a form-by-form basis.

Anonymizing the IP address means that the form respondent's IP address will not be fully recorded, so that it cannot be used to identify an individual respondent.

Additional information on this feature can be found here.

Personally Identifiable Information and General Sensitive Data

In compliance with the GDPR, you may need to label certain fields in your form as containing Personally Identifiable Information (PII) or General Sensitive Data.  

Additionally, you will likely need to determine if sensitive data being collected is from a first party or third party source.  For any field marked as sensitive, you have the ability to define this respondent data relationship classification.

You can find additional information about sensitive data here.

Form Contact Information

For a form to be compliant with the GDPR, you are obligated to provide specific contact information to all form respondents.  This contact information must be available so that form respondents can easily access information about the data you are collecting, and how that data will be used.

Additionally, you are obligated to provide form respondents with information about their specific rights under the GDPR. 

To customize your contact information on a form-by-form basis, you can find out more information here.

Finally, additional FAQs regarding the GDPR and how it relates to FormAssembly and your data collection processes are addressed here on our website.