Yes! To let your customers know that you use Cognito Forms, and be in compliance with the GDPR, you can add the following statement to your Privacy Policy:
We use Cognito Forms to securely collect and manage your personal information in compliance with GDPR. You can learn more about how Cognito Forms protects your personal information in the Cognito Forms Privacy Policy.
Most organizations add this text in a section reserved for Third Party Data Processors. You’ll also want to include a link to our privacy policy as part of that statement. And don’t forget to sign our Data Processing Addendum.
To learn more, read these tips for creating GDPR compliant online forms.
You can also access the complete text of GDPR.
The GDPR is a complex piece of legislation that requires those doing business in the European Union to abide by a standardized set of online privacy practices.
If you’re subject to GDPR and use Cognito Forms to collect data, you’ll want to:
- Obtain explicit consent before collecting personal or sensitive data.
- Enable data encryption to encrypt all personal or sensitive data when viewing entries, which could cause data to be stored in a local database within your browser. (All data is encrypted when at rest.)
- Link your privacy policy to ours.
- Collect a minimal amount of data and delete when it is no longer required.
- Allow data subjects to have their information erased or corrected.
To learn more, read 5 Guidelines for Creating GDPR Forms.
To satisfy the GDPR explicit consent requirement, you must receive consent from every Data Subject through an active opt-in.
An active opt-in is one that requires an individual to take a clear affirmative action, such as by ticking a checkbox. Prefilling a checkbox is considered a “soft” or “silent” opt-in and should be avoided.
With Cognito Forms, you can easily obtain explicit consent on your form using a Yes/No field:
- Add a Yes/No field to your form.
- In the field settings, select the Checkbox type.
- Make sure to include a message written in clear, easily understandable language (ex: “I agree to the terms and conditions”).
- Set the field as required.
Refer to the GDPR provisions or talk to your GDPR consultant for specific requirements.
GDPR defines personal data as any information related to a natural person (or “Data Subject”) that can be used to directly or indirectly identify the person. If you intend to collect personal data from people in the EU, you must first obtain explicit consent from your data subjects.
Please note that the GDPR also refers to “special categories of personal data,” which require additional security. These include:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs, or trade union membership
- Genetic data or biometric data for the purpose of uniquely identifying a natural person
- Data concerning health or data concerning a natural person’s sex life or sexual orientation
Refer to the GDPR provisions or talk to your GDPR consultant for specific requirements.
The GDPR applies to people living in the EU (referred to in the provisions as “data subjects”) and any organizations that collect personal data from those individuals.
The legislation provides people living in the EU with control over the personal data they provide to organizations online. Any organization that collects such data must comply with GDPR’s specific requirements or face severe penalties.
Refer to the GDPR provisions or talk to your GDPR consultant for specific requirements.
The General Data Protection Regulation (GDPR) is a set of rules designed to give citizens in the European Union (EU) more control over their personal data. It also addresses the export of personal data outside the EU.
Refer to the GDPR provisions or talk to your GDPR consultant for specific requirements.
On September 27, 2021, we updated our Data Processing Addendum with the Standard Contractual Clauses as required to adhere to new General Data Protection Regulation (GDPR) provisions. Users who signed our DPA before these provisions took effect must sign our new DPA to ensure compliance beyond Dec 2022.
Yes! We are now offering data processing agreements for organizations that use Cognito Forms to collect personal data about people in the UK, the EU, and the US state of California. View a sample DPA.
To sign a Data Processing Agreement (DPA) with Cognito Forms:
- Log in to your Cognito Forms account.
- Select your organization’s name in the top left corner and then click Settings.
- Click Plan in the left-hand navigation, or scroll to the Plan section.
- From your plan settings, find the Privacy Regulation Compliance section and click the Sign our DPA to get started link. If you have an already signed version, click Exit your DPA and then click the Sign our DPA to get started link.
- Review the DPA as written in the dialog, then provide the legal name of your organization along with your title and signature at the bottom of the agreement and click the I Agree button.
Once completed, you’ll see a message indicating that you’ve successfully signed the DPA with Cognito Forms. You can then download a PDF copy of your agreement. (You’ll also automatically receive a copy of your agreement at the email address associated with your organization.)
If you have any questions about GDPR or CCPA compliance, or signing a DPA with Cognito Forms, please contact us.