Certyneo
2026 compliance guide

Electronic signature and GDPR: guide for DPOs

Adopting an electronic signature solution raises several GDPR questions: where is the data hosted? Who can access it? Is there a Cloud Act risk? This guide answers these questions and explains how to choose a solution compliant with GDPR for your organisation.

What personal data does a signature solution process?

An electronic signature platform processes several categories of personal data.

  • Signatory identity: name, surname, email, phone number
  • Document content: potentially sensitive personal data (employment contracts, health data, financial data)
  • Audit trail data: IP address, timestamp, user-agent
  • Behavioural data: handwritten signature trace on tablet (if biometric QES)

Hosting and transfers outside the EU

GDPR requires that personal data be transferred outside the EU only to countries offering an adequate level of protection or under appropriate safeguards (SCCs, BCRs). For signature solutions, this means:

  • EU hosting → no third-country transfer, no additional formalities
  • US hosting with SCCs → possible but residual Cloud Act risk
  • US entity (Cloud Act) → non-removable risk even with EU hosting

US Cloud Act and electronic signature

The Cloud Act (2018) authorises US authorities to access data held by entities subject to US law, even if that data is stored in Europe. DocuSign, Adobe Sign and Dropbox Sign are US companies subject to the Cloud Act. Certyneo is a French entity, not subject to this extraterritoriality.

Cloud Act risk level by solution

  Solution            | Cloud Act risk level
  --------------------|------------------------------
  Certyneo            | No risk — French entity
  Yousign             | No risk — French entity
  DocuSign            | Residual risk — US entity
  Adobe Acrobat Sign  | Residual risk — US entity
  Dropbox Sign        | Residual risk — US entity

DPA and legal bases

Data processing by a signature solution must be based on a valid legal basis (contract, legitimate interest, or consent). A Data Processing Agreement (DPA) must be concluded with the signature provider. Certyneo offers a GDPR-compliant DPA, electronically signable, with the elements required by Article 28 of the GDPR.

Recommendations for DPOs

  1. Choose a provider whose legal entity is domiciled in the EU or the United Kingdom (post-Brexit, covered by an adequacy decision)
  2. Verify that hosting is exclusively in the EU, with no replication to servers outside the EU
  3. Obtain and sign a DPA compliant with Article 28 of GDPR
  4. Document the impact assessment (DPIA) if you process sensitive data in your documents
  5. Verify data retention periods and the deletion policy at end of contract

GDPR questions on electronic signature

Does electronic signature involve processing of personal data?
Yes. The signatory's email, name, and potentially phone number are collected. Document content may also contain personal data. The signature provider is a processor under GDPR, subject to Article 28 obligations.
Is DocuSign GDPR-compliant?
DocuSign claims to be GDPR-compliant and offers SCCs. However, as a US company, it remains subject to the Cloud Act. The CNIL has pointed out that the Cloud Act creates a non-removable risk for European data hosted by US entities, even when the data is stored in the EU.
Is Certyneo GDPR-compliant?
Yes. Certyneo is a French entity, hosted in the EU (IONOS Germany), not subject to the Cloud Act. Data is encrypted in transit (TLS 1.3) and at rest. Certyneo offers a DPA compliant with Article 28 of GDPR.
Is a DPIA required for using a signature solution?
A DPIA is not systematically required for standard electronic signature. It becomes necessary if you sign documents containing sensitive data (health, HR with union data, etc.) or if your signature use involves profiling or large-scale monitoring.