Pick a lawful basis
Article 6 GDPR lists six lawful bases for processing personal data. For a contact form you'll almost always be picking between two:
- Legitimate interest (Art. 6(1)(f)) — you're responding to an inbound enquiry the user voluntarily sent you. Most defensible basis for "contact us", support, and demo-request forms. No checkbox needed; the user's act of submitting is the request.
- Consent (Art. 6(1)(a)) — required when you'll use the data for anything beyond responding to the request. Marketing newsletters, lead-nurture sequences, sharing with affiliates — all require explicit, granular, opt-in consent that you can prove.
Pick one and document it in your privacy notice. Don't mix them on the same form unless you split the consent UX too.
Consent UX done right
The European Data Protection Board's 2020 guidelines on consent (revised 2024) are explicit: pre-ticked boxes are not consent, bundled consent is not consent, and "continuing to use this site means you agree" is definitely not consent.
Here's a defensible pattern:
```html
<form action="https://splitforms.com/api/submit" method="POST">
  <input type="hidden" name="access_key" value="YOUR_ACCESS_KEY" />
  <label>Email <input name="email" type="email" required></label>
  <label>Message <textarea name="message" required></textarea></label>
  <!-- Required to send the message — covered by legitimate interest -->
  <p class="muted">
    We use your message to respond to your enquiry. See our
    <a href="/privacy">privacy notice</a> for details.
  </p>
  <!-- Optional, granular, opt-in. Default UNCHECKED. -->
  <label>
    <input type="checkbox" name="consent_marketing" value="yes">
    I'd like occasional product updates by email. You can unsubscribe anytime.
  </label>
  <button type="submit">Send</button>
</form>
```

splitforms records the value of consent fields alongside the submission timestamp and IP, which is the audit trail a regulator will ask for.
Data minimization
Article 5(1)(c) requires data to be "adequate, relevant and limited to what is necessary". In practice that means:
- Don't ask for phone number on a contact form unless someone will actually call.
- Don't collect company size and job title on a generic "feedback" form.
- Default to truncating IP addresses to /24 for IPv4 and /48 for IPv6 — splitforms does this automatically unless you opt into full IP logging.
- Don't embed third-party trackers (Hotjar, Fullstory) on form pages unless you have explicit consent.
The smaller your dataset, the smaller the breach blast radius and the easier the DSAR (data subject access request) workflow.
Retention & deletion
GDPR doesn't prescribe a retention period — you set it based on purpose. For most contact forms a defensible policy is:
| Form type | Suggested retention | Why |
|---|---|---|
| Contact / support | 6–12 months | Reasonable window for follow-up |
| Sales lead | 24 months | Typical B2B sales cycle |
| Newsletter signup | Until unsubscribe | Active, ongoing relationship |
| Job application | 6 months past decision | Defend hiring decisions |
| Webinar registration | 3 months | Send recording + minimal follow-up |
splitforms supports per-form auto-deletion: set a window in days and submissions are hard-deleted from the database (not just archived) when the timer expires.
The DPA you need
Article 28 GDPR requires a written contract — a Data Processing Agreement — between every controller and every processor. If you receive form submissions through splitforms (or Formspree, Web3Forms, Getform, Basin, etc.), they are your processor. You need a DPA with each.
A compliant DPA covers: subject matter and duration of processing, nature and purpose, types of personal data, categories of data subjects, the controller's rights, and an enumerated list of subprocessors. splitforms publishes ours at splitforms.com/legal/dpa; you click "Accept DPA" in account settings and we generate a signed PDF in your account.
EU data residency
Two changes since 2020 reshape the residency conversation:
- Schrems II (CJEU, 2020) invalidated Privacy Shield, forcing every US-based processor to either move EU data into EU-region infrastructure or rely on Standard Contractual Clauses with documented Transfer Impact Assessments.
- EU-US Data Privacy Framework (2023) reinstated a self-certification regime. US processors who self-certify can again receive EU data without per-customer SCCs, though SCCs remain best-practice for high-risk processing.
splitforms offers EU residency (Frankfurt, eu-central-1) on Pro and the 4-Year plan. Submissions never leave EU regions, including for backups and analytics. The Free tier runs in the US under the DPF.
Right to erasure UX
Article 17 gives data subjects a right to have their data deleted. The common engineering mistakes:
- Soft-deleting (setting `deleted_at`) and calling it done. The data is still there.
- Forgetting backups. If your DR backups retain submissions for 90 days, your erasure SLA is "30 days for live, 90 days for backups, fully gone after 120" — disclose this.
- Forgetting downstream destinations. If a submission was forwarded to Slack, Notion, and your CRM, those copies live by their own retention rules. The DPA should require subprocessors to honor erasure requests; you have to actually trigger them.
splitforms exposes a one-click "Forget this submitter" action that hard-deletes the submission, scrubs it from search indexes, and queues deletion in the next backup rotation. It also fires a submitter.erased webhook so your downstream systems can remove their copies.
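The retention sweep from the table above and the erasure handling just described, as an added example that is not splitforms code: the controller's own store hard-deletes records (removes the row and its search-index entry, rather than setting a flag) once their per-form window expires, and a `submitter.erased` webhook is handled by purging every downstream copy. The in-memory store, the Slack/Notion/CRM stand-ins and the webhook payload shape (`{ type, submitter: { email } }`) are assumptions made for this example.

```javascript
// Added example, not splitforms code. The store, the downstream sinks and the
// webhook payload shape are assumptions made for this example.
const DAY_MS = 24 * 60 * 60 * 1000;

// Minimal store: records by id plus an email -> ids search index. The index is
// exactly the kind of secondary copy an erasure has to scrub as well.
class SubmissionStore {
  constructor() {
    this.records = new Map();
    this.byEmail = new Map();
  }

  add(record) {
    this.records.set(record.id, record);
    if (!this.byEmail.has(record.email)) this.byEmail.set(record.email, new Set());
    this.byEmail.get(record.email).add(record.id);
  }

  // The mistake the text describes: a flag hides the row from the UI while the
  // personal data stays in the table. Kept only to contrast with erase().
  softDelete(id, now = new Date()) {
    const r = this.records.get(id);
    if (r) r.deletedAt = now.toISOString();
  }

  // Hard delete: row and index entry are removed; nothing is left to restore.
  erase(id) {
    const r = this.records.get(id);
    if (!r) return false;
    this.records.delete(id);
    const ids = this.byEmail.get(r.email);
    ids.delete(id);
    if (ids.size === 0) this.byEmail.delete(r.email);
    return true;
  }

  eraseSubmitter(email) {
    const ids = [...(this.byEmail.get(email) || [])];
    ids.forEach((id) => this.erase(id));
    return ids;
  }

  // Per-record retention: each record carries its own window in days and is
  // hard-deleted on the first sweep after it expires. Returns the ids removed.
  sweep(now = new Date()) {
    const expired = [];
    for (const r of this.records.values()) {
      if (Date.parse(r.receivedAt) + r.retentionDays * DAY_MS <= now.getTime()) expired.push(r.id);
    }
    expired.forEach((id) => this.erase(id));
    return expired;
  }

  // How many rows still hold this person's data, whatever their flags say.
  personalDataCount(email) {
    return [...this.records.values()].filter((r) => r.email === email).length;
  }
}

// Stand-ins for the Slack, Notion and CRM copies: each keyed by an id local to
// that system and holding the submitter's email.
function makeSinks() {
  return { slack: new Map(), notion: new Map(), crm: new Map() };
}

// Handler for the submitter.erased webhook. Copies are matched by email rather
// than by submission id, so a copy whose id the store never knew still goes.
function handleErasureWebhook(event, store, sinks) {
  if (event.type !== 'submitter.erased') return { handled: false, erased: [], downstream: 0 };
  const email = event.submitter && event.submitter.email;
  if (typeof email !== 'string') throw new Error('submitter.erased without submitter.email');
  const erased = store.eraseSubmitter(email);
  let downstream = 0;
  for (const sink of Object.values(sinks)) {
    for (const [id, copy] of sink) {
      if (copy.email === email) { sink.delete(id); downstream += 1; }
    }
  }
  return { handled: true, erased, downstream };
}

// Constructed walk-through: a contact submission (6 months) and a sales lead
// (24 months), a sweep six months later, then an erasure webhook for the lead.
function demo() {
  const store = new SubmissionStore();
  store.add({ id: 'c1', email: 'alice@example.com', receivedAt: '2024-01-01T00:00:00Z', retentionDays: 180 });
  store.add({ id: 'l1', email: 'bob@example.com', receivedAt: '2024-01-01T00:00:00Z', retentionDays: 730 });
  store.softDelete('c1');
  console.log('rows still holding alice after soft delete:', store.personalDataCount('alice@example.com'));
  console.log('hard-deleted by sweep:', store.sweep(new Date('2024-06-30T00:00:00Z')));
  const sinks = makeSinks();
  sinks.slack.set('msg-9', { email: 'bob@example.com' });
  console.log(handleErasureWebhook({ type: 'submitter.erased', submitter: { email: 'bob@example.com' } }, store, sinks));
}
demo();
```

`personalDataCount` deliberately ignores `deletedAt`: it answers the question an auditor asks (does any row still hold this person's data?), which is why the soft-deleted contact record still counts until the sweep removes it.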
Breach notification
Article 33 requires controllers to notify their supervisory authority within 72 hours of becoming aware of a breach. Article 34 requires notifying affected data subjects when the breach is likely to result in a high risk to their rights.
In practical terms: your processor needs to tell you fast enough that you can hit the 72-hour clock. The splitforms DPA commits to notifying customers within 24 hours of a confirmed incident, with a status page at status.splitforms.com and an incident timeline you can attach to your own filings.
What is not enough
Things I see called "GDPR-compliant" that are not:
- Pre-ticked consent boxes. Explicitly invalid since 2020 EDPB guidance.
- "By submitting this form you agree..." without a real consent action. Implicit consent is not consent.
- A privacy policy hidden in the footer. The notice has to be linked at the point of collection.
- Cookie banner with no actual cookie blocking. If reCAPTCHA, GA, or Hotjar load before consent, the banner is theatre.
- "We're GDPR-compliant" with no DPA on offer. No DPA, no compliance — Art. 28 is mandatory.
- Storing data forever "just in case". Storage limitation is a principle, not a suggestion.
Tech support / troubleshooting
- Auditor asks for the DPA. Sign in, Settings → Legal → DPA → Accept. Download the counter-signed PDF and forward.
- EU customer wants their data deleted. Open the dashboard, search by email, click Forget submitter. The submission is hard-deleted, scrubbed from search, and a `submitter.erased` webhook fires so downstream systems (Slack, Notion, your CRM) can clean their copies.
- You discover a third-party subprocessor processed EU data without contract. Pause the integration in your splitforms dashboard, run an internal Article 33 timing assessment, and email privacy@splitforms.com — we will produce the subprocessor list and DPA chain you need for your filing.
- SCCs vs DPF questions. If your customer pushes back on the DPF, splitforms supports SCCs as an alternative transfer mechanism on Pro and 4-Year plans.
- You loaded reCAPTCHA without consent. Replace with Cloudflare Turnstile (no cookies) — see best CAPTCHA for contact forms.
Next steps and where to get help
- Read the splitforms docs for retention, IP truncation, and erasure-webhook details.
- The API reference documents the `submitter.erased` event and the data-export endpoint.
- Plan questions and the EU residency guarantee live in the FAQ.
- For pure no-cookie spam protection: honeypot vs reCAPTCHA and best CAPTCHA.
- Privacy-first feature page: /features/eu-residency.
FAQ
Is a contact form personal data under GDPR?
Yes. Name, email, IP address, and any free-text content the user submits are personal data under Article 4(1) GDPR. The moment you receive a submission, you become a data controller for that information.
Do I need a consent checkbox on my contact form?
Not always. If the lawful basis is 'legitimate interest' (responding to a contact request the user initiated), no consent checkbox is required — but you must disclose the processing in your privacy notice. If you're using the data for marketing, you do need explicit, opt-in, freely-given consent.
Can I use a US-based form backend and stay GDPR-compliant?
Yes, with caveats. After Schrems II and the EU-US Data Privacy Framework (2023), US providers that self-certify under the DPF are an adequate transfer mechanism for most data. You still need a Data Processing Agreement (DPA) with the provider and disclosure in your privacy notice.
How long can I keep form submissions?
Only as long as needed for the purpose. For a 'contact us' form, that usually means: respond, act on it, then delete or anonymize within 6–24 months. GDPR doesn't set a hard number — you set the retention period and document why.
What does splitforms do for GDPR?
splitforms offers a signed DPA, EU data residency on Pro plans, IP truncation by default, one-click data export and erasure for any submitter, and breach notification within 24 hours. We document our subprocessors at splitforms.com/legal/subprocessors.
Do I need cookie consent before splitforms loads?
No. The form posts data only when the user clicks Submit, and splitforms does not set persistent identifying cookies on the form page. If you add reCAPTCHA, that does set Google cookies — switch to Cloudflare Turnstile or Friendly Captcha for a no-cookie alternative.
Where do I get a copy of the DPA?
Sign in, open Settings > Legal > DPA, click Accept and download — splitforms generates a counter-signed PDF instantly. The unsigned template is at splitforms.com/legal/dpa. For enterprise customers we can sign a counterparty's DPA on request.
Where can I get help with a DSAR or breach question?
Email privacy@splitforms.com — we acknowledge within 24 hours. The /faq has the most-asked privacy questions and the /docs section on data retention covers the technical operations.