General Data Protection Regulation and DocuSign

The General Data Protection Regulation (GDPR) represents the most important data protection regulation change in over 20 years. The GDPR aims to strengthen data protection for individuals within the EU, giving them greater say over what companies can do with the personal data that has been collected on them and making data privacy rules uniform for businesses handling EU personal data.

How DocuSign protects privacy under GDPR

As an organization focused on trust and careful handling of customer data, DocuSign has been committed to privacy since inception. Our strong compliance culture and robust security safeguards, which are reflected in our ISO 27001 certification, provide a solid foundation for ongoing GDPR compliance efforts:

  • We actively monitor regulatory guidance and interpretations of key GDPR requirements to inform our ongoing efforts, and we continually review our data protection program to ensure compliance
  • We leverage DocuSign’s approved Binding Corporate Rules (BCRs) and supporting documentation as noted below
  • We continue to provide trust assurance despite any regulatory changes, like Brexit

Europe’s data transfer restrictions and the role of BCRs

The EU has some of the strictest and most comprehensive data export requirements in the world. European data protection laws prohibit the transfer of personal data from the European Economic Area (EEA) to countries outside of the EEA that don’t ensure an "adequate level of data protection." Binding Corporate Rules (BCRs) are one mechanism for lawful exports and are ideal for multinational companies.

Considered the gold standard for data protection, BCRs are a strict set of rules for the members of the corporate family. BCRs are recognized under the GDPR as a mechanism to protect the privacy and fundamental rights and freedoms of European data subjects and to permit lawful transfer of data outside of the EEA. For more information, visit Binding Corporate Rules and DocuSign.

Data breach notification under the GDPR

As required under GDPR Article 33(2), the processor (DocuSign) will notify the controller (Customer) “without undue delay” after becoming aware of a personal data breach.

In the event of a data breach requiring notification to customers, DocuSign will identify one or more methods of communication to efficiently alert affected customers. We also post a wealth of information relevant to the status and integrity of our service to the DocuSign Trust Center. Interested customers should consider subscribing to the Trust Center’s alert and updates feed.

Contractual protections under the GDPR

DocuSign provides customers with additional data processing terms as required under GDPR, including the obligation to secure protections from any subprocessor.

Statement on Brexit

The transition period associated with the United Kingdom’s exit from the European Union runs until the end of 2020. During the transition, European Union law continues to apply in the United Kingdom, so there are no changes to DocuSign’s current policies and practices in relation to data transfers and privacy compliance at this time with respect to Brexit.

DocuSign will continue to actively monitor the ongoing Brexit situation and will provide additional information once formal guidance is issued by the EU and UK on the matter.