DocuSign's commitment to privacy
Binding corporate rules
- DocuSign's top priority is the privacy and security of our customers' information, documents, and data.
- DocuSign received approval for Binding Corporate Rules (BCRs) – both as a data processor and as a data controller – from the EU Data Protection Authorities (DPA).
- BCRs require discipline, rigor, and robust internal data protection practices and evidence a strong, global privacy commitment.
- BCR for Processors (BCR-P) permit the processing of customer personal data via the Signature Service outside the European Economic Area (EEA).
- With BCR-P, DocuSign customers are assured that any transfer of personal data outside of the EEA via the Signature service complies with European Union data export rules.
Europe’s data transfer restrictions and the role of binding corporate rules
The European Union (EU) has some of the strictest and most comprehensive data export requirements in the world. European data protection laws prohibit the transfer of personal data from the European Economic Area (EEA) to countries outside of the EEA that do not ensure an "adequate level of data protection." However, multinational companies that need to conduct such transfers can do so if the data processor has implemented Binding Corporate Rules (BCRs).
Considered the gold standard for data protection, BCRs are a strict set of rules that are recognized as an adequate mechanism for the lawful transfer of data outside of the EEA once an EU data protection authority (DPA) and two additional co-lead DPAs approve them. They are very difficult to obtain, with European DPA approval typically taking over two years and a significant amount of time, money, and resources to draft, implement, and maintain.
Only the most privacy-committed organizations successfully achieve BCR certification. To date, less than 100 companies worldwide have obtained BCR approval – and of those, only a few are approved as BCR for Processors (BCR-P).
BCR for processors
Like standard BCRs, BCR-P are a global, company-wide privacy framework that allows the transfer of customer personal data outside of the EEA once approved by the European DPAs. Specifically, they govern the transfer of personal data by a company acting as a data processor (i.e., it processes data on behalf of a data controller). In the case of DocuSign, for example, they cover all eDocuments.
All DocuSign group members are bound by the BCR codes. This ensures good data protection practices throughout the company and satisfies the European standards of data protection for personal data included in eDocuments and originating within the EEA via the Signature service. Adherence to the BCR codes is backed by audits and staff training programs, which are overseen by an internal privacy compliance team and made binding by a company-adopted legal instrument.
The advantages of a BCR-P certification
DocuSign appreciates that our customers – as the data controllers – have primary responsibility for personal data under EU laws. By relying upon DocuSign’s BCR-P certification, our customers can:
- Ensure compliance with EU data export rules wherever the personal data is processed within the Signature service
- Be assured that personal data is protected whenever a sub-processor comes in contact with it (a sub-processor is any third-party organization, such as a DocuSign vendor or supplier, involved in processing personal information through the Signature service)
- Demonstrate to their own customers that they are applying the gold standard of data transfer mechanisms
- Feel secure in the knowledge that:
- DocuSign's data protection policies and practices are reviewed with intense scrutiny by the European DPAs
- Any DocuSign employee who handles personal data is trained on the BCR principles and obligations (this may also ease the vendor due diligence process)
- The BCR can be considered legally “safer” than the EU Model Clauses and the Privacy Shield, both of which have been challenged and scrutinized by parties within the EU
- Enjoy a number of beneficial rights, including the right to:
- Notification of security breaches and disclosure requests by law enforcement bodies
- Seek cooperation in responding to data subject requests
- Receive notice of third-party sub-processors
- Hold DocuSign liable for breaches by our sub-processors
- Audit DocuSign or receive an audit report
- Enforce the BCR-P against a DocuSign entity in the EEA
DocuSign's responsibilities under the BCRs
When handling customer personal data, DocuSign will:
- Process personal data only on the customer’s behalf and in accordance with the customer’s instructions
- Take appropriate security measures to protect the personal data
- Provide its staff with access to personal data only to the extent necessary to perform services and impose confidentiality obligations on all such staff
Notifications and Cooperation
Under the notification and cooperation requirements, DocuSign will notify customers of:
- Its non-compliance (if any) with applicable law
- Any legally valid and binding disclosure requests made by public authorities – and will do so promptly
- A data security breach as soon as reasonably possible
- Any requests or complaints received from data subjects – and will do so promptly – and will cooperate to help customers address such requests
DocuSign will also deal promptly and appropriately with any inquiries from customers relating to processing of personal data under the contract.
As part of its sub-processor obligations, DocuSign will:
- Deal promptly and appropriately with any inquiries from customers relating to processing of personal data under the contract.
- Require all third-party sub-processors to contractually agree to data protection obligations similar to those in its BCR-P
- Remain liable for the performance of the contract by its sub-processors
- DocuSign must carry out regular internal audits to ensure compliance with its BCR-P
- European DPAs have the right to audit DocuSign’s compliance with its BCR-P
- DocuSign must implement BCR training for all staff that handle EEA personal data
- Customers can enforce the BCR-P directly against a DocuSign entity within the EEA
- EU data subjects have the right to directly enforce breaches of the BCR-P against DocuSign under certain conditions
To find out more about DocuSign's BCR-P, contact [email protected]