Setting Up a GDPR-Compliant Contact Form: What You Need to Get Right
A contact form is one of the most common ways a website collects data – which is exactly why data protection regulators pay close attention to it. The moment a user enters their name or email address, you are processing personal data, and the GDPR applies. The good news: a legally sound form is not rocket science. You just need to implement a handful of core principles properly. We'll walk you through what matters – honestly, without scaremongering, and without selling you things you don't need.
1. Data Minimisation: Only Ask for What You Actually Need
The most important principle of the GDPR is data minimisation. You may only collect data that is genuinely necessary for the purpose – in this case, getting in touch. In practice, that means:
- An email address or phone number is usually enough to reply.
- Keep mandatory fields to a minimum. Clearly mark optional fields as voluntary.
- Skip fields such as date of birth, full postal address or company size if they aren't needed for an initial response.
Every unnecessary field is a potential risk – and it puts prospects off too. Less is better here, both legally and from a conversion perspective.
2. Legal Basis and Consent
You need a legal basis for the processing. For a plain contact form, that is usually your legitimate interest (Art. 6(1)(f) GDPR) or the steps prior to entering into a contract (Art. 6(1)(b) GDPR) when someone requests a quote. A separate consent checkbox is not strictly required for this – a mandatory tick box can actually be problematic.
It's a different story if you want to use the data beyond simply replying, for example for a newsletter. In that case you need separate, voluntary and un-pre-ticked consent. Never mix the two. What is mandatory, however, is a clearly visible reference to your privacy policy right next to the form – for example a sentence stating that the details are processed to handle the enquiry and that the full information can be found in the privacy policy.
3. Transparency: The Privacy Policy Must Match
Your privacy policy must describe precisely what happens to the form data. That includes:
- The purpose of the processing (handling the contact enquiry).
- The legal basis you are relying on.
- The retention period or the criteria for it – enquiries should be deleted once they are resolved and no statutory retention periods still apply.
- A reference to data subject rights (access, erasure, objection).
- Any named recipients or processors, if third parties are involved.
A boilerplate privacy policy that doesn't even mention the form won't help you. It has to reflect the technology you actually use.
4. Technical Security: Encryption Is Mandatory
The GDPR requires appropriate technical measures. For a contact form, that primarily means:
- HTTPS (TLS) is non-negotiable. Form data must never travel across the network unencrypted. A valid TLS certificate (still commonly called an SSL certificate) is available free of charge today – there's no excuse for running without one.
- The data should be processed on a server in the EU or with a provider that has a GDPR-compliant contract in place.
- Basic spam protection guards against abuse. Favour data-minimising options such as a honeypot field; with external services like captchas, check whether they themselves transfer data to third countries.
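The three points above (only accept the fields you need, only accept them over HTTPS, and use a honeypot rather than a third-party captcha) can be enforced in a few lines of server-side code. The following is an added example, not code from the original article or from the authors' own forms; it is framework-agnostic and assumes the form arrives as a dictionary of field names to strings, together with the request scheme and, if a reverse proxy terminates TLS, the X-Forwarded-Proto header. Field names such as "website" for the honeypot are assumptions you should adapt to your own form.

```python
"""Minimal contact-form handler: allow-listed fields, honeypot, HTTPS-only.

Added example (not the article's own code). Assumed request shape: a dict of
submitted fields plus the scheme and an optional X-Forwarded-Proto value.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed field names; adapt to the form you actually deploy.
REQUIRED_FIELDS = {"email", "message"}
OPTIONAL_FIELDS = {"name", "phone"}          # marked "optional" in the form
HONEYPOT_FIELD = "website"                   # hidden via CSS; humans never fill it
MAX_LENGTHS = {"email": 254, "message": 5000, "name": 200, "phone": 40}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class Outcome:
    accepted: bool
    reason: str = ""
    record: Dict[str, str] = field(default_factory=dict)  # what may be stored
    dropped: List[str] = field(default_factory=list)      # fields discarded


def is_https(scheme: str, forwarded_proto: Optional[str] = None) -> bool:
    """True if the request arrived over TLS.

    Only trust X-Forwarded-Proto when it is set by your own reverse proxy and
    cannot be supplied by the client directly.
    """
    proto = (forwarded_proto or scheme or "").split(",")[0].strip().lower()
    return proto == "https"


def handle_submission(form: Dict[str, str], scheme: str,
                      forwarded_proto: Optional[str] = None) -> Outcome:
    # Technical security: never accept personal data over plain HTTP.
    if not is_https(scheme, forwarded_proto):
        return Outcome(False, "refused: form data is only accepted over HTTPS")

    # Spam protection: bots tend to fill every field, so a non-empty hidden
    # field means the submission is discarded without storing anything.
    if str(form.get(HONEYPOT_FIELD, "")).strip():
        return Outcome(False, "discarded: honeypot field was filled")

    # Data minimisation: keep only allow-listed, non-empty fields and record
    # which extra fields were dropped so the form definition can be reviewed.
    allowed = REQUIRED_FIELDS | OPTIONAL_FIELDS
    record = {k: v.strip() for k, v in form.items()
              if k in allowed and isinstance(v, str) and v.strip()}
    dropped = sorted(k for k in form if k not in allowed and k != HONEYPOT_FIELD)

    missing = REQUIRED_FIELDS - record.keys()
    if missing:
        return Outcome(False, f"rejected: missing required field(s) {sorted(missing)}",
                       dropped=dropped)
    if not EMAIL_RE.match(record["email"]):
        return Outcome(False, "rejected: email address is not well-formed", dropped=dropped)
    for k, v in record.items():
        if len(v) > MAX_LENGTHS[k]:
            return Outcome(False, f"rejected: field {k} exceeds {MAX_LENGTHS[k]} characters",
                           dropped=dropped)
    return Outcome(True, "accepted", record, dropped)


if __name__ == "__main__":
    # Constructed sample submissions, not real data.
    print(handle_submission({"email": "anna@example.org", "message": "Quote?"}, "http"))
    print(handle_submission({"email": "anna@example.org", "message": "Quote?",
                             "website": "http://spam.invalid"}, "https"))
    print(handle_submission({"email": "anna@example.org", "message": "Quote?",
                             "name": "Anna", "birthdate": "1990-01-01"},
                            "http", forwarded_proto="https"))
```

Only the `record` dictionary should reach your mailbox or database; `dropped` is useful in a log line (without the values) to spot forms that quietly collect more than the allow-list permits. The honeypot path discards silently rather than returning an error, so a bot learns nothing about why its submission failed.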
5. Keep an Eye on Data Processing Agreements
As soon as an external service provider processes form data – say an email delivery service, a third-party form plugin or your hosting company – you usually need a data processing agreement (DPA). This is an often-overlooked point. If your form simply sends the entries by email to your own inbox and runs on your own server, you keep the data chain lean. That's exactly why we prefer to build forms in a way that involves as few third parties as possible.
6. Common Mistakes We See Again and Again
- A mandatory checkbox saying "I agree to the privacy policy" – legally questionable, because consent has to be voluntary.
- No HTTPS, or an expired TLS certificate.
- Form data ending up unfiltered in a cloud tool with no DPA.
- A privacy policy that doesn't mention the form.
- Enquiries that are never deleted and pile up in the inbox for years.
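The last point, and the retention criterion from section 3 (delete once resolved, unless a statutory retention period still applies), is easy to turn into a scheduled housekeeping job. The following is an added example and not the article's own code; the 90-day grace period after resolution and the 180-day "stale open enquiry" threshold are assumed policy values for illustration, not figures the article gives or the GDPR prescribes.

```python
"""Retention housekeeping for contact-form enquiries.

Added example (not the article's own code). Sorts stored enquiries into
delete / review / keep according to an assumed retention policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy values: delete 90 days after an enquiry is resolved, and flag
# enquiries still open after 180 days so they do not pile up in the inbox.
RETENTION_AFTER_RESOLUTION = timedelta(days=90)
STALE_OPEN_AFTER = timedelta(days=180)


@dataclass
class Enquiry:
    enquiry_id: str
    received: date
    resolved: Optional[date] = None  # None while the enquiry is still open
    legal_hold: bool = False         # True if a statutory retention duty applies


def due_for_deletion(e: Enquiry, today: date) -> bool:
    """Resolved, past the grace period, and not under a statutory retention duty."""
    if e.resolved is None or e.legal_hold:
        return False
    return today - e.resolved >= RETENTION_AFTER_RESOLUTION


def needs_review(e: Enquiry, today: date) -> bool:
    """Still open long after it arrived: either resolve it or delete it."""
    return e.resolved is None and today - e.received >= STALE_OPEN_AFTER


def triage(enquiries: List[Enquiry], today: date) -> Dict[str, List[str]]:
    """Return enquiry ids grouped into 'delete', 'review' and 'keep'."""
    buckets: Dict[str, List[str]] = {"delete": [], "review": [], "keep": []}
    for e in enquiries:
        if due_for_deletion(e, today):
            buckets["delete"].append(e.enquiry_id)
        elif needs_review(e, today):
            buckets["review"].append(e.enquiry_id)
        else:
            buckets["keep"].append(e.enquiry_id)
    return buckets


# Constructed sample data, not real enquiries.
SAMPLE = [
    Enquiry("e1", date(2023, 12, 1), resolved=date(2024, 1, 1)),
    Enquiry("e2", date(2024, 4, 20), resolved=date(2024, 5, 1)),
    Enquiry("e3", date(2022, 11, 1), resolved=date(2023, 1, 1), legal_hold=True),
    Enquiry("e4", date(2023, 1, 1)),
    Enquiry("e5", date(2024, 5, 20)),
]

if __name__ == "__main__":
    # Log only ids, never the personal data itself.
    print(triage(SAMPLE, date(2024, 6, 1)))
```

Run it from a daily cron job or scheduler against your enquiry store and actually delete the "delete" bucket (mailbox entries included); the "review" bucket is the list a human should look at, and the `legal_hold` flag is where you record that an enquiry became part of a contract or invoice and must be kept under commercial or tax law.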
Our Experience in Practice
We run seven of our own brands in production – from an accessibility scanner and a product portal to several SaaS applications. Every one of these sites has contact or enquiry forms, and we've learned that the most data-minimising and technically simplest solution is almost always the safest one legally too. A GDPR-compliant form isn't a cost factor; it's simply solid web development. One thing to keep in mind: this guidance is well-founded general orientation, but in case of doubt it does not replace individual legal advice – especially with sensitive data or complex processing chains, having a data protection officer take a look pays off.