
GDPR COMPLIANT WEB FORMS
GDPR-compliant data collection
Retrieve, edit, or delete personal data, and obtain proof of consent, all with one secure solution

SECURE FORMS
“FormAssembly provides several practical solutions for helping customers in the EU maintain compliance.”
– Jonathan Payne, Salesforce Specialist
Top questions about FormAssembly’s GDPR compliance
Will data be transferred out of my region at any time?
No. Your data will stay in the region you specify.
Do you offer a Data Processing Agreement that addresses GDPR?
Yes. In addition to our standard Terms of Service and Master Service Agreement, a Data Processing Agreement is created for all customers in the European Union or customers who qualify as a Data Controller under the GDPR. Customers affected by the GDPR must review and sign our Data Processing Addendum.
You can review and sign the agreement here.
The Data Processing Addendum includes provisions between the Data Processor (FormAssembly) and the Data Controller (you, our customer) that are mandatory under the GDPR.
Please note that FormAssembly cannot determine which customers are affected by this regulation. Customers are invited to make their own determination and request our Data Processing Addendum as needed.
Can data be stored in EU data centers?
Yes, customers on our Essentials, Team, Enterprise and Government plans have the option to have data stored in EU-based ISO 27001-certified data centers, to facilitate compliance with data residency requirements. Note that data does not have to be stored in the EU for compliance with the GDPR.
What is informed consent, and can I gather it with a FormAssembly web form?
Under the GDPR, consent must be a “freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data” and must specifically cover all of the processing activities. Any request for consent must be in clear and plain language and easily distinguishable from other matters. The GDPR requires a “clear affirmative act,” which can be through an electronic signature, ticking a tick box, etc. Silence, pre-ticked boxes, or inactivity on the part of the user do not constitute consent.
We provide guidance on how to obtain consent through web forms, but ultimately, under the GDPR, FormAssembly is considered a Data Processor, and obtaining consent is the responsibility of the data controller (our customer).
Note that informed consent is one valid basis for the lawful collection and processing of personal data, but there are others that are equally valid, including the performance of a contract or the data controller’s “legitimate interests” (see Article 6 of the EU GDPR).