GDPR Rules for Formsite Accounts

Formsite GDPR Rules example

The European Union’s upcoming General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter “GDPR”) is almost here. On May 25, 2018, all organizations with customers in Europe will need to be compliant with the GDPR rules.

  • What is the GDPR?
  • Who does the GDPR apply to?
  • What does the GDPR require?
  • Where can I read more?


The new regulation is a group of rules that the European Union (EU) has developed to protect the citizens of the Union. These rules essentially outline the rights of users to control their personal data, stay informed of the data collected and how it’s used, and the ability to grant and withdraw consent at any time.

GDPR Applies To

The GDPR applies to any organization that collects or processes personal data on anyone in the EU. Personal data includes names, email addresses, IP addresses, mailing addresses, and any other data that can identify an individual. Forms and surveys that collect any information able to identify an individual in the EU must be GDPR-compliant.

Processors & Controllers

The GDPR recognizes two categories of data handlers: Processors and Controllers.

  • Processor’ means a person or organization which processes personal data on behalf of the controller.
  • Controller’ means a person or organization which determines the purposes and means of the processing of personal data.

In all cases where a customer’s form collects personal information, Formsite is the processor and the account owner is the controller.

All form data is controlled entirely by the account owner. Therefore, as controllers, Formsite account owners must comply with certain rules when collecting and using personal information of EU citizens.

GDPR Requirements

The foundation of the GDPR covers the rights of individuals to know when their information is being collected, what it will be used for, and whether they consent to its use. In addition, GDPR rules give individuals the right to know what information is currently collected on them and request that their information be removed.

  • Formsite GDPR rules opt-inConsent: Specific agreement to the collection and use of their personal information must be granted before collecting the data. For example, adding an Opt-in Checkbox item to the form or survey will be necessary to use that visitor’s information. Be sure to not check the Checkbox by default.
  • Pseudonymisation: The use of pseudonymization means to obscure personal data and prevent the identification of an individual with no other data. An example of pseudonymization would be to assign each visitor a member number instead of using their names.
  • Data Breach Notification: In the event of a data breach, notification of the breach to all affected users must occur within 72 hours of the breach.
  • Right of Access: The right of access means that customers can receive their information upon request.
  • Data Portability: Portability means that the requested information must be available in a common format that enables transfer from one system to another.
  • Right to Erasure: The right to erasure allows for individuals to request complete deletion of their information.
  • Records of Processing Activity: Keep all records of data use and make available to requesting individuals regarding storage and processing of their data.

GDPR Rules for Formsite Account Owners

All Formsite accounts that include any personally identifiable information for any individual in Europe must be GDPR Compliant:

  1. Add an optional consent item before any other input items that lets visitors opt in or out of further use
  2. Provide contact information and instructions to:
    1. Request personal information
    2. Change consent
    3. Request erasure
    4. Obtain the record of activity

Compliance to the GDPR rules is the most important factor to the success of the entire program.

Tracking Consent

On order to demonstrate consent from an individual, processing organizations must maintain these records:

  1. Consent status: Granted or not
  2. Who consented:  The name of the individual or other identifier
  3. When they consented : The result data including the Date column
  4. Consent granted: A copy of the form containing the consent statement at that time

More information

Read more about the upcoming regulations at

Billions of forms submitted