The General Data Protection Regulation (GDPR) represents the most important data protection regulation change in over 20 years. The GDPR aims to strengthen data protection for individuals within the EU, giving them greater say over what companies can do with the personal data that has been collected on them and making data privacy rules uniform for businesses handling EU personal data.
How DocuSign protects privacy under GDPR

As an organization focused on trust and careful handling of customer data, DocuSign has been committed to privacy since inception. Our strong compliance culture and robust security safeguards, which are reflected in our ISO 27001 certification, provide a solid foundation for ongoing GDPR compliance efforts:
Europe’s data transfer restrictions and the role of BCRs

The EU has some of the strictest and most comprehensive data export requirements in the world. European data protection laws prohibit the transfer of personal data from the European Economic Area (EEA) to countries outside of the EEA that don’t ensure an "adequate level of data protection." Binding Corporate Rules (BCRs) are one mechanism for lawful exports and are ideal for multinational companies. Considered the gold standard for data protection, BCRs are a strict set of rules for the members of the corporate family. BCRs are recognized under the GDPR as a mechanism to protect the privacy and fundamental rights and freedoms of European data subjects and to permit lawful transfer of data outside of the EEA. For more information, visit Binding Corporate Rules and DocuSign.

Data breach notification under the GDPR

As required under GDPR Article 33 (2), the processor (DocuSign) will notify the controller (Customer) “without undue delay” after becoming aware of a personal data breach. In the event of a data breach requiring notification to customers, DocuSign will identify one or more methods of communication to efficiently alert affected customers. We also post a wealth of information relevant to the status and integrity of our service to the DocuSign Trust Center. Interested customers should consider subscribing to the Trust Center’s alert and updates feed.

Contractual protections under the GDPR

DocuSign provides customers with additional data processing terms as required under GDPR, including the obligation to secure protections from any subprocessor.
Brexit Statement

With the ongoing discussions between the EU and UK regarding provisions on data transfers following Brexit, the EU-UK Trade and Cooperation Agreement (the “Trade Agreement”) provides for a further transition period of up to six months (until July 2021) to enable the European Commission to complete its adequacy assessment of the UK’s data protection laws. In the meantime, personal data can continue to be exported from the EU to the UK without implementing additional safeguards beyond those currently mandated under GDPR for transfers within the EEA. As DocuSign continues to monitor the privacy landscape with respect to Brexit, we remain committed to our privacy principles and obligations formalized under our approved EU Binding Corporate Rules (BCRs), which publicly set out how we protect and secure the data entrusted to us by our valued customers, partners, employees, and other business associates. Our EU BCRs, in conjunction with the supplemental measures we implement in compliance with GDPR, serve as the mechanism for data transfers outside of the EEA. Additionally, during the extended Brexit transition period for data transfers, we are assessing and evaluating UK BCRs to further facilitate data processing activities in the UK, and to strive to meet the growing data protection needs of our customers.

Statement on EU-US data transfers Post-Schrems II Decision (October 2020)

DocuSign remains committed to complying with our European privacy obligations for data transfers to the US, even with the invalidation of the US-EU Privacy Shield framework by the Court of Justice of the European Union (CJEU) on July 16, 2020 (Schrems II Decision). We hold ourselves to fundamental privacy principles that are reflected in our having obtained Binding Corporate Rules (BCRs) in 2018. This ultimately served not only to provide a transparent approach to privacy, but also to limit the impact of the CJEU’s Schrems II Decision on our business. Nonetheless, as we strive to evaluate additional ways to refine our approach to fundamental privacy principles, we are continuing to monitor the latest developments to the extent they may affect any ongoing DocuSign data processing obligations. For our previously acquired SpringCM business, which had been certified under EU-US Privacy Shield, we have now completed the migration of that business’ program so that it also operates under our BCRs. Of critical import, we hold in the highest regard our role as a trusted service provider to our customers. DocuSign does not sell, rent or trade customers’ personal data. When we access data hosted in the EU, it is in service to our customers, including providing them technical support for their most critical issues, delivering the right security solutions or optimizing or enhancing their experience. Regarding the CJEU’s ruling involving Standard Contractual Clauses (SCCs) and BCRs as remaining legitimate data transfer mechanisms, we take this opportunity to highlight that we adhere to the following key measures as a data importer:
We diligently adhere to and follow these practices when responding to search warrants, subpoenas, governmental orders and similar data requests directed to DocuSign. As the privacy landscape continues to evolve and change to meet the needs of the digital age, we are closely monitoring EU supervisory authorities and await further guidance from them in order to determine how best to comply with the new legal landscape after the Schrems II Decision. We’re poised and ready to address the supplementary measures beyond what we already have in place to assure adequate protections for data transferred out of the EU. The CJEU’s ruling on the Privacy Shield changes little regarding the utmost importance DocuSign places on the privacy and security of our customers’ data. To this end, we maintain a security and privacy program, which is outlined in detail throughout this Trust Center. We remain committed to maintaining levels of privacy and security for our customers to reaffirm the trust that they have placed in DocuSign, and will continue to effect enhancements in these areas to continue to meet our privacy commitments to them, our partners and the broader community around us. For more information about our privacy program and our privacy commitments, please email .

What does the General Data Protection Regulation (GDPR) strive to achieve?

The purpose of the GDPR is to impose a uniform data protection law on all EU member states, so that each member state no longer needs to write its own data protection laws and the rules are consistent across the entire EU.
What does the General Data Protection Regulation (GDPR) regulate?

GDPR extends the definition of personal data so that something like an IP address can be personal data. It also includes sensitive personal data such as genetic data and biometric data that could be processed to uniquely identify an individual.
What is the main purpose of the GDPR?

To protect the fundamental rights and freedoms of natural persons with regard to the processing of personal data, as well as the free movement of personal data.