GDPR & Your Forms: Practical Compliance Checklist
If your forms collect data from EU residents, GDPR applies to you — regardless of where your company is incorporated. A cookie banner is not enough. This practical checklist covers the six steps every team using forms needs to have documented and operational: lawful basis, privacy notices, data retention, right to erasure, the data processor relationship, and cookie consent.
This guide is informational, not legal advice. For anything affecting your specific legal obligations, consult a qualified data protection practitioner.
1. Establish a Lawful Basis Before You Collect Anything
Before you can collect any personal data, you need a lawful basis under GDPR Article 6. For most forms:
- Lead gen forms: Legitimate interest (your interest in acquiring customers) — requires a legitimate interest assessment
- Newsletter signups: Consent — under Article 4(11) it must be freely given, specific, informed and unambiguous (a clear affirmative act, so no pre-ticked boxes), and you must be able to demonstrate that it was given (Article 7(1))
- Job applications: Pre-contractual necessity
- Employee onboarding: Legal obligation + contractual necessity
2. Add a Privacy Notice to Every Form
Every form that collects personal data must include a link to your privacy policy and a brief statement explaining what you'll do with the data. It doesn't have to be lengthy — a single sentence works:
“We'll use your information to respond to your enquiry. See our Privacy Policy.”
3. Implement Data Retention Policies — and Automate Them
GDPR requires you to keep data “no longer than necessary.” Define specific retention windows for each form type and automate deletion. Forge's retention settings let you configure automatic submission deletion at 30 days, 1 year, or custom intervals per form.
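Whatever retention settings you configure, verify that they are actually enforced. The following is an added illustration, not Forge's own code or API documentation: a retention audit that lists a form's submissions, reports anything older than that form's documented window, and removes it with the DELETE endpoint named in step 4. It assumes (unconfirmed by this page) that the list endpoint returns `{ submissions: [{ id, createdAt }] }`, takes an injectable `fetch` so it can run offline against a constructed in-memory stand-in, and uses a constructed per-form policy table for illustration.

```typescript
// Added example (not Forge's own code). Assumed response shape: { submissions: [{ id, createdAt }] }.
type Submission = { id: string; createdAt: string };

// Constructed retention policy: days to keep submissions, per form. Document yours; the
// lookup fails closed so a form without a documented window is reported, not silently kept.
const RETENTION_DAYS: Record<string, number> = {
  "contact-enquiry": 30,
  "job-application": 180,
  "newsletter-signup": 365,
};
const DAY_MS = 24 * 60 * 60 * 1000;

// Pure function: which submissions are past their form's retention window as of `now`?
export function findExpired(formId: string, submissions: Submission[], now: Date): Submission[] {
  const days = RETENTION_DAYS[formId];
  if (days === undefined) throw new Error(`no retention window defined for form ${formId}`);
  const cutoff = now.getTime() - days * DAY_MS;
  return submissions.filter((s) => {
    const t = Date.parse(s.createdAt);
    if (Number.isNaN(t)) throw new Error(`submission ${s.id} has an unparseable createdAt`);
    return t < cutoff;
  });
}

type Fetch = typeof fetch;

// Audit one form and delete what is past its window. Every id is URL-encoded because
// both values end up in a path. A 404 on DELETE means it is already gone (built-in
// retention may have beaten us to it) and counts as success; any other failure is
// reported so the run is not recorded as complete when it was not.
export async function sweepForm(
  formId: string,
  apiKey: string,
  now: Date,
  fetchImpl: Fetch = fetch,
  baseUrl = "https://api.useforge.cloud",
): Promise<{ checked: number; deleted: string[]; failed: string[] }> {
  const headers = { Authorization: `Bearer ${apiKey}` };
  const formPath = `${baseUrl}/forms/${encodeURIComponent(formId)}/submissions`;
  const list = await fetchImpl(formPath, { headers });
  if (!list.ok) throw new Error(`list failed: HTTP ${list.status}`);
  const { submissions } = (await list.json()) as { submissions: Submission[] };

  const deleted: string[] = [];
  const failed: string[] = [];
  for (const sub of findExpired(formId, submissions, now)) {
    const res = await fetchImpl(`${formPath}/${encodeURIComponent(sub.id)}`, { method: "DELETE", headers });
    (res.ok || res.status === 404 ? deleted : failed).push(sub.id);
  }
  return { checked: submissions.length, deleted, failed };
}

// Constructed in-memory stand-in for the two Forge endpoints, so the sweep runs offline.
export function fakeForgeApi(initial: Submission[]): { fetch: Fetch; remaining: () => Submission[] } {
  let store = [...initial];
  const fetchImpl: Fetch = async (input, init) => {
    const url = input instanceof URL ? input.href : typeof input === "string" ? input : input.url;
    if (init?.method === "DELETE") {
      const id = decodeURIComponent(url.split("/").pop()!);
      const before = store.length;
      store = store.filter((s) => s.id !== id);
      return new Response(null, { status: store.length < before ? 204 : 404 });
    }
    return new Response(JSON.stringify({ submissions: store }), {
      status: 200,
      headers: { "content-type": "application/json" },
    });
  };
  return { fetch: fetchImpl, remaining: () => store };
}
```

Run `sweepForm(formId, process.env.FORGE_API_KEY, new Date())` on a schedule, or first with the fake to check the policy table, and alert on a non-empty `failed` list; a non-zero `deleted` count from a form whose built-in retention is configured is itself a finding worth investigating.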
4. Handle Right-to-Erasure Requests Within One Month
Any EU resident can ask you to delete their personal data (Article 17). You must act on the request without undue delay and in any case within one month of receiving it (Article 12(3)); that period can be extended by two further months for complex or numerous requests, provided you tell the requester within the first month. You need a process, not just the intention: a way to receive requests, confirm the requester's identity before deleting anything (Article 12(6) lets you ask for more information where there is reasonable doubt), a log of what was erased and when, and coverage of every copy you hold, including submissions forwarded to your inbox, synced to a CRM, or kept in exports. With Forge, use the DELETE /api/forms/:id/submissions/:submissionId endpoint to erase individual submissions programmatically when a right-to-erasure request comes in.
```typescript
// Build an erasure request handler using the Forge API (a Next.js route handler)
const FORGE_API = "https://api.useforge.cloud";
const FORM_ID = process.env.FORGE_FORM_ID!;   // the form whose submissions this handler erases
const API_KEY = process.env.FORGE_API_KEY!;
const headers = { Authorization: `Bearer ${API_KEY}` };

export async function POST(req: Request) {
  // Never expose this unauthenticated: anyone could erase other people's submissions.
  // Put it behind your own admin authentication; an internal shared secret is shown
  // here only as an illustrative placeholder.
  if (req.headers.get("x-erasure-secret") !== process.env.ERASURE_SECRET) {
    return new Response("forbidden", { status: 403 });
  }
  const { email } = await req.json();
  if (typeof email !== "string" || !email.includes("@")) {
    return Response.json({ error: "invalid email" }, { status: 400 });
  }
  // 1. Find submissions matching this email (encoded: it is user input placed in a URL)
  const find = await fetch(
    `${FORGE_API}/forms/${FORM_ID}/submissions?email=${encodeURIComponent(email)}`,
    { headers }
  );
  if (!find.ok) {
    return Response.json({ error: `lookup failed (${find.status})` }, { status: 502 });
  }
  const { submissions } = await find.json();
  // 2. Delete each one, recording failures so the request is not closed as complete prematurely
  const failed: string[] = [];
  for (const sub of submissions) {
    const res = await fetch(`${FORGE_API}/forms/${FORM_ID}/submissions/${sub.id}`, {
      method: "DELETE",
      headers,
    });
    if (!res.ok) failed.push(sub.id);
  }
  return Response.json({ deleted: submissions.length - failed.length, failed });
}
```
5. Data Processor vs Data Controller — Sign a DPA
Your business is the Data Controller (you decide why data is collected). Forge is a Data Processor (we process data on your behalf). This means you need a Data Processing Agreement (DPA) with Forge. We provide a standard DPA for all paid plans — email legal@useforge.cloud to request it.
6. Cookie Consent — What Forms Actually Require
Forge itself only sets a single session cookie for authentication — it's strictly necessary and doesn't require consent. If you embed Forge forms on your website and you use analytics cookies, those require separate consent under the ePrivacy Directive. Make sure your cookie banner covers your analytics tools, not just Forge.
See our Trust Center for full compliance documentation, or contact legal@useforge.cloud for DPA requests.
GDPR-ready form infrastructure
Forge includes configurable data retention, right-to-erasure API, and a DPA for all paid plans.