GDPR & formX

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based. The General Data Protection Regulation covers all companies that deal with data of EU citizens, so it is a critical regulation for corporate compliance officers at banks, insurers, and other financial companies. GDPR came into effect across the EU on May 25, 2018.

The full text of the GDPR can be found here

Does the GDPR apply to me?

While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses who a) market their products to people in the EU or who b) monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.

In keeping with our ongoing commitment to privacy and security, formX is committed to making it easier for you to comply with the GDPR.

Important Definitions:

Data Subject : A person who lives in the EU

Personal Data : Any information related to an identified/identifiable data subject (e.g., name,phone number, email id)

Controller : A company/organisation that collects people’s personal data and makes decisions about what to do with it. So if you’re collecting personal data and are determining how it will be processed (for example using the formX services to add forms on your site and gain leads and customers), you’re the Controller of that data and must comply with applicable data privacy legislation accordingly.

Processor : A company/organisation that helps a Controller by “processing” data based on its instructions, but doesn’t decide what to do with data. So for example, formX is the processor of the data you collect in your formX application. We don’t control how you collect or use the data; we merely process it on your behalf and on your instruction.

Data Protection Officer (DPO) : A representative for a controller/processor who oversees GDPR compliance and is a data-privacy expert.

Data Privacy Impact Assessment (DPIA) : A documented assessment of the usefulness, risks, and risk-mitigation options for a certain type of processing.

Supervisory Authority : Formerly called “data protection authorities”; one or more governmental agencies in a member state who oversee that country’s data privacy enforcement (e.g., Ireland’s Office of the Data Protection Commissioner, Germany’s 18 national/regional authorities)

Third Countries : Countries outside the EU

Who is the Controller and who is the Processor, In the case of formX’s relationship with a Customer?

Unless explicitly clarified in any engagement, formX will be the Processor and Customer will be the Controller.

What does formX do to ensure lawful data transfers from the EU?

The GDPR permits transfers of personal data outside of the EU subject to certain conditions. The EU model clauses (Standard Contractual Clauses or SCC) provide a valid mechanism to lawfully transfer personal data. formX offers a Data Processing Agreement that incorporates the model clauses to our EU/EEA customers.

  • We have included it in our Data Processing Agreement (DPA) incorporating the Standard Contractual Clauses (SCC) to meet the requirements of the GDPR in order to permit our Customers to continue to lawfully transfer EU personal data to formX and permit formX to continue to lawfully receive and process that data;
  • We have updated our Terms of Service to refer to DPA as a mechanism to lawfully transfer data of EU Data Subjects to formX.

What the elements customers should look for in formX to comply with the GDPR?

  • formX has been built keeping the view of the Personal Data being stored and has made several changes to the product iterations.
  • Users can opt for two methods of integration - either JS based on POST, where in the latter will not have Open/ Click tracking enabled – giving you greater power to choose what level of tracking you wish to incorporate in your email campaigns
  • We now enforce appropriate Data Retention periods for Personal information such as Email content, imported and exported CSV files, Cookies (if you are using our JS method of integration)
  • formX permits you to download Data Subjects information in CSV format, and also permanently delete Data Subjects and all of their Personal Data
  • To help Users comply with the Rights of Data Subjects, you can reach out to for reasonable requests
  • Data privacy and security is an ongoing effort and we will continue to release new features to help you comply with GDPR requirements
  • We have updated our Terms of Service to refer to the DPA as a mechanism to lawfully transfer data of EU Data Subjects to formX.

Here is a list of sub processors below,

  • Crisp Chat
  • Heap Inc
  • Google LLC
  • Hotjar Inc
  • Sparkpost Inc
  • Linode LLC
  • Amazon Web Services, Inc

Should you require a copy of our DPA, please send an email to