A contact form almost always touches health-related data — if only indirectly, through the reason for the enquiry. That brings it within the GDPR's rules on special-category data, which is exactly why it is the spot where most practice websites get it wrong. The good news: six points make the form clean.
Why the form in particular is critical
On submit, personal data is sent to your server and processed there. Without a recognisable legal basis, encryption, and clear information, that's a real breach — and in Germany a common trigger for warning letters (Abmahnungen).
The checklist
1. Consent — active, not pre-ticked
A consent checkbox belongs on the form, and it must not be pre-ticked. The text states clearly what is being consented to and links to the privacy policy.
2. Data minimisation
Ask only for what you need to reply. A name, one way to reach the person, and the enquiry are usually enough. Every extra required field is both a legal risk and a cost in lost enquiries.
3. Transport encryption
The form is served over HTTPS only. Without a valid certificate it must not be delivered.
4. Processing in the EU
The form target, the email delivery, and the hosting should all sit in the EU. We send enquiries through a provider with EU processing and keep the data paths short and documented.
5. Plain information at the form itself
A short line by the form pointing to the privacy policy creates transparency under Art. 13 GDPR — in plain language, not buried in fine print.
6. Logging and a deletion plan
Record when consent was given, and delete enquiries once their purpose is met. A simple deletion interval is enough to start.
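The six points above can be enforced on the server rather than left to the page copy. The following is an added example (not code from the article or from any provider it mentions) of a framework-free submission handler: it rejects anything not posted over HTTPS, accepts only the fields needed to reply, treats consent as given only when the unticked checkbox was actively ticked (a browser omits an unticked checkbox from the POST entirely, so absence means no consent), stores the consent timestamp, and deletes enquiries after a retention interval. The field names, the 90-day interval and the `is_https` flag are assumptions for the example; a real deployment would take them from the form and the request.

```python
"""Contact-form handling that enforces the checklist server-side.
Added example with constructed inputs; field names and the retention
interval are assumptions, not values from the article."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Point 2 (data minimisation): the only fields the form may carry at all.
ALLOWED_FIELDS = {"name", "contact", "message", "consent"}
REQUIRED_FIELDS = {"name", "contact", "message"}
# Point 6 (deletion plan): assumed interval after which enquiries are purged.
RETENTION_DAYS = 90

# Point 1 and 5: consent checkbox without "checked", and a plain notice
# beside the form linking to the privacy policy. Constructed markup.
FORM_HTML = """
<form method="post" action="https://practice.example/contact">
  <input name="name" required>
  <input name="contact" required>
  <textarea name="message" required></textarea>
  <label><input type="checkbox" name="consent" value="on">
    I have read the <a href="/privacy">privacy policy</a> and consent to my
    details being stored to process my enquiry.</label>
  <p>We use your details only to answer this enquiry. Details: <a href="/privacy">privacy policy</a>.</p>
  <button>Send</button>
</form>
"""


@dataclass
class Enquiry:
    name: str
    contact: str
    message: str
    consent_given_at: datetime  # Point 6: when consent was recorded (UTC)


@dataclass
class EnquiryStore:
    entries: list = field(default_factory=list)


def validate_submission(fields: dict, is_https: bool) -> list:
    """Return the reasons to reject a submission; an empty list means accept."""
    problems = []
    # Point 3: a form posted over plain HTTP is never processed.
    if not is_https:
        problems.append("transport: form must be submitted over HTTPS")
    # Point 2: any field the form does not need (e.g. a date of birth) is rejected.
    extra = set(fields) - ALLOWED_FIELDS
    if extra:
        problems.append(f"minimisation: unexpected field(s) {sorted(extra)}")
    missing = [f for f in sorted(REQUIRED_FIELDS) if not str(fields.get(f, "")).strip()]
    if missing:
        problems.append(f"missing required field(s) {missing}")
    # Point 1: consent counts only if the checkbox arrived as "on". A browser
    # omits an unticked checkbox, so the server never assumes a default.
    if fields.get("consent") != "on":
        problems.append("consent: checkbox not actively ticked")
    return problems


def accept_submission(store: EnquiryStore, fields: dict, is_https: bool, now=None):
    """Validate and, if clean, store the enquiry together with its consent timestamp.
    Returns (enquiry, []) on success or (None, problems) on rejection."""
    now = now or datetime.now(timezone.utc)
    problems = validate_submission(fields, is_https)
    if problems:
        return None, problems
    enquiry = Enquiry(name=fields["name"].strip(), contact=fields["contact"].strip(),
                      message=fields["message"].strip(), consent_given_at=now)
    store.entries.append(enquiry)
    return enquiry, []


def purge_expired(store: EnquiryStore, now=None, retention_days: int = RETENTION_DAYS) -> int:
    """Point 6: delete enquiries older than the retention interval; returns how many were removed."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=retention_days)
    before = len(store.entries)
    store.entries = [e for e in store.entries if e.consent_given_at >= cutoff]
    return before - len(store.entries)


if __name__ == "__main__":
    # Constructed submissions: one clean, one with the checkbox left unticked.
    store = EnquiryStore()
    clean = {"name": "A. Patient", "contact": "a.patient@example.org",
             "message": "Can I get an appointment next week?", "consent": "on"}
    print(accept_submission(store, clean, is_https=True))
    no_consent = {k: v for k, v in clean.items() if k != "consent"}
    print(accept_submission(store, no_consent, is_https=True))
    print("stored:", len(store.entries), "purged:", purge_expired(store))
```

The handler deliberately returns every problem at once rather than the first one, so the form can show the visitor what to fix; the purge function is meant to run on a schedule (a daily job is enough to start) and its return value is what you would log to show the deletion plan is actually executed.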
One sentence that does the job
A plain wording works well as consent text: "I have read the privacy policy and consent to my details being stored to process my enquiry." Clear, brief, understandable.
This article describes practice; it is not legal advice. For a binding review of your forms and copy, please consult a qualified lawyer.