Legal · 2026-03-25 · 7 min read

Secure Client Intake Forms for Law Firms: A GDPR Guide

Law firms have the most to lose from non-compliant forms

Every industry needs to comply with GDPR, but law firms operate under a unique double burden. You're bound by GDPR as a data controller processing personal data, and you're simultaneously bound by professional secrecy obligations — attorney-client privilege — that predate data protection law by centuries.

When a potential client fills out an intake form on your website describing their legal situation, that information is both personal data under GDPR and potentially privileged communication. A compliance failure doesn't just risk a fine — it can undermine the foundational trust of the attorney-client relationship.

What makes law firm data different

Client intake forms for law firms typically collect information that is extraordinarily sensitive:

  • Names and contact details of individuals seeking legal help
  • Description of legal issues — which may involve criminal matters, family disputes, financial problems, or employment conflicts
  • Opposing party information — names of individuals involved in the dispute
  • Financial details — income, assets, debts (especially for family law or insolvency matters)
  • Health information — in personal injury, medical malpractice, or disability cases
  • Immigration status — in immigration law cases

Some of this data falls under GDPR's special categories (Article 9): health data does directly, and financial or family details can reveal it. Special category data can only be processed under one of the Article 9(2) exceptions; explicit consent is one of them, but for legal work Article 9(2)(f) (legal claims) is usually the better fit, as discussed below. Data about criminal offences is governed separately by Article 10. Beyond GDPR classification, this data is also professionally privileged, meaning it demands a standard of care that exceeds even what GDPR requires.

The attorney-client privilege problem with US-hosted forms

Attorney-client privilege protects communications between lawyers and their clients from disclosure. In most EU jurisdictions, this privilege is absolute — even courts cannot compel disclosure of privileged communications.

Now consider what happens when you use a US-hosted form builder like Google Forms, JotForm, or Typeform:

  1. A potential client fills out your intake form, describing their legal problem
  2. That data is transmitted to and stored on infrastructure controlled by a US company
  3. Under the CLOUD Act, US law enforcement can compel that US company to produce the data
  4. The US company has no obligation to respect EU attorney-client privilege

This isn't a theoretical risk: the CLOUD Act applies to providers subject to US jurisdiction regardless of where the data is physically stored, so an EU data center operated by a US company does not remove the exposure. If your client's privileged information is stored on US-controlled infrastructure, you cannot guarantee the confidentiality that professional ethics demand.

The critical question: can you look your client in the eye and tell them their privileged information is truly confidential when it sits on servers controlled by a foreign government's jurisdiction?

Bar association obligations

Legal professional bodies across the EU impose strict obligations regarding client data:

  • German Federal Bar Association (BRAK) requires lawyers to ensure that electronic communications and data storage meet the same confidentiality standards as physical files
  • French National Bar Council (CNB) has issued guidance that lawyers must assess the data protection practices of all digital tools they use
  • Law Society of England and Wales (outside the EU since Brexit, but still influential) emphasizes that lawyers must take reasonable steps to ensure client confidentiality in digital communications
  • Council of Bars and Law Societies of Europe (CCBE) recommends that lawyers evaluate whether their digital tools expose client data to foreign jurisdiction access

Using a US-based form builder without a thorough risk assessment could be considered a breach of professional obligations, independent of any GDPR violation.

GDPR requirements specific to law firm intake forms

Lawful basis

For initial intake forms, the appropriate lawful basis is typically:

  • Article 6(1)(b) — processing necessary for steps prior to entering into a contract (the legal engagement)
  • Article 9(2)(f) — processing necessary for the establishment, exercise, or defense of legal claims (for special category data)

Consent can also be used but is not always the best basis for legal services, as it can be withdrawn.

Data minimization in practice

Your intake form should collect only what's needed for an initial assessment. Common mistakes:

  • Asking for full address when email and phone are sufficient for initial contact
  • Requesting detailed case history when a brief description is enough to assess conflict of interest
  • Including fields for financial information before you've determined whether you'll take the case

Design your intake form in stages: collect the minimum needed to assess the inquiry, then gather additional details once the engagement is confirmed.

Conflict checking

Before reviewing intake form data in detail, many firms need to run a conflict check. The form should collect enough information (names of parties involved) to perform this check, but no more than necessary until the conflict check is cleared.

Retention for rejected inquiries

What happens to intake form data when you decide not to take a case? GDPR requires you to delete the data once it's no longer needed. Best practice:

  • Delete intake data within 30 days if you decline the engagement (if you keep a minimal conflict-check record of the party names, give it its own documented basis and retention period)
  • Inform the prospective client of this retention period in your privacy notice
  • Document the deletion for your records

Building secure intake forms: technical requirements

For law firm intake forms, the technical bar is higher than for general business forms:

  1. Encryption in transit and at rest — TLS for the connection and encryption of the stored submissions (this is not end-to-end encryption: the provider can still read the data, which is why the remaining points matter)
  2. EU-only infrastructure — servers in the EU, operated by an EU company, with no US subprocessors
  3. Access controls — only authorized lawyers and staff should be able to view submissions
  4. Audit trail — log who accessed each submission and when
  5. Secure deletion — when you delete a submission, it must be permanently removed, including from backups within a stated window
  6. No third-party tracking — the form tool should not collect data about respondents for its own purposes

What a compliant intake form looks like

A GDPR-compliant law firm intake form should include:

  • Clear identification of your firm as the data controller
  • A link to your privacy notice specific to intake data processing
  • An acknowledgement (never pre-ticked) that the privacy notice has been read; use a consent checkbox only if consent really is your lawful basis, since asking for consent you do not need when you rely on Article 6(1)(b) and 9(2)(f) muddles the basis and creates a withdrawal right you would then have to handle
  • Minimal fields: name, email, phone, area of law, brief description of matter
  • Information about retention: how long you'll keep the data if you don't take the case
  • No tracking scripts or third-party analytics on the form page

How FormGuard supports law firm compliance

FormGuard is designed for exactly this kind of high-sensitivity use case:

  • Frankfurt, Germany data center — client intake data stays in the EU, under EU law
  • No US infrastructure — zero CLOUD Act exposure, protecting attorney-client privilege
  • EU-only processing chain — every subprocessor is EU-incorporated
  • Individual submission deletion — delete rejected inquiry data to meet retention requirements
  • CSV export — fulfill data access requests from data subjects
  • No respondent tracking — FormGuard doesn't collect analytics about people filling out your forms
  • Clean, professional forms — present a trustworthy experience to prospective clients

Your clients trust you with their most sensitive information. Your form builder should be worthy of that trust.
