Certyneo
2026 compliance guide

Electronic signature and GDPR: a guide for data protection officers (DPOs)

Adopting an electronic signature solution raises several GDPR questions: where is the data hosted? Who can access it? Is there a Cloud Act risk? This guide answers these questions and explains how to choose a GDPR-compliant solution for your organization.

What personal data does a signature solution process?

An electronic signature platform processes several categories of personal data.

  • Signatory identity: last name, first name, email, phone number
  • Document content: potentially sensitive personal data (employment contracts, health data, financial data)
  • Audit trail data: IP address, timestamp, user agent
  • Behavioral data: handwritten signature stroke on a tablet (for biometric QES)

Where is the data hosted and are there transfers outside the EU?

GDPR requires that personal data only be transferred outside the EU to countries offering an adequate level of protection or under appropriate safeguards (SCCs, BCRs). For signature solutions, this means:

  • EU hosting → no transfer outside the EU, no additional formalities
  • US hosting with SCCs → possible but residual Cloud Act risk
  • US entity (Cloud Act) → unavoidable risk even with EU hosting

The US Cloud Act and electronic signatures

The Cloud Act (2018) allows US authorities to access data held by companies incorporated under US law, even if that data is stored in Europe. DocuSign, Adobe Sign and Dropbox Sign are US companies subject to the Cloud Act. Certyneo is a French entity, not subject to this extraterritorial reach.

Cloud Act risk level by solution:

  • Certyneo: no risk (French entity)
  • Yousign: no risk (French entity)
  • DocuSign: residual risk (US entity)
  • Adobe Acrobat Sign: residual risk (US entity)
  • Dropbox Sign: residual risk (US entity)

DPAs and legal bases

Data processing by a signature solution must rest on a valid legal basis (contract, legitimate interest, or consent). A Data Processing Agreement (DPA) must be concluded with the signature provider. Certyneo offers a GDPR-compliant DPA, signable electronically, containing the elements required by Article 28 of the GDPR.

What GDPR recommendations should DPOs follow?

  1. Choose a provider whose legal entity is based in the EU or in the United Kingdom (post-Brexit, with an adequacy decision)
  2. Verify that hosting is exclusively in the EU, with no replication to servers outside the EU
  3. Obtain and sign a DPA compliant with Article 28 of the GDPR
  4. Document the impact assessment (DPIA) if you process sensitive data in your documents
  5. Check the data retention period and the deletion policy at the end of the contract

GDPR questions about electronic signatures

Does an electronic signature involve the processing of personal data?

Yes. The signatory's email, name, and potentially phone number are collected. The document content may also contain personal data. The signature provider acts as a processor within the meaning of the GDPR, subject to the obligations of Article 28.

Is DocuSign GDPR-compliant?

DocuSign claims GDPR compliance and offers SCCs. However, as a US company, it remains subject to the Cloud Act. The CNIL has reminded stakeholders that the Cloud Act creates an unavoidable risk for European data held by US entities, even when hosted in the EU.

Is Certyneo GDPR-compliant?

Yes. Certyneo is a French entity, hosted in the EU (IONOS Germany), not subject to the Cloud Act. Data is encrypted in transit (TLS 1.3) and at rest. Certyneo provides a DPA compliant with Article 28 of the GDPR.

Do you need to carry out a DPIA before using a signature solution?

A DPIA is not systematically required for standard electronic signatures. It becomes mandatory if you sign documents containing sensitive data (health, HR with trade union data, etc.) or if your use of signatures involves profiling or large-scale monitoring.