Meet your GDPR obligations with a structured, auditable process. This data subject request form covers all five primary rights — access, deletion, correction, restriction, and portability — and captures identity verification details and representative relationships so every request is handled correctly and completely.
Under the GDPR, organizations are legally required to respond to data subject requests within 30 days. Without a formal intake process, these requests can arrive via email, live chat, or social media DMs — making them easy to miss, difficult to track, and nearly impossible to audit. A structured data subject request form fixes all of this by creating a single, consistent intake point with a clear timestamp and complete information.
This form covers the full range of GDPR rights: the right to access personal data, the right to erasure ('right to be forgotten'), the right to rectification, the right to restriction of processing, and the right to data portability. Each request type has distinct legal implications and processing steps, so collecting this information upfront lets your privacy team route each case to the right person immediately.
formformform stores every submission with a timestamp, giving your compliance team an auditable record of when each request was received. This is essential for demonstrating GDPR compliance during regulatory inquiries. The form can be embedded on your privacy policy page, linked from your app settings, or featured in a dedicated 'Your Privacy Rights' section of your website.
Includes an order history field so customers can specify whether they want purchase records retained for warranty purposes or fully deleted.
Asks which data export format the user requires (JSON, CSV, XML) and which modules of their account data they want included.
Includes a field for the specific date range and type of records requested, and notes parallel HIPAA requirements alongside GDPR.
Asks whether the user wants only to unsubscribe from communications or to have all tracked behavioral data deleted from the analytics database.
Includes a field for the account type and account number, and notes that some transaction records must be retained for regulatory compliance even after a deletion request.
Routes requests from current employees, former employees, and job applicants to separate handling queues based on employment status.
Mirrors the GDPR structure but uses California-specific rights language — 'Know', 'Delete', 'Opt-Out of Sale' — for US-based privacy compliance.
Captures student ID and enrollment period alongside the request type to route to the correct registrar or data custodian for processing.
Asks for the policy number and notes that claim records may be retained beyond a deletion request to fulfill legal obligations.
Collects the user's account email and specific listing interactions they want removed from saved searches and viewing history.
Explains what restriction means in practice (data is stored but not processed) and asks which specific processing activities the user wants restricted.
Asks which loyalty program tier and transaction history period to include in the portable data export, delivered in the user's choice of format.
Click 'Use this template' to load the GDPR data request form into your formformform account.
Update the intro paragraph with your organization's specific 30-day response commitment and contact details for complex cases.
Adjust the identity verification options to match your actual verification process — some organizations use account email confirmation; others require a government ID.
Configure email notifications for your Data Protection Officer or privacy team so requests are never missed.
Embed the form on your Privacy Policy page, your cookie settings page, and your account settings panel.
Document the link to this form in your Privacy Policy as the mechanism for exercising GDPR rights.
GDPR requires this as a maximum. Set up your email notifications immediately and assign a responsible team member to monitor submissions.
Update your form's success message or configure an auto-response email confirming receipt and estimated response time.
Even after fulfilling a deletion request, you may need to retain the request record itself as evidence of compliance.
Confirming identity protects both the requester's data and your organization from fraudulent erasure requests.
Ask for documentation of the representative relationship (power of attorney, birth certificate for minors) before acting on their behalf.
GDPR enforcement evolves. Periodic review ensures your process reflects current regulatory guidance.
You aren't legally required to have a specific form, but you are required to respond to data subject requests. A structured form ensures you never miss a request, have a clear timestamp for compliance, and collect all the information needed to fulfill each request type correctly.
Under GDPR Article 12, you must respond within one calendar month (30 days) of receiving a request. In complex cases you can extend by another two months if you notify the requester within the first 30 days.
Yes. Parents can submit on behalf of minor children, and authorized legal representatives can act on behalf of adults. This form captures that relationship and prompts for the required documentation.
Common methods include confirming via the email address registered to the account, requesting a government ID for high-risk erasure requests, or using a secure identity verification link. The form's identity field captures which method the requester will use.
The form structure works for CCPA consumer rights requests as well. You'd want to update the intro copy and options to reference California Consumer Privacy Act rights rather than GDPR terminology, or create a separate form for each regulation.