How do I make Quform forms compliant with GDPR?

To make the forms compliant with the EU GDPR, choose one of the solutions below. Please note that we are not lawyers, so it would be best to consult with one. For reference, see the ICO’s Guide to the GDPR.

Solution #1 – Email only

For each form, go to Edit Form → Settings → General and turn off the option Save submitted form data. No data will be stored from form submissions, but you will still be able to manage submissions via email. Note that email is not always 100% reliable, particularly if using the default WordPress settings. To improve email sending reliability, we recommend using a WordPress SMTP plugin for sending email, such as WP Mail SMTP.

Solution #2 – Ask for consent with a Checkbox

Add a Checkbox element to the form, to require consent for storing the user’s data as part of the form submission process. See the image below for an example.

GDPR consent checkbox example

The steps below show how to configure this element for the positive opt-in consent required by the GDPR.

Configuring the consent Checkbox

In the Checkbox element settings, on the Basic tab, set the following options.

  1. Set the Label field to be empty
  2. Turn on the Customize values option
  3. Set the option Label to the consent text (e.g. I consent to my submitted data being stored in accordance with the <a href="https://www.example.com/privacy-policy" target="_blank">Privacy Policy</a>)
  4. Set the option Value to Yes
  5. Further down in the settings, turn on the Required option

GDPR consent checkbox basic settings

GDPR consent checkbox required

On the Labels tab, set the Admin label field to text that helps you identify this element (it will not be shown to the user).

Set GDPR consent admin label

Is the submitted data sent to quform.com or themecatcher.net?

No. The submitted data is only stored on your site in the WordPress database. The data would only leave your site if you have configured a notification email or add-on to send it elsewhere.

Does the Quform plugin use cookies?

Quform uses one session cookie to provide security and features within the plugin. We believe this cookie is exempt from requiring prior consent under the PECR/ePR laws. For reference, see Are there any exemptions? | Cookies and similar technologies | ICO. The Quform cookie:

  • Is a session cookie (deleted when the browser closes)
  • Stores only a session ID (no personal data is stored in the cookie)
  • Is required for providing security (protection against Cross Site Request Forgery)
  • Is required for proper functioning of the plugin (e.g. verifying that the CAPTCHA solution was correct)

Does the Quform plugin store IP addresses?

Yes, by default the user’s IP address is saved with the entry data, and is shown when viewing an entry. To disable IP address collection, go to Forms → Settings → Tweaks & Troubleshooting and disable the option Save IP addresses.

Dealing with data requests

Right of access

For reference, see Right of access | ICO. The regulations state that you have one month to respond to a Right of access request.

If you decide to comply with this request, in Quform you can gather data stored about a user by going to Forms → Entries, then searching for the user data (for example enter the user’s email address in the entries search box). For each found entry that applies to the user, View the individual entry then print the page (Ctrl + P) and choose Destination… Save as PDF. Switch to the next form and repeat this search for every form. Send the saved PDF files to the user.

Right to rectification

For reference, see Right to rectification | ICO. The regulations state that you have one month to respond to a Right to rectification request.

If you decide to comply with this request, in Quform you can find the data stored about a user by going to Forms → Entries, then searching for the user data (for example, enter the user’s email address in the entries search box). For each found entry that applies to the user, Edit the individual entry, make the necessary modifications, then click Save. Switch to the next form and repeat this search for every form.

Right to erasure

For reference, see Right to erasure | ICO. The regulations state that you have one month to respond to a Right to erasure request.

If you decide to comply with this request, in Quform you can find the data stored about a user by going to Forms → Entries, then searching for the user data (for example, enter the user’s email address in the entries search box). For each found entry that applies to the user, Trash the individual entry. Once each entry is in the Trash, go to the Trash view, select all entries, then permanently delete them. Switch to the next form and repeat this search for every form.
