GDPR-Compliant Contact Forms: A Practical Checklist

A plain-English checklist for consent, retention, and processors so your forms collect personal data legally.

The moment your form collects a name or an email, you’re handling personal data — which puts it under the GDPR (and similar laws like the UK GDPR). The good news: for a typical contact or signup form, compliance comes down to a short, learnable checklist.

1. Have a lawful basis

You need a legal reason to process the data. For a contact form that’s usually legitimate interest (you’re responding to an enquiry) or taking steps prior to a contract. Marketing signups, by contrast, need explicit consent. Don’t mix the two on one tick-box.

2. Minimise what you collect

Only ask for fields you genuinely need. Every extra field is more personal data to protect, justify, and eventually delete. A contact form rarely needs more than a name, an email, and a message.

3. Tell people what happens

Link your privacy policy near the submit button and say, in plain words, what you’ll do with the submission and how long you’ll keep it. If you’re using consent (e.g. for a newsletter), use a clear, un-ticked checkbox:

consent.html:
<label>
  <input type="checkbox" name="newsletter_consent" value="yes" />
  Yes, send me occasional product updates. I can unsubscribe any time.
</label>

<p class="form-note">
  We use your details only to reply to your message. See our
  <a href="/privacy">privacy policy</a>.
</p>

4. Know your processor

If a form service stores submissions for you, it’s a data processor and you’re the controller. Make sure there’s a data processing agreement and that you know where data is hosted. Forwarding submissions onward — to a webhook, CRM, or Slack — means those tools become processors too, so include them in your records.

5. Set a retention period

Storage limitation means you shouldn’t keep submissions forever. Decide how long each form’s data is useful, then delete it. With configurable data retention you set the window once and old submissions age out automatically.

6. Be ready for data-subject requests

People can ask to access or delete their data. You need to be able to find a person’s submissions and remove them. SaveForm’s export and per-submission deletion make access and erasure requests quick to honour.
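To make sections 3, 5 and 6 concrete, here is an added example (not SaveForm's own code): a small in-memory submission store that records consent only when the un-ticked checkbox was actually ticked, purges submissions once their form's retention window passes, and answers access and erasure requests by email address. The form ids, retention windows and field names are assumed values.

```javascript
// Added example, not SaveForm's own code: an in-memory submission store that records
// consent server-side, enforces a per-form retention window (storage limitation) and
// answers access/erasure requests by email. Form ids and windows are constructed values.
const DAY_MS = 24 * 60 * 60 * 1000;
const RETENTION_DAYS = { contact: 90, newsletter: 730, default: 30 };
const submissions = [];
const norm = (email) => email.trim().toLowerCase();
// Keep only the minimum fields. Consent is recorded only when the checkbox
// (un-ticked by default) was actually ticked, together with its purpose and time.
function recordSubmission(formId, fields, now = Date.now()) {
  if (!fields.email) throw new Error("email is required");
  const record = {
    formId,
    receivedAt: now,
    email: norm(fields.email),
    data: { name: fields.name, message: fields.message },
    consent: fields.newsletter_consent === "yes" ? { purpose: "newsletter", givenAt: now } : null,
  };
  submissions.push(record);
  return record;
}

// Remove submissions older than their form's window; returns the number purged.
// Run on a schedule so old data ages out without manual work.
function purgeExpired(now = Date.now()) {
  let purged = 0;
  for (let i = submissions.length - 1; i >= 0; i--) {
    const days = RETENTION_DAYS[submissions[i].formId] ?? RETENTION_DAYS.default;
    if (now - submissions[i].receivedAt > days * DAY_MS) {
      submissions.splice(i, 1);
      purged++;
    }
  }
  return purged;
}

// Access request: everything held about one email address.
function exportForSubject(email) {
  return submissions.filter((s) => s.email === norm(email));
}

// Erasure request: delete every record for that address; returns how many were removed.
function eraseSubject(email) {
  const before = submissions.length;
  for (let i = before - 1; i >= 0; i--) {
    if (submissions[i].email === norm(email)) submissions.splice(i, 1);
  }
  return before - submissions.length;
}
```

A real deployment would back this with a database and also purge any copies forwarded to downstream processors, since those hold the same personal data.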

The checklist

  • Identify a lawful basis for each form (contact vs. marketing).
  • Collect the minimum fields you actually need.
  • Link a privacy policy and use un-ticked, specific consent where required (e.g. newsletter_consent).
  • Have a DPA with your form provider and any downstream tools.
  • Set and enforce a retention period.
  • Make sure you can export and delete a person’s data on request.

Frequently asked questions

Does a contact form need to be GDPR-compliant?

If you collect a name, email, or any other detail that can identify a person, you are processing personal data under the GDPR — so yes, the form falls in scope. You need a lawful basis, clear information about what you do with the data, and sensible retention.

Do I need a consent checkbox on my contact form?

Not always. For a contact form, “legitimate interest” or “taking steps prior to a contract” is often the lawful basis, which doesn’t require a tick-box. You do need consent for things like adding the person to a marketing newsletter. Never pre-tick consent boxes, and keep separate purposes separate.

Is a form provider a data processor?

Yes. A service that receives and stores submissions on your behalf is a data processor, and you are the controller. You should have a data processing agreement (DPA) in place and know where the data is stored.

How long can I keep form submissions?

Only as long as you need them for the purpose you collected them. Data minimisation and storage limitation are core GDPR principles, so set a retention period and delete submissions when it passes. A provider with configurable data retention makes this automatic.

Collect form data responsibly

SaveForm gives you configurable data retention, export, and deletion so honouring access and erasure requests is a click, not a project.