2026 compliance guide

Electronic signature and GDPR: guide for DPOs

Adopting an electronic signature solution raises several GDPR questions: where is data hosted? Who can access it? Is there a Cloud Act risk? This guide answers these questions and explains how to choose a GDPR-compliant solution for your organisation.

What personal data does a signature solution process?

An electronic signature platform processes several categories of personal data.

  • Signatory identity: surname, first name, email, telephone number
  • Document content: potentially sensitive personal data (employment contracts, health data, financial data)
  • Audit trail data: IP address, timestamp, user-agent
  • Behavioural data: handwritten signature trace on tablet (if biometric QES)

Hosting and transfers outside the EU

GDPR allows personal data to be transferred outside the EU only to countries offering an adequate level of protection or under appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules). For signature solutions, this means:

  • EU hosting → no transfer outside the EU, no additional formalities
  • US hosting with SCCs → possible, but a residual Cloud Act risk remains
  • US legal entity (Cloud Act) → a risk that cannot be eliminated, even with EU hosting

US Cloud Act and electronic signature

The Cloud Act (2018) authorises US authorities to access data hosted by US law entities, even if that data is stored in Europe. DocuSign, Adobe Sign and Dropbox Sign are US companies subject to the Cloud Act. Certyneo is a French entity, not subject to this extraterritoriality.

Cloud Act risk level by solution

  Solution              Cloud Act risk level
  Certyneo              No risk (French entity)
  Yousign               No risk (French entity)
  DocuSign              Residual risk (US entity)
  Adobe Acrobat Sign    Residual risk (US entity)
  Dropbox Sign          Residual risk (US entity)

DPA and legal bases

Data processing by an electronic signature solution must be based on a valid legal basis (contract, legitimate interest, or consent). A Data Processing Agreement (DPA) must be concluded with the signature provider. Certyneo offers a GDPR-compliant DPA, electronically signable, with the elements required by GDPR Article 28.

Recommendations for DPOs

  1. Choose a provider whose legal entity is domiciled in the EU or the United Kingdom (post-Brexit, covered by an adequacy decision)
  2. Verify that hosting is exclusively in the EU, with no replication to servers outside the EU
  3. Obtain and sign a DPA compliant with Article 28 of GDPR
  4. Document the impact assessment (DPIA) if the documents you sign contain sensitive data
  5. Check the data retention period and the deletion policy at the end of the contract

GDPR questions on electronic signature

Does an electronic signature involve personal data processing?
Yes. The signatory's email, name, and potentially telephone number are collected. Document content may also contain personal data. The signature provider is a processor under GDPR, subject to Article 28 obligations.
Is DocuSign GDPR compliant?
DocuSign states that it is GDPR compliant and offers SCCs. However, as a US company, it remains subject to the Cloud Act. The CNIL has pointed out that the Cloud Act creates a risk that cannot be eliminated for European data hosted by US entities, even when the data is stored in the EU.
Is Certyneo GDPR compliant?
Yes. Certyneo is a French entity, hosted in the EU (IONOS Germany), not subject to the Cloud Act. Data is encrypted in transit (TLS 1.3) and at rest. Certyneo offers a DPA compliant with Article 28 of GDPR.
Must a DPIA be carried out for the use of a signature solution?
A DPIA is not systematically required for standard use of electronic signature. It becomes necessary if you sign documents containing sensitive data (health data, HR documents with trade union data, etc.) or if your use of signature involves profiling or large-scale monitoring.