Applicant and Candidate Privacy Notice
Version Date: August 4, 2022
Your privacy is important to us. The purpose of this document is to set out how DocuSign, Inc. and its affiliates (“us,” “our,” or “we”) collect, use, store, or otherwise process personal information about job applicants and/or candidates (collectively, “you”), including when you access or use our careers websites, e.g., https://www.docusign.com/company/careers, with whom we share it, and the rights afforded to you.
This Privacy Notice (“Notice”) does not cover your use of DocuSign’s products or services as a consumer (for more information, please read our website Privacy Notice at https://www.docusign.com/company/privacy-policy) or any third-party websites and apps that you may use, including those to which we link in our websites. You should review the terms and policies for third-party websites and apps before clicking on any links.
We recommend that you read this Notice in full to ensure you are fully informed about the manner in which we collect, use, store, or otherwise process your personal information as well as your privacy rights. However, if you want to skip to a particular section of this Notice, please refer to the table of contents below.
1. Collection of Personal Information
Subject to applicable law, we process your personal information for the purposes of fulfilling open job positions and recruiting job applicants and/or candidates.
Personal Information We Collect from You. Subject to applicable law, we may collect the following categories of personal information from you through the application and recruitment process:
Identifiers and contact information. This includes your name, date of birth, email address, mailing address, phone number, photograph, work and personal references and contact details, beneficiary and emergency contact details, and other similar contact data.
National identifiers and work eligibility information. This includes your national identification number, social security number, social insurance number, government identification number (e.g., CPF, RG, CNH), country, region, and city of birth, nationality, citizenship status, visa status, residency and work permit status, and immigration information.
Demographic information. This includes your age, income, marital/civil partnership status, gender, and military service.
Employment history and background check information. This includes your resume, Curriculum Vitae, work history, professional background and, where applicable and allowed by applicable law, information associated with social media platforms (e.g., social media handle) or professional networking sites (e.g., LinkedIn profile), credit history, criminal records, and other information revealed during background screenings.
Educational information. This includes your educational history, academic degrees and qualifications, certifications, and skills.
Sensitive personal information. This includes information requiring special handling related to racial and ethnic origin, religious beliefs, trade union membership, and health and medical information, including disability status, where we have obtained your consent or the collection of such data is allowed by applicable law.
On-premise monitoring. We also monitor our offices and other workplace facilities through video monitoring (e.g., closed-circuit television (“CCTV”)) and badge scans for security purposes, subject to the requirements of local law and internal policy. CCTV, which captures images and video footage, is primarily used to monitor office entry/exit points, elevator lobbies, rooms housing valuable equipment (e.g., server rooms), and other select areas that contain highly sensitive assets or are associated with a high risk for theft.
Other Information. Any other information you voluntarily submit to us in connection with your application for employment (e.g., compensation history), including that which you provide via webform, during an interview, or as part of other forms of assessment.
Your main choice for this type of personal information is simply not providing it, such as by not submitting a job application to DocuSign. For other choices you may have, please see Section 5 (Your Choices) of this Notice.
Personal Information We Collect from Other Sources. Subject to applicable law, we may collect personal information about you from others, such as:
Third-Party Sources. Examples of third-party sources include employment screening agencies, background check agencies, recruiting agencies, service providers, former employers and/or schools and educational institutions, publicly available information on websites or social media (e.g., when applying through LinkedIn, where relevant for recruitment purposes and allowed by applicable law), and others where they are legally allowed to share your personal information with us. For example, if you register to be contacted by prospective employers on another website, the website may provide your personal information to us.
Individuals Who Refer You. Other individuals may give us your personal information. For example, if a friend thinks you may be interested in a job at DocuSign, he or she may give us your contact details and resume.
Combining Personal Information from Different Sources. We may combine the personal information we receive from various sources with personal information we collect from you and use it as described in this Notice.
2. Use of Personal Information
In general, and subject to applicable law, we may use your personal information for operational purposes to:
Process your job application for employment.
Manage your relationship with us (e.g., facilitating meetings, communicating with you, providing you with requested information).
Track an application through the recruitment process.
Contact you or others on your behalf (including by email) about suitable job opportunities as they may arise.
Contact references with your authorization.
Conduct background checks with your authorization.
Evaluate you in the recruitment and hiring process, including to assess your eligibility for available positions at DocuSign.
Evaluate you for current and future job opportunities, including matching your skills and interest to applicable job requirements.
Conduct internal analyses to understand the job applicants and/or candidates who apply and to improve our recruitment process, including our diversity and equal employment opportunities efforts.
Comply with legal obligations (e.g., health and safety, anti-discrimination laws).
Analyze job applicant and/or candidate life cycle trends, including generating reports in an aggregated and de-identified or anonymized format.
Other Uses. We may combine the information we collect (“aggregate”) or remove pieces of information (“de-identify”) to limit or prevent identification of any particular individual to help with goals like research and recruiting. Once such information has been aggregated and anonymized such that it is no longer considered personal information under applicable data protection law, this Notice does not apply.
Lawful Basis for Processing Your Personal Information. If applicable law requires a lawful basis for processing, our lawful basis for collecting and using the personal information described in this Notice will depend on the type of personal information concerned and the specific context in which we collect or use it. Depending on the jurisdiction in which you live, there may be other applicable lawful bases for processing your personal information that are not listed here.
We normally collect or use personal information from you or others where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms (e.g., to communicate with you, to evaluate your application, to manage our recruitment processes efficiently and fairly), or where applicable, where we have obtained your consent to process for a specific purpose. In certain situations, we may have a legal obligation to collect or retain personal information (e.g., to comply with applicable employment and works council laws and regulations) or need the personal information to protect your vital interests or those of another person.
When we process sensitive personal information about you, we will make sure that one or more of the lawful bases for processing sensitive personal information, as referenced above, applies. For instance, these include processing which is necessary for the purpose of satisfying our obligations in relation to employment law, processing related to data about you that you have made public (e.g., if you tell us that you are ill) and processing which is necessary for the purpose of establishing, making or defending legal claims.
If you have questions about or need further information concerning the lawful bases on which we collect, use, store, or otherwise process your personal information, please contact us using the contact details provided in Section 9 of this Notice.
3. Personal Information Sharing
Subject to applicable law, including consent (as required), we may share personal information in the following circumstances (where applicable):
Internally. Your personal information may be disclosed to personnel involved in the recruiting and hiring processes, Human Resources, or third-party administrators for recruitment or other legitimate business purposes.
Service Providers. We may share your personal information with service providers in connection with the provision of services including, but not limited to, the following: recruitment, talent acquisition and administration, technology services, background checks, where allowed by applicable law, and employment history checks. We have contracts with our service providers that address the safeguarding and proper use of your personal information.
Affiliates. We may share your personal information with affiliates under common ownership or control of DocuSign, Inc. for purposes of recruiting or evaluating job applicants and/or candidates, resource planning, and talent and recruitment as well as other legitimate business purposes such as Human Resources administration and general business management and operations.
Recruitment Agencies. We may share your personal information with recruitment agencies with whom you provided your personal information or make your personal information publicly accessible to recruitment agencies.
Your Employer or Organization or Reference Checks. When you apply for a position at DocuSign, we may be required to share personal information when we contact your previous or current employer to verify your employment history or your references.
Public or Government Authorities. We may share your personal information to comply with our legal obligations, regulations, or contracts, or to respond to a court order, administrative, or judicial process, such as a subpoena, government audit, or search warrant where we are legally compelled to do so. We also may share your information when there are threats to the physical safety of any person, violations of DocuSign policies or other agreements, or to protect the legal rights of third parties, including our employees, users, or the public.
Corporate Transactions. Your personal information may be disclosed or transferred to relevant third parties in the event of, or as part of the due diligence for, any proposed or actual reorganization, sale, merger, consolidation, joint venture, assignment, transfer, or other disposition of all or part of our business, assets, or stock (including in connection with any bankruptcy or similar proceeding). If a corporate transaction occurs, we will provide notification of any changes to the control of your information, as well as choices you may have.
Consent. We may share your personal information in other ways if you have asked us to do so or have given consent.
4. Retention of Personal Information
We keep your personal information for no longer than necessary to fulfill the purposes for which it is processed. The length of time for which we retain personal information depends on the purposes for which we collected and use it and/or as required to comply with applicable laws as set out in our records retention policy and/or data handling standard. Generally, this means we retain your personal information to comply with any retention or statutory limitations. For example, if you are offered and accept a job at DocuSign, we retain certain information in your personnel file; if you are not offered or do not accept the job for which you have applied, we will delete your data after 6 months in certain countries, unless you authorize us to retain your information for longer with respect to potential future job opportunities. Where there are technical limitations that prevent deletion or anonymization, we safeguard personal information and limit active use of it.
5. Your Choices
This section describes many of the actions you can take to change or limit the collection, use, storage, or other processing of your personal information.
Application. You can access and review your job application. If any personal information is inaccurate or incomplete, you can make changes by emailing email@example.com. If you are not offered or do not accept the job for which you have applied, we will keep your information on file in case any other suitable opportunities come up. If you wish to opt out, please contact us via the DocuSign Privacy Request Portal.
Recruiting Messages. You can opt out of email recruiting messages (that are not transactional) we send you by clicking on the opt-out link in the email message. Please note that we may send you one message to confirm your decision to opt out.
Complaints. We are committed to resolving valid complaints about your privacy and our collection, use, storage, or other processing of your personal information. For questions or complaints regarding our data use practices or this Notice, please contact us via the DocuSign Privacy Request Portal.
6. Your Privacy Rights
Subject to applicable laws, you may have certain rights related to your personal information as described in more detail below. To exercise any of these rights, please contact us via the DocuSign Privacy Request Portal.
You can access the personal information we store about you, including details of why we are processing it.
You have a right to correct personal information about you that is inaccurate, incomplete, or outdated.
In certain situations, you can ask that we erase your personal information, object to or restrict the use of your personal information, or export your personal information to another controller.
Where we rely on your consent to process your personal information, you have the right to withdraw consent at any time. This will not affect the lawfulness of processing prior to the withdrawal of your consent. At any time, you can request that we stop using your personal information for recruiting purposes. See Section 5 (Your Choices) of this Notice for more information on your choices.
If you are unsatisfied with our response to your complaint, you have a right to raise questions or complaints with your local data protection authority at any time.
If you make a request to exercise the rights referenced above, we will require you to provide certain information for identity verification purposes. You may authorize an agent to make a request to us on your behalf and we will verify the identity of your agent or authorized legal representative by either seeking confirmation from you or documents that establish the agent’s authorization to act on your behalf.
If you wish to exercise these rights, please contact us at firstname.lastname@example.org.
Transfers to the U.S. and Third Countries. Subject to applicable law, we may transfer your personal information outside of your jurisdiction, including for further processing. DocuSign has adopted Binding Corporate Rules to facilitate the transfer of personal information from the European Economic Area and/or United Kingdom ("EEA") to DocuSign outside of the EEA. Transfers outside the DocuSign group are only made to organisations that agree to adhere to the standards in our Binding Corporate Rules or use another valid data transfer mechanism under applicable data protection law. You may view our Binding Corporate Rules at https://www.docusign.com/trust/privacy/bcrc-csb-code.
7. How We Protect Your Personal Information
We have implemented appropriate technical, physical and organizational measures to protect your personal information from misuse or accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, acquisition, or access as well as all other forms of unlawful processing. To achieve this, we have developed and implemented an Information Security Management System and other sub-policies and guidelines relating to the protection of your personal information. For example, our staff is permitted to access job applicant and/or candidate personal information only to the extent necessary to fulfill the applicable business purpose(s) and to perform their job, subject to confidentiality obligations.
8. Changes to This Privacy Notice
This Notice will not form part of any potential employment contract and we may change it from time to time. We will post any changes to this Notice on this page. Each version of this Notice is identified at the top of the page by its version date.
9. How to Contact Us
For questions or complaints regarding our use of your personal information or this Notice, please contact us at email@example.com or mail us at DocuSign, Inc., Attention: Privacy Team, 221 Main Street, Suite 1550, San Francisco, CA 94105.
For job applicants and/or candidates in the EEA, the DocuSign entity to which you applied for a job is the data controller of your personal information, but questions or complaints may still be directed to firstname.lastname@example.org.
10. Supplemental Privacy Disclosures for Job Applicants and/or Candidates in Certain Countries
If you reside in one of the following countries, the below Privacy Notice also applies to the processing of your personal information. To the extent there is a conflict between the country-specific language below and the provisions above, the below provisions control to the extent of that conflict.
Transfers and Disclosures to the U.S. and Third Countries. We may transfer or disclose your personal information to recipients in the following countries: Australia, Brazil, Canada, Germany, United States, France, United Kingdom, Mexico, Singapore, Ireland, Egypt, Israel, India, Japan, Costa Rica, Norway, Philippines, Sweden, Spain, Uruguay, and Georgia.
How We Protect Your Personal Information. Your personal information is likely to be stored on IT infrastructure located within Australia, United States, European Union and/or Canada.
How to Contact Us. To submit a complaint regarding our compliance with Australian law, please contact us at one of the addresses listed above. We will take reasonable steps to investigate the complaint and respond to you within a reasonable timeframe.
Purpose. For purposes of job applicants and/or candidates located in Brazil, the controller is DocuSign Brasil Soluções Em Tecnologia Ltda located at Tower Bridge Corporate, 02º Andar Conj. 21, Avenida Jornalista Roberto Marinho, 85, São Paulo, Brazil, Reg no. 35.218.051.742.
Use of Personal Information. When we process sensitive personal information about you, we will make sure that one or more of the lawful bases for processing sensitive personal information applies. For instance, these include processing which is necessary for the purpose of exercising our rights, including a contract and in judicial, administrative and arbitration.
Your Privacy Rights. In addition to the rights listed above, job applicants and/or candidates located in Brazil have the right to:
Confirm the existence of processing;
Correct inaccurate, incomplete, or out-of-date information;
In certain situations, object to the use of your personal information, requiring the anonymization, blocking, or elimination of your data or the exportation of your personal information to another controller; and
Obtain information about the entities with which we share your personal information.
Purpose. For job applicants and/or candidates located in France, the controller is DocuSign France SAS, located at Immeuble Central Park, 9-15 rue Maurice Mallet, 92130 Issy-les-Moulineaux, France.
Your Privacy Rights.
You have the right to object, on legitimate grounds, to the processing of your personal information, except where we are obliged to process such personal information in compliance with our legal obligations or where we cannot satisfy this request, based on a prohibition from a statutory provision.
Under specific conditions, you have the right to give instructions on how you would like us to store, delete or share your personal information after your death. Please contact us for more information about this.
If you are unsatisfied with our response to a complaint, you have a right to raise questions or complaints with the French supervisory authority (Commission Nationale de l'Informatique et des Libertés – "CNIL") at any time. You can contact this authority by sending a letter to the CNIL at 3 Place de Fontenoy, 75007 Paris, France, or by phone at +33 1 53 73 22 22.
If you make a request to exercise the privacy rights referenced above, we will take reasonable steps to verify your identity. You may authorize an agent to make a request to us on your behalf. In order to do so, we will verify the identity of your agent or authorized legal representative and require proof of your own identity. We can only satisfy such a request if the documents that establish the agent’s authorization to act on your behalf contain the precise duration and purpose of such authorization, and confirmation of whether your agent is entitled to be the recipient of the information we will send.
Collection of Personal Information. You are not required by law to provide us with the personal information described in Section 1.
Transfers to the U.S. and Third Countries. We may transfer your personal information outside of your jurisdiction for further processing. If you are resident in a jurisdiction where transfer of personal information related to you to another jurisdiction requires your consent, then you provide us your express and unambiguous consent to such transfer.
How to Contact Us. For questions or complaints regarding our processing of your personal information or this Notice, you may contact Doug Luftman (Chief Privacy Officer) by sending an email to email@example.com, by phone at +1 877 720 2040, or by sending a letter to DocuSign, Inc., Attention: Chief Privacy Officer, Legal Department, 221 Main Street, Suite 1550, San Francisco, CA 94105.