General Data Protection Regulation and DocuSign

Approved and adopted by the European Union (EU) Parliament in April 2016, the General Data Protection Regulation (GDPR) represents the most important data protection regulation change in over 20 years. This new regulation aims to strengthen data protection for individuals within the EU, giving them greater say over what companies can do with the data that has been collected on them and making data privacy rules as uniform as possible for businesses throughout the EU.

As of May 25, 2018, all companies processing and holding the personal data of individuals residing in the EU must comply with GDPR, regardless of location.

How DocuSign protects privacy under GDPR

As an organization focused on trust and careful handling of customer documents, DocuSign has been committed to privacy since inception. Our strong compliance culture and robust security safeguards, which are reflected in our ISO 27001 certification, provide a solid foundation for ongoing GDPR compliance efforts:

  • We actively monitor regulator guidance and interpretations of key GDPR requirements to inform our ongoing efforts, and we continually review our data protection program to ensure compliance.
  • DocuSign’s GDPR compliance efforts also leverage DocuSign’s approved Binding Corporate Rules (BCRs) and supporting documentation as noted below.

Europe’s data transfer restrictions and the role of BCRs

The EU has some of the strictest and most comprehensive data export requirements in the world. European data protection laws prohibit the transfer of personal data from the European Economic Area (EEA) to countries outside of the EEA that don’t ensure an "adequate level of data protection." BCRs are one mechanism for lawful exports and are ideal for multinational companies.

Considered the gold standard for data protection, Binding Corporate Rules (BCRs) are a strict set of rules for the members of the corporate family. They’re recognized under current data protection law and the GDPR as a mechanism to protect the privacy and fundamental rights and freedoms of European data subjects and to permit lawful transfer of data outside of the EEA. For more information, visit Binding Corporate Rules and DocuSign.