Skip to main content

Binding Corporate Rules

OverviewController PolicyProcessor Policy

Binding Corporate Rules: Controller Policy

Effective date:  January 26, 2023

PART I: INTRODUCTION

This Binding Corporate Rules: Controller Policy (“Controller Policy”) establishes DocuSign's approach to compliance with applicable data protection laws (and, in particular, European laws) when processing personal information for its own purposes as a controller.

Scope of this Controller Policy

This Controller Policy applies when we process personal information as a controller and transfer personal information between group members. This Controller Policy applies regardless of whether our group members process personal information by manual or automated means.

The standards described in the Controller Policy are worldwide standards that apply to all group members when processing any personal information as a controller. As such, this Controller Policy applies regardless of the origin of the personal information that we process, the country in which we process personal information, or the country in which a group member is established.

For an explanation of some of the terms used in this Controller Policy, like "controller", "process", and "personal information", please see the section headed "Important terms used in this Controller Policy" below.

The material scope of this Controller Policy

The material scope of this Controller Policy is set out in Appendix 2. This describes the types of personal information, data subjects, and transfers that are protected by this Controller Policy. However, we must apply the standards described in this Controller Policy to all transfers of personal information to and between group members, even if they are not explicitly listed in Appendix 2.

Our collective responsibility to comply with this Controller Policy

All group members and their staff must comply with, and respect, this Controller Policy when processing personal information as a controller, irrespective of the country in which they are located.

In particular, all group members who process personal information as a controller must comply with:

  • the rules set out in Part II of this Controller Policy;

  • the practical commitments set out in Part III of this Controller Policy;

  • the third party beneficiary rights set out in Part IV; and

  • the policies and procedures appended in Part V of this Controller Policy.

Management commitment and consequences of non-compliance

DocuSign's management is fully committed to ensuring that all group members and their staff comply with this Controller Policy at all times.

Non-compliance may cause DocuSign to be subject to sanctions imposed by competent data protection authorities and courts, and may cause harm or distress to individuals whose personal information has not been protected in accordance with the standards described in this Controller Policy.

In recognition of the gravity of these risks, staff members who do not comply with this Controller Policy will be subject to disciplinary action, up to and including dismissal.

Relationship with DocuSign's Binding Corporate Rules: Processor Policy

This Controller Policy applies only to personal information that DocuSign processes as a controller (i.e. for its own purposes).

DocuSign has a separate Binding Corporate Rules: Processor Policy ("Processor Policy") that applies when it processes personal information as a processor in order to provide a service to a third party (such as an enterprise customer).

In some situations, group members may act as both a controller and a processor. Where this is the case, they must comply both with this Controller Policy and also the Processor Policy as appropriate. If in any doubt which policy applies to you, please speak with the Office of the Chief Privacy Officer whose contact details are provided below.

Where will this Controller Policy be made available?

This Controller Policy is accessible on DocuSign's corporate website at www.docusign.com/trust/privacy.


Important terms used in this Controller Policy

For the purposes of this Controller Policy:

  • the term applicable data protection laws includes the data protection laws in force in the territory from which a group member initially transfers personal information under this Controller Policy. Where a European group member transfers personal information under this Controller Policy to a non-European group member, the term applicable data protection laws shall include the European data protection laws applicable to that European group member (including Europe's General Data Protection Regulation);

  • the term controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal information. For example, DocuSign is a controller of its Customer data and staff data;

  • the term Europe (and European) as used in this Policy refers to the Member States of the European Economic Area – that is, the Member States of the European Union plus Norway, Liechtenstein and Iceland;

  • the term group member means the members of DocuSign's group of companies listed in Appendix 1;

  • the term personal information means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The term personal information shall include any information that is "personal data", "personally identifiable information", "personal information" and any analogous concept under applicable data protection laws;

  • the term processing means any operation or set of operations which is performed on personal information or on sets of personal information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

  • the term processor means a natural or legal person which processes personal information on behalf of a controller (for example, a third-party service provider that is processing personal information in order to provide a service to DocuSign);

  • the term Processor Policy refers to DocuSign's Binding Corporate Rules: Processor Policy, which is available on DocuSign's website at www.docusign.com/trust/privacy. The Processor Policy applies where DocuSign processes personal information as a processor on behalf of a third party controller;

  • the term sensitive personal information means information that relates to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation. It also includes information about an individual's criminal offences or convictions, as well as any other information deemed sensitive under applicable data protection laws;

  • the term staff refers to all employees, new hires, individual contractors and consultants, and temporary staff engaged by any DocuSign group member. All staff must comply with this Controller Policy; and

  • the term transfer impact assessment is further defined in Rule 12 of this Processor Policy and relates to the assessment carried out by DocuSign and applicable DocuSign group members in accordance with Appendix 12 (Transfer Impact Assessment Policy).

How to raise questions or concerns

If you have any questions regarding this Controller Policy, your rights under this Controller Policy or applicable data protection laws, or any other data protection issues, you can contact the Office of the Chief Privacy Officer using the details below. The Office of the Chief Privacy Officer will either deal with the matter directly or forward it to the appropriate person or department within DocuSign to respond.

Attention:

Office of the Chief Privacy Officer

Email:

privacy@docusign.com

Address:

DocuSign Inc.
221 Main Street
Suite 1000
San Francisco
California 94105

 

The Office of the Chief Privacy Officer will ensure that changes to this Policy are notified to the group members and to individuals whose personal information is processed by DocuSign in accordance with Appendix 10.

If you want to exercise any of your data protection rights, please see the data protection rights procedure set out in Appendix 4. Alternatively, if you are unhappy about the way in which DocuSign has used your personal information, you can raise a complaint in accordance with our complaint handling procedure set out in Appendix 8.

Return to top

PART II: OUR OBLIGATIONS

This Controller Policy applies in all situations where a group member processes personal information as a Controller anywhere in the world. All staff and group members must comply with the following obligations:

Rule 1 – Lawfulness:

 

We must ensure that processing is at all times compliant with applicable law and this Controller Policy.

We must at all times comply with any applicable data protection laws, as well as the standards set out in this Controller Policy, when processing personal information.

The rights and obligations that apply to personal information within the scope of this Controller Policy “travel” with the personal information whenever it is transferred to or between group members. This means that where in-scope personal information is transferred to an importing group member in another country, that personal information must be protected to the standards set out in this Controller Policy, even if the importing group member is not subject to applicable data protection laws or is subject to applicable data protection laws that provide for lower standards.

As such:

where applicable data protection laws exceed the standards set out in this Controller Policy, we must comply with those laws; but

where there are no applicable data protection laws, or where applicable data protection laws do not meet the standards set out in this Controller Policy, we must process personal information in accordance with the standards set out in this Controller Policy.

We must always ensure that we have a lawful basis for processing Personal Information, consistent with the requirements of Applicable Data Protection Laws. In particular, if we rely on an individual's consent to process personal information, that consent must be given freely, specific, informed and unambiguous, and given by way of a statement or clear affirmative action. Silence, pre-ticked boxes or inactivity will not constitute consent.

Rule 2 – Fairness and transparency:

 

We must inform individuals how and why their personal information will be processed.

We must provide individuals with the Fair Information Disclosures (see Appendix 3) when we process their personal information.

We must take appropriate measures to communicate the Fair Information Disclosures to individuals in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The Fair Information Disclosures shall be provided in writing, or by other means, including, where appropriate, by electronic means. They may be provided orally, at the request of an individual, provided that the identity of that individual is proven by other means.

If we have not obtained Personal Information directly from the individual him or herself then, in certain limited cases, we may not need to provide the Fair Information Disclosures, as explained in Appendix 3. Where this is the case, the Office of the Chief Privacy Officer must be informed and will decide what course of action is appropriate to protect the individual's rights, freedoms and legitimate interests.

Rule 3 – Purpose limitation:

We must process personal information only for specified, explicit and legitimate purposes and not further process that information in a manner that is incompatible with those purposes.

We must only process personal information for specified, explicit and legitimate purposes that have been communicated to the individuals concerned in accordance with Rule 2 We must not process their personal information in a way that is incompatible for those purposes, except in accordance with applicable law or with the individual's consent.

If we intend to process personal information for a purpose which is incompatible with the purpose for which the personal information was originally collected, we may only do so if such further processing is permitted by applicable law or we have the individual's consent. We must also provide the individual with Fair Information Disclosures about the further processing in accordance with Rule 2.

In assessing whether any processing is compatible with the purpose for which the personal information was originally collected, we must take into account:

any link between the purposes for which the personal information was originally collected and the purposes of the intended further processing;

the context in which the personal information was collected, and in particular the reasonable expectations of the individuals whose personal information will be processed;

the nature of the personal information, in particular whether such information may constitute sensitive personal information;

the possible consequences of the intended further processing for the individuals concerned; and

the existence of any appropriate safeguards that we have implemented in both the original and intended further processing operations.

Rule 4 – Data minimisation:

We must only process personal information that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

We must only process personal information that is adequate, relevant and limited in order to properly fulfil the desired processing purposes. We must not process personal information that is unnecessary to achieve those purposes.

Rule 5 – Accuracy:

We must keep personal information accurate and, where necessary, up to date.

We must take appropriate measures to ensure that the information we process is accurate and, where necessary, kept up to date – for example, by giving individuals the ability to inform us when their personal information has changed or become inaccurate.

We must take every reasonable step to ensure that personal information that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

Rule 6 – Storage limitation:

We will only keep personal information for as long as is necessary for the purposes for which it is collected and further processed.

We must not keep personal information in a form which permits identification of individuals for longer than is necessary for the purposes for which that information is processed.

In particular, we must comply with DocuSign's record retention policies and guidelines as revised and updated from time to time.

Rule 7 – Security, integrity and confidentiality:

We must implement appropriate technical and organisational measures to ensure a level of security of personal information that is appropriate to the risk for the rights and freedoms of the individuals.

We must implement appropriate technical and organizational measures to protect personal information against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where processing involves transmission of personal information over a network, and against all other unlawful forms of processing.

Such measures will ensure a level of security appropriate to the risk and may include as appropriate:

the pseudonymisation and encryption of personal information;

the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

the ability to restore the availability and access to personal information in a timely manner in the event of a physical or technical incident; and

a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In particular, we must comply with the requirements in the security policies in place within DocuSign, as revised and updated from time to time, together with any other security procedures relevant to a business area or function.

We must ensure that any staff member who has access to or is involved in the processing of personal information does so only on instructions from DocuSign and under a duty of confidence.

Rule 8 – Service provider management:

We must ensure that our service providers also adopt appropriate security measures when processing personal information.

Where we appoint a service provider to process personal information on our behalf (i.e. a processor), we must impose contractual terms on the service provider that require it:

to act only on our instructions when processing that information, including with regard to international transfers of personal information;

to ensure that any individuals who have access to the data are subject to a duty of confidence;

to have in place appropriate technical and organizational security measures to safeguard the personal information;

only to engage a sub-processor if we have given our prior specific or general written authorisation, and on condition the sub-processor agreement protects the personal information to the same standard required of the service provider;

to assist us in ensuring compliance with our obligations as a controller under applicable data protection laws, in particular with respect to reporting data security incidents under Rule 9 and responding to requests from individuals to exercise their data protection rights under Rule 10;

to return or delete the personal information once it has completed its services; and

to make available to us all information we may need in order to ensure its compliance with these obligations.

Rule 9 – Security Incident Reporting:

We must comply with any data security incident reporting requirements that exist under applicable law.

When we become aware of a data security incident that presents a risk to the personal information that we process, we must immediately inform the Office of the Chief Privacy Officer and follow our data incident management processes.

The Office of the Chief Privacy Officer will review the nature and seriousness of the data security incident and determine whether it is necessary:

to notify competent data protection authorities, if the incident is likely to create a risk to the rights and freedoms of individuals affected by the incident; and

to notify individuals affected by the incident, if the incident creates a high risk to their rights and freedoms.

The Office of the Chief Privacy Officer shall be responsible for ensuring that any such notifications, where necessary, are made in accordance with the requirements of, and timescales specified by, applicable data protection law.

For example, if the affected personal information is subject to the General Data Protection Regulation and notification is required to competent data protection authorities, then those authorities should be notified without undue delay and, where feasible, within 72 hours of becoming aware of the incident. Where notification to affected individuals is also required, they must be notified without undue delay.

Rule 10 – Honouring individuals' data protection rights:

We must enable individuals to exercise their data protection rights in accordance with applicable law.

Various data protection laws around the world, including European laws, provide individuals with certain data protection rights. These may include:

The right of access: This is a right for an individual to obtain confirmation whether we process personal information about them and, if so, to be provided with access to, and a copy of, that personal information.

The right to rectification: This is a right for an individual to obtain rectification without undue delay of inaccurate personal information we may process about him or her. Taking into account the purpose of DocuSign’s processing, it also includes the right for an individual to have incomplete Personal Information completed, including by means of a supplementary statement.

The right to erasure: This is a right for an individual to require us to erase personal information about them on certain grounds, as described in the Data Protection Rights Procedure (see Appendix 4) – for example, where the personal information is no longer necessary to fulfill the purposes for which it was collected. If we have made the personal information public, then (taking account of available technology and the cost of implementation) we must also take reasonable steps, including technical measures, to inform controllers which are processing the personal information that the individual has requested the erasure by such controllers of any links to, or copy or replication of, that personal information.

The right to restriction: This is a right for an individual to require us to restrict processing of personal information about them on certain grounds, as described in the Data Protection Rights Procedure (see Appendix 4).

The right to data portability: This is a right for an individual to receive personal information concerning him or her from us in a structured, commonly used and machine-readable format and to transmit that information to another controller, if certain grounds apply as described in the Data Protection Rights Procedure (see Appendix 4).Where technically feasible, this may include direct transmission from DocuSign to another Controller.

The right to object: This is a right for an individual to object at any time, on grounds relating to his or her particular situation, to processing of personal information about him or her, if certain grounds apply as described in the Data Protection Rights Procedure (see Appendix 4).

Where an individual wishes to exercise any of its data protection rights, we must respect those rights in accordance with applicable law by following the Data Protection Rights Procedure (see Appendix 4).

In addition, the relevant DocuSign group member shall communicate any rectification or erasure of personal information or restriction of processing carried out in accordance with this rule to each recipient to whom the Personal Information have been disclosed, unless this proves impossible or involves disproportionate effort. We must inform the individual about those recipients if the individual requests it.

Rule 11 – Ensuring adequate protection for international transfers:

We must not transfer personal information internationally without ensuring adequate protection for the information in accordance with applicable law.

Data transfer compliance

Various data protection laws around the world, including European laws, prohibit international transfers of personal information to third countries unless appropriate safeguards are implemented to ensure the transferred data remains protected to the standard required in the country or region from which it is transferred.

Where these requirements exist, we must comply with them.

Whenever transferring personal information internationally, or onward transferring personal information to third parties, DocuSign's designated representative(s) (as instructed by the Office of the Chief Privacy Officer (the "Responsible Party") will be consulted so that they can ensure appropriate safeguards have been implemented to protect the personal information being transferred and, where necessary, a transfer impact assessment (as described below) has been conducted.

Transfer Impact Assessments

A DocuSign group member may transfer personal information or onward transfer personal information internationally, only where measures necessary to comply with applicable data protection law rules governing international transfers of personal information have been satisfied.  In the case of transfers of personal information protected under European data protection law, these shall include undertaking transfer impact assessments to assess the level of data protection in the recipient territory and implementing any supplementary measures identified by those assessments as necessary to ensure a level of protection that is essentially equivalent to European data protection law.

Where a group member makes an international transfer of personal information that is subject to European data protection laws to another group member or third party located in a third country that does not provide an adequate level of protection ("Non-Adequate Country"), we will:

- undertake a risk assessment ("Transfer Impact Assessment") to assess whether there is reason to believe that the laws and practices in the Non-Adequate Country, including any requirements to disclose personal information to public authorities or measures that authorise access by public authorities, will conflict with DocuSign’s obligations under this Controller Policy; and

- where the Transfer Impact Assessment concludes that additional safeguards are necessary to ensure an adequate level of protection for the personal information and compliance with this Controller Policy, implement such additional safeguards.

In addition, where a group member located in Non-Adequate Country receives personal information that is subject to European data protection laws from another group member or third party, that group member will promptly notify the transferring group member or third party if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements of this Controller Policy, including following a change in the laws of the Non-Adequate County.

We will conduct such Transfer Impact Assessments and promptly notify any transfer risks in accordance with the Transfer Impact Assessment Policy in Appendix 12.

Rule 12 – Sensitive Personal Information:

We must only process sensitive personal information collected in Europe where we have obtained the individual’s explicit consent, unless there is an alternative legitimate basis for processing consistent with applicable law.

DocuSign will assess whether sensitive personal information is required for the intended purpose of processing before collecting it.

In principle, we must obtain the individual's explicit consent to collect and process his or her sensitive personal information, unless we are required to do so by applicable law or have another legitimate basis for doing so consistent with the applicable law of the country in which the personal information was collected.

When obtaining an individual's explicit consent in order to process sensitive personal information, the individual must give an express statement of consent (such as by expressly confirming consent in a written statement).

Where processing of sensitive personal information concerns criminal convictions and offences, then this may only be carried out only under the control of official authority or when the processing is authorised by applicable data protection law providing for appropriate safeguards for the rights and freedoms of individuals. The Office of the Chief Privacy Officer must be consulted in every such case.

Rule 13 – Direct marketing:

We must allow customers to opt-out of receiving marketing information.

All individuals must be informed about their right to object, free of charge and at any time, to the use of their personal information for direct marketing purposes. They must be able to raise their objection in an easy-to-exercise manner. We will honour all such opt-out requests.

Rule 14 – Automated individual decision-making, including profiling:

We must respect individuals' rights not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects them.

We will not make any decision, which produces legal effects concerning an individual or that similarly significantly affects him or her, based solely on the automated processing of that individual's personal information, including profiling, unless such decision is:

necessary for entering into, or performing, a contract between a group member and that individual;

authorized by applicable law (which, in the case of personal information about individuals in Europe, must be European or Member State law); or

based on the individual's explicit consent.

In the first and third cases above, we must implement suitable measures to protect the individual's rights and freedoms and legitimate interests, including the right to obtain human intervention, to express his or her view and to contest the decision.

We must never make automated individual decisions about individuals using their sensitive personal information unless they have given explicit consent under Rule 12 or another lawful basis applies.

 

Return to top

PART III: DELIVERING COMPLIANCE IN PRACTICE

To ensure we follow the rules set out in this Controller Policy, in particular the obligations set out in Part II, DocuSign and all of its group members must also comply with the following practical commitments:

1. Resourcing and compliance:

We must have appropriate staff and support to ensure and oversee privacy compliance throughout the business.

DocuSign has appointed its Chief Privacy Officer, who reports directly to the Board, to oversee and ensure compliance with this Controller Policy. The Office of the Chief Privacy Officer is responsible for overseeing and enabling compliance with this Controller Policy on a day-to-day basis.

A summary of the roles and responsibilities of DocuSign's privacy team is set out in Appendix 5.

2. Privacy training:

We must ensure staff are educated about the need to protect personal information in accordance with this Controller Policy.

Group members must provide appropriate privacy training to staff members who:

have permanent or regular access to personal information; or

are involved in the processing of personal information or in the development of tools used to process personal information.

We will provide such training in accordance with the Privacy Training Program (see Appendix 6).

3. Records of Data Processing:

We must maintain records of the data processing activities under our responsibility.

We must maintain a record of all categories of processing activities that we conduct in accordance with applicable data protection laws. These records should be kept in writing (including electronic form) and we must make these records available to competent data protection authorities upon request.

The relevant team or function overseeing or managing the processing activity is responsible for ensuring the accuracy of such records, in conjunction with the Office of the Chief Privacy Officer which will maintain such records.

4. Audit:

We must have data protection audits on a regular basis.

We will have data protection audits on a periodic basis, which may be conducted by either internal or external accredited auditors. In addition, we will conduct data protection audits on specific request from the Chief Privacy Officer and/or the Board.

We will conduct any such audits in accordance with the Audit Protocol (see Appendix 7).

5. Data Protection Impact Assessments:

We must carry out data protection impact assessments where processing is likely to result in a high risk to rights and freedoms of individuals, and consult with competent data protection authorities where required by applicable law.

Where required by applicable data protection laws, we must carry out data protection impact assessments (DPIA) whenever the processing of personal information, particularly using new technologies, is likely to result in a high risk to the rights and freedoms of individuals. DocuSign will carry out a DPIA prior to processing which will contain at least the following:

a systematic description of the envisaged processing operations and the purposes of the processing;

an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

an assessment of the risks to the privacy rights of individuals; and

the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal information and demonstrate compliance with applicable data protection laws.

Where the DPIA indicates that the processing would still result in a high risk to individuals, DocuSign will consult with local data protection authorities where required by applicable data protection laws.

6. Data protection by design and by default:

We must apply data protection by design and by default principles when designing and implementing new products and systems.

When designing and implementing new products and systems which process personal information, we must apply data protection by design and by default principles. This means we must implement appropriate technical and organisational measures that:

are designed to implement the data protection principles in an effective manner and to integrate the necessary safeguards in order to protect the rights of individuals and meet the requirements of applicable data protection laws ("privacy by design"); and

ensure that, by default, only personal information which are necessary for each specific processing purpose are collected, stored, processed and are accessible; in particular, that by default personal information is not made accessible to an indefinite number of people without the individual's intervention ("privacy by default").

7. Complaint handling:

We must enable individuals to raise data protection complaints and concerns.

Group members must enable individuals to raise data protection complaints and concerns (including complaints about processing under this Controller Policy) by complying with the Complaint Handling Procedure (see Appendix 8).

8. Cooperation with competent data protection authorities:

We must always cooperate with competent data protection authorities.

Group members must cooperate with competent data protection authorities by complying with the Cooperation Procedure (see Appendix 9).

9. Updates to this Controller Policy:

We will update this Controller Policy in accordance with our Updating Procedure.

Whenever updating our Controller Policy, we must comply with the Updating Procedure (see Appendix 10).

10. Conflicts between this Controller Policy and national legislation:

We must take care where local laws conflict with this Policy, and act responsibly to ensure a high standard or protection for the personal information in such circumstances.

If local laws applicable to any group member prevent it from fulfilling its obligations under the Controller Policy or otherwise have a substantial effect on its ability to comply with the Controller Policy, the group member or Responsible Executive must promptly inform the Chief Privacy Officer unless prohibited by a law enforcement authority. The Chief Privacy Officer will make a responsible decision on the action to take and will, where appropriate, consult with the competent data protection authority.

11. Government requests for disclosure of personal information:

We must notify the competent supervisory authorities in case of a legally binding request for disclosure of personal information.

If a group member receives a legally binding request for disclosure of personal information by a law enforcement authority or state security body which is subject to this Controller Policy, it must comply with the Government Data Request Procedure set out in Appendix 11.

 

Return to top

 PART IV: THIRD PARTY BENEFICIARY RIGHTS

Application of this Part IV

This Part IV applies where individuals’ personal information are protected under European data protection laws (including the General Data Protection Regulation). This is the case when:

  • those individuals’ personal information are processed in the context of the activities of a group member (or its third-party processor) established in Europe;

  • a non-European group member (or its third-party processor) offers goods and services (including free goods and services) to those individuals in Europe; or

  • a non-European group member (or its third-party processor) monitors the behaviour of those individuals, as far as their behaviour takes place in Europe;

and that group member then transfers those individuals’ personal information to a non-European group member for processing under the Controller Policy.

Entitlement to effective remedies

When this Part IV applies, individuals have the right to pursue effective remedies in the event their personal information is processed by DocuSign in breach of the following provisions of this Controller Policy:

  • Part II (Our Obligations) of this Controller Policy;

  • Paragraphs 6 (Complaints Handling), 7 (Cooperation with Competent Data Protection Authorities), 9 (Conflicts between this Controller Policy and national legislation) and 10 (Government requests for disclosure of personal information) under Part III of this Controller Policy; and

  • Part IV (Third Party Beneficiary Rights) of this Controller Policy.

Individuals’ third party beneficiary rights

When this Part IV applies, individuals may exercise the following rights:​

  • Complaints: Individuals may complain to a group member and/or to a European data protection authority, in accordance with the Complaints Handling Procedure at Appendix 8;

  • Proceedings: Individuals may commence proceedings against a group member for violations of this Controller Policy, in accordance the Complaints Handling Procedure at Appendix 8;

  • Compensation: Individuals who have suffered material or non-material damage as a result of an infringement of this Controller Policy have the right to receive compensation from DocuSign for the damage suffered, as determined by a court of competent jurisdiction in accordance the Complaints Handling Procedure at Appendix 8.

  • Transparency: Individuals also have the right to obtain a copy of the Controller Policy, which they may exercise by making a request to the Office of the Chief Privacy Officer at privacy@docusign.com, or by directly accessing the Controller Policy as published on www.docusign.com/trust/privacy.

Responsibility for breaches by non-European group members

DocuSign International (EMEA) Ltd will be responsible for ensuring that any action necessary is taken to remedy any breach of this Controller Policy by a non-European group member.

In particular:

  • If an individual can demonstrate damage it has suffered likely occurred because of a breach of this Policy by a non-European group member, DocuSign International (EMEA) Ltd will have the burden of proof to show that the non-European group member is not responsible for the breach, or that no such breach took place.

Where a non-European Group Member fails to comply with this Controller Policy, individuals may exercise their rights and remedies above against DocuSign International (EMEA) Ltd and, where appropriate, receive compensation (as determined by a competent court or other competent authority in Europe) from DocuSign International (EMEA) Ltd for any material or non-material damage suffered as a result of a breach of this Controller Policy.

Shared liability for breaches with processors

Where DocuSign has engaged a third-party processor to conduct processing on its behalf, and both are responsible for harm caused to an individual by processing in breach of this Controller Policy, DocuSign accepts that both DocuSign and the processor may be held liable for the entire damage in order to ensure effective compensation of the individual.

Return to top

APPENDIX 1 - LIST OF DOCUSIGN GROUP MEMBERS

The table below lists the DocuSign group members which are bound by DocuSign’s “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy”.

Name

Details

Country

DocuSign International (EMEA) Limited

Address: 5 Hanover Quay,

Ground Floor, Dublin 2,

Republic of Ireland

Reg no.: 549615

Ireland

DocuSign Brasil Soluções Em Tecnologia Ltda. (formerly, Comprova.com)

Address: Tower Bridge Corporate,

02º Andar Conj. 21,

Avenida Jornalista Roberto Marinho,

85,

São Paulo, 

Brazil

Reg no.: 35.218.051.742

Brazil

DocuSign Canada Ltd.

Address: 3200 – 650 West Georgia

Street, Vancouver BC

V6B 4P7 Canada

Reg no.: BC1081751

Canada

Seal Software Egypt LLC

Address: Cairo Festival City, Business

Park B2, Building 12B04

Ground Floor, Street 90

Fifth Settlement, New Cairo

Egypt

Reg no.: 109958

Egypt

DocuSign France SAS

Address: Immeuble Central Park

9-15 rue Maurice Mallet

92130 Issy-les-Moulineaux

France

Reg no.: 812 611 150

France

DocuSign Germany GmbH

Address: c/o Bird & Bird LLP

Maximilianspl. 22

80333 Munchen

Deutschland

Reg no.: HRB 111200

Germany

DocuSign Israel Ltd

Address: SIV Building

1 Ha’arava St. Floor 4,

5400804 Givat Shmuel Israel

Reg no.: 511071086

Israel

DocuSign Japan KK

Address: Shiroyama Trust Tower 35F

4-3-1 Toranomon,

Minato-ku Tokyo 105-6035

Japan

Reg no.: 0100-01-167695

Japan

Seal Software Norway AS

Address: v/advokat Stale R Kristiansen

c/o Advokatfirmaet Thommessen

AS Haakon VIIs gate 10

Reg no.: 921 684 746

Norway

DocuSign International (Asia-Pacific) Private Limited

Address: 71 Robinson Road

Singapore 068895

Reg no.: 201505623H

Singapore

Contract Analytics Development Sweden AB

Address: Kungsgatan 34, 1 tr

411 19 Gothenburg,

Sweden

Reg no.: 556935-3674

Sweden

DocuSign UK Limited

Address: Broadgate Quarter

9 Appold Street, 2nd Floor

London EC2A 2AP UK

Reg no.: 10308354

United Kingdom

DocuSign, Inc.

Address: 221 Main Street,

Suite 1550,

San Francisco, CA 94105

Reg no.: 5711317

United States

DocuSign International, Inc.

Address: 221 Main Street,

Suite 1550,

San Francisco, CA 94105

Reg no.: 4980980

United States

Liveoak Technologies, Inc.

Address: 221 Main Street,

Suite 1550,

San Francisco, CA 94105

Reg no.: 5675735

United States

DocuSign Mexico, S. de R.L de C.V.

Address: Insurgentes Sur 1650, Piso 12,

C.P. 03900,

Mexico CDMX

Reg no.: N-2020078264

Mexico

DocuSign Spain, S.L.U.

Address: Avenida Diagonal, 477, planta 20

   Barcelona,

   Spain

Reg no.: 84628715

Spain

DocuSign Netherlands B.V.

Address: Blaak 34,

   3011TA Rotterdam,

   the Netherlands

Reg no.: 50737449

Netherlands

DocuSign Italy S.r.l.

Address: Osborne Clarke, Corso di Porta Vittoria, 9,

   Milan, 20122, Italy

Reg no.: M-2640635

 

Return to top

APPENDIX 2 - MATERIAL SCOPE OF THIS CONTROLLER POLICY

  1. Background

    1. DocuSign’s “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") provide a framework for the transfer of personal information between DocuSign group members.

    2. This document sets out the material scope of the Controller Policy. It specifies the data transfers or set of transfers, including the nature and categories of personal information, the type of processing and its purposes, the types of individuals affected, and the identification of the third country or countries.

2. Supplier data

Who transfers the personal information described in this section?

Every DocuSign group member inside of the European Economic Area (“EEA”) may transfer the personal information that they control described in this section to every other DocuSign group member inside and outside of the EEA.

Every group member outside of the EEA may also transfer the personal information that they control described in this section to every DocuSign group member inside and outside of the EEA.

Who receives this personal information?

Every DocuSign group member outside of the EEA may receive the personal information described in this section which is sent to them by other DocuSign group members inside and outside of the EEA.

Every group member inside of the EEA may also receive the personal information described in this section which is sent to them by other DocuSign group members inside and outside of the EEA.

What categories of personal information are transferred?

The personal information of Suppliers, including:

(i) Identification data: first and last name, date of birth, place of birth, nationality, photograph, and vendor ID.

(ii) Contact details: address, professional email address, and professional telephone number (including mobile telephone number).

(iii) Professional details: job title, employer, academic and professional qualifications, data related to transactions involving goods and services.

(iv) National identifiers: tax ID and government identification number.

(v) Financial data: bank account number, bank details

(vi) Sensitive personal information: as described below.

What categories of sensitive personal information (if any) are transferred?

(i) Data concerning health.

This sensitive personal information will be processed for the reasons described below.


Who are the types of individuals whose personal information are transferred?

"Suppliers" – representatives of any third party that provides goods or services to DocuSign.

Why is this personal information transferred and how will it be used?

1. Personal information.

Personal information shall be collected, used or otherwise processed by DocuSign in the context of the use of Supplier-provided services for one (or more) of the following purposes:

(i) Assessment and acceptance of a Supplier; conclusion and execution of agreements with a Supplier and the settlement of payment transactions;

(ii) Use of Supplier services;

(iii) Relationship management and marketing;

(iv) Business process execution, internal management and management reporting;

(v) Health, safety, security and integrity, including the safeguarding of the security and integrity of the business sector;

(vi) Compliance with law; and

(vii) Protection of the vital interests of individuals.

 2. Sensitive personal information.

DocuSign shall process sensitive personal information only to the extent necessary for the following purpose(s):

(i) Data concerning health: for on-site screening of data subjects to test for the presence of Covid-19 symptoms, conducted in accordance with applicable data protection laws; and

3. Other processing purposes:

If DocuSign processes personal information or sensitive personal information for any other reasons not listed above then it will ensure such processing is conducted in accordance with applicable data protection laws and this Controller Policy.

Where is this personal information processed?

The personal information described in this section may be processed in every territory where DocuSign group members or their processors are located. A list of DocuSign group member locations is available at Appendix 1 to this Controller Policy.

3. Business Partner data

Who transfers the personal information described in this section?

Every DocuSign group member inside of the European Economic Area (“EEA”) may transfer the personal information that they control described in this section to every other DocuSign group member inside and outside of the EEA.

Every group member outside of the EEA may also transfer the personal information that they control described in this section to every DocuSign group member inside and outside of the EEA.

Who receives this personal information?

Every DocuSign group member outside of the EEA may receive the personal information described in this section which is sent to them by other DocuSign group members inside and outside of the EEA.

Every group member inside of the EEA may also receive the personal information described in this section which is sent to them by other DocuSign group members inside and outside of the EEA.

What categories of personal information are transferred?

The personal information of Business Partners, including:

(i) Identification data: first and last name, date of birth, place of birth, nationality, photograph, and business partner ID.

(ii) Contact details: address, professional email address, and professional telephone number (including mobile telephone number).

(iii) Professional details: job title, employer, academic and professional qualifications, and data related to transactions involving goods and services.

(iv) National identifiers: tax ID and government identification number.

(v) Financial data: bank account number, bank details

(vi) Sensitive personal information: as described below.

What categories of sensitive personal information (if any) are transferred?

(i) Data concerning health.

This sensitive personal information will be processed for the reasons described below.


Who are the types of individuals whose personal information are transferred?

"Business Partners" – representatives of any third party (other than a Customer or Supplier) that has or had a business relationship or strategic alliance with DocuSign.

Why is this personal information transferred and how will it be used?

1. Personal information.

Personal information shall be collected, used or otherwise processed by DocuSign in the context of business development with Business Partners for one (or more) of the following purposes:

(i) Assessment and acceptance of a Business Partner; conclusion and execution of agreements with a Business Partner and the settlement of payment transactions;

(ii) Business Development with Business Partners;

(iii) Development and improvement of products and/or services;

(iv) Relationship management and marketing;

(v) Business process execution, internal management and management reporting;

(vi) Health, safety, security and integrity, including the safeguarding of the security and integrity of the business sector;

(vii) Compliance with law; and

(viii) Protection of the vital interests of individuals.

 2. Sensitive personal information.

DocuSign shall process sensitive personal information only to the extent necessary for the following purpose(s):

(i) Data concerning health: for on-site screening of data subjects to test for the presence of Covid-19 symptoms, conducted in accordance with applicable data protection laws; and

3. Other processing purposes:

If DocuSign processes personal information or sensitive personal information for any other reasons not listed above then it will ensure such processing is conducted in accordance with applicable data protection laws and this Controller Policy.

Where is this personal information processed?

The personal information described in this section may be processed in every territory where DocuSign group members or their processors are located. A list of DocuSign group member locations is available at Appendix 1 to this Controller Policy.

4. Staff data

Who transfers the personal information described in this section?

Every DocuSign group member inside of the EEA may transfer the personal information that they control described in this section to every other DocuSign group member inside and outside of the EEA.

Every group member outside of the EEA may also transfer the personal information that they control described in this section to every DocuSign group member inside and outside of the EEA.

Who receives this personal information?

Every DocuSign group member outside of the EEA may receive the personal information described in this section which is sent to them by other DocuSign group members inside and outside of the EEA.

Every group member inside of the EEA may also receive the personal information described in this section which is sent to them by other DocuSign group members inside and outside of the EEA.

What categories of personal information are transferred?

Any personal information of a staff member (and his or her dependents) processed in the context of their (former) employment relationship with DocuSign, including:

(i) Identification data: civil/marital status, first and last name, photograph, date and place of birth, nationality, corporate identifier and gender.

(ii) Contact details: address, telephone number (fixed and mobile), email address, fax number, and emergency contact information.

(iii) Employment details: job title, company name, grade, occupation code, geographic location, employee performance and evaluation data, employee discipline information, information regarding previous roles and employment, employee benefits information such as election decisions, leave requests, authorization/declination, and health insurance company.

(iv) National identifiers: national ID/passport number, tax ID, government identification number, driver's license, and visa or immigration status.

(v) Academic and professional qualifications: degrees, titles, skills, language proficiency, training information, employment history, and CV/résumé.

(vi) Financial data: bank account number, IBAN number, bank details including bank name, bank code, sort code, salary and compensation data, bonuses, pension qualification information, payroll data, tax class, and tax office name.

(vii) IT related data: computer ID, user ID and password, domain name, IP address, log files, software and hardware inventory, and software usage pattern tracking information (i.e., cookies and information recorded for operation and training purposes).

(viii) Lifestyle: hobbies, social activities, and holiday preferences.

(ix) Sensitive personal information: as described below.

What categories of sensitive personal information (if any) are transferred?

(i) Racial or ethnic data

(ii) Data concerning health

(iii) Criminal background data

(iv) Biometric data


Who are the types of individuals whose personal information are transferred?

Staff members and their dependents

Why is this personal information transferred and how will it be used?

1. Personal information.

Personal information shall be collected, used or otherwise processed for one (or more) of the following purposes:

(i) Human resources and personnel management;

(ii) Business process execution and internal management;

(iii) Health, safety, security and integrity;

(iv) Organizational analysis and development, management reporting and acquisition and divestitures;

(v) Compliance with law; and

(vi) Protecting the vital interests of staff members.

2. Sensitive personal information.

DocuSign shall process sensitive personal information only to the extent necessary for the following purpose(s):

(i) Racial or ethnic data: For the purposes of diversity and inclusiveness monitoring, conducted in accordance with applicable data protection laws;

(ii) Data concerning health: for on-site screening of data subjects to test for the presence of Covid-19 symptoms, conducted in accordance with applicable data protection laws;

(iii) Criminal background data: for background checking purposes in connection with the hiring of prospective staff members, conducted in accordance with applicable data protection laws;

(iv) Biometric data: for security reasons, in order to enable duly authorised staff access to secure premises and systems; and

3. Other processing purposes:

If DocuSign processes personal information or sensitive personal information for any other reasons not listed then it will ensure such processing is conducted in accordance with applicable data protection laws and this Controller Policy.

Where is this personal information processed?

The personal information described in this section may be processed in every territory where DocuSign group members or their processors are located. A list of DocuSign group member locations is available at Appendix 1 to this Controller Policy.

5. Account and prospect data

Who transfers the personal information described in this section?

Every DocuSign group member inside of the European Economic Area (“EEA”) may transfer the personal information that they control described in this section to every other DocuSign group member inside and outside of the EEA.

Every group member outside of the EEA may also transfer the personal information that they control described in this section to every DocuSign group member inside and outside of the EEA.

Who receives this personal information?

Every DocuSign group member outside of the EEA may receive the personal information described in this section which is sent to them by other DocuSign group members inside and outside of the EEA.

Every group member inside of the EEA may also receive the personal information described in this section which is sent to them by other DocuSign group members inside and outside of the EEA.

What categories of personal information are transferred?

The personal information of Customers, including:

(i) Contact details: postal address, billing address, delivery address, phone number (fixed and mobile), email address, fax number and other personal details provided by customers of the Data Exporter and visitors to the Data Exporter's websites and other digital properties.

(ii) Professional details: job title, affiliated organization, and data relating to business projects.

(iii) Financial data: bank account number, bank details, and credit card details.

(iv) Order data: purchasing history, return history, and cancellation history.

(v) IT related data: IP addresses of visitors to the Data Exporter's websites and other digital properties, online navigation data, browser type, language preferences, pixel data, cookies data, and web beacon data.

(vi) Sensitive personal information: as described below.

What categories of sensitive personal information (if any) are transferred?

(i) Criminal background data

(ii) Biometric data

Who are the types of individuals whose personal information are transferred?

Customers.

Why is this personal information transferred and how will it be used?

1. Personal information.

Personal information shall be collected, used or otherwise processed by DocuSign in the context of the provision of Customer services for one (or more) of the following purposes:

(i) Assessment and acceptance of a Customer; conclusion and execution of agreements with a Customer and the settlement of payment transactions;

(ii) Performance of Customer Services;

(iii) Development and improvement of products and/or services;

(iv) Relationship management and marketing;

(v) Business process execution, internal management and management reporting;

(vi) Health, safety, security and integrity, including the safeguarding of the security and integrity of the business sector;

(vii) Compliance with law; and

(viii) Protection of the vital interests of individuals.

2. Sensitive personal information.

DocuSign shall process sensitive personal information only to the extent necessary for the following purpose(s):

(i) Criminal background data: as necessary for assessment and acceptance of Customers, including the identification and authentication of Customers (including confirming and verifying the identity of relevant individuals); the execution of an agreement with Customers; and to protect the interests of DocuSign, its staff members and Customers and for the use of and the participation in DocuSign’s incident registers and sector warning systems;

(ii) Biometric data: for the protection of DocuSign and its staff members, assets, site access and security reasons; and

3. All categories under the following circumstances:

DocuSign may also process personal information or sensitive personal information for other reasons not listed above where such processing is conducted in accordance with applicable data protection laws.

Where is this personal information processed?

The personal information described in this section may be processed in every territory where DocuSign group members or their processors are located. A list of DocuSign group member locations is available at Appendix 1 to this Controller Policy.

Return to top

APPENDIX 3 - FAIR INFORMATION DISCLOSURES

  1. Background

    1. DocuSign’s “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") provide a framework for the transfer of personal information between DocuSign group members.

    2. This Fair Information Disclosure document sets out the transparency information that DocuSign must provide to individuals when processing their personal information.

  2. Information to be provided where DocuSign collects personal information directly from individuals

    1. When DocuSign collects personal information directly from individuals, it must provide the following transparency information:

      1. the identity and contact details of the data controller and, where applicable, of its representative;

      2. the contact details of the data protection officer, where applicable;

      3. the purposes of the processing for which the personal information are intended as well as the legal basis for the processing;

      4. where the processing is based on DocuSign's or a third party's legitimate interests, the legitimate interests pursued by DocuSign or by the third party;

      5. the recipients or categories of recipients of the personal information, if any; and

      6. where applicable, the fact that a group member in Europe intends to transfer personal information to a third country or international organisation outside of Europe, and the measures that the group member will take to ensure the personal information remains protected in accordance with applicable data protection laws and how to obtain a copy of such measures.

    2. In addition to the information above, DocuSign shall also provide individuals with the following further information necessary to ensure fair and transparent processing, at the time of collection:

      1. the period for which the personal information will be stored, or if that is not possible, the criteria used to determine that period;

      2. information about the individuals' rights to request access to, rectify or erase their personal information, as well as the right to restrict or object to the processing, and the right to data portability;

      3. where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

      4. the right to lodge a complaint with the competent supervisory authority;

      5. whether the provision of personal information is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the individual is obliged to provide the personal information and of the possible consequences of failure to provide such information; and

      6. the existence of automated decision-making, including profiling, where such decisions may have a legal effect or significantly affect the individuals whose personal information are collected, together with any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for those individuals.

    3. The transparency information described in this paragraph must be provided at the time that DocuSign obtains the personal information from the individual.

  3. Information to be provided where DocuSign collects personal information about individuals from a third party source

    1. When DocuSign collects personal information from a third party source (that is, someone other than the individual him- or herself), it must provide the following transparency information:

      1. the information described in paragraphs 2.1 and 2.2 above;

      2. the categories of personal information that are being processed; and

      3. details of the third party source from which DocuSign obtained the personal information including, if applicable, identifying whether the personal information came from publicly accessible sources.

    2. The transparency information described in this paragraph must be provided within a reasonable period after DocuSign obtains the personal information and, at the latest, within one month, having regard to the specific circumstances in which the personal information are processed. In addition:

      1. if the personal information are to be used for communication with the individual, the transparency information described in this paragraph must be provided at the latest at the time of the first communication to that individual; and

      2. if a disclosure of the personal information to another recipient is envisaged, the transparency information described in this paragraph must be provided at the latest when the personal information are first disclosed.

  4. Derogations from providing transparency disclosures

    1. The requirements to provide transparency information as described in this Fair Information Disclosures document shall not apply where and insofar as:

      1. the individual already has the information;

      2. the provision of such information provides impossible or would involve a disproportionate effort, and DocuSign takes appropriate measures, consistent with the requirements of applicable data protection laws, to protect the individual’s rights and freedoms and legitimate interests, including by making the transparency information publicly available;

      3. obtaining or disclosure is expressly laid down by applicable laws to which DocuSign is subject and these laws provide appropriate measures to protect the individual’s legitimate interests; or

      4. where the personal information must remain confidential subject to an obligation of professional secrecy regulated by applicable laws to which DocuSign is subject, including a statutory obligation of secrecy.

Return to top

APPENDIX 4 - DATA PROTECTION RIGHTS PROCEDURE

  1. Background

    1. DocuSign's "Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") safeguard personal information transferred between the DocuSign group members.

    2. Individuals whose personal information are processed by DocuSign under the Policies have certain data protection rights, which they may exercise by making a request to the controller of their information (whether the controller is DocuSign or a Customer) (a “Data Protection Rights Request”).

    3. This Binding Corporate Rules: Data Protection Rights Procedure (“Procedure”) describes how DocuSign will respond to any Data Protection Rights Requests it receives from individuals whose personal information are processed and transferred under the Policies.

  2. Individual’s data protection rights

    1. DocuSign must assist individuals to exercise the following data protection rights, consistent with the requirements of applicable data protection laws:

      1. The right of access: This is the right for individuals to obtain confirmation whether a controller processes personal information about them and, if so, to be provided with access to, and a copy of, that personal information. This process for handling this type of request is described further in paragraph 4 below.

      2. The right to rectification: This is the right for individuals to require a controller to rectify without undue delay any inaccurate personal information a controller may be processing about them. The process for handling this type of request is described further in paragraph 5 below.

      3. The right to erasure: This is the right for individuals to require a controller to erase personal information about them on certain grounds – for example, where the personal information is no longer necessary to fulfil the purposes for which it was collected. The process for handling this type of request is described further in paragraph 5 below.

      4. The right to restriction: This is the right for individuals to require a controller to restrict processing of personal information about them on certain grounds. The process for handling this type of request is described further in paragraph 5 below.

      5. The right to object: This is the right for individuals to object, on grounds relating to their particular situation, to a controller’s processing of personal information about them, if certain grounds apply. The process for handling this type of request is described further in paragraph 5 below.

      6. The right to data portability: This is the right for individuals to receive personal information concerning them from a controller in a structured, commonly used and machine-readable format and to transmit that information to another controller, if certain grounds apply. The process for handling this type of request is described further in paragraph 6 below.

  3. Responsibility to respond to a Data Protection Rights Request

    1. Overview

      1. The controller of an individual’s personal information is primarily responsible for responding to a Data Protection Rights Request and for helping the individual concerned to exercise his or her rights under applicable data protection laws.

      2. As such, when an individual contacts DocuSign to make any Data Protection Rights Request then:

        1. where DocuSign is the controller of that individual’s personal information under the Controller Policy, it must help the individual to exercise his or her data protection rights directly in accordance with this Procedure; and

        2. where DocuSign processes that individual’s personal information as a processor on behalf of a Customer under the Processor Policy, DocuSign must inform the relevant Customer promptly and provide it with reasonable assistance (which may include in-product self-service functionality) to help the individual to exercise his or her rights in accordance with the Customer’s duties under applicable data protection laws.

    2. Assessing responsibility to respond to a Data Protection Rights Request

      1. If a group member receives a Data Protection Rights Request from an individual, it must pass the request to the Office of the Chief Privacy Officer at privacy@docusign.com immediately upon receipt indicating the date on which it was received together with any other information which may assist the Office of the Chief Privacy Officer to deal with the request.

      2. The Office of the Chief Privacy Officer will make an initial assessment of the request as follows:

        1. the Office of the Chief Privacy Officer will determine whether DocuSign is a controller or processor of the personal information that is the subject of the request;

        2. where the Office of the Chief Privacy Officer determines that DocuSign is a controller of the personal information, it will then determine whether the request has been made validly under applicable data protection laws (in accordance with section 3.3 below), whether an exemption applies (in accordance with section 3.4 below) and respond to the Request (in accordance with section 3.5 below); and

        3. where the Office of the Chief Privacy Officer determines that DocuSign is a processor of the personal information on behalf of a Customer, it shall pass the request promptly to the relevant Customer in accordance with its contract terms with that Customer.

    3. Assessing the validity of a Data Protection Rights Request

      1. If the Office of the Chief Privacy Officer determines that DocuSign is the controller of the personal information that is the subject of the request, it will contact the individual promptly in writing to confirm receipt of the Data Protection Rights Request.

      2. A Data Protection Rights Request must generally be made in writing, which can include email, unless applicable data protection laws allow a request to be made orally (for example under Europe's General Data Protection Regulation). A Data Protection Rights Request does not have to be official or mention data protection law to qualify as a valid request.

      3. If DocuSign has reasonable doubts concerning the identity of the individual making a request, it may request such additional information as is necessary to confirm the identity of the individual making the request. DocuSign may also request any further information which is necessary to action the individual's request.

    4. Exemptions to a Data Protection Rights Request

      1. DocuSign will not refuse to act on Data Protection Rights Request unless it can demonstrate that an exemption applies under applicable data protection laws.

      2. DocuSign may be exempt under applicable data protection laws from fulfilling the Data Protection Rights Request (or be permitted to charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested) if it can demonstrate that the individual has made a manifestly unfounded or excessive request (in particular, because of the repetitive character of the request).

      3. If DocuSign decides not to take action on the Data Protection Rights Request, DocuSign will inform the individual without delay and at the latest within one (1) month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with the competent supervisory authority and lodging a claim before the court

    5. Responding to a Data Protection Rights Request

      1. Where DocuSign is the controller of the personal information that is the subject of the Data Protection Rights Request, and DocuSign has already confirmed the identity of the requestor and has sufficient information to enable it to fulfil the request (and no exemption applies under applicable data protection laws), then DocuSign shall handle the Data Protection Rights Request in accordance with paragraph 4, 5 or 6 below (as appropriate).

      2. DocuSign will respond to a Data Protection Rights Request without undue delay and in no case later than one (1) month of receipt of that request. This one (1) month period may be extended by two (2) further months where necessary, if the request is complex or due to the number of requests that have been made.

  4. Requests for access to personal information

    1. Overview

      1. An individual may require a controller to provide the following information concerning processing of his or her personal information:

        1. confirmation as to whether the controller holds and is processing personal information about that individual;

        2. if so, a description of the purposes of the processing, the categories of personal information concerned, the recipients or categories of recipients to whom the information is, or may be, disclosed, the envisaged period(s) (or the criteria used for determining those period(s)) for which the personal information will be stored;

        3. information about the individual’s right to request rectification or erasure of his or her personal information or to restrict or object to its processing;

        4. information about the individual’s right to lodge a complaint with a competent data protection authority;

        5. information about the source of the personal information if it was not collected from the individual;

        6. details about whether the personal information is subject to automated decision-making (including automated decision-making based on profiling); and

        7. where personal information is transferred outside Europe, the appropriate safeguards that DocuSign has put in place relating to such transfers in accordance with applicable data protection laws.

      2. An individual is also entitled to request a copy of his or her personal information from the controller. Where an individual makes such a request, the controller must provide that personal information to the individual in intelligible form.

    2. Process for responding to access requests from individuals

      1. If DocuSign receives an access request from an individual, this must be passed to the Office of the Chief Privacy Officer at privacy@docusign.com immediately to make an initial assessment of responsibility consistent with the requirements of paragraph 3.2 above.

      2. Where DocuSign determines it is the controller of the personal information and responsible for responding to the individual directly (and that no exemption to the right of access applies under applicable data protection laws), the Office of the Chief Privacy Officer will arrange a search of all relevant electronic and paper filing systems.

      3. The Office of the Chief Privacy Officer may refer any complex cases to the Chief Privacy Officer for advice, particularly where the request concerns information relating to third parties or where the release of personal information may prejudice commercial confidentiality or legal proceedings.

      4. The personal information that must be disclosed to the individual will be collated by the Office of the Chief Privacy Officer into a readily understandable format. A covering letter will be prepared by the Office of the Chief Privacy Officer which includes all information required to be provided in response to an individual's access request (including the information described in paragraph 4.1.1).

    3. Exemptions to the right of access

      1. A valid request may be refused on the following grounds:

        1. if the refusal to provide the information is consistent with applicable data protection law (for example, where a European group member transfers personal information under the Controller Policy, if the refusal to provide the information is consistent with the applicable data protection law in the European Member State where the group member is located);

        2. where the personal information is held by DocuSign in non-automated form that is not or will not become part of a filing system; or

        3. the personal information does not originate from Europe, has not been processed by any European group member, and the provision of the personal information requires DocuSign to use disproportionate effort.

      2. The Office of the Chief Privacy Officer will assess each request individually to determine whether any of the above-mentioned exemptions applies. A group member must never apply an exemption unless this has been discussed and agreed with the Office of the Chief Privacy Officer.

  5. Requests to correct, update or erase personal information, or to restrict, cease or object to processing personal information

    1. If DocuSign receives a request to correct, update or erase personal information, or to restrict or cease processing of an individual’s personal information, this must be passed to the Office of the Chief Privacy Officer at privacy@docusign.com immediately to make an initial assessment of responsibility consistent with the requirements of paragraph 3.2 above.

    2. Once an initial assessment of responsibility has been made then:

      1. where DocuSign is the controller of that personal information, the request must be notified to the Office of the Chief Privacy Officer promptly for it to consider and deal with as appropriate in accordance with applicable data protection laws.

      2. where a Customer is the controller of that personal information, the request must be notified to the Customer promptly for it to consider and deal with as appropriate in accordance with its duties under applicable data protection laws. DocuSign shall assist the Customer to fulfill the request in accordance with the terms of its contract with the Customer.

    3. To assist the Office of the Chief Privacy Officer in assessing an individual's objection to processing of his or her personal information, the grounds upon which an individual may object are when:

      1. DocuSign processes the personal information on grounds that:

        1. the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in DocuSign;

        2. the processing is necessary for the purposes of legitimate interests pursued by DocuSign or by a third party; or

        3. including profiling based on those grounds. When an individual raises an objection in such circumstances, DocuSign shall no longer process the personal information unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual or for the establishment, exercise or defence of legal claims.

      2. DocuSign processes the personal information for direct marketing purposes, including profiling to the extent that it is related to direct marketing. When an individual raises an objection in such circumstances, DocuSign shall no longer process the personal information for such direct marketing purposes.

    4. To assist the Office of the Chief Privacy Officer in assessing an individual's request for restriction of processing of his or her personal information, the grounds upon which an individual may request restriction are when:

      1. the accuracy of the personal information is contested by the individual, for a period enabling DocuSign to verify the accuracy of the personal information;

      2. the processing is unlawful and the individual opposes the erasure of the personal information and requests the restriction of its use instead;

      3. DocuSign no longer needs the personal information for the purposes of the processing, but it is required by the individual for the establishment, exercise or defence of legal claims; or

      4. the individual has exercised his or her right to object pending the verification whether the legitimate grounds of the controller override his or her objection right.

    5. To assist the Office of the Chief Privacy Officer in assessing an individual's request for erasure of his or her personal information, the grounds upon which an individual may request erasure are when:

      1. the personal information are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

      2. the individual withdraws consent on which the processing is based and there is no other legal ground for the processing;

      3. the individual exercises its right to object to processing of his or her personal information and there are no overriding legitimate grounds for continue processing;

      4. the personal information have been unlawfully processed;

      5. the personal information have to be erased for compliance with a legal obligation to which the controller is subject; or

      6. the personal information have been collected in relation to the offer of information society services to a child under the age of 16 and a parent or guardian has not consented to the processing.

    6. When DocuSign must rectify or erase personal information, either in its capacity as controller or on instruction of a Customer when it is acting as a processor, DocuSign will notify other group members and any sub-processor to whom the personal information has been disclosed so that they can also update their records accordingly.

    7. Where DocuSign acting as a controller must restrict processing of an individual's personal information, it must inform the individual before it subsequently lifts any such restriction.

    8. If DocuSign acting as controller has made the personal information public, and is obliged to erase the personal data pursuant to a Data Protection Rights Request, it must take reasonable steps, including technical measures (taking account of available technology and the cost of implementation), to inform controllers which are processing the personal information that the individual has requested the erasure by such controllers of any links to, or copy or replication of, the personal information.

  6. Requests for data portability

    1. If an individual makes a Data Protection Rights Request to DocuSign acting as controller to receive the personal information that he or she has provided to DocuSign in a structured, commonly used and machine-readable format and/or to transmit directly such information to another controller (where technically feasible), the Office of the Chief Privacy Officer will consider and deal with the request appropriately in accordance with applicable data protection laws insofar as the processing is based on that individual's consent or on the performance of, or steps taken at the request of the individual prior to entry into, a contract.

  7. Questions about this Data Protection Rights Procedure

    1. All queries relating to this Procedure are to be addressed to the Office of the Chief Privacy Officer or at privacy@docusign.com.

Return to top

APPENDIX 5 - PRIVACY COMPLIANCE STRUCTURE

  1. Background

    DocuSign's compliance with global data protection laws and the “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") is overseen and managed throughout all levels of the business by a global, multi-layered, cross-functional Privacy Compliance Structure.

    DocuSign’s Privacy Compliance Structure has the full support of DocuSign’s executive management. Further information about DocuSign's Privacy Compliance Structure is set out below and in the structure chart provided at Annex 1.

  2. Chief Privacy Officer

    DocuSign has appointed a Chief Privacy Officer who provides executive-level oversight of, and has responsibility for, ensuring DocuSign's compliance with applicable data protection laws and the Policies.

    The Chief Privacy Officer has direct line reporting to DocuSign's Board of Directors on all material or strategic issues relating to DocuSign's compliance with data protection laws and the Policies, and is also accountable to DocuSign's independent audit committee.

    The Chief Privacy Officer is supported in the exercise of its responsibilities by the office of the Chief Privacy Officer, the Security & Privacy Council, and any other personnel that the Chief Privacy Officer may designate from time to time to provide such support.

  3. The Office of the Chief Privacy Officer

    The Office of the Chief Privacy Officer is comprised of members of the Legal department and supports the Chief Privacy Officer in the exercise of his/her responsibilities.

    The activities of the Office of the Chief Privacy Officer include:

    • maintaining a comprehensive privacy program that defines, develops, maintains and implements Policies and processes to comply with data protection laws.

    • supervising compliance with the Policies;

    • providing periodic reports, as appropriate, to the Chief Executive Officer and other business executives and staff on data protection risks and compliance issues;

    • overseeing privacy program activities, including privacy impact assessment, data protection impact assessment, and records of processing activities;

    • ensuring that effective data privacy controls as implemented across DocuSign are in place for any third party with which DocuSign share personal information or any third party from whom DocuSign receives personal information;

    • deciding on complaints as described the Complaint Handling Procedure; and

    • overseeing official investigations or inquiries into the processing of personal information by a public authority or employee representative body.

  4. Security & Privacy Council

    The DocuSign Security & Privacy Council comprises representatives from key functional groups for DocuSign’s business, including the office of the Chief Privacy Officer, Information Security, Risk & Compliance, Legal, Engineering, Technical Operations, Finance and Information Technology to ensure appropriate oversight for privacy controls implemented across the business and ensuring business ownership for applicable aspects of DocuSign's data protection compliance.

    The Security & Privacy Council is accountable for assessing privacy controls and identifying potential areas of improvement for DocuSign's data privacy program internally . In this way, the Security & Privacy Council is actively engaged in addressing matters relating to DocuSign's privacy compliance across such key functional groups of DocuSign.

  5. DocuSign Staff
    All staff members within DocuSign are responsible for supporting the functional Security & Privacy Council members on a day-to-day basis and adhering to DocuSign privacy policies.

    In addition, DocuSign personnel are responsible for escalating and communicating any potential violation of the privacy policies to the appropriate Security & Privacy Council member, or, if they prefer, the office of the Chief Privacy Officer. On receipt of a notification of a potential violation of the privacy policy the issue will be investigated to determine if an actual violation occurred. Results of such investigations will be documented.

Annex 1: Overview of DocuSign's Privacy Compliance Structure

DocuSign's privacy compliance structure chart

Return to top

APPENDIX 6 - PRIVACY TRAINING REQUIREMENTS

  1. Background

    1. The “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") provide a framework for the transfer of personal information between DocuSign group members. The document sets out the requirements for DocuSign to train its staff members on the requirements of the Policies.

    2. DocuSign must train staff members (including new hires, temporary staff and individual contractors whose roles bring them into contact with personal information) on the basic principles of data protection, confidentiality and information security awareness. This must include training on applicable data protection laws, including European data protection laws and may include training on any other relevant data protection laws that apply to DocuSign. Training may also include guidance on data protection best practices and any security standards controls applicable to DocuSign (such as ISO 27001 and SSAE 18).

    3. Staff members who have permanent or regular access to personal information and who are involved in the processing of personal information or in the development of tools to process personal information must receive additional, tailored training on the Policies and specific data protection issues relevant to their role. This training is further described below and is repeated on a regular basis.

  2. Responsibility for the Privacy Training Program

    1. DocuSign's Office of the Chief Privacy Officer has overall responsibility for privacy training at DocuSign, with input with colleagues from other functional areas including Information Security, HR and other departments, as appropriate. They will review training from time to time to ensure it addresses all relevant aspects of the Policies and that it is appropriate for individuals who have permanent or regular access to personal information, who are involved in the processing of personal information or in the development of tools to process personal information.

    2. DocuSign's senior management is committed to the delivery of data protection training courses, and will ensure that staff are required to participate, and given appropriate time to attend, such courses. Course attendance will be recorded and monitored via regular audits of the training process. These audits are performed by DocuSign's internal training administration team and/or independent third-party auditors.

    3. If these training audits reveal persistent non-attendance, this will be escalated to the Office of the Chief Privacy Officer for action. Such action may include escalation of non-attendance to appropriate managers within DocuSign who will be responsible and held accountable for ensuring that the individual(s) concerned attend and actively participate in such training.

  3. Delivery of the training courses

    1. DocuSign will deliver mandatory electronic training courses, supplemented by live training for staff members in appropriate cases. The courses are designed to be both informative and user-friendly, generating interest in the topics covered.

    2. All DocuSign staff members must complete data protection training (including training on the Policies):

      1. as part of their onboarding activities;

      2. as part of a regular refresher training at least once every calendar year;

      3. as and when necessary to stay aware of changes in the law; and

      4. as and when necessary to address any compliance issues arising from time to time.

    3. Certain staff members may be required to receive supplemental specialist training, such as staff members who work in Marketing, Sales, and Customer Support or whose business activities include processing sensitive personal data. Specialist training shall be delivered as additional modules to the basic training package, and may be tailored as necessary to the course participants.

  4. Training on data protection

    1. DocuSign's training on data protection and the Policies will cover the following main areas:

      1. What is data protection law?

      2. What are key data protection terminology and concepts?

      3. What are the data protection principles?

      4. How does data protection law affect DocuSign globally?

      5. An overview of the Controller and Processor Policies

      6. Practical examples of how and when the Controller and Processor Policies apply

Return to top

APPENDIX 7 - AUDIT PROTOCOL

  1. Background

    1. DocuSign's “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") safeguard personal information transferred between the DocuSign group members. Roles are defined in Appendix 5.

    2. DocuSign must audit its compliance with the Policies on a regular basis and this document describes how and when DocuSign must perform such audits. Although this Audit Protocol describes the formal assessment process by which DocuSign will audit its compliance with the Policies, this is only one way in which DocuSign ensures that the provisions of the Policies are observed and corrective actions taken as required.

    3. In particular, DocuSign's Privacy Team provides ongoing guidance about the processing of personal information and must continually assess the processing of personal information by group members for potential privacy-related risks and compliance with these Policies.

  2. Conduct of an audit

    1. Overview of audit requirements

      1. Compliance with the Policies is overseen on a day to day basis by the office of the Chief Privacy Officer. The internal audit team (for itself or through its delegate) is responsible for performing independent audits of compliance with the Policies periodically and will ensure that such audits address all aspects of the Policies, to be overseen by the office of the Chief Privacy Officer. The Chief Privacy Officer will determine the specific privacy controls that the internal audit team will audit in advance of any such audit.

      2. The internal audit team is responsible for ensuring that any issues or instances of non-compliance with the Policies are brought to the attention of the Chief Privacy Officer and that any corrective actions are determined and implemented within a reasonable time. Serious non-compliance issues will be escalated to the Board of Directors in accordance with paragraph 2.5.1. Any non-compliance with the Policies will be reported back to the Responsible Executive.

      3. Where DocuSign acts as a processor, the Customer (or auditors acting on its behalf) may audit DocuSign for compliance with the commitments made in the Processor Policy and may extend such audits to any sub-processors acting on DocuSign's behalf in respect of such processing. Such audits shall be conducted in accordance with the terms of Customer's contract with DocuSign. Where the Customer agrees, DocuSign and its sub-processors may fulfill such Customer audit requirements by providing relevant, complete and accurate evidence of recent data protection and information security audits to which they have been subject.

      4. All audits shall be conducted by an inspections body composed of independent members and in possession of the required professional qualifications, bound by a duty of confidentiality.

    2. Frequency of audit

      1. Audits of compliance with the Policies are conducted:

        1. at least annually in accordance with DocuSign's audit procedures;

        2. at the request of the Chief Privacy Officer and / or the Board of Directors;

        3. as may be determined necessary by the office of the Chief Privacy Officer (for example, in response to a specific incident); and/or

        4. (with respect to audits of the Processor Policy), as required by the terms of the Customer's contract with DocuSign.

    3. Scope of audit

      1. The Chief Privacy Officer will determine the scope of an audit following a risk-based analysis, taking into account relevant criteria such as:

        1. areas of current regulatory focus;

        2. areas of specific or new risk for the business;

        3. areas with changes to the systems or processes used to safeguard information;

        4. use of innovative new tools, systems or technologies

        5. areas where there have been previous audit findings or complaints;

        6. the period since the last review; and

        7. the nature and location of the personal information processed.

      2. If a Customer exercises its right to audit DocuSign for compliance with the Processor Policy, the scope of the audit shall be limited to the data processing facilities, data files and documentation relating to DocuSign's processing of Personal Information for that Customer under the Processor Policy. DocuSign will not provide a Customer with access to systems which process personal information of another Customer.

    4. Auditors

      1. Audit of the Policies (including any related procedures and controls) will be undertaken by the internal audit team and/or the office of the Chief Privacy Officer. In addition, DocuSign may appoint independent and experienced professional auditors acting under a duty of confidence and in possession of the required professional qualifications as necessary to perform audits of the Policies (including any related procedures and controls).

      2. If a Customer exercises its right to audit DocuSign for compliance with the Processor Policy, such audit may be undertaken by that Customer, or by independent and suitably experienced auditors approved by that Customer, in accordance with the terms of the Customer's contract with DocuSign.

    5. Reporting

      1. Data protection audit reports must be submitted to the Office of the Chief Privacy Officer and, if the report reveals breaches or the potential for breaches of a serious nature (for example, presenting a risk of potential harm to individuals or to the business), to the Board of Directors.

      2. Upon request and subject to applicable law, DocuSign will:

        1. provide copies of the results of data protection audits of the Policies (including any related procedures and controls) to the competent data protection authorities; and

        2. to the extent that an audit of compliance with the Processor Policy relates to personal information DocuSign processes on behalf of a Customer, to that Customer.

      3. The Office of the Chief Privacy Officer is responsible for liaising with the competent data protection authorities for the purpose of providing the information outlined in paragraph 2.5.2.

    6. Data protection authority audits

      1. The competent data protection authorities audit group members for compliance with the Policies (including any related procedures and controls) in accordance with the Binding Corporate Rules: Cooperation Procedure (see Appendix 9).

Return to top

APPENDIX 8 - COMPLAINT HANDLING PROCEDURE

  1. Background

    1. DocuSign's "Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") safeguard personal information transferred between the DocuSign group members.

    2. This Complaint Handling Procedure describes how complaints brought by an individual whose personal information is processed by DocuSign under the Policies must be addressed and resolved.

    3. This procedure will be made available to individuals whose personal information is processed by DocuSign under the Controller Policy and to Customers on whose behalf DocuSign processes personal information under the Processor Policy.

  2. How individuals can bring complaints

    1. Any individuals may raise a data protection question, concern or complaint (whether related to the Policies or not) by e-mailing DocuSign’s Office of the Chief Privacy Officer at privacy@docusign.com.

  3. Complaints where DocuSign is a controller

    1. Who handles complaints?

      1. The Office of the Chief Privacy Officer will handle all questions, concerns, or complaints in respect of personal information for which DocuSign is a controller (such as personal information processed in the context of HR admin or customer relationship management), including questions, concerns or complaints arising under the Controller Policy. The Office of the Chief Privacy Officer will liaise with colleagues from relevant business and support units as necessary to address and resolve such questions, concerns and complaints.

    2. What is the response time?

      1. The Office of the Chief Privacy Officer will acknowledge receipt of a question, concern or complaint to the individual concerned without undue delay, investigating and making a substantive response within one (1) month.

      2. If, due to the complexity of the question, concern or complaint, a substantive response cannot be given within this period, the Office of the Chief Privacy Officer will advise the individual accordingly and provide reasons why an extension is necessary and a reasonable estimate (not exceeding two (2) months) of the timescale within which a substantive response will be provided.

      3. If, having reviewed the question, concern or complaint, the Office of the Chief Privacy Officer does not take action that has been requested by the individual, the Office of the Chief Privacy Officer shall inform the individual without delay and of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

    3. What happens if an individual disputes a finding?

      1. If the individual notifies the Office of the Chief Privacy Officer that it disputes any aspect of the response finding and wishes to further escalate the matter within DocuSign, the Office of the Chief Privacy Officer will refer the matter to the Chief Privacy Officer. The Chief Privacy Officer will review the case and advise the individual of his or her decision either to accept the original finding or to substitute a new finding. The Chief Privacy Officer will respond to the complainant within one (1) month from being notified of the escalation of the dispute.

      2. As part of its review, the Chief Privacy Officer may arrange to meet the parties to the dispute in an attempt to resolve it. If, due to the complexity of the dispute, a substantive response cannot be given within one (1) month of its escalation, the Chief Privacy Officer will advise the complainant accordingly and provide a reasonable estimate for the timescale within which a response will be provided which will not exceed two (2) months from the date the dispute was escalated.

      3. If the complaint is upheld, the Chief Privacy Officer will arrange for any necessary steps to be taken as a consequence (for example, implementing procedures to remedy the complaint and prevent recurrence).

  4. Complaints where DocuSign is a processor

    1. Communicating complaints to the Customer

      1. Where a complaint is brought in respect of the processing of personal information for which DocuSign is a processor on behalf of a Customer, DocuSign will communicate the details of the complaint to the relevant Customer without delay and without handling it (unless DocuSign has agreed in the terms of its contract with the Customer to handle complaints).

      2. DocuSign will cooperate with the Customer to investigate the complaint, in accordance with the terms of its contract with the Customer and if so instructed by the Customer.

    2. What happens if a Customer no longer exists?

      1. In circumstances where a Customer has disappeared, no longer exists or has become insolvent, and no successor entity has taken its place, individuals whose personal information are processed under the Processor Policy have the right to complain to DocuSign and DocuSign will handle such complaints in accordance with paragraph 3 of this Complaint Handling Procedure.

      2. In such cases, individuals also have the right to complain to a competent data protection authority and to file a claim with a court of competent jurisdiction, including where they are not satisfied with the way in which their complaint has been resolved by DocuSign. Such complaints and proceedings will be handled in accordance with paragraph 5 of this Complaint Handling Procedure.

  5. Right to complain to a competent data protection authority and to commence proceedings

    1. Overview

      1. Where individuals' personal information:

        1. are processed in Europe by a group member acting as a controller and/or transferred to a group member located outside Europe under the Controller Policy; or

        2. are processed in Europe by a group member acting as a processor and/or transferred to a group member located outside Europe under the Processor Policy;

        then those individuals have certain additional rights to pursue effective remedies for their complaints, as described below.

      2. The individuals described above have the right to complain to a competent data protection authority (in accordance with paragraph 5.2) and/or to commence proceedings in a court of competent jurisdiction (in accordance with paragraph 5.3), whether or not they have first complained directly to the Customer in question or to DocuSign under this Complaints Handling Procedure. However, DocuSign's endeavours to resolve all complaints amicably and directly, wherever possible, and for that reason encourages any individual with a complaint to contact the Office of the Chief Privacy Officer before complaining to a competent data protection authority and/or commencing proceedings.

      3. DocuSign accepts that complaints and claims made pursuant to paragraphs 5.2 and 5.3 may be lodged by a non-for-profit body, organisation or association acting on behalf of the individuals concerned.

    2. Complaint to a data protection authority

      1. If an individual wishes to complain about DocuSign’s processing of his or her personal information to a data protection authority, on the basis that a European group member has processed personal information in breach of the Policies or in breach of applicable data protection laws, he or she may complain about that European group member to the data protection authority in the European territory:

        1. of his or her habitual residence;

        2. of his or her place of work; or

        3. where the alleged infringement occurred.

      2. If an individual wishes to complain about DocuSign’s processing of his or her personal information to a data protection authority, on the basis that a non-European group member has processed personal information in breach of the Policies or in breach of applicable data protection laws, then DocuSign International (EMEA) Ltd will submit to the jurisdiction of the competent data protection authority (determined in accordance with paragraph 5.2.1 above) in place of that non-European group member, as if the alleged breach had been caused by the DocuSign International (EMEA) Ltd.

    3. Proceedings before a national court

      1. If an individual wishes to commence court proceedings against DocuSign, on the basis that a European group member has processed personal information in breach of the Policies or in breach of applicable data protection laws, then he or she may commence proceedings against that European group member in the European territory:

        1. in which that European group member is established; or

        2. of his or her habitual residence.

      2. If an individual wishes to commence court proceedings against DocuSign, on the basis that a non-European group member has processed personal information in breach of the Policies or in breach of applicable data protection laws, then DocuSign International (EMEA) Ltd will submit to the jurisdiction of the competent data court (determined in accordance with paragraph 5.3.1 above) in place of that non-European group member, as if the alleged breach had been caused by the DocuSign International (EMEA) Ltd.

An individual's right to lodge proceedings before a competent court shall be without prejudice to any administrative or non-judicial remedy available to that data subjects, including the right to lodge a complaint with a competent data protection authority.

Return to top

APPENDIX 9 - CO-OPERATION PROCEDURE

  1. Background

    1. DocuSign’s Binding Corporate Rules: Cooperation Procedure sets out the way in which DocuSign will cooperate with competent data protection authorities in relation to the "DocuSign Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy").

  2. Cooperation Procedure

    1. Where required, DocuSign will make the necessary personnel available for dialogue with a competent data protection authority in relation to the Policies.

    2. DocuSign will review, consider and implement:

      1. any advice or decisions of relevant competent data protection authorities on any data protection law issues that may affect the Policies; and

      2. any guidance published by data protection authorities (including the European Data Protection Board or any successor to it) in connection with Binding Corporate Rules for Processors and Binding Corporate Rules for Controllers.

    3. Subject to applicable data protection law, DocuSign will provide upon request copies of the results of any audit it conducts of the Policies to a competent data protection authority.

    4. DocuSign agrees that:

      1. a data protection authority may audit any group member over which it exercises jurisdiction for compliance with the Policies, in accordance with the applicable data protection law(s) of that jurisdiction; and

      2. a data protection authority may audit any group member who processes personal information for a Customer over which that data protection authority exercises jurisdiction for compliance with the Policies, in accordance with the applicable data protection law(s) of that jurisdiction and with full respect to the confidentiality of the information obtained and to the trade secrets of DocuSign (unless this requirement is in conflict with applicable data protection law).

    5. DocuSign agrees to abide by a formal decision of any competent data protection authority on any issues relating to the interpretation and application of the Policies (unless and to the extent that DocuSign is entitled to appeal any such decision and has chosen to exercise such right of appeal).

Return to top

APPENDIX 10 - UPDATING PROCEDURE

  1. Background

    1. DocuSign’s Binding Corporate Rules: Updating Procedure describes how DocuSign must communicate changes to the "Binding Corporate Rules: Controller Policy" ("Controller Policy") and to the "Binding Corporate Rules: Processor Policy" ("Processor Policy") (together the "Policies") to competent data protection authorities, individual data subjects, its Customers and to DocuSign group members bound by the Policies.

    2. The Chief Privacy Officer is accountable for ensuring that the commitments made by DocuSign in this Updating Procedure are met.

  2. Records keeping

    1. DocuSign must maintain a change log which sets out details of each and every revision made to the Policies, including the nature of the revision, the reasons for making the revision, the date the revision was made, and who authorised the revision.

    2. DocuSign must also maintain an accurate and up-to-date list of group members that are bound by the Policies and of the sub-processors appointed by DocuSign to process personal information on behalf of Customers. This information must be made available on request to competent data protection authorities and to Customers and individuals who benefit from the Policies.

    3. The Office of the Chief Privacy Officer shall be responsible for ensuring that the records described in this paragraph 2 are maintained and kept accurate and up-to-date.

  3. Changes to the Policies

    1. All proposed changes to the Policies must be reviewed and approved by the Chief Privacy Officer in order to ensure that a high standard of protection is maintained for the data protection rights of individuals who benefit from the Policies. No changes to the Policies shall take effect unless reviewed and approved by the Chief Privacy Officer.

    2. DocuSign will communicate all changes to the Policies (including reasons that justify the changes) or to the list of group members bound by the Policies:

      1. to the group members bound by the Policies via written notice (which may include e-mail or posting on an internal Intranet accessible to all group members);

      2. to Customers and the individuals who benefit from the Policies via online publication at www.docusign.com (and, if any changes are material in nature, DocuSign must also actively communicate the material changes to Customers before they take effect, in accordance with paragraph 4.2 below); and

      3. to the data protection authority that was the lead authority for the purposes of granting DocuSign’s BCR authorisation (“Lead Authority”), and any other relevant data protection authorities the Lead Authority may direct, at least once a year.

  4. Communication of material changes

    1. If DocuSign makes any material changes to the Policies or to the list of group members bound by the Policies that affect the level of protection offered by the Policies or otherwise significantly affect the Policies (for example, by making changes to the binding nature of the Policies), it will promptly report such changes (including the reasons that justify such changes) to the Lead Authority and all other DocuSign group members.

    2. If a proposed change to the Processor Policy will materially affect DocuSign’s processing of personal information on behalf of a Customer, DocuSign will also:

      1. actively communicate the proposed change to the affected Customer before it takes effect, and with sufficient notice to enable the affected Customer to raise objections; and

      2. the Customer may then suspend the transfer of personal information to DocuSign and/or terminate the contract, in accordance with the terms of its contract with DocuSign.

  5. Transfers to new group members

    1. If DocuSign intends to transfer personal information to any new group members under the Policies, it must first ensure that all such new group members are bound by the Policies before transferring personal information to them.

Return to top

APPENDIX 11 - GOVERNMENT DATA REQUEST PROCEDURE

  1. Introduction

    1. This Binding Corporate Rules: Government Data Request Procedure sets out DocuSign's procedure for responding to a request received from a law enforcement or other government authority (together the "Requesting Authority") to disclose personal information processed by DocuSign (hereafter "Data Disclosure Request"). The term "Data Disclosure Request" includes requests for voluntary disclosure of personal information, as well as compelled disclosure orders pursuant to a subpoena, warrant or court order.

    2. Where DocuSign receives a Data Disclosure Request, it will handle that Data Disclosure Request in accordance with this Procedure. If applicable data protection law(s) require a higher standard of protection for personal information than is required by this Procedure, DocuSign will comply with the relevant requirements of applicable data protection law(s).

  2. General principle on Data Disclosure Requests

    1. As a general principle, DocuSign does not disclose personal information in response to a Data Disclosure Request unless either:

      • it is under a compelling legal obligation to make such disclosure; or

      • taking into account the nature, context, purposes, scope and urgency of the Data Disclosure Request and the privacy rights and freedoms of any affected individuals, there is an imminent risk of serious harm that merits compliance with the Data Disclosure Requests in any event.

    2. For that reason, unless it is legally prohibited from doing so or there is an imminent risk of serious harm, DocuSign will notify and consult with the competent data protection authorities (and, where it processes the personal information on behalf of a Customer, the Customer) in order to address the Data Disclosure Request.

  3. Handling of a Data Disclosure Request

    1. Receipt of a Data Disclosure Request

      1. If a DocuSign Group Member receives a Data Disclosure Request, the recipient of the request must pass it to DocuSign's Office of the Chief Privacy Officer (or any other group or person within DocuSign's legal department as instructed by the Chief Privacy Officer) (the "Responsible Party") promptly upon receipt, indicating the date on which it was received together with any other information which may assist the Responsible Party to deal with the request.

      2. The request does not have to be made in writing, made under a Court order, or mention data protection law to qualify as a Data Disclosure Request. Any Data Disclosure Request, howsoever made, must be notified to the Office of the Chief Privacy Officer for review.

    2. Initial steps

      1. DocuSign's Responsible Party will carefully review each Data Disclosure Request on a case-by-case basis, and will liaise with the legal department as appropriate to deal with the request to determine the nature, context, purposes, scope and urgency of the Data Disclosure Request, as well as its validity under applicable laws, in order to identify whether action may be needed to challenge the Data Disclosure Request and/or to notify the Customer and competent data protection authorities in accordance with paragraph 4.

  4. Notice of a Data Disclosure Request

    1. Notice to the Customer

      1. If a request concerns personal information for which a Customer is the controller, DocuSign will ordinarily ask the Requesting Authority to make the Data Disclosure Request directly to the relevant Customer, and DocuSign will support the Customer in accordance with the terms of its contract to respond to the Data Disclosure Request.

      2. If this is not possible (for example, because the Requesting Authority declines to make the Data Disclosure Request directly to the Customer), DocuSign will notify and provide the Customer with the details of the Data Disclosure Request prior to disclosing any personal information, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.

    2. Notice to the competent data protection authorities

      1. If the Requesting Authority is located in a country that does not provide an adequate level of protection for the personal information in accordance with applicable data protection laws, then DocuSign will also put the Data Disclosure Request on hold in order to notify and consult with the competent data protection authorities, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.

      2. Where DocuSign is prohibited from notifying the competent data protection authorities and suspending the Data Disclosure Request, DocuSign will use its best efforts (taking into account the nature, context, purposes, scope and urgency of the request) to inform the Requesting Authority about its obligations under applicable data protection law and to obtain the right to waive this prohibition. Such efforts may include asking the Requesting Authority to put the Data Disclosure Request on hold so that DocuSign can consult with the competent data protection authorities, which may also, in appropriate circumstances, include seeking a court order to this effect. DocuSign will maintain a written record of the efforts it takes.

  5. Transparency reports

    1. DocuSign commits to preparing an annual report (a Transparency Report), which reflects to the extent permitted by applicable laws, the number and type of Data Disclosure Requests it has received for the preceding year and the Requesting Authorities who made those requests. DocuSign shall make this report available upon request to competent data protection authorities.

  6. Bulk transfers

    1. In no event will any Group Member transfer personal information to a Requesting Authority in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society.

APPENDIX 12 - TRANSFER IMPACT ASSESSMENT POLICY

  1. Background 

    1. DocuSign’s Binding Corporate Rules: Transfer Impact Assessment Policy ("Transfer Impact Assessment Policy") describes how DocuSign will ensure adequate protection for personal information that is subject to European data protection laws when it transfers such personal information internationally under its "Binding Corporate Rules: Controller Policy" ("Controller Policy") and "Binding Corporate Rules: Processor Policy" ("Processor Policy") (together the "Policies").

    2. It sets out DocuSign's procedure for conducting Transfer Impact Assessments and promptly notifying any transfer risks in accordance with Applicable Data Protection Laws.

    3. The procedures and evaluations undertaken pursuant to this Transfer Impact Assessment Policy, in particular those contained in paragraph 3.4, should be conducted based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) GDPR, are not in contradiction with the Policies.

    4. Any capitalised terms or expressions used in this Transfer Impact Assessment Policy have the same meanings given in the Policies.

  2. Data transfer compliance

    1. European data protection laws prohibit international transfers of personal information from Europe to third countries that do not provide an adequate level of protection ("Non-Adequate Country") unless appropriate safeguards are implemented to ensure the transferred data remains protected to the standard required under European law. This includes transfers of personal information to DocuSign group members who are subject to the Policies, and transfers (and onward transfers) from DocuSign group members to third parties who are not subject to the Policies. 

    2. In addition, as a processor and always in accordance with Rule 2 of the Processor Policy, DocuSign will also comply with our Customers’ documented instructions in respect of any international transfers of personal information. 

    3. Whenever a DocuSign group member transfers personal information internationally, or onward transfers personal information to third parties, providing such assistance in a reasonable time and to the extent reasonably possible, DocuSign's designated representative(s) (as instructed by the Office of the Chief Privacy Officer) (the "Responsible Party") will be consulted so that they can ensure appropriate safeguards have been implemented to protect the personal information being transferred and, where necessary, a Transfer Impact Assessment has been conducted (as described below in paragraph 3).  

    4. DocuSign group members may transfer personal information or onward transfer personal information internationally, only where measures necessary to comply with: (a) applicable Customers’ documented instructions in the terms of the applicable agreement with a Customer; and (b) the requirements of Applicable Data Protection Laws with respect to international transfers or onward transfers of personal information have been satisfied.      

  3. Transfer Impact Assessments 

    1. Where the GDPR applies to the personal information that will be transferred (or onward transferred), then before a transferring DocuSign group member (a “Data Transferor”) makes an international transfer (or onward transfer) of personal information that is subject to European data protection laws to a recipient group member or third party data recipient (a “Data Recipient”) located in a Non-Adequate Country, the Responsible Party will coordinate with the Data Transferor to undertake a risk assessment of such proposed transfer to confirm no material conflict between the laws and practices in the Non-Adequate Country where the Data Recipient will process the personal information (including any requirements to disclose personal information to public authorities or measures authorising access by public authorities), and DocuSign’s obligations under the Policies (a “Transfer Impact Assessment”).

    2. The Responsible Party will liaise with the Data Transferor and Data Recipient as necessary to conduct the Transfer Impact Assessment, and shall keep DocuSign International (EMEA) Ltd informed of the Transfer Impact Assessment and its findings.

    3. No international transfer (or onward transfer) of personal information may take place to a Non-Adequate Country unless:

      A. Transfer Impact Assessment has been conducted; and 

      B. any additional safeguards that are identified as necessary pursuant to the Transfer Impact Assessment to protect the transfer of personal information to the Data Recipient have been implemented by the Data Transferor and Data Recipient. 

      Factors to consider for Transfer Impact Assessments 

    4. The Transfer Impact Assessment should take into account the following elements:

      A. the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used, any intended onward transfers, the type of recipient, the purpose of processing, the categories and format of the transferred personal information, the economic sector in which the transfer occurs and the storage location of the data transferred;

      B. the laws and practices of the Non-Adequate Country destination (including those requiring the disclosure of data to public authorities or authorising access by such authorities, as well as those providing for access to these data during the transit between the country of the Data Transferor and the Non-Adequate Country ), relevant in light of the specific circumstances of the transfer and the applicable limitations and safeguards; and

      C. any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under the Policies, including measures applied during transmission and to the processing of the personal information in the country of destination.

      Laws and practices of third country of destination 

    5. As regards the impact of the laws and practices of the Non-Adequate Country on compliance with the Policies, different factors may be considered as part of an overall assessment. Such factors may include, for example, the Data Recipient's practical experience with prior instances of disclosure requests from public authorities, or the absence of such requests. This may be drawn from internal records or other documentation, provided that this information can be lawfully shared with third parties. 

    6. Where this practical experience is relied upon to conclude that the Data Recipient will not be prevented from complying with the requirements of the Policies, such conclusion needs to be supported with relevant, objective evidence (including that mentioned in Section 3.5 above), and it is for the Responsible Party, the Data Transferor and Data Recipient to assess whether the sufficiency of this evidence, in terms of their reliability and representativeness, supports the conclusion. 

    7. In particular, the Responsible Party, the Data Transferor and Data Recipient will take into account whether upon reasonable diligence, the practical experience is corroborated and not contradicted by publicly available or otherwise accessible and reliable information regarding the application of the laws in practice, such as case law and reports by independent oversight bodies.

      Findings of Transfer Impact Assessments 

    8. The Responsible Party will keep other relevant DocuSign group members informed about the findings of the Transfer Impact Assessment, so that, if required, they can apply any identified additional safeguards determined to be necessary in respect of any identical or similar subsequent transfers they make. 

    9. Where the Transfer Impact Assessment concludes that it is not possible to implement additional safeguards to ensure the Data Recipient’s processing in the Non-Adequate Country will be compatible with the requirements of the Policies, then the Responsible Party will inform the Data Transferor (and other relevant group members) that they should not  proceed with any such transfer of personal information where effective supplementary measures could not be put in place and in such circumstances the transfers at stake will be suspended or ended. 

      Information and cooperation

    10. If the Data Recipient is a group member, the Data Recipient will use its best efforts to cooperate with the Responsible Party and the Data Transferor to ensure compliance with the requirements of the Policies throughout the duration of the transfer and subsequent processing. 

    11. If the Data Recipient is not a group member (i.e. if it is a third party data recipient), the Responsible Party and the Data Transferor will exercise appropriate diligence to ensure that the Data Recipient will continue to provide such cooperation, including where appropriate by seeking documented assurances from the Data Recipient. 

    12. The Responsible Party and the Data Transferor will coordinate with the Data Recipient to document the Transfer Impact Assessment as well as documenting any supplementary measures selected and implemented in relation to such transfers and to make these available to the competent data protection authority, and, where applicable, the Customer, on request.

  4. Transfer Risk Notifications 

    1. If the Data Recipient is a DocuSign group member, the Data Recipient will notify the Responsible Party and the Data Transferor promptly if, at any time during which it transfers, receives or processes personal information, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements of the Policies, including following a change in the laws of the Non-Adequate Country where it transfers, receives or processes personal information or a measure (such as a disclosure request) indicating an application of such laws in practice is not in line with the Policies (a “Transfer Risk Notification”). 

    2. When located in an EU Member State, the Data Transferor or Responsible Party will take reasonable steps to monitor, on an ongoing basis, and where appropriate in collaboration with Data Recipients, developments in the Non-Adequate Country to which the Data Transferor has transferred personal information that could affect the initial assessment of the level of protection and the decisions taken accordingly on such transfers and in particular in relation to developments that may affect the outcome of the Transfer Impact Assessment.

    3. If the Data Recipient is not a group member (i.e. if it is a third party data recipient), the Responsible Party and the Data Transferor will exercise appropriate diligence to ensure that the Data Recipient will provide any such Transfer Risk Notification to the Data Transferor as contemplated in clause 4.1 above, including where appropriate by seeking documented assurances from the Data Recipient. 

    4. Following receipt of a Transfer Risk Notification from the Data Recipient, or if the Responsible Party or the Data Transferor otherwise have reason to believe that the Data Recipient’s processing is not in line with (or is at risk of coming out of line) with the  Policies, the Data Transferor upon consulting the Responsible Party will promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the Data Transferor and Data Recipient to address the situation, if appropriate in consultation with the Controller. 

    5. The Responsible Party will instruct the Data Transferor to suspend the transfer if it considers that appropriate safeguards for such transfer cannot be ensured, or if the Responsible Party is informed that a competent data protection authority or the applicable Controller has instructed suspension of such transfer. 

    6. In this case, the Data Transferor will be entitled to terminate its transfers of personal information to the Data Recipient, insofar as it concerns the processing of personal information under the Policies (in which event, the Data Recipient will be instructed by the Data Transferor to return or destroy the personal information it received). The Responsible Party will inform other relevant DocuSign group members in such cases.

    7. If the Data Transferor transfers personal information to two or more Data Recipients, the Data Transferor may exercise this right to terminate only with respect to the relevant Data Recipient.

Return to top