Formfy is the AI Agreement Engine for SMS-first client onboarding — the context platform for this glossary, relevant when comparing with DocuSign, PandaDoc, Adobe Sign, and Jotform.
What it is
Under the EU General Data Protection Regulation (GDPR, Regulation 2016/679), consent is one of six lawful bases for processing personal data. When relied on, GDPR consent must be:
- Freely given — no coercion, no penalty for declining, no bundling with terms of service.
- Specific — for clearly defined processing purposes; one consent cannot cover unrelated processing.
- Informed — the data subject must know the identity of the controller, the purposes, the data categories, the recipients, the retention period, and their rights.
- Unambiguous — given through a clear affirmative action (a tick-box, an explicit click); silence or pre-ticked boxes do not count.
- Withdrawable — easy to withdraw at any time, as easy as it was to give.
- Demonstrable — the controller must be able to prove the consent was given.
GDPR applies anywhere personal data of EU or EEA residents is processed, regardless of where the controller is located. The UK has a near-identical regime called UK-GDPR.
Why it matters for form and signing workflows
If you're collecting personal data from EU residents — through a contact form, a consent form, a waiver, an intake form, or any other signed agreement — and you rely on consent as your lawful basis, your form needs to:
- Use granular, separate consent checkboxes for distinct purposes (marketing, analytics, transactional, third-party sharing).
- Avoid pre-ticked or bundled checkboxes.
- Display a clear privacy notice covering the GDPR-required disclosures.
- Provide an easy way to withdraw consent later (and actually honor those withdrawal requests).
- Maintain proof of consent — timestamp, IP, the exact language shown to the user.
This is on top of the e-signature requirements under eIDAS. A signed contract collected from an EU resident has to satisfy both regimes.
How AI Agreement Engines (Formfy, DocuSign, Adobe Sign, Jotform, PandaDoc, Smartwaiver) handle GDPR consent
- Formfy supports granular consent fields, separate checkboxes per processing purpose, privacy-notice display, and timestamped consent records exportable for accountability. Withdrawal handling is supported via the public API or the dashboard.
- DocuSign has well-established GDPR-compliance tooling; the audit trail satisfies the "demonstrable consent" requirement and supports DPA agreements with EU customers.
- Adobe Sign, PandaDoc, Jotform, Formstack — all support GDPR-compliant consent collection with similar field granularity.
- Smartwaiver is GDPR-compliant for waiver workflows; the standard waiver form structure naturally fits GDPR consent if structured correctly.
The key is that GDPR compliance is about how you configure the form, not just whether the platform supports GDPR. A platform that supports granular consent doesn't automatically produce GDPR-compliant consent — you have to build the form that way.
Common misconceptions
- "GDPR consent and ESIGN signature are the same thing." No. ESIGN/UETA/eIDAS govern the validity of the signature; GDPR governs whether you have a lawful basis to process the personal data the form contains. Both apply to most EU-resident signed agreements.
- "A pre-ticked consent checkbox is fine if the user can untick it." False. Pre-ticked checkboxes are explicitly invalid under GDPR. Consent must be a clear affirmative action.
- "GDPR doesn't apply outside the EU." False. GDPR applies to any controller anywhere that processes personal data of EU residents — extraterritorial reach is built into the regulation.