General Data Protection Regulation and DocuSign

The General Data Protection Regulation (GDPR) represents the most important data protection regulation change in over 20 years. The GDPR aims to strengthen data protection for individuals within the EU, giving them greater say over what companies can do with the personal data that has been collected on them and making data privacy rules uniform for businesses handling EU personal data.

How DocuSign protects privacy under GDPR

As an organization focused on trust and careful handling of customer data, DocuSign has been committed to privacy since inception. Our strong compliance culture and robust security safeguards, which are reflected in our ISO 27001 certification, provide a solid foundation for ongoing GDPR compliance efforts:

  • We actively monitor regulatory guidance and interpretations of key GDPR requirements to inform our ongoing efforts, and we continually review our data protection program to ensure compliance
  • We leverage DocuSign’s approved Binding Corporate Rules (BCRs) and supporting documentation as noted below
  • We continue to provide trust assurance despite any regulatory changes, like Brexit

how docusign protects

Europe’s data transfer restrictions and the role of BCRs

The EU has some of the strictest and most comprehensive data export requirements in the world. European data protection laws prohibit the transfer of personal data from the European Economic Area (EEA) to countries outside of the EEA that don’t ensure an "adequate level of data protection." Binding Corporate Rules (BCRs) are one mechanism for lawful exports and are ideal for multinational companies.

Considered the gold standard for data protection, BCRs are a strict set of rules for the members of the corporate family. BCRs are recognized under the GDPR as a mechanism to protect the privacy and fundamental rights and freedoms of European data subjects and to permit lawful transfer of data outside of the EEA. For more information, visit Binding Corporate Rules and DocuSign.

Data breach notification under the GDPR

As required under GDPR Article 33 (2), the processor (DocuSign) will notify the controller (Customer) “without undue delay” after becoming aware of a personal data breach.

In the event of a data breach requiring notification to customers, DocuSign will identify one or more methods of communication to efficiently alert affected customers. We also post a wealth of information relevant to the status and integrity of our service to the DocuSign Trust Center. Interested customers should consider subscribing to the Trust Center’s alert and updates feed.

Contractual protections under the GDPR

DocuSign provides customers with additional data processing terms as required under GDPR, including the obligation to secure protections from any subprocessor.

Statement on Brexit

The transition period associated with the United Kingdom’s exit from the European Union runs until the end of 2020. During the transition, European Union law continues to apply in the United Kingdom, so there are no changes to DocuSign’s current policies and practices in relation to data transfers and privacy compliance at this time with respect to Brexit.

DocuSign will continue to actively monitor the ongoing Brexit situation and will provide additional information once formal guidance is issued by the EU and UK on the matter.

Statement on EU-US data transfers Post-Schrems II Decision (October 2020)

DocuSign remains committed to complying with our European privacy obligations for data transfers to the US, even with the invalidation of the US-EU Privacy Shield framework by the Court of Justice of the European Union (CJEU) on July 16, 2020 (Schrems II Decision).

We hold ourselves to fundamental privacy principles that are reflected in us having obtained Binding Corporate Rules (BCRs) in 2018. This ultimately served to not only provide a transparent approach to privacy, but also limited the impact of the CJEU’s Schrems II Decision to our business. Nonetheless, as we strive to evaluate additional ways to refine our approach to fundamental privacy principles, we are continuing to monitor the latest developments to the extent they may affect any ongoing DocuSign data processing obligations. For our previously acquired SpringCM business that had been certified under EU-US Privacy Shield, we have now completed the migration of that business’ program to now also operate under our BCRs.

Of critical import, we hold in the highest regard our role as a trusted service provider to our customers. DocuSign does not sell, rent or trade customers’ personal data. When we access data hosted in the EU, it is in service to our customers, including providing them technical support for their most critical issues, delivering the right security solutions or optimizing or enhancing their experience. 

Regarding the CJEU’s ruling involving Standard Contractual Clauses (SCCs) and BCRs as remaining legitimate data transfer mechanisms, we take this opportunity to highlight that we adhere to the following key measures as a data importer:

  1. Supplier screening. With data subprocessors and other suppliers, we employ a screening process to understand and obtain assurances around our supplier’s privacy policies and practices. Additionally, as a matter of standard practice, we use SCCs as the relevant data transfer mechanism with our suppliers.
  2. Privacy by design. Our product architectures are designed with privacy in mind, supporting data residency features to keep EU data in the EU.  For more information on this, please see https://www.docusign.com/content/data-residency.
  3. Product security measures. We implement encryption in transit and encryption at rest in securing and protecting your data. For more information about DocuSign product security, see https://www.docusign.com/trust/security/product-security.
  4. Safeguards with governmental requests. We have established, documented internal procedures for responding to search warrants, subpoenas, governmental orders and similar data requests. In order to promote transparency regarding our practices, we published our policies for responding to governmental requests and our BCRs on our website. 

We diligently adhere to and follow these practices when responding to search warrants, subpoenas, governmental orders and similar data requests directed to DocuSign.

As the privacy landscape continues to evolve and change to meet the needs of the digital age, we are closely monitoring EU supervisory authorities and await further guidance from them in order to determine how best to comply with the new legal landscape after the Schrems II Decision. We’re poised and ready to address the supplementary measures beyond what we already have in place to assure adequate protections for data transferred out of the EU. 

The CJEU’s ruling on the Privacy Shield changes little regarding the utmost importance DocuSign places on the privacy and security of our customers’ data. To this end, we maintain a security and privacy program, which is outlined in detail throughout this Trust Center. We remain committed to maintaining levels of privacy and security for our customers to reaffirm the trust that they have placed in DocuSign, and will continue to affect enhancements in these areas to continue to meet our privacy commitments to them, our partners and the broader community around us. 

For more information about our privacy program and our privacy commitments, please email privacy@docusign.com.