diff --git a/CHANGES.rst b/CHANGES.rst
index 6d455259..dd8620f1 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -5,7 +5,8 @@ Changelog
 4.1.5 (unreleased)
 ------------------
-- Nothing changed yet.
+- check for "collective.easyform.DownloadSavedInput" permission, before including the saved data in serializer.
+ [MrTango]
 4.1.4 (2023-07-27)
diff --git a/api.http b/api.http
new file mode 100644
index 00000000..0fd1dd05
--- /dev/null
+++ b/api.http
@@ -0,0 +1,9 @@
+@baseUrl = http://localhost:8080/Plone
+
+###
+
+get {{baseUrl}}/form
+
+###
+get {{baseUrl}}/form
+Authorization: Basic admin:admin
diff --git a/src/collective/easyform/serializer.py b/src/collective/easyform/serializer.py
index 80e2da5b..14a1ab03 100644
--- a/src/collective/easyform/serializer.py
+++ b/src/collective/easyform/serializer.py
@@ -12,6 +12,7 @@ from zope.schema import getFieldsInOrder
 from zope.schema.interfaces import ISet, IDate, IDatetime
+from plone import api
 from plone.restapi.serializer.dxcontent import SerializeToJson as DXContentToJson
 from plone.restapi.deserializer.dxcontent import (
 DeserializeFromJson as DXContentFromJson,
@@ -24,6 +25,7 @@ from collective.easyform.api import get_actions
 from collective.easyform.api import get_schema
+from collective.easyform.config import DOWNLOAD_SAVED_PERMISSION
 from collective.easyform.interfaces import IEasyForm
 from collective.easyform.interfaces import ISaveData
 from Products.CMFPlone.utils import safe_unicode
@@ -37,8 +39,8 @@ class SerializeToJson(DXContentToJson):
 def __call__(self, version=None, include_items=True):
 result = super(SerializeToJson, self).__call__(version, include_items)
- self.serializeSavedData(result)
-
+ if api.user.has_permission(DOWNLOAD_SAVED_PERMISSION, obj=self.context):
+ self.serializeSavedData(result)
 return result
 def serializeSavedData(self, result):
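Review bot: The last request in the new `api.http` commits a credential, `Authorization: Basic admin:admin`, to the repository; even as a local-development default this is exactly the line that gets copied into real deployments and trips secret scanners. Move the value out of the tracked file, e.g. `Authorization: Basic {{adminAuth}}` with `adminAuth` supplied from an untracked per-developer environment file, or at minimum add a comment stating these are throw-away local values. It is also worth confirming that a root-level `api.http` is excluded from the released sdist by MANIFEST.in, which this diff does not show.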
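Review bot: The guard added around `self.serializeSavedData(result)` in `SerializeToJson.__call__` closes an authorization gap (the old code serialized stored submissions, which typically hold personal data, for anyone who could serialize the form), but the diff carries no automated regression test for it, only the manual requests in `api.http`. Add a test that fetches a form with stored submissions as Anonymous and as a plain Member and asserts the saved-data payload is absent, then as a user granted `collective.easyform.DownloadSavedInput` and asserts it is present. `api.user.has_permission` without a `user`/`username` argument evaluates the current security manager's user, so any path that serializes under elevated roles (for example inside `api.env.adopt_roles`) will still include the data; presumably intended, but a one-line comment such as `# Saved submissions may contain PII: expose them only to users allowed to download them.` would make that explicit. `serializeSavedData` begins on the hunk's last line and its body is not visible here, so whether it touches anything else that should be gated cannot be judged from this diff.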