Contact forms are among the most frequently used methods for collecting personal data. It is, therefore, particularly important to make them GDPR-compliant. Data such as a user’s first name, last name, and email address are generally requested. This data is particularly worthy of protection, especially if it is linked to further information about the person filling it in.
Contact forms are often the first point of contact with a company and should, therefore, be designed to be user-friendly. However, the General Data Protection Regulation requires measures that may conflict with the user-friendliness of a form. This article explains the requirements for a GDPR-compliant form and shows how these can be implemented in the most accessible way possible.
Why is the contact form relevant for data protection?
Contact forms usually collect personal data such as names, email addresses, and phone numbers. According to the General Data Protection Regulation (GDPR), companies are obliged to handle this data securely and transparently. GDPR violations can not only have legal consequences but also lead to a loss of trust among users.
What are the requirements for a GDPR-compliant contact form?
A detailed list of the eleven most essential requirements for the collection and storage of data following the GDPR can be found in the appendix of this article. The following are the key principles.
To be GDPR-compliant, contact forms must:
- Clearly state the purpose of the data collection.
- Only request data that is necessary.
- Obtain informed consent from users.
- Provide data protection information that is easy to understand and access.
- Ensure secure transmission of data, e.g., through HTTPS encryption.
- Store data in a secure country, ideally in the EU or, if outside the EU, explicitly identify the storage location.
- Use double opt-in (DOI) to get permission to store data and verify its correctness. Do not store data without a successful DOI.
The form should only collect necessary data and clearly explain how that data will be used. For example, if you use a contact form as part of a competition, users should be informed whether the data will be used solely to determine the winner and contact them. If the data is also going to be used for a newsletter, a checkbox is required for consent to subscribe to the newsletter. In addition, it should be explained what content the newsletter offers and how often it is sent.
The more precisely you explain the purpose of the data collection, the lower the risk associated with your form.
How do I create a data protection-compliant contact form?
1. Define the goal of the form
Clearly define what the contact form will be used for, e.g., general inquiries, customer support, or competitions.
2. Define necessary and optional information
Only collect the data that is absolutely necessary. Optional information should be marked as such.
3. Provide data protection information
Make sure users can access the data protection information before submitting the form.
4. Set up encrypted data transmission
Use HTTPS to ensure the data is transmitted securely.
5. Obtain consent for data processing
Insert consent checkboxes that must not be pre-ticked. Make sure that consent is documented.
6. Implement double opt-in to confirm the email address
To ensure that the form has been completed by the person who entered their email address, you must verify the accuracy of the address. Otherwise, a malicious user could enter the email address of a stranger, who would then be contacted unintentionally.
There are two ways of implementing double opt-in:
a) After the form is sent, an email with a confirmation link is sent. This email must not contain any advertising but only the request to validate the purpose stated in the form by clicking on the confirmation link.
b) A numerical code, known as a one-time password (OTP), is sent to the email address provided in the form. The code must be entered before the form is finally sent.
Riddle offers both options for validating email addresses.
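The two double opt-in variants described above, as an added example that is not Riddle's code: a submission is held as pending, only a hash of the emailed secret is kept, and nothing reaches the confirmed store (or the consent log) until the link token or OTP code comes back unexpired. The lifetimes and the OTP retry limit are assumptions chosen for the example.

```python
# Added example, not Riddle's code: minimal double opt-in (DOI) store for a contact
# form. A submission is parked as pending until the secret emailed to the address
# (link token or OTP code) comes back; only then is it stored and consent logged.
import hashlib, hmac, secrets, time

LINK_TTL = 24 * 3600   # assumption: confirmation link valid for 24 hours
OTP_TTL = 10 * 60      # assumption: OTP code valid for 10 minutes
OTP_MAX_TRIES = 5      # assumption: a 6-digit code is voided after 5 wrong guesses

def _digest(secret: str) -> bytes:
    # store only a hash, so a leaked pending table yields no usable links or codes
    return hashlib.sha256(secret.encode()).digest()

class DoubleOptIn:
    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}      # email -> unconfirmed submission
        self.confirmed = {}    # email -> form fields that passed DOI
        self.consent_log = []  # documented consent (Art. 7(1))

    def submit(self, email, fields, consent, method="link"):
        """Park the submission; return the secret to put in the confirmation email."""
        if not consent.get("privacy_notice"):  # checkbox must be ticked by the user
            raise ValueError("privacy notice not accepted")
        if method == "link":
            secret, ttl = secrets.token_urlsafe(32), LINK_TTL
        elif method == "otp":
            secret, ttl = f"{secrets.randbelow(10**6):06d}", OTP_TTL
        else:
            raise ValueError("unknown DOI method")
        self.pending[email] = {"fields": fields, "consent": dict(consent), "method": method,
                               "digest": _digest(secret), "expires": self.now() + ttl, "tries": 0}
        return secret

    def confirm(self, email, secret):
        """True only if the secret matches an unexpired pending submission."""
        rec = self.pending.get(email)
        if rec is None or self.now() > rec["expires"]:
            self.pending.pop(email, None)  # expired or unknown: discard, never store
            return False
        rec["tries"] += 1
        if rec["method"] == "otp" and rec["tries"] > OTP_MAX_TRIES:
            del self.pending[email]        # too many guesses: user must resubmit
            return False
        if not hmac.compare_digest(rec["digest"], _digest(secret)):
            return False
        del self.pending[email]
        self.confirmed[email] = rec["fields"]
        self.consent_log.append({"email": email, "consent": rec["consent"],
                                 "method": rec["method"], "confirmed_at": self.now()})
        return True
```

Sending the email itself is left to your mail server; the secret returned by `submit` is the only thing that needs to go into the message, and it is never written to storage in clear.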
Use GDPR-compliant contact forms from Riddle
Riddle offers ready-made solutions for GDPR-compliant contact forms. These ensure that your form meets all legal requirements.
- Data storage in Germany: All data is stored on Riddle’s own servers in Germany. It is neither processed on cloud services nor stored outside the EU.
- Double opt-in options: Riddle supports standard double opt-in methods, such as sending an email link or an OTP code. Your own mail server can also be used to send the confirmation or the OTP code emails.
- Flexibility with checkboxes: You can integrate as many checkboxes as you like into the form, with links to terms and conditions or data protection conditions.
- Security measures: You can insert a CAPTCHA into the form as an additional security measure. In addition to Google and Cloudflare CAPTCHAs, you can also use Riddle-made, GDPR-compliant CAPTCHAs, which are also hosted by Riddle.
- No cookies or trackers: Riddle does not set any cookies or load any trackers when a form is embedded on your website.
- Flexible integration: Riddle forms can be integrated anywhere in quizzes, surveys, polls, or personality quizzes.
- Data storage and forwarding: Form data can be stored securely on the Riddle servers or in a Google Sheet. Alternatively, it can be sent to popular email marketing tools such as Brevo, Mailchimp, ActiveCampaign, or AWeber.
- Easy data deletion: If you store data on the Riddle servers, you can quickly find all form entries for an email address when a user requests deletion and securely delete them with just a few clicks.
Here’s a GDPR-compliant contact form template:
Try Riddle for free and create your own form.
Frequently asked questions
Yes, it is necessary to provide information about the processing of personal data in the context of a contact form. The GDPR stipulates that data subjects must be informed about the collection and processing of their data. This can be done by providing a link to the privacy policy or adding a short notice directly to the form. It is crucial that this information is easily accessible and easy to understand.
Double opt-in (DOI) is generally not required for simple contact forms for direct communication. This procedure is mainly used in email marketing to ensure that consent to receive newsletters or advertising emails comes from the owner of the email address. For contact forms, simple consent is usually sufficient. However, to increase the quality of any collected addresses, we do recommend using DOI. This ensures that the form was sent by the person filling it out and that they want to be contacted.
Personal data should only be stored for as long as necessary for the purpose it was collected. After the purpose has been fulfilled, such as after an inquiry has been answered, the data must be deleted, provided there are no legal obligations to retain it. Setting clear deletion deadlines and communicating these transparently in the privacy policy is advisable.
No, using data from a contact form for marketing purposes is not permitted without the express consent of the data subject. The GDPR requires specific and informed consent to process personal data for marketing purposes. For example, separate consent can be obtained by adding a checkbox to the form that must not be pre-ticked.
Processing personal data without complying with the GDPR is not allowed and can result in significant fines.
The privacy notice should clearly explain the purpose of the data collection, the underlying legal basis, and the users’ rights.
Appendix: The 11 most important GDPR rules for data collection and storage
The General Data Protection Regulation (GDPR) provides clear data collection and storage guidelines that apply throughout the European Economic Area (EEA). Here are the key principles, along with the relevant GDPR articles:
1. Lawfulness, fairness and transparency Art. 5(1)(a) GDPR
Explanation: Personal data may only be processed lawfully and transparently. The data subject must be informed about what data is collected and why.
Example: A privacy policy must be easily accessible and easy to understand.
2. Purpose limitation Art. 5(1)(b) GDPR
Explanation: Data may only be collected for predetermined, clear, and legitimate purposes. Further processing for other purposes is only possible to a limited extent.
Example: If a contact form is used for customer inquiries, the data may not be used for marketing purposes without consent.
3. Data minimization Art. 5(1)(c) GDPR
Explanation: Only data necessary for the intended purpose may be collected.
Example: Questions such as “date of birth” or “address” in a general contact form should only be asked if they are needed.
4. Accuracy Art. 5(1)(d) GDPR
Explanation: Data must be accurate and up to date. Incorrect or outdated data must be rectified or erased.
Example: A function for updating or correcting user information should be provided.
5. Storage limitation Art. 5(1)(e) GDPR
Explanation: Data may only be stored for as long as is necessary for the purpose. After this period, they must be deleted or anonymized.
Example: Customer inquiries should be deleted as soon as they have been processed unless legal retention obligations apply.
6. Integrity and confidentiality Art. 5(1)(f) GDPR
Explanation: Data must be protected against unauthorized access, loss, or destruction by appropriate technical and organizational measures.
Example: SSL/TLS encryption should be used for data transfers, and strict access rights should be enforced.
7. Accountability Art. 5(2) GDPR
Explanation: The controller must always be able to demonstrate that the processing of personal data complies with the GDPR rules.
Example: Companies should implement a data protection concept and internal logging mechanisms.
8. Legal bases for processing Art. 6 GDPR
Processing is only lawful if it is based on one of the following legal bases:
- Consent of the data subject (Art. 6 (1)(a) GDPR)
- Performance of a contract (Art. 6(1)(b) GDPR)
- Compliance with a legal obligation (Art. 6(1)(c) GDPR)
- Protection of vital interests (Art. 6 (1)(d) GDPR)
- Performance of a task carried out in the public interest (Art. 6 (1)(e) GDPR)
- Protection of legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (Art. 6 (1)(f) GDPR)
9. Rights of the data subject Art. 12–22 GDPR
- Right of access (Art. 15 GDPR): Data subjects can request information about the personal data stored about them.
- Right to rectification (Art. 16 GDPR): Incorrect data must be rectified.
- Right to erasure (Art. 17 GDPR): Data subjects can request that their data be erased (right to be forgotten).
- Right to data portability (Art. 20 GDPR): Data subjects can request their data in a machine-readable format.
- Right to object (Art. 21 GDPR): Data subjects can object to their data being processed.
10. Data protection through technology design and data protection-friendly default settings Art. 25 GDPR
Explanation: Systems and processes must be designed to be data protection-friendly from the outset.
Example: Default settings should be configured to ensure that only necessary data is processed (privacy by design and default).
11. Information to be provided Art. 13 and 14 GDPR
Explanation: Data subjects must be provided with comprehensive information when data is collected.
Example: This is usually done using visible data protection notices or pop-ups.
You can find the full GDPR here.