Healthcare · 2026-03-22 · 6 min read

How to Create GDPR-Compliant Patient Intake Forms

Patient data is the highest-risk category under GDPR

Health data is classified as a "special category" under GDPR Article 9. This means it receives the highest level of protection, and processing it requires explicit consent plus additional safeguards.

If your clinic, practice, or healthcare organization collects patient information through online forms, you need to get this right. The penalties for getting it wrong are severe — up to €20 million or 4% of annual turnover, whichever is higher.

What counts as health data?

Under GDPR, health data includes:

  • Patient names and contact information (when linked to health context)
  • Medical history and current conditions
  • Medications and allergies
  • Insurance information
  • Appointment details
  • Mental health information
  • Any data from which health status can be inferred

Even a simple appointment request form that asks "What is the reason for your visit?" constitutes health data processing.

Requirements for GDPR-compliant patient intake forms

1. Lawful basis for processing

For health data, you typically need explicit consent (Article 9(2)(a)) or a healthcare provision basis (Article 9(2)(h)). Your form should include a clear consent checkbox that is:

  • Not pre-checked
  • Specific about what data is collected and why
  • Linked to your privacy notice
  • Recorded with a timestamp

2. Data minimization

Only collect data you actually need. If you don't need a patient's date of birth for an initial inquiry form, don't ask for it. Every field should serve a clear purpose.

3. Secure transmission and storage

Form data must be:

  • Encrypted in transit (HTTPS/TLS)
  • Encrypted at rest (AES-256 or equivalent)
  • Stored in the EU on infrastructure not subject to third-country access laws
  • Access-controlled so only authorized staff can view submissions

4. Data Processing Agreement

If you use a third-party form builder, you need a Data Processing Agreement (DPA) that specifies:

  • What data is processed
  • The purpose of processing
  • Security measures in place
  • Subprocessor details
  • Data retention and deletion policies

5. Patient rights

Your form system must support:

  • Right to access — patients can request a copy of their data
  • Right to deletion — patients can request their data be permanently deleted
  • Right to portability — patients can request their data in a standard format (CSV, JSON)

Common mistakes to avoid

  1. Using Google Forms or Typeform for patient data — these are US-based services that don't meet EU health data requirements
  2. Not having a consent checkbox — implied consent is not valid for health data
  3. Storing form data indefinitely — implement a retention policy
  4. Sharing login credentials — each staff member should have individual access
  5. No audit trail — you should be able to show when data was collected and by whom
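The consent-checkbox rules in requirement 1 and mistakes 2 to 5 above describe what a form back end has to enforce server-side. The following is an added example (not FormGuard's code or anything from the article) of a minimal intake handler that rejects missing or implied consent, drops every field outside an allow-list, keeps an audit trail with timestamps and individual staff identities, and purges submissions past a retention period. The field names, the allow-list, the 365-day retention and the sample clock are assumptions for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed allow-list: the only fields this inquiry form is justified in collecting.
ALLOWED_FIELDS = {"name", "email", "reason_for_visit"}
CONSENT_FIELD = "consent_health_data"
RETENTION = timedelta(days=365)  # assumed retention period; the article names none
SAMPLE_NOW = datetime(2026, 3, 22, 9, 0, tzinfo=timezone.utc)  # constructed clock


class ConsentError(ValueError):
    """The explicit-consent checkbox was not affirmatively ticked."""


@dataclass
class Submission:
    data: dict
    collected_at: datetime
    notice_version: str  # version of the privacy notice the patient agreed to
    audit: list = field(default_factory=list)  # who did what, when


def has_explicit_consent(form: dict) -> bool:
    """An unticked browser checkbox sends nothing, so absence means no consent.
    Only an affirmative value from a box that defaults to unchecked counts."""
    return form.get(CONSENT_FIELD) in ("on", "true", "1")


def accept_intake(form: dict, now: datetime, notice_version: str) -> Submission:
    """Validate a raw form post and return a minimized, audited submission."""
    if not has_explicit_consent(form):
        raise ConsentError("explicit consent to process health data is required")
    kept = {k: v for k, v in form.items() if k in ALLOWED_FIELDS}  # minimization
    dropped = sorted(set(form) - ALLOWED_FIELDS - {CONSENT_FIELD})
    sub = Submission(kept, now, notice_version)
    sub.audit.append({"event": "collected", "at": now.isoformat(),
                      "notice_version": notice_version, "dropped_fields": dropped})
    return sub


def record_access(sub: Submission, staff_id: str, now: datetime) -> None:
    """Every staff view is logged under an individual account, never a shared login."""
    sub.audit.append({"event": "viewed", "by": staff_id, "at": now.isoformat()})


def purge_expired(store: list, now: datetime) -> int:
    """Delete submissions past RETENTION; returns how many were removed."""
    expired = [s for s in store if now - s.collected_at >= RETENTION]
    for s in expired:
        store.remove(s)
    return len(expired)
```

The consent record stores which privacy-notice version was agreed to, so a later change to the notice does not silently reuse old consent.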

Building compliant intake forms with FormGuard

FormGuard is designed for exactly this use case:

  • EU-hosted in Frankfurt, Germany — health data never leaves the EU
  • No US subprocessors — your patient data is not accessible under US law
  • Built-in consent fields — add required checkbox fields for consent
  • CSV export — fulfill data portability requests instantly
  • Submission deletion — delete individual or batch submissions to fulfill deletion requests
  • Encryption — all data encrypted in transit (HTTPS/TLS) and at rest


Ready to make your forms GDPR-compliant?

Create your first EU-hosted form in under 5 minutes. Free to start.
