2026 Compliance Guide

Electronic signature and GDPR: guide for DPOs

The adoption of an electronic signature solution raises several GDPR questions: where is the data hosted? Who can access it? Is there a Cloud Act risk? This guide answers these questions and explains how to choose a GDPR-compliant solution for your organisation.


What personal data does an electronic signature solution process?

An electronic signature platform processes several categories of personal data.

  • Signatory identity: name, surname, email, phone number
  • Document content: potentially sensitive personal data (employment contracts, health data, financial data)
  • Audit trail data: IP address, timestamp, user-agent
  • Behavioural data: handwritten signature trace on tablet (if biometric QES)

Hosting and transfers outside the EU

GDPR permits personal data to be transferred outside the EU only to countries offering an adequate level of protection, or under appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules). For signature solutions, this means:

  • EU hosting → no international transfer, so no additional formalities
  • US hosting with SCCs → possible, but a residual Cloud Act risk remains
  • US entity (Cloud Act) → a risk that cannot be eliminated, even with EU hosting

US Cloud Act and electronic signature

The Cloud Act (2018) authorises US authorities to access data held by entities governed by US law, even when that data is stored in Europe. DocuSign, Adobe Sign and Dropbox Sign are US companies subject to the Cloud Act. Certyneo is a French entity and is not subject to this extraterritorial reach.

Cloud Act risk level by solution

  Solution             Cloud Act risk level
  Certyneo             No risk — French entity
  Yousign              No risk — French entity
  DocuSign             Residual risk — US entity
  Adobe Acrobat Sign   Residual risk — US entity
  Dropbox Sign         Residual risk — US entity

DPA and legal bases

Data processing by a signature solution must rest on a valid legal basis (performance of a contract, legitimate interest, or consent). A Data Processing Agreement (DPA) must be concluded with the signature provider. Certyneo offers a GDPR-compliant DPA, signable electronically, containing the elements required by GDPR Article 28.

Recommendations for DPOs

  1. Choose a provider whose legal entity is based in the EU or the United Kingdom (post-Brexit, covered by an adequacy decision)
  2. Verify that hosting is exclusively in the EU, with no replication to servers outside the EU
  3. Obtain and sign a DPA compliant with Article 28 of GDPR
  4. Document the impact assessment (DPIA) if you process sensitive data in your documents
  5. Verify the data retention period and the deletion policy at the end of the contract

GDPR questions on electronic signature

Does electronic signature involve processing personal data?
Yes. The signatory's email, name, and potentially phone number are collected. The content of documents may also contain personal data. The signature provider is a processor within the meaning of GDPR, subject to the obligations of Article 28.
Is DocuSign GDPR-compliant?
DocuSign states that it is GDPR-compliant and offers SCCs. However, as a US company, it remains subject to the Cloud Act. The CNIL has recalled that the Cloud Act creates a risk that cannot be eliminated for European data hosted by US entities, even when the data is stored in the EU.
Is Certyneo GDPR-compliant?
Yes. Certyneo is a French entity, hosted in the EU (IONOS Germany), not subject to the Cloud Act. Data is encrypted in transit (TLS 1.3) and at rest. Certyneo offers a DPA compliant with Article 28 of GDPR.
Must a DPIA be carried out for using an electronic signature solution?
A DPIA is not systematically required for standard electronic signature. It becomes mandatory if you sign documents containing sensitive data (health, HR with trade union data, etc.) or if your signature use involves profiling or large-scale monitoring.