Scope

1.1

This CSB Privacy Code addresses the Processing of Personal Information of Customers, Suppliers and Business Partners and other Individuals by DocuSign or a Third Party Processor on behalf of DocuSign (collectively, CSB Information). This CSB Privacy Code does not address the Processing of Personal Information of Employees in the context of their employment relationship with DocuSign unless and to the extent such Employee is a Customer of DocuSign.

Opt-out for Local-for-Local Processing

1.2

A Group Company not established in the EEA and not covered by an Adequacy Decision may opt-out of the applicability of this CSB Privacy Code in respect of Processing of CSB Information collected in connection with the activities of such Group Company, provided such CSB Information is subsequently Processed in the relevant jurisdiction of such Group Company only (Local-for-Local Processing). The opt-out by a Group Company for Local-to-Local Processing requires the prior authorization of the Chief Privacy Officer. Notwithstanding such an authorization, the Local-for-Local Processing shall at least be compliant with applicable local laws and the security and governance requirements of this CSB Privacy Code.

Electronic and paper-based Processing

1.3

This CSB Privacy Code shall apply to the Processing of CSB Information by electronic means and in systematically accessible paper-based filing systems.

Applicability of local law and CSB Privacy Code

1.4

Nothing in this CSB Privacy Code will be construed to take away any rights and remedies that Individuals may have under applicable local law. This CSB Privacy Code provides supplemental rights and remedies to Individuals only.

Sub-policies and notices

1.5

DocuSign may supplement this CSB Privacy Code through sub-policies, procedures or guidelines that are consistent with this CSB Privacy Code.

Accountability

1.6

This CSB Privacy Code is binding on DocuSign. The Responsible Executive is accountable for his or her business organization’s compliance with this CSB Privacy Code. DocuSign Staff must comply with this CSB Privacy Code.

Effective Date

1.7

This CSB Privacy Code will enter into force as of June 11, 2018 (Effective Date) and will be published on the DocuSign’s website and DocuSign’s intranet site and shall be made available to Individuals upon request.

CSB Privacy Code supplements prior policies

1.8

This CSB Privacy Code supplements all DocuSign privacy policies and notices that exist on the Effective Date.

Implementation

1.9

This CSB Privacy Code shall be implemented in the DocuSign organization based on the timeframes specified in Article 22.

Role of DocuSign Ireland

1.10

DocuSign Inc. has tasked DocuSign Ireland with the coordination and implementation of this CSB Privacy Code.

Legitimate Business Purposes

2.1

CSB Information shall be collected, used or otherwise Processed by DocuSign in the context of the provision of Customer Services, use of Supplier Services, and Business Development with Business Partners for one (or more) of the following purposes (Business Purposes):

1. Assessment and acceptance of a Customer, Supplier, or Business Partner; conclusion and execution of agreements with a Customer, Supplier, or Business Partner and the settlement of payment transactions. This purpose includes Processing of CSB Information that is necessary in connection with the assessment and acceptance of Customers, Suppliers, or Business Partners, including confirming and verifying the identity of relevant Individuals (this may involve the use of a credit reference agency or other Third Party), conducting due diligence, and screening against publicly available government and/or law enforcement agency sanctions lists and other third-party data sources, the use of and participation in DocuSign’s incident registers and sector warning systems, and/or third party verification services. This purpose also includes Processing of CSB Information in connection with the execution of agreements, including the delivery of Customer Services and the settlement of payment transactions in the context of which DocuSign may provide CSB Information to the counterparty or other parties as necessary, e.g., for verification or reconstruction purposes;
2. Performance of Customer Services. This purpose addresses Processing of CSB Information necessary for the performance of Customer Services;
3. Use of Supplier Services. This purpose addresses Processing of CSB Information necessary for the use of Supplier Services by DocuSign;
4. Business Development with Business Partners. This purpose addresses Processing of CSB Information necessary for Business Development between DocuSign and Business Partners;
5. Development and improvement of products and/or services. This purpose includes Processing of CSB Information that is necessary for the development and improvement of DocuSign products and/or services, research and development;
6. Relationship management and marketing. This purpose includes activities such as maintaining and promoting contact with Customers, Suppliers and Business Partners, account management, customer service, recalls, collection of CSB Information through DocuSign websites, and the development, execution and analysis of market surveys and marketing strategies;
7. Business process execution, internal management and management reporting. This purpose includes the management of company assets; credit assessment (including setting credit limits) and risk management, conducting audits and investigations; finance and accounting; implementing business controls; provision of central processing facilities for efficiency purposes; managing mergers, acquisitions and divestitures; Processing CSB Information for management reporting and analysis; archive and insurance purposes; legal or business consulting; and preventing, preparing for or engaging in dispute resolution;
8. Health, safety, securityand integrity, including the safeguarding of the security and integrity of the business sector. This purpose includes the protection of the interests of DocuSign and its Employees and Customers, including the safeguarding of the security and integrity of their business sector, in particular detecting, preventing, investigating and combating (attempted) criminal or objectionable conduct directed against DocuSign, its Employees or Customers, including the use of and participation in DocuSign's incident registers and sector warning systems, and activities such as those involving health and safety, the protection of DocuSign and Employee assets, and the authentication of Customer, Supplier or Business Partner status and access rights (such as required screening activities for access to DocuSign’s premises or systems);
9. Compliance with law. This purpose addresses Processing of CSB Information necessary for the performance of a task carried out to comply with a legal obligation or sectorial recommendation to which DocuSign is subject, including the disclosure of CSB Information to government institutions or supervisory authorities, including tax authorities, including prevention of money laundering, financing of terrorism and other crimes, customer due diligence and the duty of care towards Customers (e.g., credit monitoring); or
10. Protection of the vital interests of Individuals. This purpose addresses Processing necessary to protect the vital interests of an Individual.

Where there is a question whether a certain Processing of CSB Information can be based on a Business Purpose listed above, the appropriate Privacy Lead should be consulted before the Processing takes place.

Consent

2.2

In addition to the Business Purposes listed in Article 2.1, CSB Information may be Processed if the Individual has given his or her consent to the Processing. If Applicable Data Controller Law requires that DocuSign requests consent of the Individual for the relevant Processing, DocuSign shall, in addition to ensuring that a Business Purpose exists for the Processing, also seek consent of the Individual for the Processing.

When seeking consent, DocuSign must inform the Individual:

1. of the purposes of the Processing for which consent is required;
2. which Group Company is responsible for the Processing;
3. the right to withdraw his or her consent at any time;
4. that withdrawal of consent does not affect the lawfulness of the relevant Processing before such withdrawal.

Where Processing is undertaken at the request of an Individual (e.g., he or she subscribes to a service or seeks a benefit), he or she is deemed to have provided consent to the Processing.

Granting, denial or withdrawal of consent

2.3

The Individual may deny or withdraw consent at any time. Upon withdrawal of consent, DocuSign will discontinue such Processing as soon as reasonably practical. The withdrawal of consent shall not affect (i) the lawfulness of the Processing based on such consent before its withdrawal; and (ii) the lawfulness of Processing for Business Purposes not based on consent after withdrawal.

Use of CSB Information for Secondary Purposes

3.1

Generally, CSB Information shall be used only for the Business Purposes. CSB Information may be Processed for a business purpose other than the Business Purposes (Secondary Purpose) only if the Secondary Purpose is closely related to the Business Purpose(s). Depending on the sensitivity of the relevant CSB Information and whether use of the CSB Information for the Secondary Purpose has potential negative consequences for the Individual, such use may require additional measures such as:

1. limiting access to the CSB Information;
2. imposing additional confidentiality requirements;
3. taking additional security measures, including encryption or pseudonymization;
4. informing the Individual about the Secondary Purpose;
5. providing an opt-out opportunity to the Individual; or
6. obtaining an Individual's consent in accordance with Article 2.2 or Article 4.3 (if applicable).

Generallypermitted uses for Secondary

Purposes

3.2

It is generally permissible to Process CSB Information for the following purposes (even if not listed as a Business Purpose), provided appropriate additional measures are taken in accordance with Article 3.1:

1. transfer of the CSB Information to an Archive;
2. internal audits or investigations;
3. implementation of business controls and operational efficiency;
4. statistical, historical or scientific research;
5. dispute resolution;
6. legal or business consulting; or
7. insurance purposes.

Specific purposes for Processing Sensitive Information

4.1

This Article sets forth specific rules for Processing Sensitive Information. DocuSign shall Process Sensitive Information only to the extent necessary to serve the applicable Business Purpose.

The following categories of Sensitive Information may be collected, used or otherwise Processed for one (or more) of the purposes specified below:

1. Racial or ethnic CSBInformation: in some countries, photos and video images of Individuals qualify as racial or ethnic information. DocuSign may process photos (e.g., a copy of a passport containing a photo) and video images for the protection of DocuSign and Employee assets; site access and security reasons; assessment and acceptance of Customers, including the identification and authentication of Customers (including confirming and verifying the identity of relevant Individuals); Supplier or Business Partner status and access rights; and to verify and confirm advice or record decisions made in the course of business for future reference (e.g. when Individuals participate in video conferencing which is recorded);
2. Criminal CSB Information (including CSB Information relating to criminal behavior, criminal records or proceedings regarding criminal or unlawful behavior), may be processed as necessary for assessment and acceptance of Customers, including the identification and authentication of Customers (including confirming and verifying the identity of relevant Individuals); the execution of an agreement with Customers; and to protect the interests of DocuSign, its Employees and Customers and for the use of and the participation in DocuSign’s incident registers and sector warning systems;
3. Physical or mental health CSB Information: May be processed as necessary for the assessment and acceptance of a Customer, the execution of an agreement with a Customer, and compliance with DocuSign’s duty of care towards Customers;
4. Religion or beliefs: May be processed to accommodate specific products or services for a Customer, such as dietary requirements related to religion or beliefs, or religious holidays;
5. BiometricCSB Information (e.g., fingerprints): for the protection of DocuSign and its Employees, assets, site access and security reasons.

General Purposes for Processing of Sensitive Information

4.2

In addition to the specific purposes listed in Article 4.1 above, all categories of Sensitive Information may be Processed under (one or more of) the following circumstances:

1. as required or allowed for the performance of a task carried out to comply with a legal obligation or sectorial recommendation to which DocuSign is subject;
2. for dispute resolution and/or fraud prevention;
3. to protect a vital interest of an Individual, but only where it is impossible to obtain the Individual’s consent first;
4. to the extent necessary to comply with an obligation of international public law (e.g., a treaty); or
5. if the Sensitive Information has been posted or otherwise shared at the Individual’s own initiative on DocuSign social media or has manifestly been made public by the Individual.

Consent, and the denial or withdrawal thereof

4.3

In addition to the specific purposes listed in Article 4.1 and the general purposes listed in Article 4.2, all categories of Sensitive Information may be Processed if the Individual has given his or her explicit consent to the Processing.

If Applicable Data Controller Law requires that DocuSign requests consent of the Individual for the relevant Processing, DocuSign shall, in addition to ensuring that one of the grounds listed in Article 4.1 or 4.2 exists for the Processing, also seek consent of the Individual for the Processing.

The requirements set out in Articles 2.2 and 2.3 apply to the granting, denial or withdrawal of consent.

Prior Authorization of the Chief Privacy Officer

4.4

Where Sensitive Information is Processed based on a requirement of law other than the local law applicable to the Processing, the Processing requires the prior authorization of the appropriate Chief Privacy Officer.

Use of Sensitive Information for Secondary Purposes

4.5

Sensitive Information of Individuals may be Processed for Secondary Purposes in accordance with Article 3.

No Excessive CSB Information

5.1

DocuSign shall restrict the Processing of CSB Information to CSB Information that is reasonably adequate for and relevant to the applicable Business Purpose. DocuSign shall take reasonable steps to delete or make unrecoverable CSB Information that is not required for the applicable Business Purpose.

Storage period

5.2

DocuSign generally shall retain CSB Information only for the period required to serve the applicable Business Purpose, to the extent reasonably necessary to comply with applicable law, or as advisable in light of an applicable statute of limitations. DocuSign may specify (e.g., in a sub-policy, notice or records retention schedule) a time period for which certain categories of CSB Information may be kept.

Promptly after the applicable storage period has ended, the Privacy Lead shall direct that the CSB Information be:

1. securely deleted or destroyed;
2. de-identified; or
3. transferred to an Archive (unless this is prohibited by law or an applicable records retention schedule).

Quality of CSB Information

5.3

CSB Information should be accurate, complete and kept up-to-date to the extent reasonably necessary for the applicable Business Purpose.

‘Privacy by Design’

5.4

DocuSign shall take commercially reasonable technical and organizational steps to ensure that the requirements of this Article 5 are implemented into the design of new systems and processes that Process CSB Information.

Accurate, complete and up-to-date CSB Information

5.5

It is the responsibility of Individuals to ensure that their CSB Information, as held by DocuSign, is accurate, complete and up-to-date. Individuals shall inform DocuSign regarding any changes to their CSB Information in accordance with Article 7.

Information requirements

6.1

DocuSign shall inform Individuals through a privacy policy or notice about:

1. the Business Purposes (including Secondary Purposes) for which their CSB Information is Processed;
2. which Group Company is responsible for the Processing as well as the contact information of the Privacy Office;
3. the categories of Third Parties to which the CSB Information is disclosed (if any), whether any such Third Party is covered by an Adequacy Decision and if not, information on the data transfer mechanism as referred to in Article 11.6 (ii), (iv) or (v) as well as the means to get a copy thereof or access thereto; and
4. other relevant information, e.g.:

1. the nature and categories of the CSB Information Processed;
2. the period for which the CSB Information will be stored or (if not possible) the criteria used to determine this period;
3. an overview of the rights of Individuals under this CSB Privacy Code, how these can be exercised, including the right to obtain compensation;
4. the existence of automated decision making referred to in Article 10 as well as meaningful information about the logic involved and potential negative consequences thereof for the Individual; or
5. the source of the CSB Information (where the CSB Information has not been obtained from the Individual), including whether the CSB Information came from a public source.

CSB Information not obtained from the Individual

6.2

Where CSB Information has not been obtained directly from the Individual, DocuSign shall provide the Individual with the information as set out in Article 6.1:

1. within reasonable period after obtaining CSB Information but at least within one month, having regard to specific circumstances of the CSB Information Processed;
2. if CSB Information is used for communication with the Individual, at the latest at the time of the first communication with the Individual;
3. if a disclosure to another recipient is envisaged, at the latest when CSB Information is first disclosed.

Exceptions

6.3

The requirements of Article 6.1 and 6.2 may be inapplicable if:

1. the Individual already has the information as set out in Article 6.1;
2. it would be impossible or would involve a disproportionate effort to provide the information to Individuals, in which case DocuSign will take additional measures to mitigate potential negative consequences for the Individual, such as those listed in Article 3.1;
3. obtaining CSB Information is expressly laid down in applicable law; or
4. the CSB Information must remain confidential subject to an obligation of professional secrecy regulated by applicable local law, including a statutory obligation of secrecy.

These exceptions to the above requirements qualify as Overriding Interests as set out in Article 12.

Right of Access

7.1

Every Individual has the right to request a copy of his or her CSB Information Processed by or on behalf of DocuSign, and further, where reasonably possible, access to the information listed in Article 6.1 or 6.2.

Right to Rectification, Deletion, and Restriction

7.2

If the CSB Information is incorrect, incomplete, or not Processed in compliance with Applicable Data Controller Law or this CSB Privacy Code, the Individual has the right to have his or her CSB Information rectified, deleted or the Processing thereof restricted (as appropriate). In case the CSB Information has been made public by DocuSign, and the Individual is entitled to deletion of the CSB Information, in addition to deleting the relevant CSB Information, DocuSign shall take commercially reasonable steps to inform Third Parties that are Processing the relevant CSB Information or linking to the relevant CSB Information, that the Individual has requested the deletion of the CSB Information by such Third Parties.

Right to Object

7.3

The Individual has the right to object to:

1. the Processing of his or her CSB Information on the basis of compelling grounds related to his or her particular situation, unless DocuSign can demonstrate a prevailing legitimate interest for the Processing; and
2. receiving marketing communications on the basis of Article 9 (including any profiling related thereto).

Restrictions to Rights of Individuals

7.4

The rights of Individuals set out in Articles 7.1-7.3 above do not apply in one or more of the following circumstances:

1. the Processing is required or allowed for the performance of a task carried out to comply with a legal obligation of DocuSign;
2. the Processing is required by or allowed for a task carried out in the public interest, including in the area of public health and for archiving, scientific or historical research or statistical purposes;
3. the Processing is necessary for exercising the right of freedom of expression and information;
4. for dispute resolution purposes;
5. the exercise of the rights by the Individual adversely affects the rights and freedoms of DocuSign or others; or
6. in case a specific restriction of the rights of Individuals applies under Applicable Data Controller Law.

Procedure

7.5

The Individual should send his or her request to the contact indicated in the relevant privacy statement or notice. Individuals may also send their request to the office of the Chief Privacy Officer via email to Privacy@DocuSign.com.

Prior to fulfilling the request of the Individual, DocuSign may require the Individual to:

1. specify the categories of CSB Information to which he or she is seeking access;
2. specify, to the extent reasonably possible, the system in which the CSB Information is likely to be stored;
3. specify the circumstances in which DocuSign obtained the CSB Information;
4. provide proof of his or her identity when DocuSign has reasonable doubts concerning such identity, or to provide additional information enabling his or her identification;
5. pay a fee to compensate DocuSign for the reasonable costs relating to fulfilling the request of the Individual provided DocuSign can reasonably demonstrate that the request is manifestly unfounded or excessive, e.g., because of its repetitive character; and
6. in case of a request for rectification, deletion, or restriction, specify the reasons why the CSB Information is incorrect, incomplete or not Processed in accordance with Applicable Data Controller Law or this CSB Privacy Code.

Response period

7.6

Within one calendar month of DocuSign receiving the request, DocuSign shall inform the Individual in writing or electronically either (i) of DocuSign’s position with regard to the request and any action DocuSign has taken or will take in response, or (ii) the ultimate date on which he or she will be informed of DocuSign’s position and the reasons for the delay, which shall be no later than two calendar months after the original one month period.

Complaint

7. 7

An Individual may file a complaint in accordance with Article 17.3 and/or file a complaint or claim with the authorities or the courts in accordance with Article 18 if:

1. the response to the request is unsatisfactory to the Individual (e.g., the request is denied);
2. the Individual has not received a response as required by Article 7.6; or
3. the time period provided to the Individual in accordance with Article 7.6 is, in light of the relevant circumstances, unreasonably long, and the Individual has objected but has not been provided with a shorter, more reasonable time period in which he or she will receive a response.

Denial of requests

7.8

DocuSign may deny an Individual’s request if:

1. the request does not meet the requirements of Articles 7.1-7.3 or meets the requirements of Article 7.4;
2. the request is not sufficiently specific;
3. the identity of the relevant Individual cannot be established by reasonable means, including additional information provided by the Individual;
4. DocuSign can reasonably demonstrate that the request is manifestly unfounded or excessive, e.g., because of its repetitive character. A time interval between requests of six months or less shall generally be deemed to be an unreasonable time interval.

No requirement to Process identifying information

7.9

DocuSign is not obliged to Process additional information in order to be able to identify the Individual for the sole purpose of facilitating the rights of the Individual under this Article 7.

Security requirement

8.1

DocuSign shall take appropriate commercially reasonable technical, physical and organizational measures to protect CSB Information from misuse or accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, acquisition or access. To achieve this, DocuSign has developed and implemented the DocuSign Information Security Management System and other sub-policies and guidelines relating to the protection of CSB Information.

Data access and confidentiality

8.2

DocuSign shall provide DocuSign Staff access to CSB Information only to the extent necessary to serve the applicable Business Purpose and to perform their job. DocuSign shall impose confidentiality obligations on Staff with access to CSB Information.

Data Security Breach notification requirement

8.3

DocuSign shall document any Information Security Breaches, comprising the facts relating to the Information Security Breach, its effects and the remedial actions taken, which documentation will be made available to the Irish DPA and a DPA competent to audit under Article 16.2 upon request. Group Companies shall inform DocuSign Ireland of an Information Security Breach without delay. If Applicable Data Controller Law so requires, DocuSign shall notify Individuals of a Data Security Breach as soon as reasonably possible following its determination that a Data Security Breach has occurred, unless otherwise prohibited such as if a law enforcement official or a supervisory authority determines that notification would impede a (criminal) investigation or cause damage to national security the trust in the relevant industry sector. In this case, notification shall be delayed as instructed by such law enforcement official or supervisory authority. DocuSign shall respond promptly to inquiries of Individuals relating to such Data Security Breach.

Direct marketing

9.1

This Article sets forth requirements concerning the Processing of CSB Information for direct marketing purposes (e.g., contacting the Individual by email, fax, phone, SMS or otherwise, with a view of solicitation for commercial or charitable purposes).

Consent for direct marketing (opt-in)

9.2

If Applicable Data Controller Law so requires, DocuSign shall only send to Individuals unsolicited commercial communication by email, fax, sms and mms with the prior consent of the Individual ("opt-in"). If Applicable Data Controller Law does not require prior consent of the Individual, DocuSign shall offer the Individual the opportunity to opt-out of such unsolicited commercial communication.

Exception (opt-out)

9.3

Prior consent of the Individual for sending unsolicited commercial communication by email, fax, sms and mms is not required under this CSB Privacy Code if:

1. an Individual has provided his or her electronic contact details to a Group Company in the context of a sale of a product or service of such Group Company;
2. such contact details are used for direct marketing of such Group Company's own similar products or services; and
3. the Individual clearly and distinctly has been given the opportunity to object free of charge, and in an easy manner, to such use of his or her electronic contact details when they are collected by the Group Company.

Information to be provided in each communication

9.4

In every direct marketing communication that DocuSign makes to the Individual, DocuSign shall offer the Individual the opportunity to opt-out of further direct marketing communications from DocuSign.

Objection to direct marketing

9.5

If an Individual objects to receiving marketing communications from DocuSign, or withdraws his or her consent to receive such communications, DocuSign will take steps to refrain from sending further marketing communications as specifically requested by the Individual. DocuSign will do so within the time period required by Applicable Data Controller Law.

Third Parties and Direct marketing

9.6

If Applicable Data Controller Law so requires, DocuSign shall only provide CSB Information to, or use CSB Information on behalf of, Third Parties for Third Parties’ own direct marketing purposes with the prior opt-in consent of the Individual. If Applicable Data Controller Law does not require prior consent of the Individual, DocuSign shall offer the Individual the opportunity to opt-out of such Third Party direct marketing purposes.

Personal Information of Children

9.7

DocuSign shall not use any Personal Information of Children for direct marketing, without the prior consent of the holders of parental responsibility over the Children. DocuSign shall make reasonable efforts to verify that consent is given or authorized by the holders of parental responsibility over the Children.

Direct marketing records

9.8

DocuSign shall keep a record of Individuals that exercised their "opt-in" or "opt-out" right and will regularly check the public opt-out registers in accordance with Applicable Data Controller Law.

Automated decisions

10.1

Automated tools may be used to make decisions about Individuals, but decisions with a significant negative outcome for the Individual may not be based solely on the results provided by the automated tool. This restriction does not apply if:

1. the use of automated tools is necessary for the performance of a task carried out to comply with a legal obligation or sectorial recommendation to which DocuSign is subject;
2. the decision is made by DocuSign for purposes of (a) entering into or performing a contract or (b) managing the contract, provided the underlying request leading to a decision by DocuSign was made by the Individual (e.g., where automated tools are used to filter promotional game submissions); or
3. the decision is made based on the explicit consent of the Individual.

Items (i) and (iii) only apply if suitable measures are taken to safeguard the legitimate interests of the Individual (e.g., the Individual has been provided with an opportunity to express his or her point of view).

The requirements set out in Articles 2.2 and 2.3 apply to the requesting, denial or withdrawal of Individual consent.

Transfer to Third Parties

11.1

This Article sets forth requirements concerning the transfer of CSB Information from DocuSign to a Third Party. Note that a transfer of CSB Information includes situations in which DocuSign discloses CSB Information to a Third Party (e.g., in the context of corporate due diligence) or where DocuSign provides remote access to CSB Information to a Third Party.

Third Party Controllers and Third Party Processors

11.2

There are two categories of Third Parties:

1. Third Party Controllers: these are Third Parties that Process CSB Information and determine the purpose and means of the Processing (e.g., DocuSign Business Partners that provide their own goods or services directly to Customers);
2. Third Party Processors: these are Third Parties that Process CSB Information solely on behalf of DocuSign and at its direction (e.g., Third Parties that Process CSB Information in performing service or technical customer support for Customers, or hosting services).

Transfer for applicable Business Purpose only

11.3

DocuSign shall transfer CSB Information to a Third Party to the extent necessary to serve the applicable Business Purpose (including Secondary Purposes as per Article 3 or purposes for which the Individual has provided consent in accordance with Article 2).

Third Party Controller contracts

11.4

Third Party Controllers (other than government agencies) may Process CSB Information transferred by DocuSign only if they have a written or electronic contract with DocuSign. In the contract, DocuSign shall seek to contractually protect the privacy protection interests of its Individuals when CSB Information is Processed by Third Party Controllers. All such contracts shall be drafted consistent with appropriate contracting guidelines.

Third Party Processor contracts

11.5

Third Party Processors may Process CSB Information only if they have a validly entered into written or electronic agreement with DocuSign (Processor Contract). The Processor Contract must include the following provisions:

1. the Third Party Processor shall Process CSB Information only for the purposes authorized by DocuSign and in accordance with DocuSign's documented instructions including on transfers of CSB Information to any Third Party Processor not covered by an Adequacy Decision, unless the Third Party Processor is required to do so under mandatory requirements applicable to the Third Party Processor and notified to DocuSign;
2. the Third Party Processor shall keep the CSB Information confidential and shall impose confidentiality obligations on Staff with access to CSB Information;
3. the Third Party Processor shall take appropriate technical, physical and organizational security measures to protect the CSB Information;
4. the Third Party Processor shall only permit subcontractors to Process CSB Information in connection with its obligations to DocuSign (a) with the prior specific or generic consent of DocuSign and (b) based on a validly entered into written or electronic agreement with the subcontractor, which imposes similar privacy protection-related Processing terms as those imposed on the Third Party Processor under the Processor Contract and provided that the Third Party Processor remains liable to DocuSign for the performance of the subcontractor in accordance with the terms of the Processor Contract. In case DocuSign provides generic consent for involvement of subcontractors, the Third Party Processor shall provide notice to DocuSign of any changes in its subcontractors and will provide DocuSign the opportunity to object to such changes based on reasonable grounds;
5. DocuSign should be able to verify the security measures taken by the Third Party Processor (a) by an obligation of Third Party Processor to submit its relevant information processing facilities to audits and inspections by DocuSign, a Third Party on behalf of DocuSign, or any relevant government authority; or (b) by means of a statement issued by a qualified independent third party assessor on behalf of Third Party Processor certifying that the information processing facilities of the Third Party Processor used for the Processing of the CSB Information comply with the requirements of the Processor Contract;
6. The Third Party Processor shall deal promptly and appropriately with:
   1. requests for information necessary to demonstrate compliance of the Third Party Processor with its obligations under the Processor Contract and will inform DocuSign if any instructions of DocuSign in this respect violate Applicable Data Controller Law;
   2. requests and complaints of CSB individuals as instructed by DocuSign; and
   3. requests for assistance of DocuSign as reasonably required to ensure compliance of the Processing of the CSB Information with Applicable Data Controller Law;
7. The Third Party Processor shall promptly inform DocuSign of a Data Security Breach involving CSB Information; and
8. Upon termination of the Processor Contract, the Third Party Processor shall, at the option of DocuSign, return the CSB Information and copies thereof to DocuSign or shall securely delete such CSB Information, except to the extent the Processor Contract or applicable law provides otherwise.

Transfer of CSBInformation to Third Parties outside the EEA that are not covered by Adequacy Decisions

11.6

This Article sets forth additional rules for CSB Information that is (a) collected originally in connection with activities of a Group Company that is located in the EEA or covered by an Adequacy Decision; and (b) transferred to a Third Party that is located outside the EEA and not covered by an Adequacy Decision.

CSB Information may be transferred only if:

1. the transfer is necessary for the performance of a contract with the Individual, for managing a contract with the Individual, or to take necessary steps at the request of the Individual prior to entering into a contract, e.g., for processing orders;
2. a contract has been concluded between DocuSign and the relevant Third Party requiring that (a) such Third Party shall be bound by the terms of this CSB Privacy Code as were it a Group Company; (b) provides for safeguards at a similar level of protection as that provided by this CSB Privacy Code; or (c) that is recognized under Data Protection Law as providing an “adequate” level of privacy protection;
3. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Individual between DocuSign and a Third Party (e.g., in case of recalls);
4. the Third Party has been certified under a ‘safe harbor’ program that is recognized under Data Protection Law as providing an “adequate” level of privacy protection, such as the EU-U.S. Privacy Shield program;
5. the Third Party has implemented Binding Corporate Rules or a similar transfer control mechanism as providing an “adequate” level of privacy protection;
6. the transfer is necessary to protect a vital interest of the Individual;
7. the transfer is necessary for the establishment, exercise or defense of a legal claim;
8. the transfer is necessary to satisfy a pressing need to protect the public interests of a democratic society; or
9. the transfer is necessary for the performance of a task carried out to comply with a legal obligation to which the relevant Group Company is subject.

Items (viii) and (ix) above require the prior approval of the Chief Privacy Officer.

Consent for transfer

11.7

In addition to the grounds listed in Article 11.6 DocuSign may transfer CSB Information to a Third Party located outside the EEA that is not covered by an Adequacy Decision if the Individual has given his or her consent to the transfer. If Applicable Data Controller Law so requires DocuSign shall, in addition to having one of the grounds listed in Article 11.6, also seek consent of the Individual for the relevant transfer.

Prior to requesting consent, the Individual shall be provided with the following information:

1. the purpose of the transfer;
2. the identity of the transferring Group Company;
3. the identity or categories of Third Parties to which the CSB Information will be transferred;
4. the categories of CSB Information that will be transferred;
5. the country to which the CSB Information will be transferred; and
6. the fact that the CSB Information will be transferred to a Third Party not covered by an Adequacy Decision.

The requirements set out in Articles 2.2 and 2.3 apply to the granting, denial or withdrawal of Individual consent.

Internal Processors

11.8

Internal Processors may Process CSB Information only if they have a validly entered into written or electronic contract with the Group Company acting as the Data Controller of the relevant CSB Information, which contract must in any event include the provisions set out in Article 11.5.

Overriding Interests

12.1

The obligations of DocuSign or rights of Individuals as specified in Articles 12.2. and 12.3. may be overridden if, under the specific circumstances at issue, a pressing need exists that outweighs the interest of the Individual (Overriding Interest). An Overriding Interest exists if there is a need to:

1. protect the legitimate business interests of DocuSign including:

1. the health, security or safety of Employees or Individuals;
2. DocuSign's intellectual property rights, trade secrets or reputation;
3. the continuity of DocuSign's business operations;
4. the preservation of confidentiality in a proposed sale, merger or acquisition of a business; or
5. the involvement of trusted advisors or consultants for business, legal, tax, or insurance purposes;

2. prevent or investigate (including cooperating with law enforcement) suspected or actual violations of law; or
3. otherwise protect or defend the rights or freedoms of DocuSign, its Employees or other persons.

Exceptions in the event of Overriding Interests

12.2

If an Overriding Interest exists, one or more of the following obligations of DocuSign or rights of the Individual may be set aside:

1. Article 3.1 (the requirement to Process CSB Information for closely related purposes);
2. Article 5.2 (data storage and deletion);
3. Articles 6.1 and 6.2 (information provided to Individuals);
4. Articles 7.1-7.3 (rights of Individuals);
5. Article 8.2 (Staff access limitations and confidentiality requirements); and
6. Articles 11.4, 11.5 and 11.6 (ii) (contracts with Third Parties).

Sensitive Information

12.3

The requirements of Articles 4.1 and 4.2 (Sensitive Information) may be set aside only for the Overriding Interests listed in Article 12.1 (i) (a), (b), (c) and (e), (ii) and (iii).

Consultation with Chief Privacy Officer

12.4

Setting aside obligations of DocuSign or rights of Individuals based on an Overriding Interest requires prior consultation of the Chief Privacy Officer. The Chief Privacy Officer shall document his or her advice.

Information to Individual

12.5

Upon request of the Individual, DocuSign shall inform the Individual of the Overriding Interest for which obligations of DocuSign or rights of the Individual have been set aside, unless the particular Overriding Interest sets aside the requirements of Articles 6.1 or 7.1 - 7.3, in which case the request shall be denied.

Chief Privacy Officer

13.1

DocuSign Inc. shall appoint a Chief Privacy Officer who is responsible for:

1. Supervising compliance with this CSB Privacy Code;
2. Providing periodic reports, as appropriate, to the Chief Executive Officer on data protection risks and compliance issues;
3. Monitoring the performance and periodic review of a Data Protection Impact Assessment (DPIA) before a new system or a business process involving Processing of CSB Information is implemented as described in Article Error! Reference source not found.14.3;
4. Deciding on complaints as described in Article 16.3; and
5. Coordinating, in conjunction with the appropriate Privacy Lead, official investigations or inquiries into the Processing of CSB Information by a public authority.

Security & Privacy Council

13.2

The Chief Privacy Officer shall maintain an advisory Security & Privacy Council. The Security & Privacy Council has created and shall maintain a privacy compliance framework for:

1. Developing and maintaining (including monitoring and testing) policies, procedures and system information  (as required by Articles 14 and 15);
2. Planning training and awareness programs;
3. Monitoring and reporting on compliance with this CSB Privacy Code;
4. Overseeing the collection, investigation and resolution of privacy inquiries, concerns and complaints; and
5. Determining and updating appropriate sanctions for violations of this CSB Privacy Code (e.g., disciplinary standards in cooperation with other relevant internal functions, such as HR and Legal).

Privacy Leads

13.3

The Chief Privacy Officer has established and shall maintain a global network of Privacy Leads sufficient to direct compliance with this CSB Privacy Code within their respective regions or organizations.

The Privacy Leads shall perform the following tasks:

1. Regularly advise their respective executive teams and the Chief Privacy Officer on privacy risks and compliance issues, including any new legal requirement that the Privacy Lead believes to interfere with DocuSign’s ability to comply with this CSB Privacy Code (as required by Article 20.3);
2. Maintain and ensure that the policies and procedures are implemented, the system information is maintained and Data Protection Impact Assessments (DPIAs) are performed);
3. Implement the privacy compliance framework as required by the Chief Privacy Officer;
4. Be available for requests for privacy approvals or advice as described in Article 7;
5. Own and authorize all appropriate privacy sub-policies in their organizations; and
6. Cooperate with the Chief Privacy Officer, and other Privacy Leads.

Responsible Executive

13.4

The Responsible Executive shall perform at least the following tasks:

1. Ensure that the policies and procedures are implemented, the system information is maintained and DPIAs are performed (as required by Article 14);
2. Ensure that CSB Information is deleted, destroyed, de-identified or transferred (as required by Article 5.2); and
3. Determine how to comply with this CSB Privacy Code when there is a conflict with applicable law (as required by Article 20.2).

Privacy Lead with a statutory position

13.5

Where a Privacy Lead holds his or her position pursuant to law, he or she shall carry out his or her job responsibilities to the extent they do not conflict with his or her statutory position.

Policies and procedures

14.1

DocuSign shall develop and implement policies and procedures to comply with this CSB Privacy Code.

System information

14.2

DocuSign shall maintain readily available information regarding the structure and functioning of all systems and processes that Process CSB Information (e.g., inventory of systems and processes). A copy of this information will be provided to the Irish DPA or to a DPA competent to audit under Article 16.2 upon request.

Data Protection Impact Assessment

14.3

DocuSign shall maintain a procedure to conduct and document a prior assessment of the impact which a given Processing may have on the protection of CSB Information, where such Processing is likely to result in a high risk for the rights and freedoms of Individuals, in particular where new technologies are used (Data Protection Impact Assessment). Where the Data Protection Impact Assessment shows that, despite mitigating measures taken by DocuSign, the Processing still presents a residual high risk for the rights and freedoms of Customers, the Irish DPA will be consulted prior to such Processing taking place.

Staff training

15.1

DocuSign shall provide training on the obligations and principles laid down in this CSB Privacy Code and other privacy and data security obligations to Staff who have access to or responsibilities associated with managing CSB Information.

Audits

16.1

DocuSign’s internal audit team shall audit business processes and procedures that involve the Processing of CSB Information for compliance with this CSB Privacy Code. The audits shall be carried out in the course of the regular activities of DocuSign’s internal audit team or at the request of the Chief Privacy Officer. The Chief Privacy Officer may request to have an audit as specified in this Article conducted by an external auditor. Applicable professional standards of independence, integrity and confidentiality shall be observed when conducting an audit. The Chief Privacy Officer and the appropriate Privacy Leads shall be informed of the results of the audits. Any violations of this CSB Privacy Code identified in the audit report will be reported back to the Responsible Executive. A copy of the audit results related to compliance with this CSB Privacy Code will be provided upon request to the Irish DPA or to any Competent DPA.

DPA audit

16.2

Subject to Article 16.3, the Irish DPA may request an audit of the facilities used by DocuSign for the Processing of CSB Information for compliance with this CSB Privacy Code. In addition, a DPA that has the right under Applicable Data Controller Law to audit a Group Company (a “Competent DPA”) will be authorized to audit the relevant data transfer for compliance with this CSB Privacy Code, subject to the same conditions as would apply to an audit by that DPA under Applicable Data Controller Law.

DPA audit procedure

16.3

DocuSign will facilitate any audit by a DPA under Article 16.2 by undertaking the following actions:

1. Information sharing: DocuSign will attempt to resolve the request by providing information to the DPA including DocuSign audit reports, discussion with DocuSign subject matter experts, and review of security, privacy, and operational controls in place.
2. Examinations: If the information available through these mechanisms is insufficient to address the DPA’s stated objectives, DocuSign will provide the DPA with the opportunity to communicate with DocuSign’s auditor and if required, a direct right to examine DocuSign’s data processing facilities used to process the CSB Information on giving reasonable prior notice and during business hours, with full respect to the confidentiality of the information obtained and to the trade secrets of DocuSign
3. Scope: Nothing in this Article 16.3 will be construed to take away any audit rights that a DPA may have under applicable law. This CSB Privacy Code provides supplemental audit rights to DPAs only. In the event of any conflict between this Article 16.3 and applicable law, the provisions of applicable law shall prevail.

Annual Privacy Report

16.4

The Chief Privacy Officer shall produce an annual CSB Information privacy report for the Chief Executive Officer of DocuSign Inc. on compliance with this CSB Privacy Code, privacy protection risks and other relevant issues.

Each Privacy Lead shall provide information relevant to the report to the Chief Privacy Officer.

Mitigation

16.5

DocuSign shall, if so indicated, ensure that adequate steps are taken to address breaches of this CSB Privacy Code identified during the monitoring or auditing of compliance pursuant to this Article 16.

Complaint

17.1

Individuals may file a complaint in respect of any claim they have under Article 18.1 or violations of their rights under Applicable Data Controller Law in accordance with the complaints procedure set forth in the relevant privacy policy or contract. The complaint shall be forwarded to the appropriate Privacy Lead.

The appropriate Privacy Lead shall:

1. notify the Chief Privacy Officer;
2. analyze the complaint and, initiate an investigation; and
3. when necessary, advise the business on the appropriate measures for compliance, and monitor, through to completion, the steps designed to achieve compliance.

The appropriate Privacy Lead may consult with any government authority having jurisdiction over a particular matter about the measures to be taken.

Reply to Individual

17.2

DocuSign will use reasonable efforts to resolve complaints without undue delay, so that a response is given to the Customer Individual within one calendar month of the date that the complaint was filed. The appropriate Privacy Lead shall inform the Individual in writing via the means that the Individual originally used to contact DocuSign (e.g., via mail or email) either (i) of DocuSign’s position with regard to the complaint and any action DocuSign has taken or will take in response or (ii) when he or she will be informed of DocuSign's position, which shall be no later than two calendar months after the original one month period. The appropriate Privacy Lead shall send a copy of the complaint and his or her written reply to the Chief Privacy Officer.

Complaint to Chief Privacy Officer

17.3

An Individual may file a complaint with the Chief Privacy Officer if:

1. the resolution of the complaint by the appropriate Privacy Lead is unsatisfactory to the Individual (e.g., the complaint is rejected);
2. the Individual has not received a response as required by Article 17.2;
3. the time period provided to the Individual pursuant to Article 17.2 is, in light of the relevant circumstances, unreasonably long and the Individual has objected but has not been provided with a shorter, more reasonable time period in which he or she will receive a response; or
4. in one of the events listed in Article 7.7.

The procedure described in Articles 17.1 through 17.2 shall apply to complaints filed with the Chief Privacy Officer.

If the response of the Chief Privacy Officer to the complaint is unsatisfactory to the Individual (e.g., the request is denied), the Individual can file a complaint or claim with the authorities or the courts in accordance with Article 18.2.

Complaints procedure

18.1

Individuals are encouraged to first follow the complaints procedure set forth in Article 17 of this CSB Privacy Code before filing any complaint or claim with the competent DPAs or the courts.

Rights of Individuals

18.2

If DocuSign violates the Privacy Code with respect to the CSB Information of an Individual (Affected Individual) covered by this Privacy Code, the Affected Individual can as a third party beneficiary enforce any claim as a result of a breach of Articles 1.6, 2 – 11, 12.5, 16.2, 17, 18 and 20.4 - 20.5 in accordance with Article 18.2.

The rights contained in this Article are in addition to, and shall not prejudice, any other rights or remedies that an Individual may otherwise have by law.

Jurisdiction for claims of Individuals

18.2

In case of a violation of this CSB Privacy Code, the Individual may, at his/her choice, submit a complaint or claim to the DPA or the courts:

1. in the EEA country at the origin of the data transfer, against the Group Company in such country of origin responsible for the relevant data transfer;
2. in Ireland, against DocuSign Ireland; or
3. in the EEA country where (a) the Individual has his or her habitual residence or place of work, or (b) the infringement took place, against the Group Company that is the Data Controller of the relevant CSB Information or DocuSign Ireland.

The Group Company against which the complaint or claim is brought (relevant Group Company), may not rely on a breach by another Group Company or a Third Party Processor to avoid liability except to the extent any defense of such other Group Company or Third Party Processor would also constitute a defense of the relevant Group Company.

The DPAs and courts shall apply their own substantive and procedural laws to the dispute. Any choice made by the Individual will not prejudice the substantive or procedural rights he or she may have under applicable law.

Right to claim damages

18.3

In case an Individual has a claim under Article 18.2, and

1. the relevant Processing is governed by Data Protection Law, such Individual shall be entitled to compensation of damages suffered by an Individual resulting from a violation of this CSB Privacy Code to the extent provided by applicable EEA law; or
2. the relevant Processing is not governed by Data Protection Law, such Individual shall be entitled to compensation of actual direct damages (which exclude, without limitation, lost profits or revenue, lost turnover, cost of capital, and downtime cost), suffered by an Individual resulting from a violation of this CSB Privacy Code, to the extent provided by applicable EEA law.

Burden of proof in respect of claim for damages

18.4

In case an Individual brings a claim for damages under Article 18.2, it will be for the Individual to demonstrate that he or she has suffered the relevant damages and to establish facts which show it is plausible that the damage has occurred because of a violation of the CSB Privacy Code. It will subsequently be for the relevant Group Company to prove that the damages suffered by the Individual due to a violation of this CSB Privacy Code are not attributable to DocuSign.

Mutual assistance and redress

18.5

All Group Companies shall co-operate and assist each other to the extent reasonably possible to handle:

1. a request, complaint or claim made by an Individual; or
2. a lawful investigation or inquiry by a competent DPA or government authority.

The Group Company that receives a request, complaint or claim from an Individual is responsible for handling any communication with the Individual regarding his or her request, complaint or claim except where circumstances dictate otherwise.

Advice of the Irish DPA and Competent DPAs

18.6

DocuSign Ireland shall abide by the advice of the Irish DPA and Competent DPAs issued on the interpretation and application of this CSB Privacy Code.

Mitigation

18.7

DocuSign Ireland shall ensure that adequate steps are taken to address violations of this CSB Privacy Code by a Group Company.

Law applicable to Code

18.8

This CSB Privacy Code shall be governed by and interpreted in accordance with Irish law.

Non-compliance

19.1

Non-compliance of Employees with this CSB Privacy Code may result in disciplinary action in accordance with DocuSign policies and local law, up to and including termination of employment.

Conflict of law when transferring CSB Information

20.1

Where a legal requirement to transfer CSB Information conflicts with the laws of the Member States of the EEA, the transfer requires the prior approval of the Chief Privacy Officer. The Chief Privacy Officer may seek the advice of the Irish DPA or another competent government authority.

Conflict between CSB Privacy Code and law

20.2

In all other cases, where there is a conflict between applicable local law and this CSB Privacy Code, the relevant Responsible Executive shall consult with the Chief Privacy Officer to determine how to comply with this CSB Privacy Code and resolve the conflict to the extent reasonably practicable given the legal requirements applicable to the relevant Group Company.

New conflicting legal requirements

20.3

The relevant Privacy Leads, in consultation with the legal department, shall promptly inform the Responsible Executive of any new legal requirement that may interfere with DocuSign's ability to comply with this CSB Privacy Code.

Reporting to Lead DPA

20.4

If DocuSign becomes aware that applicable local law of a non-EEA country is likely to have a substantial adverse effect on the protection offered by this Privacy Code, DocuSign will report this to the Irish DPA.

Requests for Disclosure of CSB Information

20.5

If DocuSign receives a request for disclosure of CSB Information from a law enforcement authority or state security body of a non-EEA country (Authority), it will first assess on a case-by-case basis whether this request (Disclosure Request) is legally valid and binding on DocuSign. Any Disclosure Request that is not legally valid and binding on Company will be resisted in accordance with applicable law.

Subject to the following paragraph, DocuSign shall promptly inform the Irish DPA of any legally valid and binding Disclosure Requests, and will request the Authority to put such Disclosure Requests on hold for a reasonable delay in order to enable the Irish DPA to issue an opinion on the validity of the relevant disclosure.

If suspension and/or notification of a Disclosure Request is prohibited, such as in case of a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation, DocuSign will request the Authority to waive this prohibition and will document that it has made this request. In any event, DocuSign will on an annual basis provide to the Irish DPA general information on the number and type of Disclosure Requests it received in the preceding 12 month period, to the fullest extent permitted by applicable law.

In any event, any transfers by DocuSign of CBS Information to any Authority in response to a Disclosure Request will not be massive, disproportionate or indiscriminate in a manner that would go beyond what is necessary in a democratic society.

Approval for changes

21.1

Any changes to this CSB Privacy Code require the prior approval of the Chief Executive Officer of DocuSign Inc. and shall thereafter be communicated to the Group Companies. The Chief Privacy Officer shall promptly inform the Irish DPA of changes to this Privacy Code that have a significant impact on the protection offered by this Privacy Code or the Privacy Code itself and will be responsible for coordinating DocuSign’s responses to questions of the Irish DPA in respect thereof. Other changes (if any) will be notified by the Chief Privacy Officer to the Irish DPA on a yearly basis.

Effective Date of changes

21.2

Any change shall enter into force with immediate effect after it has been approved in accordance with Article 21.1 and is published on the DocuSign Global Intranet.

Prior versions

21.3

Any request, complaint or claim of an Individual involving this CSB Privacy Code shall be judged against the version of this CSB Privacy Code as it is in force at the time the request, complaint or claim is made.

Transition period for new Group Companies

22.1

Any entity that becomes a Group Company after the Effective Date shall comply with this CSB Privacy Code within one year of becoming a Group Company.

Transition Period for Divested Entities

22.2

A Divested Entity (or specific parts thereof) will remain covered by this CSB Privacy Code after its divestment for such period as is required by DocuSign to disentangle the Processing of CSB Information relating to such Divested Entity.

Transition period for IT Systems

22.3

Where implementation of this CSB Privacy Code requires updates or changes to information technology systems (including replacement of systems), the transition period shall be two years from the Effective Date or from the date an entity becomes a Group Company, or any longer period as is reasonably necessary to complete the update, change or replacement process.

Transition period for existing agreements

22.4

Where there are existing agreements with Third Parties that are affected by this CSB Privacy Code, the provisions of the agreements will prevail until the agreements are renewed in the normal course of business.

Transitional period for Local-for-Local Processing

22.5

Local-for-Local Processing subject to this CSB Privacy Code shall be brought into compliance with this CSB Privacy Code within five years of the Effective Date.

Compliance during the Transitional Period

22.6

During the transition periods set out in Article 22.1 – 22.5, no CSB Information will be transferred to a Group Company under this CSB Privacy Code until that Group Company is (i) fully compliant or (ii) an alternative data transfer mechanism has been put in place, such as standard contractual clauses.

Contact details

DocuSign Privacy Office

c/o DocuSign Ireland

Attn: Legal/Privacy

1 Cumberland Place

Fenian Street, Floor 3

Dublin 2, Republic of Ireland