FormSmarts collects personal data about third parties on behalf of our customers via the online forms they create on FormSmarts. As the data controllers for such data, customers need to understand how the data is processed and stored, and how they can process GDPR Right to Access and Right to Erasure requests from the individual whom data was collected on their behalf and is stored on FormSmarts.

Identifying the Data Stored on FormSmarts

Data on FormSmarts is structured around forms and form entries. Customers can view/download and delete the data associated with an individual form entry. They can also access and delete all data associated with a specific form.

Is data collected stored on FormSmarts?

The primary purpose of FormSmarts is to allow users to collect and process information submitted via online forms. As such, all our users collect data via FormSmarts, and most of them collect personal data. Not all users store collected data on FormSmarts though:

  • Only paying users and free trial customers may store collected data on FormSmarts.
  • If a customer opts to only receive form entries by email and does not enable data storage for any of their forms, the data collected is not stored on FormSmarts.
  • FormSmarts only stores data for forms for which data storage was enabled (as of March 17, 2017, data storage is enabled by default for all Business accounts).

How long is data being retained on FormSmarts?

  • FormSmarts keeps the data submitted for the lifetime of the corresponding form.
  • When a form is deleted, FormSmarts deletes the data submitted via that form within a few days.
  • Once the deletion process is started, the corresponding data is effectively and permanently removed from all our systems within at most 30 days.
  • An advanced FormSmarts feature allow customers to have data automatically deleted after a period of time of their choosing (this features is only included with some types account, contact us for advice if you want to use it).
  • When a customers does not explicitly delete their forms and lets their FormSmarts subscription lapse, the data is kept for a period of six months, after which it is deleted (some clients don't renew their subscription immediately even though they eventually do so).

Processing Right to Access Requests

  1. Find the FormSmarts notification email corresponding to a form entry that includes the email address of the individual who sent the request and follow the View Online link at the bottom of the message.
  2. Use the Related Entries button to look for other entries associated with the same email.
  3. For each entry, download a PDF that you can communicate to the person who requested access to their personal data.

Alternatively, it is possible to access Related Entries via the API Console.

Processing Right to Erasure Requests

After locating form entries associated with the subject of the request as described in the previous section, customers can view individual entries and delete them via the Delete button.