If you collect personal data through a contact form, and almost every contact form does, the General Data Protection Regulation (GDPR) applies to you if you are established in the EU, or if you offer goods or services to, or monitor the behaviour of, people who are in the EU (Article 3). It applies regardless of where your business is based.
GDPR compliance for contact forms is not as complicated as it might appear, but it does require specific elements that many businesses either overlook or implement incorrectly. This guide covers what you need, why it exists, and how to implement it correctly.
Why Contact Forms Are in Scope
A contact form collects personal data: at minimum an email address, typically a name and the message content, and sometimes a phone number or company name. Under GDPR, any collection of personal data from people in the EU requires:
- A lawful basis for processing
- Transparency — telling people what their data will be used for
- Data minimization — collecting only what is necessary
- Appropriate security — protecting the data from unauthorized access
- Respect for data subject rights — providing a mechanism for people to access, correct, or delete their data
Most contact forms in practice have a lawful basis and the intent to collect minimal data — but they fail on transparency and the mechanics of consent.
The Most Common Compliance Mistake
Many businesses add a GDPR consent checkbox to their contact form that says something like:
☐ I agree to the Terms of Service and Privacy Policy
This is not valid GDPR consent for two reasons:
- Bundled consent: a single checkbox that lumps together acceptance of the terms of service and consent to data processing is not valid. Article 7(2) requires a request for consent to be clearly distinguishable from other matters, and a privacy policy is a transparency notice, not something a visitor meaningfully "agrees" to.
- Pre-ticked checkboxes: GDPR requires an active opt-in (Recital 32). A pre-ticked box, silence, or inactivity does not constitute consent.
Valid consent must be:
- Freely given: the visitor must be able to submit the form and contact you without being forced to opt into marketing
- Specific: each purpose requires its own consent statement
- Informed: the visitor must understand what they are consenting to
- Unambiguous: requires a positive action (checking a box, not accepting a default)
Lawful Basis for Contact Form Submissions
Not everything on a contact form requires consent. GDPR provides multiple lawful bases for processing personal data:
Legitimate Interest (Article 6(1)(f))
If someone fills in a contact form and asks you a question, processing their name and email to reply to that question falls under legitimate interest. You have a legitimate interest in responding to inquiries sent to you, and the visitor has a legitimate interest in receiving a reply. Article 6(1)(f) still requires a balancing test (your interest must not be overridden by the visitor's rights and freedoms); for answering a message the visitor chose to send you, that test is straightforward, but record it. This does not require a consent checkbox for the core processing; it is inherent in the act of sending you a message.
Consent (Article 6(1)(a))
Required for any processing beyond the scope of answering the inquiry:
- Adding the visitor to a marketing email list
- Using their data for profiling or analytics
- Sharing their data with third parties for marketing purposes
- Contacting them about future offers unrelated to their inquiry
These require a separate, explicit opt-in checkbox — not bundled with the submission itself.
Contract (Article 6(1)(b))
If the form submission is part of initiating a contractual relationship (e.g. requesting a quote), the processing of data necessary to fulfill that contract has a lawful basis without requiring consent.
What Your Contact Form Needs
1. A Privacy Notice Link
Every contact form must include a reference to your privacy policy. The minimum compliant approach is a sentence near the submit button:
By submitting this form, your information will be processed in accordance with our [Privacy Policy].
The link must go to an actual, current privacy policy that describes: what data is collected, how it is used, how long it is retained, who it may be shared with, and how visitors can exercise their rights.
2. A Separate Marketing Consent Checkbox (if applicable)
If you intend to add form submitters to a newsletter or marketing list, this requires a separate, unchecked checkbox with clear wording:
☐ I would like to receive occasional updates and product news by email. I can unsubscribe at any time.
This must be separate from the form submission and must be unchecked by default.
3. Data Minimization
Only collect fields that are necessary to process the inquiry. A contact form should not collect date of birth, nationality, or health information unless your specific business context requires it. Each field you collect must be justifiable.
4. Security in Transit and at Rest
Form submissions must be transmitted over HTTPS, and so must anything that forwards them onward (the notification email to your inbox, a webhook into a CRM). Data stored on your servers must be adequately protected: restrict who can read submissions, and do not let them accumulate in a shared mailbox or a web server log where anyone with access can read them. If you are using a third-party contact form tool or help desk platform, verify their data processing agreement (DPA) and where the data is stored.
5. A Data Processing Agreement with Your Processor
If you use any third-party platform to receive or store form submissions (a CRM, a help desk, an email provider), that platform is a data processor under GDPR. You are required to have a written DPA with them (Article 28(3)); an electronic agreement accepted in the platform's settings counts. Most reputable platforms provide a standard DPA on request or as a self-service document in their settings.
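The server side of items 2 and 3 above, as an added example that is not part of the original page and not Nura24's code. It renders the form with the privacy notice link and an unchecked, non-mandatory marketing checkbox, then validates the parsed POST body on the server: unknown fields are rejected (data minimisation), the message goes through without the marketing box (consent is freely given), and a consent record with the exact wording, policy version and timestamp is written only when the box was actively ticked. The URL, policy version and field names are assumptions for the example; a real deployment would plug `process_submission` into its web framework's request handling.

```python
import html
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical values for this example; replace with your own.
PRIVACY_POLICY_URL = "https://example.com/privacy"
PRIVACY_POLICY_VERSION = "2024-06"
MARKETING_CONSENT_TEXT = (
    "I would like to receive occasional updates and product news by email. "
    "I can unsubscribe at any time."
)

# Data minimisation: the only fields the form may carry. Anything else is
# rejected rather than silently stored.
REQUIRED_FIELDS = ("name", "email", "message")
OPTIONAL_FIELDS = ("marketing_optin",)
ALLOWED_FIELDS = set(REQUIRED_FIELDS) | set(OPTIONAL_FIELDS)

# Browsers send a checkbox field only when it is ticked (value "on" unless the
# markup sets another). Only these explicit values count as a positive action.
AFFIRMATIVE_VALUES = {"on", "1", "true", "yes"}


def render_form(action: str = "/contact") -> str:
    """Return the form markup. The marketing box has no `checked` attribute and
    no `required` attribute, so the visitor can send a message without opting in."""
    return f"""
<form method="post" action="{html.escape(action)}">
  <label>Name <input name="name" required></label>
  <label>Email <input name="email" type="email" required></label>
  <label>Message <textarea name="message" required></textarea></label>
  <p>By submitting this form, your information will be processed in accordance
     with our <a href="{html.escape(PRIVACY_POLICY_URL)}">Privacy Policy</a>.</p>
  <label><input type="checkbox" name="marketing_optin" value="on">
     {html.escape(MARKETING_CONSENT_TEXT)}</label>
  <button type="submit">Send</button>
</form>
"""


@dataclass(frozen=True)
class ConsentRecord:
    """Evidence that consent was given: who, for what purpose, the exact wording
    shown, the policy version in force, and when. Keep it for as long as the
    consent is relied upon."""
    email: str
    purpose: str
    wording: str
    policy_version: str
    given_at: str  # ISO 8601, UTC


@dataclass
class Submission:
    name: str
    email: str
    message: str
    lawful_basis: str = "legitimate_interest"  # basis for answering the inquiry
    marketing_consent: Optional[ConsentRecord] = None


class SubmissionError(ValueError):
    pass


def process_submission(form: dict, now: Optional[datetime] = None) -> Submission:
    """Validate a parsed POST body (field name -> string) on the server.

    The markup can be edited in the browser's devtools, so which fields exist
    and whether consent was given are enforced here, not in the HTML.
    """
    unexpected = set(form) - ALLOWED_FIELDS
    if unexpected:
        raise SubmissionError(f"unexpected fields: {sorted(unexpected)}")
    missing = [f for f in REQUIRED_FIELDS if not str(form.get(f, "")).strip()]
    if missing:
        raise SubmissionError(f"missing required fields: {missing}")

    sub = Submission(
        name=form["name"].strip(),
        email=form["email"].strip().lower(),  # canonical form for later lookups
        message=form["message"].strip(),
    )
    # Consent is recorded only on an explicit affirmative value. An absent
    # field, an empty string, "off" or "0" all mean no consent; never default to yes.
    if str(form.get("marketing_optin", "")).strip().lower() in AFFIRMATIVE_VALUES:
        given_at = (now or datetime.now(timezone.utc)).isoformat()
        sub.marketing_consent = ConsentRecord(
            email=sub.email,
            purpose="email_marketing",
            wording=MARKETING_CONSENT_TEXT,
            policy_version=PRIVACY_POLICY_VERSION,
            given_at=given_at,
        )
    return sub
```

The wording and policy version are stored with the consent record rather than referenced, because the demonstration you may later need is "what did this person see when they ticked the box", and the form text will change over time.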
Data Retention: How Long Can You Keep Form Submissions?
GDPR requires that personal data is not kept longer than necessary for its purpose. For contact form submissions, a reasonable approach:
- Active inquiries: retain for the duration of the customer relationship
- Closed inquiries with no customer relationship: delete after 12–24 months (adjust based on your business context)
- Marketing consent records: retain for as long as the person is on your list, plus sufficient time to demonstrate the consent was given
Define a retention policy in writing and implement it — either manually or through automated deletion in your help desk or CRM.
Data Subject Rights
Your privacy policy and your processes must support these rights, which any EU resident can invoke regarding their data:
- Right of access: the ability to receive a copy of their data you hold
- Right to erasure ("right to be forgotten"): deletion of their personal data
- Right to rectification: correction of inaccurate data
- Right to restrict processing: limiting what you do with their data
- Right to object: objecting to processing based on legitimate interest
For contact form submissions specifically, you must be able to locate all data associated with a given email address across your systems (help desk tickets, CRM, email lists) and either provide it or delete it on request without undue delay, and at the latest within one month (Article 12(3)). That period can be extended by two further months for complex or numerous requests, provided you tell the person within the first month.
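The retention policy from the previous section and the access and erasure rights above, as an added example that is not part of the original page and not Nura24's code. It runs over constructed in-memory stand-ins for a help desk, a CRM and a mailing list: `apply_retention` deletes closed inquiries that did not become customers once they pass the retention period, `export_subject_data` gathers everything held about one email address across all three systems, and `erase_subject` removes it and reports what was deleted in each system. The 365-day period and the store layout are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# The written retention policy, as code. The value is an assumption for the
# example; the page suggests 12-24 months for closed inquiries.
CLOSED_INQUIRY_RETENTION = timedelta(days=365)


def normalise_email(email: str) -> str:
    """Match on a canonical form so 'Alice@Example.com ' and 'alice@example.com'
    resolve to the same person in every system."""
    return email.strip().lower()


@dataclass
class Ticket:
    id: int
    email: str
    message: str
    created_at: datetime
    closed_at: Optional[datetime] = None
    customer: bool = False  # True if the inquiry led to a customer relationship


@dataclass
class Stores:
    """Stand-in for the help desk, CRM and mailing list (constructed in memory)."""
    tickets: List[Ticket] = field(default_factory=list)
    crm_contacts: Dict[str, dict] = field(default_factory=dict)  # email -> record
    mailing_list: Dict[str, dict] = field(default_factory=dict)  # email -> consent record


def apply_retention(stores: Stores, now: datetime) -> List[int]:
    """Delete closed tickets past retention that did not become customers.
    Open inquiries and customer tickets are kept. Returns the deleted ticket ids."""
    cutoff = now - CLOSED_INQUIRY_RETENTION
    deleted = {t.id for t in stores.tickets
               if t.closed_at is not None and not t.customer and t.closed_at < cutoff}
    stores.tickets = [t for t in stores.tickets if t.id not in deleted]
    return sorted(deleted)


def export_subject_data(stores: Stores, email: str) -> dict:
    """Right of access: gather everything held about one email across all systems."""
    key = normalise_email(email)
    return {
        "tickets": [
            {"id": t.id, "message": t.message,
             "created_at": t.created_at.isoformat(),
             "closed_at": t.closed_at.isoformat() if t.closed_at else None}
            for t in stores.tickets if normalise_email(t.email) == key
        ],
        "crm": stores.crm_contacts.get(key),
        "mailing_list": stores.mailing_list.get(key),
    }


def erase_subject(stores: Stores, email: str) -> Dict[str, int]:
    """Right to erasure: remove the person from every store and return a count
    per system, so the reply to the request can state exactly what was done."""
    key = normalise_email(email)
    before = len(stores.tickets)
    stores.tickets = [t for t in stores.tickets if normalise_email(t.email) != key]
    return {
        "tickets": before - len(stores.tickets),
        "crm": 1 if stores.crm_contacts.pop(key, None) is not None else 0,
        "mailing_list": 1 if stores.mailing_list.pop(key, None) is not None else 0,
    }


def sample_stores(now: datetime) -> Stores:
    """Constructed sample data for running the example."""
    s = Stores()
    s.tickets = [
        Ticket(1, "alice@example.com", "Pricing?",
               now - timedelta(days=500), now - timedelta(days=480)),
        Ticket(2, "Bob@Example.com", "Bug report",
               now - timedelta(days=400), now - timedelta(days=390), customer=True),
        Ticket(3, "bob@example.com", "Follow-up", now - timedelta(days=10)),
        Ticket(4, "carol@example.com", "Demo request",
               now - timedelta(days=100), now - timedelta(days=90)),
    ]
    s.crm_contacts["bob@example.com"] = {"company": "Example Ltd"}
    s.mailing_list["bob@example.com"] = {
        "consented_at": (now - timedelta(days=400)).isoformat()}
    return s
```

Two practical caveats. Erasure here removes the mailing list entry outright; many teams keep a minimal suppression record instead so a later import does not re-add the person, which is a design choice this example does not make for you. And neither function touches backups or the copies held by your processors, which a real erasure process has to account for.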
Common Questions
Do I need a consent checkbox for every contact form? No. If the processing is based on legitimate interest (responding to the inquiry), no consent checkbox is required for that processing. A consent checkbox is required only for additional processing — like adding the person to a marketing list.
Does this apply if my business is not based in the EU? Yes. GDPR applies to any organization that offers goods or services to, or monitors the behaviour of, people in the EU, regardless of where the organization is located (Article 3(2)).
What if a visitor from outside the EU submits the form? GDPR's territorial scope covers people who are in the EU, not visitors elsewhere. However, applying GDPR-compliant practices to all form submissions is simpler than attempting to detect and differentiate by visitor location (geolocation by IP is unreliable and is itself processing of personal data), and it prepares you for similar regulations in other jurisdictions (UK GDPR, PIPEDA in Canada, LGPD in Brazil).
How Nura24 Supports GDPR Compliance on Contact Forms
Nura24's contact page module includes a native GDPR consent checkbox component with configurable label text and a required privacy policy link. The checkbox is unchecked by default and can be marked as required, preventing form submission without explicit consent. Marketing opt-in uses a separate additional checkbox. Form submissions are stored within the Nura24 ticketing system with a visible audit trail. Data processing agreements are available for business plan customers. For businesses operating in the EU or serving EU customers, Nura24 provides the structural compliance features built into the contact form configuration — without requiring custom development.