Personal Data & GDPR Compliance
FormSmarts collects personal data about third parties on behalf of our customers via the online forms they create on FormSmarts. As the data controllers for such data, customers need to understand how the data is processed and stored, and how they can process GDPR Right to Access and Right to Erasure requests from individuals whose data was collected on their behalf and is stored on FormSmarts.
Identifying the Data Stored on FormSmarts
Data on FormSmarts is structured around forms and form entries. Customers can view/download and delete the data associated with an individual form entry. They can also access and delete all data associated with a specific form.
Is collected data stored on FormSmarts?
The primary purpose of FormSmarts is to allow users to collect and process information submitted via online forms. As such, all our users collect data via FormSmarts, and most of them collect personal data. Not all users store collected data on FormSmarts though:
- Only paying users and free trial customers may store collected data on FormSmarts.
- If a customer opts to only receive form entries by email and does not enable data storage for any of their forms, the data collected is not stored on FormSmarts.
- FormSmarts only stores data for forms for which data storage was enabled (as of March 17, 2017, data storage is enabled by default for all Business accounts).
How long is data retained on FormSmarts?
- FormSmarts keeps the data submitted for the lifetime of the corresponding form.
- When a form is deleted, FormSmarts deletes the data submitted via that form within a few days.
- Once the deletion process is started, the corresponding data is effectively and permanently removed from all our systems within at most 30 days.
- An advanced FormSmarts feature allows customers to have data automatically deleted after a period of time of their choosing (this feature is only included with some types of account; contact us for advice if you want to use it).
- When a customer does not explicitly delete their forms and lets their FormSmarts subscription lapse, the data is kept for a period of six months, after which it is deleted (some clients don't renew their subscription immediately even though they eventually do so).
Processing Right to Access Requests
- Search form submissions matching the email address or phone number of the individual who sent the data access request.
- Alternatively, find the FormSmarts notification emails corresponding to the form entries that include the person's email address or phone number in your email app, and follow the View Online link at the bottom of the message (or use another way to access the form entry on FormSmarts).
- For each entry, download a PDF that you can communicate to the person who requested access to their personal data.
Processing Right to Erasure Requests
After locating form entries associated with the subject of the request as described in the previous section, customers can view individual entries and delete them via the Delete button.
Processing Right to Have Inaccurate Personal Data Rectified
To correct inaccurate or out-of-date information in a form entry, view it on FormSmarts then amend the relevant data fields.