
GDPR-compliant data collection

No fuss, no code, fully GDPR-compliant data collection stored on EU-based servers.

Helping you achieve GDPR-compliant data collection

FormAssembly’s secure data collection platform and easy-to-use form builder take the worry out of GDPR compliance. Retrieve, edit, or delete personal data, and obtain proof of consent, all with one single, secure solution.

GDPR-COMPLIANT BENEFITS

Peace of mind for you. Privacy for your customers.

GDPR-compliant policies

FormAssembly’s information security procedures and policies are designed to meet the requirements of the GDPR as well as other strict standards such as PCI DSS Level 1 and the U.S. HIPAA regulation. Additionally, we provide an agreement that includes the legal provisions the GDPR requires between a controller and a processor.

Meet article 28 obligations

By choosing FormAssembly as your data processor, you can meet your obligation under Article 28 of the GDPR to use only processors that implement appropriate technical and organizational measures and ensure the protection of the rights of the data subject.

Legally binding

As your Data Processor, we will enter into an additional agreement (the Data Processing Addendum) which contractually binds us to meet our Data Processing obligations to protect the rights of the data subjects.

Anonymized IP addresses

To help you remain compliant with the GDPR, FormAssembly gives you the option to anonymize the IP address of every submission on a form-by-form basis.

Anonymizing the IP address means that the form respondent’s IP address is not fully recorded, so the stored value cannot be used to single out an individual respondent. Note that the IP address is only one of the identifiers a submission may carry; the data entered in the form fields themselves is still personal data and remains subject to the GDPR.
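The following is an added example, not FormAssembly’s code, showing one common way to implement the option described above: truncating each submission’s IP address to a network prefix before it is stored, switched per form. The prefix lengths (a /24 for IPv4, a /48 for IPv6), the `form_config` dictionary and the `store_submission` helper are assumptions made for this example; the page does not say which method or prefix lengths FormAssembly uses.

```python
import ipaddress
from typing import Optional

# Assumed prefix lengths for this example: drop the last IPv4 octet and the
# last 80 bits of an IPv6 address. These are a common choice, not a value the
# page states.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48


def anonymize_ip(raw: str, v4_bits: int = IPV4_KEEP_BITS,
                 v6_bits: int = IPV6_KEEP_BITS) -> Optional[str]:
    """Return the address with its host-identifying bits zeroed.

    Returns None when the input is not a valid IP address, so that an
    unparseable string (a spoofed header, extraction noise) is never stored
    as if it were an anonymized address.
    """
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None

    # An IPv4-mapped IPv6 address (::ffff:203.0.113.9) must be truncated as
    # IPv4: a /48 applied to its IPv6 form would keep the whole embedded
    # IPv4 address and anonymize nothing.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped

    bits = v4_bits if addr.version == 4 else v6_bits
    # strict=False lets ipaddress zero the host bits for us.
    network = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
    return str(network.network_address)


def store_submission(form_config: dict, client_ip: str, fields: dict) -> dict:
    """Build the record that would be persisted for one submission.

    `form_config` is a hypothetical per-form settings dictionary with an
    `anonymize_ip` switch, mirroring the form-by-form option in the text.
    The record carries an explicit `ip_anonymized` flag so that later
    data-subject access or deletion requests can tell the two cases apart.
    """
    record = {"form_id": form_config["form_id"], "fields": dict(fields)}
    if form_config.get("anonymize_ip", False):
        record["ip"] = anonymize_ip(client_ip)
        record["ip_anonymized"] = True
    else:
        record["ip"] = client_ip
        record["ip_anonymized"] = False
    return record


if __name__ == "__main__":
    # Constructed sample data: documentation-range addresses, not real respondents.
    anonymized_form = {"form_id": "contact-us", "anonymize_ip": True}
    plain_form = {"form_id": "internal-survey", "anonymize_ip": False}
    sample = {"email": "respondent@example.com"}

    print(store_submission(anonymized_form, "203.0.113.9", sample))
    print(store_submission(anonymized_form, "2001:db8:abcd:1234:5678:9abc:def0:1", sample))
    print(store_submission(anonymized_form, "::ffff:203.0.113.9", sample))
    print(store_submission(plain_form, "203.0.113.9", sample))
```

With a /24, every address in 203.0.113.0 to 203.0.113.255 is stored as 203.0.113.0, so two respondents from the same block become indistinguishable in the stored data. Whether a given prefix length is sufficient depends on the address space in question; on a small corporate range a /24 may still correspond to one organization, which is why the switch is exposed per form rather than applied blindly.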

GDPR-Compliant data collection

“FormAssembly provides several practical solutions for helping customers in the EU maintain compliance.”

– Jonathan Payne, Salesforce Specialist

How to be GDPR compliant in data collection

Learn more about FormAssembly’s GDPR compliance:

Will data be transferred out of my region at any time?

No. Your data will stay in the region you specify.

Do you offer a Data Processing Agreement that addresses GDPR?

Yes. In addition to our standard Terms of Service and Master Service Agreement, a Data Processing Addendum (also referred to below as the Data Processing Agreement) is created for all customers in the European Union and for customers who qualify as a Data Controller under the GDPR. Customers affected by the GDPR must review and sign our Data Processing Addendum.

You can review and sign the agreement here.

The Data Processing Addendum includes provisions between the Data Processor (FormAssembly) and the Data Controller (you, our customer) that are mandatory under the GDPR.

Please note that FormAssembly cannot determine which customers are affected by this regulation. Customers are invited to make their own determination and request our Data Processing Addendum as needed.

Can data be stored in EU data centers?

Yes. Customers on our Essentials, Team, Enterprise and Government plans have the option to have data stored in EU-based ISO 27001-certified data centers, to facilitate compliance with data residency requirements. Note that the GDPR does not require data to be stored in the EU; transfers to other regions are permitted when appropriate safeguards are in place (see Chapter V of the GDPR). EU storage simply removes the need to rely on such safeguards for the data FormAssembly holds.

What is informed consent, and can I gather it with a FormAssembly web form?

The GDPR defines consent as a “freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data,” and the consent must specifically cover all of the processing activities it is relied on for. Any request for consent must be in clear and plain language and easily distinguishable from other matters. The GDPR requires a “clear affirmative act,” which can be an electronic signature, ticking a tick box, and so on. Silence, pre-ticked boxes, or inactivity on the part of the user do not constitute consent.

We provide guidance on how to obtain consent through web forms, but ultimately, under the GDPR, FormAssembly is considered a Data Processor, and obtaining consent is the responsibility of the data controller (our customer).

Note that informed consent is one valid basis for the lawful collection and processing of personal data, but there are others that are equally valid, including the performance of a contract and the data controller’s “legitimate interests” (see Article 6 of the EU GDPR). Choose the basis that fits the processing; consent that is not genuinely optional for the respondent is not “freely given.”

GDPR questions? We’re here for you.

Webinar

Data Privacy Deep Dive: Tips from the GDPR for U.S. Businesses

GDPR compliant checklist

Checklist

GDPR Compliance

Achieve GDPR compliance by following tips in this guide

guide

The Ultimate Guide to GDPR

Data residency is a key component to GDPR compliance

Webinar

Data Residency

The trusted solution for GDPR-compliant data collection