Introduction
The EU's General Data Protection Regulation (GDPR) went into effect on May 25th, 2018.
If you are a FormAssembly user collecting data from EU citizens, you must make sure that your forms comply with the GDPR. If you are unsure whether the GDPR applies to you, this resource provides additional details and information.
If the GDPR does apply to you, follow the steps below to acknowledge that the GDPR applies to your use of FormAssembly.
- It is incredibly important to note that FormAssembly cannot provide legal guidance of any kind. As a Data Controller under the GDPR, you are responsible for ensuring that all of your forms are built in compliance with the GDPR.
- FormAssembly does not have the authority to evaluate your forms in any capacity to determine if they are in compliance. We highly recommend seeking legal consultation when determining if your forms are in GDPR compliance.
FormAssembly and GDPR
If you have determined that the GDPR applies to you, the best next step is to contact your legal representation to ensure that all forms comply with the GDPR.
As stated above, FormAssembly does not have the authority to evaluate forms to determine if they comply with GDPR.
In addition to consulting with legal services, we ask that you sign our Data Processing Agreement (DPA). Please download our DPA here.
For customers that opt for hosting in the EU (Essentials plans and up), the DPA is not necessarily required because no data is leaving the EU.
Please discuss your GDPR and regional data hosting preferences with our team, or learn more about FormAssembly and GDPR here.
GDPR-Related FormAssembly Options
Anonymizing Form Response Data
- To help you remain compliant with GDPR, FormAssembly gives you the option to anonymize the IP address of every submission on a form-by-form basis.
- Anonymizing the IP address means that the form respondent's IP address will not be fully recorded, so it cannot be used to identify an individual respondent.
Personally Identifiable Information and General Sensitive Data
- In compliance with the GDPR, you may need to label certain fields in your form as containing Personally Identifiable Information (PII) or General Sensitive Data.
- Additionally, you will likely need to determine if the sensitive data being collected is from a first-party or third-party source. For any field marked as sensitive, you can define this respondent data relationship classification.
Form Contact Information
- For a form to be compliant with the GDPR, you are obligated to provide specific contact information to all form respondents. This contact information must be available so that form respondents can easily access information about the data you are collecting, and how that data will be used.
- Additionally, you are obligated to provide form respondents with information about their specific rights under the GDPR.
GDPR FAQs
Finally, additional FAQs regarding the GDPR and how it relates to FormAssembly and your data collection processes are addressed here on our website.