Compliance 6 min read

GDPR & Your Forms: Practical Compliance Checklist

Aayush Kumar, Founder, Forge · Published December 14, 2025

If your forms collect data from people in the EU, GDPR applies to you, even if your company is based in the US: Article 3(2) covers any controller that offers goods or services to, or monitors the behaviour of, people in the EU, regardless of where the controller sits. And no, putting a cookie banner on your site is not sufficient; consent for cookies and a lawful basis for the form data are separate questions. Here's the practical compliance checklist that every team using forms should have.

1. Establish a Lawful Basis

Before you can collect any personal data, you need a lawful basis under GDPR Article 6, and you should decide and document it per form, not per company. For most forms:

  • Lead gen forms: Legitimate interest, Art. 6(1)(f) (your interest in acquiring customers). Requires a written legitimate interest assessment (LIA) that balances your interest against what the person would reasonably expect, and you must honour an objection at any time (Art. 21).
  • Newsletter signups: Consent, Art. 6(1)(a). Must be freely given, specific, informed and unambiguous (Art. 4(11)), given by a clear affirmative action: an unticked opt-in box, never a pre-ticked one, and as easy to withdraw as it was to give (Art. 7(3)).
  • Job applications: Pre-contractual necessity, Art. 6(1)(b): steps taken at the applicant's request before entering into a contract.
  • Employee onboarding: Legal obligation (Art. 6(1)(c), e.g. payroll and tax records) plus contractual necessity (Art. 6(1)(b)) for the rest.

2. Add a Privacy Notice to Every Form

Every form that collects personal data must present the Article 13 information at the point of collection: who you are, why you collect the data, and where the rest (retention period, recipients, the person's rights) can be read. On the form itself that means a brief purpose statement plus a link to your privacy policy. It doesn't have to be lengthy; a single sentence works:

“We'll use your information to respond to your enquiry. See our Privacy Policy.”

3. Implement Data Retention Policies

GDPR requires you to keep data "no longer than necessary" for the purpose you collected it (storage limitation, Art. 5(1)(e)). Define a specific retention window for each form type, write it into the privacy notice, and automate deletion rather than relying on someone remembering. Retention applies per copy, not per system: submissions forwarded by email or webhook, CSV exports and CRM syncs each need their own window. Forge's retention settings let you configure automatic submission deletion at 30 days, 1 year, or custom intervals per form.

4. Handle Right-to-Erasure Requests

Anyone whose personal data you hold can ask you to erase it (Art. 17). You must act without undue delay and at the latest within one month of receiving the request (Art. 12(3)); for complex or numerous requests that can be extended by two further months, but only if you tell the person within the first month. Erasure is not unconditional: where you must keep a record for a legal obligation or to defend a legal claim, you refuse that part and explain why. You need a process, not just the intention: verify the requester, locate every copy (including anything forwarded to your CRM, inbox or webhook consumers), delete, and keep a record that you did so that does not itself re-store the data you just erased. With Forge, use the DELETE /api/forms/:id/submissions/:submissionId endpoint to erase individual submissions programmatically when a right-to-erasure request comes in.
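The retention sweep from step 3 and the erasure handling from step 4, as an added example in Python. This is not Forge's own code or SDK; the only documented fact it relies on is the DELETE route named above. The API host (https://api.useforge.cloud), the bearer-token authentication scheme, the 204/404 response codes and the environment-variable names are assumptions, and locating which submissions belong to the requester is left to your own submission store: the erasure function takes already-identified IDs. The HTTP transport is injected so the code runs offline against a stub here and against a real client in production.

```python
import hashlib
import hmac
import time
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Tuple

# Assumed, not documented on the page: API host and auth scheme.
BASE_URL = "https://api.useforge.cloud"

# send(method, url, headers) -> HTTP status code. Injected so the transport
# can be a real client (requests/httpx) in production and a stub in tests.
Sender = Callable[[str, str, Dict[str, str]], int]
Target = Tuple[str, str]  # (form_id, submission_id)


def delete_submission(target: Target, token: str, send: Sender,
                      attempts: int = 3,
                      sleep: Callable[[float], None] = time.sleep) -> bool:
    """Delete one submission via the documented DELETE route.

    404 is treated as success so re-running a half-finished job, or a second
    request from the same person, is idempotent. Only 5xx is retried; a 401/403
    is returned as failure so a bad token cannot silently "complete" a request.
    """
    form_id, submission_id = target
    url = f"{BASE_URL}/api/forms/{form_id}/submissions/{submission_id}"
    headers = {"Authorization": f"Bearer {token}"}  # assumed auth scheme
    for attempt in range(1, attempts + 1):
        status = send("DELETE", url, headers)
        if status in (200, 204, 404):
            return True
        if 500 <= status < 600 and attempt < attempts:
            sleep(2 ** attempt)  # exponential backoff between retries
            continue
        return False
    return False


def select_expired(submissions: List[Tuple[str, str, datetime]],
                   retention_days: Dict[str, int], now: datetime) -> List[Target]:
    """Retention sweep: submissions older than their form's configured window.
    A form with no policy is skipped, never deleted by default."""
    expired = []
    for form_id, submission_id, submitted_at in submissions:
        days = retention_days.get(form_id)
        if days is not None and now - submitted_at >= timedelta(days=days):
            expired.append((form_id, submission_id))
    return expired


def subject_ref(email: str, audit_key: bytes) -> str:
    """Pseudonymous reference for the erasure log. You must be able to show the
    request was honoured, but the log must not re-store the email you erased.
    A keyed HMAC (key held outside the log) is stable per person and not
    reversible from the log alone; normalisation makes case/whitespace irrelevant."""
    normalised = email.strip().lower().encode()
    return hmac.new(audit_key, normalised, hashlib.sha256).hexdigest()[:16]


def process_erasure(email: str, targets: List[Target], token: str, send: Sender,
                    audit_key: bytes, now: datetime) -> dict:
    """Right-to-erasure: delete every identified submission, return an audit record.
    Failures are surfaced, not swallowed, so they can be retried before the deadline."""
    failed = [t for t in targets if not delete_submission(t, token, send)]
    return {
        "subject": subject_ref(email, audit_key),
        "requested_at": now.isoformat(),
        "erased": len(targets) - len(failed),
        "failed": failed,
        "complete": not failed,
    }


def run_demo():
    """Constructed sample data (not real submissions) driven against a stub sender."""
    now = datetime(2025, 12, 14, tzinfo=timezone.utc)
    submissions = [
        ("contact", "sub_1", now - timedelta(days=45)),   # past the 30-day window
        ("contact", "sub_2", now - timedelta(days=10)),   # still within it
        ("careers", "sub_3", now - timedelta(days=400)),  # past the 1-year window
        ("legacy", "sub_4", now - timedelta(days=900)),   # no policy: left alone
    ]
    retention_days = {"contact": 30, "careers": 365}
    calls = []

    def stub_send(method, url, headers):  # stands in for a real HTTP client
        calls.append((method, url))
        return 404 if url.endswith("sub_9") else 204  # sub_9: already gone

    expired = select_expired(submissions, retention_days, now)
    for target in expired:
        delete_submission(target, "demo-token", stub_send)
    record = process_erasure("Jane.Doe@example.com",
                             [("contact", "sub_2"), ("careers", "sub_9")],
                             "demo-token", stub_send, b"demo-audit-key", now)
    return expired, record, calls


if __name__ == "__main__":
    print(run_demo())
```

Two design points worth copying even if you never use this code: a deletion job must be safe to re-run (hence 404 counts as done), and the proof that you honoured a request must not quietly become a new copy of the personal data (hence the keyed pseudonym rather than the email).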

5. Data Processor vs Data Controller

Your business is the Data Controller (you decide why and how the data is collected). Forge is a Data Processor (we process data on your behalf and on your instructions). Article 28 requires a written contract between the two, so you need a Data Processing Agreement (DPA) with Forge, just as you do with every other processor that touches submissions (email provider, CRM, analytics). We provide a standard DPA for all paid plans; email legal@useforge.cloud to request it.

6. What About Cookie Consent?

Forge itself only sets a single session cookie for authentication. It is strictly necessary for the service the user asked for, so it doesn't require consent under the ePrivacy Directive. If you embed Forge forms on a website that also runs analytics, those analytics cookies do require prior consent: your banner has to block the analytics tools until the visitor opts in, not merely list them. Make sure your cookie banner covers your analytics tools, not just Forge.

See our Trust Center for full compliance documentation, or contact legal@useforge.cloud for DPA requests.
