GDPR-Compliant Forms: What You Need to Know

By Ahmed Rabi · March 18, 2025 · 7 min read

If your form collects personal data from people in India, India's Digital Personal Data Protection Act 2023 (DPDPA) applies; if you collect it from people in the EU, the GDPR applies — regardless of where your business is based. Both sound intimidating, but compliance mostly comes down to a few common-sense practices. Here's a practical, jargon-free guide for Indian businesses and global teams alike.

This article is general information, not legal advice. For specifics, consult a qualified professional.

What counts as personal data?

Personal data is anything that can identify someone: name, email, phone number, IP address, and more. If your form collects any of it from Indian or EU residents, the principles below apply.

India's DPDPA 2023 in brief

India's DPDPA 2023 governs how the personal data of people in India is collected and processed. It requires clear consent, data minimization and a way for people to exercise their rights. For Indian users, those rights include the right to access, correction, erasure and grievance redressal. Indian startups and SMBs collecting data through forms should treat DPDPA the same way global teams treat GDPR.

1. Collect only what you need

Data minimization is a core principle of both DPDPA and GDPR. Every field should have a clear purpose. Fewer fields also mean higher completion — a rare win-win. See our form design tips for how to trim.

2. Get clear consent

When you process data based on consent, that consent must be freely given and specific. In practice that means an unticked checkbox with plain-language wording, linking to your privacy policy — never pre-checked boxes or buried clauses.

3. Be transparent

Tell respondents who you are, what you'll do with their data, and how long you'll keep it. A short note near the submit button plus a link to your privacy policy covers this.

4. Respect respondent rights

Under both DPDPA and GDPR, people can request access to, correction of, or deletion of their data. Make sure you can find and remove an individual's submissions when asked. FormMaker lets you delete individual responses or entire forms at any time — see our GDPR & DPDPA page.

5. Choose compliant infrastructure

Where your data is stored matters. FormMaker hosts submission data on servers in India and EU regions, encrypts it at rest, and offers a Data Processing Agreement. Our sub-processor list is published so you always know who touches your data.

A quick compliance checklist

  • Only ask for data you genuinely need.
  • Add an explicit, unticked consent checkbox where required.
  • Link to a clear privacy policy.
  • Be able to delete a person's data on request.
  • Use compliant India/EU hosting and sign a DPA.

How FormMaker helps

FormMaker is built privacy-first: India & EU hosting, encryption, granular access controls, audit logs, and one-click data deletion. That gives you a foundation that's compliant with DPDPA and GDPR, so you can focus on the wording and consent that fit your use case.

Create a compliant form for free, or read more on our GDPR & DPDPA compliance page.
