General Data Protection Regulation and DocuSign

The General Data Protection Regulation (GDPR) represents the most important data protection regulation change in over 20 years. The GDPR aims to strengthen data protection for individuals within the EU, giving them greater say over what companies can do with the personal data that has been collected on them and making data privacy rules uniform for businesses handling EU personal data.

How DocuSign protects privacy under GDPR

As an organization focused on trust and careful handling of customer data, DocuSign has been committed to privacy since inception. Our strong compliance culture and robust security safeguards, which are reflected in our ISO 27001 certification, provide a solid foundation for ongoing GDPR compliance efforts:

  • We actively monitor regulatory guidance and interpretations of key GDPR requirements to inform our ongoing efforts, and we continually review our data protection program to ensure compliance
  • We leverage DocuSign’s approved Binding Corporate Rules (BCRs) and supporting documentation as noted below
  • We continue to provide trust assurance despite any regulatory changes, like Brexit


Europe’s data transfer restrictions and the role of BCRs

The EU has some of the strictest and most comprehensive data export requirements in the world. European data protection law restricts the transfer of personal data from the European Economic Area (EEA) to countries outside the EEA that have not been found to ensure an "adequate level of data protection"; such transfers are permitted only where an appropriate safeguard is in place. Binding Corporate Rules (BCRs) are one such safeguard for lawful exports and are well suited to multinational companies that move data within their own corporate group.

Considered the gold standard for data protection, BCRs are a strict set of rules for the members of the corporate family. BCRs are recognized under the GDPR as a mechanism to protect the privacy and fundamental rights and freedoms of European data subjects and to permit lawful transfer of data outside of the EEA. For more information, visit Binding Corporate Rules and DocuSign.

Data breach notification under the GDPR

As required under GDPR Article 33(2), the processor (DocuSign) will notify the controller (Customer) "without undue delay" after becoming aware of a personal data breach.

In the event of a data breach requiring notification to customers, DocuSign will identify one or more methods of communication to efficiently alert affected customers. We also post a wealth of information relevant to the status and integrity of our service to the DocuSign Trust Center. Interested customers should consider subscribing to the Trust Center’s alert and updates feed.

Contractual protections under the GDPR

DocuSign provides customers with additional data processing terms as required under the GDPR, including the obligation to impose the same data protection obligations on any subprocessor that DocuSign engages.

Statement on Brexit

The transition period associated with the United Kingdom’s exit from the European Union runs until the end of 2020. During the transition, European Union law continues to apply in the United Kingdom, so there are no changes to DocuSign’s current policies and practices in relation to data transfers and privacy compliance at this time with respect to Brexit.

DocuSign will continue to actively monitor the ongoing Brexit situation and will provide additional information once formal guidance is issued by the EU and UK on the matter.

Statement on Privacy Shield (July 2020)

DocuSign has been monitoring the progress of the European Court of Justice's review of the US-EU Privacy Shield framework. DocuSign remains committed to complying with our European privacy obligations for data transfers to the US. We have been meeting those obligations under our approved Binding Corporate Rules (BCRs) rather than the Privacy Shield framework, so we are less affected by the Court's decision of July 16, 2020 striking down Privacy Shield. We are continuing to monitor this development to the extent it may affect any ongoing DocuSign data processing obligations. With respect to the EU-US Privacy Shield certification held by our SpringCM business, we were already taking steps to bring that business under our approved BCRs, and we plan to complete that work in the near term.