Certyneo
2026 Compliance Guide

Electronic signature and GDPR: guide for DPOs

Adopting an electronic signature solution raises several GDPR questions: where is data hosted? Who can access it? Is there a Cloud Act risk? This guide answers these questions and explains how to choose a GDPR-compliant solution for your organization.


What personal data does a signature solution process?

An electronic signature platform processes several categories of personal data.

  • Signatory identity: name, first name, email, phone number
  • Document content: potentially sensitive personal data (employment contracts, health data, financial data)
  • Audit trail data: IP address, timestamp, user-agent
  • Behavioral data: handwritten signature trace on tablet (if biometric QES)

Hosting and transfers outside the EU

GDPR requires that personal data be transferred outside the EU only to countries offering an adequate level of protection or under appropriate safeguards (SCCs, BCRs). For signature solutions, this means:

  • EU hosting → no international transfer, no additional formalities
  • US hosting with SCCs → possible but residual Cloud Act risk
  • US entity (Cloud Act) → non-eliminable risk even with EU hosting

US Cloud Act and electronic signature

The Cloud Act (2018) authorizes US authorities to access data hosted by US-incorporated companies, even if that data is stored in Europe. DocuSign, Adobe Sign, and Dropbox Sign are US companies subject to the Cloud Act. Certyneo is a French entity, not subject to this extraterritoriality.

Cloud Act risk level by solution

  Solution              Cloud Act risk level
  Certyneo              No risk — French entity
  Yousign               No risk — French entity
  DocuSign              Residual risk — US entity
  Adobe Acrobat Sign    Residual risk — US entity
  Dropbox Sign          Residual risk — US entity

DPA and legal bases

Data processing by a signature solution must be based on a valid legal ground (contract, legitimate interest, or consent). A Data Processing Agreement (DPA) must be signed with the signature provider. Certyneo offers a GDPR-compliant DPA, electronically signable, with elements required by GDPR Article 28.

Recommendations for DPOs

  1. Choose a provider whose legal entity is domiciled in the EU or in the United Kingdom (which benefits from a post-Brexit adequacy decision)
  2. Verify that hosting is exclusively in the EU, with no replication to servers outside the EU
  3. Obtain and sign a DPA compliant with GDPR Article 28
  4. Document the impact assessment (DPIA) if the documents you sign contain sensitive data
  5. Verify the data retention period and the deletion policy at the end of the contract

GDPR questions on electronic signature

Does electronic signature involve personal data processing?
Yes. The signatory's email, name, and potentially phone number are collected. Document content may also contain personal data. The signature provider is a processor under GDPR, subject to Article 28 obligations.
Is DocuSign GDPR compliant?
DocuSign claims GDPR compliance and offers SCCs. However, as a US company, it remains subject to the Cloud Act. The CNIL has reminded that the Cloud Act creates a non-eliminable risk for European data hosted by US entities, even when that data is hosted in the EU.
Is Certyneo GDPR compliant?
Yes. Certyneo is a French entity, hosted in the EU (IONOS Germany), not subject to the Cloud Act. Data is encrypted in transit (TLS 1.3) and at rest. Certyneo offers a DPA compliant with GDPR Article 28.
Is a DPIA required for using a signature solution?
A DPIA is not systematically required for standard electronic signature. It becomes mandatory if you sign documents containing sensitive data (health data, HR data including trade-union membership, etc.) or if your use of signature involves profiling or large-scale monitoring.
