How the GDPR Affects Organizations Using Submittable

The General Data Protection Regulation (GDPR) defines and creates laws concerning the privacy of individuals in the European Union. This affects any company that processes the personal data of people who live in the EU—whether that company is based in the EU or not.

While not legal advice, this document can help you understand the GDPR provisions built into Submittable. Within the terms of the GDPR, you are the “controller” and Submittable is the “processor.” Submittable processes data on your behalf.

Your Users' Rights

Submittable helps your organization observe the GDPR by respecting the rights of people as outlined in it. These rights include:

Breach Notification

Submittable is committed to notifying those affected by a data breach within 72 hours of discovery.

Right to Access

Your users have the right to ask you if you are using their personal data, and how it is being used. Submittable has always allowed you to search for users by name to find their data. We also provide self-service features that allow your users to monitor the status of their submissions or applications and review the data they previously submitted.

Right to be Forgotten

Your users have the right to ask you to delete all of their personal data that you process. This excludes information you need for legal purposes such as taxes. This data is not limited to personally identifiable information, but refers to any data directly linked to that person.

Data Portability

Your users have the right to export their data in a “commonly used and machine readable” format. Submittable provides tools that allow your users to easily export their data as a CSV file.

Privacy by Design

Submittable has always held user data securely and privately. We do not share this data with third parties. We are transparent about how the data is used, and we only process what is necessary.


Submittable allows your organization to show your own custom terms and conditions, along with a checkbox to gather consent to processing from your users. We are strengthening these consent measures to directly address requirements in the GDPR. Additionally, we made changes to the application that will allow your users to withdraw consent as easily as they provide it.

Terms and Conditions

We have drafted changes to our Terms and Conditions as well as a clear mapping from the General Data Protection Regulation to our terms and conditions. These updated legal documents are available on the Submittable website, along with the application changes related to consent and data erasure.