Trust Center BCR Processor Policy
Binding Corporate Rules: Processor Policy
Effective date: January 26, 2023
PART I: INTRODUCTION
This Binding Corporate Rules: Processor Policy (“Processor Policy”) establishes Docusign's approach to compliance with applicable data protection laws (and, in particular, European laws) when processing personal information on behalf of a third-party controller.
Scope of this Processor Policy
This Processor Policy applies when we process personal information as a processor on behalf of a third-party controller, including when the personal information is transferred to a group member for processing. This Processor Policy applies regardless of whether our group members process personal information by manual or automated means.
The standards described in the Processor Policy are worldwide standards that apply to all group members when processing any personal information as a processor. As such, this Processor Policy applies regardless of the origin of the personal information that we process, the country in which we process personal information, or the country in which a group member is established.
For an explanation of some of the terms used in this Processor Policy, like "controller", "process", and "personal information", please see the section headed "Important terms used in this Processor Policy" below.
The material scope of this Processor Policy
The material scope of this Processor PolicyThe material scope of this Processor Policy is set out in Appendix 2. This describes the types of personal information, data subjects, and transfers that are protected by this Processor Policy. However, we must apply the standards described in this Processor Policy to all transfers of personal information to and between group members, even if they are not explicitly listed in Appendix 2.
Our collective responsibility to comply with this Processor Policy
All group members and their staff must comply with this Processor Policy when processing personal information as a processor on behalf of a Customer, irrespective of the country in which they are located.
In particular, all group members who process personal information as a processor must comply with:
the rules set out in Part II of this Processor Policy;
the practical commitments set out in Part III of this Processor Policy;
the third party beneficiary rights set out in Part IV ; and
the related policies and procedures appended in Part V of this Processor Policy.
Responsibility towards the Customer
As a data processor, Docusign will have a number of direct legal obligations under applicable data protection laws. In addition, the Customer will also pass certain data protection obligations on to Docusign in its contract appointing Docusign as its processor. If Docusign fails to comply with the terms of its processor appointment, this may put the Customer in breach of its applicable data protection laws and Customer may initiate proceedings against Docusign for breach of contract, resulting in the payment of compensation or other judicial remedies.
A Customer may enforce this Processor Policy against any group member that is in breach of it. Where a non-European group member (or a non-European third-party processor appointed by a group member) processes personal information for which the Customer is a controller in breach of this Processor Policy, that Customer may enforce the Processor Policy against Docusign International (EMEA) Ltd. In such event, Docusign International (EMEA) Ltd will be responsible for demonstrating that such group member (or third-party processor) is not responsible for the breach, or that no such breach took place.
When a Customer transfers personal information to a group member for processing in accordance with this Processor Policy, a copy of this Processor Policy shall be incorporated into the contract with that Customer. If a Customer chooses not to rely upon this Processor Policy when transferring personal information to a group member outside Europe, that Customer is responsible for implementing other appropriate safeguards in accordance with applicable data protection laws.
Management commitment and consequences of non-compliance
Docusign's management is fully committed to ensuring that all group members and their staff comply with this Processor Policy at all times.
Non-compliance may cause Docusign to be subject to sanctions imposed by competent data protection authorities and courts, and may cause harm or distress to individuals whose personal information has not been protected in accordance with the standards described in this Processor Policy.
In recognition of the gravity of these risks, staff members who do not comply with this Processor Policy will be subject to disciplinary action, up to and including dismissal.
Relationship with Docusign's Binding Corporate Rules: Controller Policy
This Processor Policy applies only to personal information that Docusign processes as a processor in order to provide a service to a Customer.
Docusign has a separate Binding Corporate Rules: Controller Policy that applies when it processes personal information as a controller (i.e. for its own purposes). When a Docusign group member processes personal information as a controller, it must comply with the Controller Policy.
In some situations, group members may act as both a controller and a processor. Where this is the case, they must comply both with this Controller Policy and also the Processor Policy as appropriate. If in any doubt which policy applies to you, please speak with the Office of the Chief Privacy Officer whose contact details are provided below.
Where will this Processor Policy be made available?
This Processor Policy is accessible on Docusign's corporate website at www.docusign.com/trust/privacy.
Important terms used in this Processor Policy
For the purposes of this Processor Policy:
the term applicable data protection laws includes the data protection laws in force in the territory in which the controller of the personal information is located. Where a group member processes personal information on behalf of a European controller under this Processor Policy, the term applicable data protection laws shall include the European data protection laws applicable to that controller (including Europe's General Data Protection Regulation, when applicable);
the term controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal information. For example, Docusign is a controller of its Customer data and staff data;
the term Controller Policy refers to Docusign’s Binding Corporate Rules: Controller Policy, which is available on Docusign's website at www.docusign.com/trust/privacy. The Controller Policy applies where Docusign processes personal information as a controller (i.e. for its own purposes);
the term Customer refers to the third-party controller on whose behalf Docusign processes personal information. This includes Docusign's third-party customers, when we process personal information on their behalf in the course of providing data processing services to them;
the term Docusign Platform is defined in Appendix 2 (Processor);
the term Europe (and European) as used in this Policy refers to the Member States of the European Economic Area – that is, the Member States of the European Union plus Norway, Liechtenstein and Iceland;
the term group member means the members of Docusign's group of companies listed in Appendix 1;
the term personal information means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The term personal information shall include any information that is "personal data", "personally identifiable information", "personal information" and any analogous concept under applicable data protection laws;
the term processing means any operation or set of operations which is performed on personal information or on sets of personal information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
the term processor means a natural or legal person which processes personal information on behalf of a controller. For example, Docusign is a processor of the personal information it processes to provide services to its Customers;
the term Processor Policy refers to this Binding Corporate Rules: Processor Policy. The Processor Policy applies where Docusign processes personal information as a processor on behalf of a third party controller;
the term sensitive personal information means information that relates to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation. It also includes information about an individual's criminal offences or convictions, as well as any other information deemed sensitive under applicable data protection laws;
the term staff refers to all employees, new hires, individual contractors and consultants, and temporary staff engaged by any Docusign group member. All staff must comply with this Processor Policy; and
the term transfer impact assessment is further defined in Rule 11 of this Controller Policy and relates to the assessment carried out by Docusign and applicable Docusign group members in accordance with Appendix 12 (Transfer Impact Assessment Policy).
How to raise questions or concerns
If you have any questions regarding this Processor Policy, your rights under this Processor Policy or applicable data protection laws, or any other data protection issues, you can contact the Office of the Chief Privacy Officer using the details below. The Office of the Chief Privacy Officer will either deal with the matter directly or forward it to the appropriate person or department within Docusign to respond.
Attention: | Office of the Chief Privacy Officer |
Email: | |
Address: | Docusign Inc. |
The Office of the Chief Privacy Officer will ensure that changes to this Policy are notified to the group members and to individuals whose personal information is processed by Docusign in accordance with Appendix 10.
If you want to exercise any of your data protection rights, please see the data protection rights procedure set out in Appendix 4. Alternatively, if you are unhappy about the way in which Docusign has used your personal information, you can raise a complaint in accordance with our complaint handling procedure set out in Appendix 8.
PART II: OUR OBLIGATIONS
This Processor Policy applies in all situations where a group member processes personal information as a processor anywhere in the world. All staff and group members must comply with the following obligations:
Rule 1 – Lawfulness:
We must ensure that processing is at all times compliant with applicable law and this Processor Policy. | We must at all times comply with any applicable data protection laws, as well as the standards set out in this Processor Policy, when processing personal information. The rights and obligations that apply to personal information within the scope of this Processor Policy “travel” with the personal information whenever it is transferred to or between group members (or their sub-processors). This means that where in-scope personal information is transferred to an importing group member (or its sub-processor) in another country, that personal information must be protected to the standards set out in this Processor Policy, even if the importing group member (or its sub-processor) is not subject to applicable data protection laws or is subject to applicable data protection laws that provide for lower standards. As such: where applicable data protection laws exceed the standards set out in this Processor Policy, we must comply with those laws; but where there are no applicable data protection laws, or where applicable data protection laws do not meet the standards set out in this Processor Policy, we must process personal information in accordance with the standards set out in this Processor Policy. |
Rule 2 – Cooperation with Customers:
We must cooperate with and assist the Customer to comply with its obligations under applicable data protection laws in a reasonable time and to the extent reasonably possible. | We must cooperate with and assist our Customer to comply with its obligations under applicable data protection laws. We must provide such assistance in a reasonable time and to the extent reasonably possible, and as required under the terms of our contract with the Customer. Assistance may include, for example, helping our Customer to keep the personal information we process on its behalf accurate and up to date, helping it to provide individuals with access to their personal information, or helping it to conduct data protection impact assessments in accordance with applicable data protection laws. |
Rule 3 – Fairness and transparency: We must, to the extent reasonably possible, assist a Customer to comply with the requirement to explain to individuals how their personal information will be processed. | Our Customer has a duty to explain to the individuals whose information it processes (or instructs us to process), how and why that information will be used. This information must be given in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This is usually done by means of an easily accessible fair processing statement. We will provide such assistance and information to the Customer in accordance with the terms of our contract with the Customer to comply with this requirement. For example, the terms of our contract with a Customer may require us to provide information about any sub-processors we appoint to process personal information on our Customer’s behalf. |
Rule 4 – Purpose limitation: We will only process personal information on behalf of, and in accordance with the instructions of, the Customer. | We must only process personal information on behalf of the Customer and in accordance with its documented instructions (for example, as set out in the terms of our contract with the Customer and including instructions from individual users of the Docusign Platform), including with regard to any international transfers of personal information. If we are unable to comply with our Customer’s instructions (or any of our obligations under this Processor Policy), we will inform the Customer promptly. The Customer may then suspend its transfer of personal information to us and/or terminate its contract with us (in accordance with the terms of the contract). In such circumstances, we will return or delete the personal information, including any copies of the personal information, in a secure manner or as otherwise required, in accordance with the terms of our contract with the Customer and, if requested, certify to the Customer that this has been done. If we are prevented from returning the personal information to our Customer or from deleting it (for example, due to applicable law requirements), we must inform the Customer. In such event, we must continue to maintain the confidentiality of the personal information and not process the personal information further other than in accordance with the terms of our contract with the Customer. |
Rule 5 – Data accuracy and minimisation: We will assist our Customer to keep the personal information accurate and up to date. | We must assist our Customer to comply with its obligation to keep personal information accurate and up to date. In particular, where a Customer informs us that personal information is inaccurate, we must assist our Customer to update, correct or erase that information without delay. We must also take measures to inform group members or third-party processors to whom the personal information has been disclosed of the need to update, correct or erase that personal information. |
Rule 6 – Storage limitation: We will assist our Customer to store personal information only for as long as is necessary for the purpose for which the information was initially collected. | Where a Customer instructs us that personal information we process on its behalf is no longer needed for the purposes for which it was collected, we will assist our Customer to erase, restrict or anonymise that personal information without delay and in accordance with the terms of our contract with the Customer. We must also take measures to inform group members or third-party processors to whom the personal information has been disclosed of the need to erase, restrict or anonymise that personal information. |
Rule 7 – Security, integrity and confidentiality: We must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the personal information we process on behalf of a Customer. | Where we provide a service to a Customer which involves the processing of personal information, the contract between us and that Customer will set out the technical and organisational security measures we must implement to safeguard that information consistent with applicable data protection laws. We must ensure that any staff member who has access to personal information processed on behalf of a Customer does so only for purposes that are consistent with the Customer’s instructions and is subject to a duty of confidence. |
Rule 8 – Security incident reporting: We must notify a Customer of any security incident that we experience if it presents a risk to the personal information we process on the Customer’s behalf. | When we become aware of a data security incident that presents a risk to the personal information that we process on behalf of a Customer, we must immediately inform the Office of the Chief Privacy Officer and follow our data incident management processes. Docusign's Chief Privacy Officer will review the nature of the data security incident and determine whether a personal data breach has occurred and thus whether it is necessary to notify a Customer. The Chief Privacy Officer shall be responsible for ensuring that any such notifications, where necessary, are made without undue delay and in accordance with applicable law. |
Rule 9 – Engaging sub-processors We may only appoint, add or replace sub-processors with authorisation from the Customer and in accordance with its requirements. | We must obtain a Customer’s authorisation before appointing, adding or replacing a sub-processor to process personal information on its behalf. Authorisation must be obtained in accordance with the terms of our contact with the Customer. We must make available to our Customer up-to-date information about the sub-processors we intend to appoint in order to obtain its authorisation. If, on reviewing this information, a Customer objects to the appointment of a sub-processor, that Customer may take such steps as are consistent with the terms of its contract with us and as referred to in Rule 4 of this Processor Policy regarding the return or destruction of the personal information. |
Rule 10 – Sub-processor contracts We must only appoint external sub-processors who protect personal information to a standard that is consistent with this Processor Policy and our contractual terms with Customers. | We must only appoint external sub-processors who provide sufficient guarantees in respect of the commitments made by us in this Processor Policy. In particular, external sub-processors must implement appropriate technical and organisational security measures to protect the personal information they process, and such measures must be consistent with our commitments to our Customer under our contractual terms with the Customer. Where we intend to appoint an external sub-processor to process personal information, we must undertake due diligence to ensure it has in place appropriate technical and organisational security measures to protect the personal information. We must impose contractual obligations in writing on the sub-processor that require it: to protect the personal information to a standard that is consistent with our commitments to our Customer under the terms of our contract with the Customer; to maintain the security of the personal information, consistent with standards contained in this Processor Policy (and in particular Rules 7, 8 and 9 above); to process personal information only on our instructions (which instructions will be consistent with the instructions of the Customer) or on the Customer’s instructions; and to fulfill such additional obligations as may be necessary to ensure that the commitments made by the sub-processor reflect those made by us in this Processor Policy, and which, in particular, provide for adequate safeguards with respect to the privacy and fundamental rights and freedoms of individuals in respect of any international transfers of personal information. |
Rule 11 – Respect for individuals’ data protection rights: We will assist a Customer to respond to queries or requests made by individuals in connection with their personal information. | We must assist our Customer to comply with its duty to respect the data protection rights of individuals, in accordance with the instructions of our Customer and the terms of our contract with the Customer. In particular, if any group member receives a request from any individual wishing to exercise his or her data protection rights in respect of personal information for which the Customer is the controller, the group member must transfer such request promptly to the relevant Customer (in accordance with the Data Protection Rights Procedure in Appendix 4). |
Rule 12 – Ensuring adequate protection for international transfers: We will not transfer personal information internationally without ensuring adequate protection for the information in accordance with applicable law. | Data transfer compliance Various data protection laws around the world, including European laws, may prohibit international transfers of personal information to third countries unless appropriate safeguards are implemented to ensure the transferred data remains protected to the standard required in the country or region from which it is originally transferred. This includes transfers of personal information to group members who are subject to this Processor Policy, and transfers (and onward transfers) from group members to third parties who are not subject to this Processor Policy. Where these requirements exist, we will comply with them. In addition, as a processor, we will also comply with our Customers’ documented instructions in respect of any international transfers of personal information (as described in Rule 4). Whenever transferring personal information internationally, or onward transferring personal information to third parties, Docusign's designated representative(s) (as instructed by the Office of the Chief Privacy Officer) (the "Responsible Party") will be consulted so that they can ensure appropriate safeguards have been implemented to protect the personal information being transferred and, where necessary, a transfer impact assessment (as described below) has been conducted. Transfer Impact Assessments Docusign group members may transfer personal information or onward transfer personal information internationally, only where measures necessary to comply with: (a) applicable Customers’ documented instructions in the terms of the applicable agreement with a Customer; and (b) the requirements of Applicable Data Protection Laws with respect to international transfers or onward transfers of personal information have been satisfied. In the case of transfers of personal information protected under European data protection law, these efforts shall include undertaking transfer impact assessments to assess the level of data protection in the recipient territory and implementing any supplementary measures identified by those assessments as necessary to ensure a level of protection that is essentially equivalent to European data protection law. Where a group member makes an international transfer of personal information that is subject to European data protection laws to another group member or third party located in a third country that does not provide an adequate level of protection ("Non-Adequate Country"), we will: - undertake a risk assessment ("Transfer Impact Assessment") to assess whether there is reason to believe that the laws and practices in the Non-Adequate Country, including any requirements to disclose personal information to public authorities or measures that authorise access by public authorities, will conflict with Docusign’s obligations under this Processor Policy; - where the Transfer Impact Assessment concludes that additional safeguards are necessary to ensure an adequate level of protection for the personal information and compliance with this Processor Policy, implement such additional safeguards (if appropriate, in consultation with the Controller); and - if such additional safeguards are necessary but cannot be implemented, either prohibit or suspend the transfer or, if we intend to continue the transfer despite the lack of additional safeguards, notify the Controller. In addition, where a group member located in Non-Adequate Country receives personal information that is subject to European data protection laws from another group member or third party, that group member will monitor the situation on an ongoing basis and promptly notify the transferring group member or third party if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements of this Processor Policy, including following a change in the laws of the Non-Adequate County. We will conduct such Transfer Impact Assessments and promptly notify any transfer risks in accordance with the Transfer Impact Assessment Policy in Appendix 12. |
PART III: DELIVERING COMPLIANCE IN PRACTICE
To ensure we follow the rules set out in our Processor Policy, in particular the obligations set out in Part II, Docusign and all of its group members must also comply with the following practical commitments:
1. Resourcing and compliance: We must have appropriate staff and support to ensure and oversee privacy compliance throughout the business. | Docusign has appointed its Chief Privacy Officer to oversee and ensure compliance with this Processor Policy. The Office of the Chief Privacy Officer is responsible for overseeing and enabling compliance with this Controller Policy on a day-to-day basis. A summary of the roles and responsibilities of Docusign's privacy team is set out in Appendix 5. |
2. Privacy training: We must ensure staff are educated about the need to protect personal information in accordance with this Processor Policy | Group members must provide appropriate privacy training to staff members who: have permanent or regular access to personal information; or are involved in the processing of personal information or in the development of tools used to process personal information. We will provide such training in accordance with the Privacy Training Program (see Appendix 6). |
3. Records of Data Processing: We must maintain records of the data processing activities carried out on behalf of a Customer. | We must maintain a record of the processing activities that we conduct on behalf of a Customer in accordance with applicable data protection laws. These records should be kept in writing (including electronic form) and we must make these records available to competent data protection authorities upon request. The relevant team or function overseeing or managing the processing activity is responsible for ensuring the accuracy of such records, in conjunction with the Office of the Chief Privacy Officer which will maintain such records. |
4. Audit: We must have data protection audits on a regular basis. | We will have data protection audits on a periodic basis, which may be conducted by either internal or external accredited auditors. In addition, we will conduct data protection audits on specific request from the Chief Privacy Officer and/or the Board. We will conduct any such audits in accordance with the Audit Protocol (see Appendix 7). |
5. Data protection by design and by default: We must provide our products and services in a way that assists our Customer to apply data protection by design and by default principles. | We must provide our products and services in a way that assists our Customer to implement data protection by design and data protection by default principles. This means that we must implement appropriate technical and organizational measures when providing our products and services that: are designed to implement the data protection principles in an effective manner and to integrate the necessary safeguards in order to protect the rights of individuals and meet the requirements of applicable data protection laws ("privacy by design"); and ensure that, by default, only personal information which are necessary for each specific processing purpose are collected, stored, processed and are accessible; in particular, that by default personal information is not made accessible to an indefinite number of people without the individual's intervention ("privacy by default"). These measures must be implemented in accordance with the terms of our agreement with our Customer. |
6. Complaint handling: We must enable individuals to raise data protection complaints and concerns | Group members must enable individuals to raise data protection complaints and concerns (including complaints about processing under this Processor Policy) by complying with the Complaint Handling Procedure (see Appendix 8). |
7. Cooperation with competent data protection authorities: We must always cooperate with competent data protection authorities | Group members must cooperate with competent data protection authorities by complying with the Cooperation Procedure (see Appendix 9). |
8. Updates to this Processor Policy: We will update this Processor Policy in accordance with our Updating Procedure | Whenever updating our Processor Policy, we must comply with the Updating Procedure (see Appendix 10). |
9. Conflicts between this Processor Policy and national legislation: We must take care where local laws conflict with this Policy, and act responsibly to ensure a high standard or protection for the personal information in such circumstances. | If local laws applicable to any group member prevent it from fulfilling its obligations under the Processor Policy or otherwise has a substantial effect on its ability to comply with the Processor Policy or the instructions it has received from a Customer, the group member must promptly inform: the Customer (consistent with the requirements of Rule 4); the Office of the Chief Privacy Officer; the competent supervisory authority for the Customer; and the competent supervisory authority for the group member; unless otherwise prohibited by law. |
10. Government requests for disclosure of personal information: We must notify the competent supervisory authorities in case of a legally binding request for disclosure of personal information. | If a group member receives a legally binding request for disclosure of personal information by a law enforcement authority or state security body which is subject to this Processor Policy, it must: notify the Customer promptly unless prohibited from doing so by applicable law; and use its best efforts to put the request on hold and notify the appropriate data protection authority competent for the Customer by complying with the requirements of its Government Data Request Procedure set out in Appendix 11. In no event must transfers of personal information from a group member to any law enforcement, state security or similar public authority be massive, disproportionate and indiscriminate in a manner that would go beyond what is necessary in a democratic society. |
PART IV: THIRD PARTY BENEFICIARY RIGHTS
Application of this Part IV
This Part IV applies where individuals’ personal information are protected under European data protection laws (including the General Data Protection Regulation). This is the case when:
those individuals’ personal information are processed in the context of the activities of a third-party controller or a group member (acting as processor) established in Europe;
a non-European Customer (acting as controller) or group member (acting as processor) offers goods and services (including free goods and services) to those individuals in Europe; or
a non-European Customer (acting as controller) or group member (acting as processor) monitors the behaviour of those individuals, as far as their behaviour takes place in Europe;
and that Customer or group member (as applicable) then transfers those individuals’ personal information to a non-European group member (or its sub-processor) for processing under the Processor Policy.
Entitlement to effective remedies
When this Part IV applies, individuals have the right to pursue effective remedies in the event their personal information is processed by Docusign in breach of the following provisions of this Processor Policy:
Part II (Our Obligations) of this Processor Policy;
Paragraphs 5 (Complaints Handling), 6 (Cooperation with Competent Data Protection Authorities), 8 (Conflicts between this Processor Policy and national legislation) and 9 (Government requests for disclosure of personal information) under Part III of this Processor Policy; and
Part IV (Third Party Beneficiary Rights) of this Processor Policy.
Individuals’ third party beneficiary rights
When this Part IV applies, the right for individuals to pursue effective remedies against Docusign apply only if either (i) the requirements at stake are specifically directed at Docusign as a processor in accordance with applicable data protection law (and in accordance with the guidance published by competent data protection authorities), or (ii) the individuals cannot bring a claim against a Customer because:
the Customer has factually disappeared or ceased to exist in law or has become insolvent; and
no successor entity has assumed the entire legal obligations of the Customer by contract or by operation of law.
In such cases, individuals may exercise the following rights:
Complaints: Individuals may complain to a group member and/or to a European data protection authority, in accordance with the Complaints Handling Procedure at Appendix 8;
Proceedings: Individuals may commence proceedings against a group member for violations of this Processor Policy, in accordance the Complaints Handling Procedure at Appendix 8;
Compensation: Individuals who have suffered material or non-material damage as a result of an infringement of this Processor Policy have the right to receive compensation from Docusign for the damage suffered.
Transparency: Individuals also have the right to obtain a copy of the Processor Policy, which they may exercise by making a request to the Office of the Chief Privacy Officer at privacy@docusign.com or by directly accessing the Processor Policy as published on www.docusign.com/trust/privacy.
Responsibility for breaches by non-European group members
Docusign International (EMEA) Ltd will be responsible for ensuring that any action necessary is taken to remedy any breach of the Processor Policy by a non-European group member (or any non-European sub-processor appointed by a group member).
In particular:
If an individual or a Customer (acting as controller) can demonstrate damage it has suffered likely occurred because of a breach of this Processor Policy by a non-European group member (or a non-European sub-processor appointed by a group member), Docusign International (EMEA) Ltd will have the burden of proof to show that the non-European group member (or non-European sub-processor) is not responsible for the breach, or that no such breach took place.
where a non-European group member (or any non-European third-party sub-processor acting on behalf of a group member) fails to comply with this Processor Policy, individuals may exercise their rights and remedies above against Docusign International (EMEA) Ltd and, where appropriate, receive compensation (as determined by a competent court or other competent authority) from Docusign International (EMEA) Ltd for any material or non-material damage suffered as a result of a breach of this Processor Policy.
Shared liability for breaches with controllers
Where Docusign is engaged by a Customer to conduct processing and both are responsible for harm caused by the processing in breach of this Processor Policy, Docusign accepts that both Docusign and the Customer may be held liable for the entire damage in order to ensure effective compensation of the individual.
PART V: RELATED POLICIES AND PROCEDURES
APPENDIX 1 - LIST OF DOCUSIGN GROUP MEMBERS
The table below lists the Docusign group members which are bound by Docusign’s “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy”.
Name | Details | Country |
Docusign International (EMEA) Limited | Address: 5 Hanover Quay, Ground Floor, Dublin 2, Republic of Ireland Reg no.: 549615 | Ireland |
Docusign Brasil Soluções Em Tecnologia Ltda. (formerly, Comprova.com) | Address: Tower Bridge Corporate, 02º Andar Conj. 21, Avenida Jornalista Roberto Marinho, 85, São Paulo, Brazil Reg no.: 35.218.051.742 | Brazil |
Docusign Canada Ltd. | Address: 3200 – 650 West Georgia Street, Vancouver BC V6B 4P7 Canada Reg no.: BC1081751 | Canada |
Seal Software Egypt LLC | Address: Cairo Festival City, Business Park B2, Building 12B04 Ground Floor, Street 90 Fifth Settlement, New Cairo Egypt Reg no.: 109958 | Egypt |
Docusign France SAS | Address: Immeuble Central Park 9-15 rue Maurice Mallet 92130 Issy-les-Moulineaux France Reg no.: 812 611 150 | France |
Docusign Germany GmbH | Address: c/o Bird & Bird LLP Maximilianspl.22 80333 Munchen Deutschland Reg no.: HRB 111200 | Germany |
Docusign Israel Ltd | Address: SIV Building 1 Ha’arava St. Floor 4, 5400804 Givat Shmuel Israel Reg no.: 511071086 | Israel |
Docusign Japan KK | Address: Shiroyama Trust Tower 35F 4-3-1 Toranomon, Minato-ku Tokyo 105-6035 Japan Reg no.: 0100-01-167695 | Japan |
Seal Software Norway AS | Address: v/advokat Stale R Kristiansen c/o Advokatfirmaet Thommessen AS Haakon VIIs gate 10
Reg no.: 921 684 746 | Norway |
Docusign International (Asia-Pacific) Private Limited | Address: 71 Robinson Road Singapore 068895 Reg no.: 201505623H | Singapore |
Contract Analytics Development Sweden AB | Address: Kungsgatan 34, 1 tr 411 19 Gothenburg, Sweden Reg no.: 556935-3674 | Sweden |
Docusign UK Limited | Address: Broadgate Quarter 9 Appold Street, 2nd Floor London EC2A 2AP UK Reg no.: 10308354 | United Kingdom |
Docusign, Inc. | Address: 221 Main Street, Suite 1550, San Francisco, CA 94105 Reg no.: 5711317 | United States |
Docusign International, Inc. | Address: 221 Main Street, Suite 1550, San Francisco, CA 94105 Reg no.: 4980980 | United States |
Liveoak Technologies, Inc. | Address: 221 Main Street, Suite 1550, San Francisco, CA 94105 Reg no.: 5675735 | United States |
Docusign Mexico, S. de R.L de C.V. | Address: Insurgentes Sur 1650, Piso 12, C.P. 03900, Mexico CDMX Reg no.: N-2020078264 | Mexico |
Docusign Spain, S.L.U. | Address: Avenida Diagonal, 477, planta 20 Barcelona, Spain Reg no.: 84628715 | Spain |
Docusign Netherlands B.V. | Address: Blaak 34, 3011TA Rotterdam, the Netherlands Reg no.: 50737449 | Netherlands |
Docusign Italy S.r.l. | Address: Osborne Clarke, Corso di Porta Vittoria, 9, Milan, 20122, Italy Reg no.: M-2640635 | Italy |
APPENDIX 2 - MATERIAL SCOPE OF THIS PROCESSOR POLICY
Background
Docusign’s “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") provide a framework for the transfer of personal information between Docusign group members.
This document sets out the material scope of the Processor Policy. It specifies the data transfers or set of transfers, including the nature and categories of personal information, the type of processing and its purposes, the types of individuals affected, the identification of the third country or countries and lists the Docusign products that are covered by the Processor Policy.
2. Important terms used within this Appendix
The following terms have the following meanings:
"Customer Services" means services provided by Docusign to Customers through the Docusign Platform. Such services include hosting and processing contract documentation and other documents of Customers on the Docusign Platform on behalf of Customers.
"Docusign Platform" means the digital transaction management platform provided by Docusign to its Customers, which is used by Customers to facilitate digital transactions that include the signing process of contractual documents and other documents of the Customer. Specifically, the Docusign Platform is comprised of the Docusign products listed in paragraph 4.
3. Content data
Who transfers the personal information described in this section? | Every Docusign group member inside of the European Economic Area (“EEA”) may transfer the personal information that they process on behalf of a third-party Controller described in this section to every other Docusign group member inside and outside of the EEA. Every group member outside of the EEA may also transfer the personal information that they process on behalf of a third-party Controller described in this section to every Docusign group member inside and outside of the EEA. Transfers made directly from a third-party Controller (whether inside or outside of the EEA) directly to a group member as processor (whether inside or outside of the EEA) will also be within the scope of the Processor Policy. |
Who receives this personal information? | Every Docusign group member outside of the EEA may receive the personal information described in this section which is sent to them by other Docusign group members or third-party controllers inside and outside of the EEA. Every group member inside of the EEA may also receive the personal information described in this section which is sent to them by other Docusign group members or third-party controllers inside and outside of the EEA. |
What categories of personal information are transferred? | Personal information of individuals processed by Docusign as a processor in the course of delivering Customer Services. The type and nature of personal information that data subjects choose to enter into Docusign's services is determined by the data subject, but may include (without limitation) some or all of the following: Document contents (e.g. correspondence, contracts and other documents that data subjects choose to upload to Docusign's products and services); Data subject names; Data subject email addresses; and Data subject IP addresses. |
What categories of sensitive personal information (if any) are transferred? | Docusign group members do not intentionally collect or process any sensitive personal information on behalf of controllers, unless expressly authorized and instructed by a respective Customer. |
Who are the types of individuals whose personal information are transferred? | Individuals whose personal information is processed by Docusign on behalf of its Customers through the Docusign Platform. |
Why is this personal information transferred and how will it be used? | Providing Customer Services including: operating the Docusign Platform and performing Customer Services through the Docusign Platform; hosting, storage, backup, or archiving documents and related transactional data on the Docusign Platform; reporting on the use of the Customer Services by a Customer; security maintenance (e.g., implementing access controls, auditing use, managing servers, managing network security, managing incidents); Support services including: providing (local and remote) assistance to Customers and end users in the use of the Docusign Platform; Docusign generation of service level reports or other reports on a Customer's use of Docusign products or services for Customer management information purposes; Customer-specific custom services including: adjusting the Docusign Platform to meet a Customer's specifications (e.g., by engaging application specialists, undertaking project management activities, modifying of device or system); the collection and analysis of Customer use data to report trends (e.g., specific status reports, management reporting, proactive management for security, the general improvement of Customer's internal operations); the provision of training for Customer staff or third parties related to the Docusign Platform; Docusign internal business process execution and management leading to incidental Processing of personal information for: internal auditing of Docusign processor-related activities; activities related to compliance with applicable law or regulation (e.g., data processing law); and data de-identification and aggregation of de-identified data for data minimization. |
Where is this personal information processed? | The personal information described in this section may be processed in every territory where Docusign group members or their processors are located. A list of Docusign group member locations is available at Appendix 1 to this Processor Policy. |
4. Docusign products
The Docusign Platform covered by this Processor Policy will include all Docusign products and services, including but not limited to the following Docusign Products:
Docusign eSignature and Docusign eSignature-based products and services (including Rooms, Docusign Gen and Docusign Negotiate)
Docusign CLM (Contract Lifecycle Management) service
SpringCM (Contract Management) service
Intelligent Seal-branded software and service, and other Docusign products and services based on Seal technology
Liveoak digital software service and other Docusign products and services based on the Liveoak technology
APPENDIX 3 - FAIR INFORMATION DISCLOSURES
Background
Docusign’s “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") provide a framework for the transfer of personal information between Docusign group members.
This Fair Information Disclosure document sets out the transparency information that Docusign must provide to individuals when processing their personal information.
Information to be provided where Docusign collects personal information directly from individuals
When Docusign collects personal information directly from individuals, it must provide the following transparency information:
the identity and contact details of the data controller and, where applicable, of its representative;
the contact details of the data protection officer, where applicable;
the purposes of the processing for which the personal information are intended as well as the legal basis for the processing;
where the processing is based on Docusign's or a third party's legitimate interests, the legitimate interests pursued by Docusign or by the third party;
the recipients or categories of recipients of the personal information, if any; and
where applicable, the fact that a group member in Europe intends to transfer personal information to a third country or international organisation outside of Europe, and the measures that the group member will take to ensure the personal information remains protected in accordance with applicable data protection laws and how to obtain a copy of such measures.
In addition to the information above, Docusign shall also provide individuals with the following further information necessary to ensure fair and transparent processing, at the time of collection:
the period for which the personal information will be stored, or if that is not possible, the criteria used to determine that period;
information about the individuals' rights to request access to, rectify or erase their personal information, as well as the right to restrict or object to the processing, and the right to data portability;
where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
the right to lodge a complaint with the competent supervisory authority;
whether the provision of personal information is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the individual is obliged to provide the personal information and of the possible consequences of failure to provide such information; and
the existence of automated decision-making, including profiling, where such decisions may have a legal effect or significantly affect the individuals whose personal information are collected, together with any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for those individuals.
The transparency information described in this paragraph must be provided at the time that Docusign obtains the personal information from the individual.
Information to be provided where Docusign collects personal information about individuals from a third party source
When Docusign collects personal information from a third party source (that is, someone other than the individual him- or herself), it must provide the following transparency information:
the information described in paragraphs 2.1 and 2.2 above;
the categories of personal information that are being processed; and
details of the third party source from which Docusign obtained the personal information including, if applicable, identifying whether the personal information came from publicly accessible sources.
The transparency information described in this paragraph must be provided within a reasonable period after Docusign obtains the personal information and, at the latest, within one month, having regard to the specific circumstances in which the personal information are processed. In addition:
if the personal information are to be used for communication with the individual, the transparency information described in this paragraph must be provided at the latest at the time of the first communication to that individual; and
if a disclosure of the personal information to another recipient is envisaged, the transparency information described in this paragraph must be provided at the latest when the personal information are first disclosed.
Derogations from providing transparency disclosures
The requirements to provide transparency information as described in this Fair Information Disclosures document shall not apply where and insofar as:
the individual already has the information;
the provision of such information provides impossible or would involve a disproportionate effort, and Docusign takes appropriate measures, consistent with the requirements of applicable data protection laws, to protect the individual’s rights and freedoms and legitimate interests, including by making the transparency information publicly available;
obtaining or disclosure is expressly laid down by applicable laws to which Docusign is subject and these laws provide appropriate measures to protect the individual’s legitimate interests; or
where the personal information must remain confidential subject to an obligation of professional secrecy regulated by applicable laws to which Docusign is subject, including a statutory obligation of secrecy.
APPENDIX 4 - DATA PROTECTION RIGHTS PROCEDURE
Background
Docusign's "Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") safeguard personal information transferred between the Docusign group members.
Individuals whose personal information are processed by Docusign under the Policies have certain data protection rights, which they may exercise by making a request to the controller of their information (whether the controller is Docusign or a Customer) (a “Data Protection Rights Request”).
This Binding Corporate Rules: Data Protection Rights Procedure (“Procedure”) describes how Docusign will respond to any Data Protection Rights Requests it receives from individuals whose personal information are processed and transferred under the Policies.
Individual’s data protection rights
Docusign must assist individuals to exercise the following data protection rights, consistent with the requirements of applicable data protection laws:
The right of access: This is the right for individuals to obtain confirmation whether a controller processes personal information about them and, if so, to be provided with access to, and a copy of, that personal information. This process for handling this type of request is described further in paragraph 4 below.
The right to rectification: This is the right for individuals to require a controller to rectify without undue delay any inaccurate personal information a controller may be processing about them. The process for handling this type of request is described further in paragraph 5 below.
The right to erasure: This is the right for individuals to require a controller to erase personal information about them on certain grounds – for example, where the personal information is no longer necessary to fulfil the purposes for which it was collected. The process for handling this type of request is described further in paragraph 5 below.
The right to restriction: This is the right for individuals to require a controller to restrict processing of personal information about them on certain grounds. The process for handling this type of request is described further in paragraph 5 below.
The right to object: This is the right for individuals to object, on grounds relating to their particular situation, to a controller’s processing of personal information about them, if certain grounds apply. The process for handling this type of request is described further in paragraph 5 below.
The right to data portability: This is the right for individuals to receive personal information concerning them from a controller in a structured, commonly used and machine-readable format and to transmit that information to another controller, if certain grounds apply. The process for handling this type of request is described further in paragraph 6 below.
Responsibility to respond to a Data Protection Rights Request
Overview
The controller of an individual’s personal information is primarily responsible for responding to a Data Protection Rights Request and for helping the individual concerned to exercise his or her rights under applicable data protection laws.
As such, when an individual contacts Docusign to make any Data Protection Rights Request then:
where Docusign is the controller of that individual’s personal information under the Controller Policy, it must help the individual to exercise his or her data protection rights directly in accordance with this Procedure; and
where Docusign processes that individual’s personal information as a processor on behalf of a Customer under the Processor Policy, Docusign must inform the relevant Customer promptly and provide it with reasonable assistance (which may include in-product self-service functionality) to help the individual to exercise his or her rights in accordance with the Customer’s duties under applicable data protection laws.
Assessing responsibility to respond to a Data Protection Rights Request
If a group member receives a Data Protection Rights Request from an individual, it must pass the request to the Office of the Chief Privacy Officer at privacy@docusign.com immediately upon receipt indicating the date on which it was received together with any other information which may assist the Office of the Chief Privacy Officer to deal with the request.
The Office of the Chief Privacy Officer will make an initial assessment of the request as follows:
the Office of the Chief Privacy Officer will determine whether Docusign is a controller or processor of the personal information that is the subject of the request;
where the Office of the Chief Privacy Officer determines that Docusign is a controller of the personal information, it will then determine whether the request has been made validly under applicable data protection laws (in accordance with section 3.3 below), whether an exemption applies (in accordance with section 3.4 below) and respond to the Request (in accordance with section 3.5 below); and
where the Office of the Chief Privacy Officer determines that Docusign is a processor of the personal information on behalf of a Customer, it shall pass the request promptly to the relevant Customer in accordance with its contract terms with that Customer.
Assessing the validity of a Data Protection Rights Request
If the Office of the Chief Privacy Officer determines that Docusign is the controller of the personal information that is the subject of the request, it will contact the individual promptly in writing to confirm receipt of the Data Protection Rights Request.
A Data Protection Rights Request must generally be made in writing, which can include email, unless applicable data protection laws allow a request to be made orally (for example under Europe's General Data Protection Regulation). A Data Protection Rights Request does not have to be official or mention data protection law to qualify as a valid request.
If Docusign has reasonable doubts concerning the identity of the individual making a request, it may request such additional information as is necessary to confirm the identity of the individual making the request. Docusign may also request any further information which is necessary to action the individual's request.
Exemptions to a Data Protection Rights Request
Docusign will not refuse to act on Data Protection Rights Request unless it can demonstrate that an exemption applies under applicable data protection laws.
Docusign may be exempt under applicable data protection laws from fulfilling the Data Protection Rights Request (or be permitted to charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested) if it can demonstrate that the individual has made a manifestly unfounded or excessive request (in particular, because of the repetitive character of the request).
If Docusign decides not to take action on the Data Protection Rights Request, Docusign will inform the individual without delay and at the latest within one (1) month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with the competent supervisory authority and lodging a claim before the court
Responding to a Data Protection Rights Request
Where Docusign is the controller of the personal information that is the subject of the Data Protection Rights Request, and Docusign has already confirmed the identity of the requestor and has sufficient information to enable it to fulfil the request (and no exemption applies under applicable data protection laws), then Docusign shall handle the Data Protection Rights Request in accordance with paragraph 4, 5 or 6 below (as appropriate).
Docusign will respond to a Data Protection Rights Request without undue delay and in no case later than one (1) month of receipt of that request. This one (1) month period may be extended by two (2) further months where necessary, if the request is complex or due to the number of requests that have been made.
Requests for access to personal information
Overview
An individual may require a controller to provide the following information concerning processing of his or her personal information:
confirmation as to whether the controller holds and is processing personal information about that individual;
if so, a description of the purposes of the processing, the categories of personal information concerned, the recipients or categories of recipients to whom the information is, or may be, disclosed, the envisaged period(s) (or the criteria used for determining those period(s)) for which the personal information will be stored;
information about the individual’s right to request rectification or erasure of his or her personal information or to restrict or object to its processing;
information about the individual’s right to lodge a complaint with a competent data protection authority;
information about the source of the personal information if it was not collected from the individual;
details about whether the personal information is subject to automated decision-making (including automated decision-making based on profiling); and
where personal information is transferred outside Europe, the appropriate safeguards that Docusign has put in place relating to such transfers in accordance with applicable data protection laws.
An individual is also entitled to request a copy of his or her personal information from the controller. Where an individual makes such a request, the controller must provide that personal information to the individual in intelligible form.
Process for responding to access requests from individuals
If Docusign receives an access request from an individual, this must be passed to the Office of the Chief Privacy Officer at privacy@docusign.com immediately to make an initial assessment of responsibility consistent with the requirements of paragraph 3.2 above.
Where Docusign determines it is the controller of the personal information and responsible for responding to the individual directly (and that no exemption to the right of access applies under applicable data protection laws), the Office of the Chief Privacy Officer will arrange a search of all relevant electronic and paper filing systems.
The Office of the Chief Privacy Officer may refer any complex cases to the Chief Privacy Officer for advice, particularly where the request concerns information relating to third parties or where the release of personal information may prejudice commercial confidentiality or legal proceedings.
The personal information that must be disclosed to the individual will be collated by the Office of the Chief Privacy Officer into a readily understandable format. A covering letter will be prepared by the Office of the Chief Privacy Officer which includes all information required to be provided in response to an individual's access request (including the information described in paragraph 4.1.1).
Exemptions to the right of access
A valid request may be refused on the following grounds:
if the refusal to provide the information is consistent with applicable data protection law (for example, where a European group member transfers personal information under the Controller Policy, if the refusal to provide the information is consistent with the applicable data protection law in the European Member State where the group member is located);
where the personal information is held by Docusign in non-automated form that is not or will not become part of a filing system; or
the personal information does not originate from Europe, has not been processed by any European group member, and the provision of the personal information requires Docusign to use disproportionate effort.
The Office of the Chief Privacy Officer will assess each request individually to determine whether any of the above-mentioned exemptions applies. A group member must never apply an exemption unless this has been discussed and agreed with the Office of the Chief Privacy Officer.
Requests to correct, update or erase personal information, or to restrict, cease or object to processing personal information
If Docusign receives a request to correct, update or erase personal information, or to restrict or cease processing of an individual’s personal information, this must be passed to the Office of the Chief Privacy Officer at privacy@docusign.com immediately to make an initial assessment of responsibility consistent with the requirements of paragraph 3.2 above.
Once an initial assessment of responsibility has been made then:
where Docusign is the controller of that personal information, the request must be notified to the Office of the Chief Privacy Officer promptly for it to consider and deal with as appropriate in accordance with applicable data protection laws.
where a Customer is the controller of that personal information, the request must be notified to the Customer promptly for it to consider and deal with as appropriate in accordance with its duties under applicable data protection laws. Docusign shall assist the Customer to fulfill the request in accordance with the terms of its contract with the Customer.
To assist the Office of the Chief Privacy Officer in assessing an individual's objection to processing of his or her personal information, the grounds upon which an individual may object are when:
Docusign processes the personal information on grounds that:
the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Docusign;
the processing is necessary for the purposes of legitimate interests pursued by Docusign or by a third party; or
including profiling based on those grounds. When an individual raises an objection in such circumstances, Docusign shall no longer process the personal information unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual or for the establishment, exercise or defence of legal claims.
Docusign processes the personal information for direct marketing purposes, including profiling to the extent that it is related to direct marketing. When an individual raises an objection in such circumstances, Docusign shall no longer process the personal information for such direct marketing purposes.
To assist the Office of the Chief Privacy Officer in assessing an individual's request for restriction of processing of his or her personal information, the grounds upon which an individual may request restriction are when:
the accuracy of the personal information is contested by the individual, for a period enabling Docusign to verify the accuracy of the personal information;
the processing is unlawful and the individual opposes the erasure of the personal information and requests the restriction of its use instead;
Docusign no longer needs the personal information for the purposes of the processing, but it is required by the individual for the establishment, exercise or defence of legal claims; or
the individual has exercised his or her right to object pending the verification whether the legitimate grounds of the controller override his or her objection right.
To assist the Office of the Chief Privacy Officer in assessing an individual's request for erasure of his or her personal information, the grounds upon which an individual may request erasure are when:
the personal information are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the individual withdraws consent on which the processing is based and there is no other legal ground for the processing;
the individual exercises its right to object to processing of his or her personal information and there are no overriding legitimate grounds for continue processing;
the personal information have been unlawfully processed;
the personal information have to be erased for compliance with a legal obligation to which the controller is subject; or
the personal information have been collected in relation to the offer of information society services to a child under the age of 16 and a parent or guardian has not consented to the processing.
When Docusign must rectify or erase personal information, either in its capacity as controller or on instruction of a Customer when it is acting as a processor, Docusign will notify other group members and any sub-processor to whom the personal information has been disclosed so that they can also update their records accordingly.
Where Docusign acting as a controller must restrict processing of an individual's personal information, it must inform the individual before it subsequently lifts any such restriction.
If Docusign acting as controller has made the personal information public, and is obliged to erase the personal data pursuant to a Data Protection Rights Request, it must take reasonable steps, including technical measures (taking account of available technology and the cost of implementation), to inform controllers which are processing the personal information that the individual has requested the erasure by such controllers of any links to, or copy or replication of, the personal information.
Requests for data portability
If an individual makes a Data Protection Rights Request to Docusign acting as controller to receive the personal information that he or she has provided to Docusign in a structured, commonly used and machine-readable format and/or to transmit directly such information to another controller (where technically feasible), the Office of the Chief Privacy Officer will consider and deal with the request appropriately in accordance with applicable data protection laws insofar as the processing is based on that individual's consent or on the performance of, or steps taken at the request of the individual prior to entry into, a contract.
Questions about this Data Protection Rights Procedure
All queries relating to this Procedure are to be addressed to the Office of the Chief Privacy Officer or at privacy@docusign.com.
APPENDIX 5 - PRIVACY COMPLIANCE STRUCTURE
Background
Docusign's compliance with global data protection laws and the “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") is overseen and managed throughout all levels of the business by a global, multi-layered, cross-functional Privacy Compliance Structure.
Docusign’s Privacy Compliance Structure has the full support of Docusign’s executive management. Further information about Docusign's Privacy Compliance Structure is set out below and in the structure chart provided at Annex 1.
Chief Privacy Officer
Docusign has appointed a Chief Privacy Officer who provides executive-level oversight of, and has responsibility for, ensuring Docusign's compliance with applicable data protection laws and the Policies.
The Chief Privacy Officer has direct line reporting to Docusign's Board of Directors on all material or strategic issues relating to Docusign's compliance with data protection laws and the Policies, and is also accountable to Docusign's independent audit committee.
The Chief Privacy Officer is supported in the exercise of its responsibilities by the office of the Chief Privacy Officer, the Security & Privacy Council, and any other personnel that the Chief Privacy Officer may designate from time to time to provide such support.
The Office of the Chief Privacy Officer
The Office of the Chief Privacy Officer is comprised of members of the Legal department and supports the Chief Privacy Officer in the exercise of his/her responsibilities.
The activities of the Office of the Chief Privacy Officer include:
maintaining a comprehensive privacy program that defines, develops, maintains and implements Policies and processes to comply with data protection laws.
supervising compliance with the Policies;
providing periodic reports, as appropriate, to the Chief Executive Officer and other business executives and staff on data protection risks and compliance issues;
overseeing privacy program activities, including privacy impact assessment, data protection impact assessment, and records of processing activities;
ensuring that effective data privacy controls as implemented across Docusign are in place for any third party with which Docusign share personal information or any third party from whom Docusign receives personal information;
deciding on complaints as described the Complaint Handling Procedure; and
overseeing official investigations or inquiries into the processing of personal information by a public authority or employee representative body.
Security & Privacy Council
The Docusign Security & Privacy Council comprises representatives from key functional groups for Docusign’s business, including the office of the Chief Privacy Officer, Information Security, Risk & Compliance, Legal, Engineering, Technical Operations, Finance and Information Technology to ensure appropriate oversight for privacy controls implemented across the business and ensuring business ownership for applicable aspects of Docusign's data protection compliance.
The Security & Privacy Council is accountable for assessing privacy controls and identifying potential areas of improvement for Docusign's data privacy program internally . In this way, the Security & Privacy Council is actively engaged in addressing matters relating to Docusign's privacy compliance across such key functional groups of Docusign.
Docusign Staff
All staff members within Docusign are responsible for supporting the functional Security & Privacy Council members on a day-to-day basis and adhering to Docusign privacy policies.
In addition, Docusign personnel are responsible for escalating and communicating any potential violation of the privacy policies to the appropriate Security & Privacy Council member, or, if they prefer, the office of the Chief Privacy Officer. On receipt of a notification of a potential violation of the privacy policy the issue will be investigated to determine if an actual violation occurred. Results of such investigations will be documented.
Annex 1: Overview of Docusign's Privacy Compliance Structure
APPENDIX 6 - PRIVACY TRAINING REQUIREMENTS
Background
The “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") provide a framework for the transfer of personal information between Docusign group members. The document sets out the requirements for Docusign to train its staff members on the requirements of the Policies.
Docusign must train staff members (including new hires, temporary staff and individual contractors whose roles bring them into contact with personal information) on the basic principles of data protection, confidentiality and information security awareness. This must include training on applicable data protection laws, including European data protection laws and may include training on any other relevant data protection laws that apply to Docusign. Training may also include guidance on data protection best practices and any security standards controls applicable to Docusign (such as ISO 27001 and SSAE 18).
Staff members who have permanent or regular access to personal information and who are involved in the processing of personal information or in the development of tools to process personal information must receive additional, tailored training on the Policies and specific data protection issues relevant to their role. This training is further described below and is repeated on a regular basis.
Responsibility for the Privacy Training Program
Docusign's Office of the Chief Privacy Officer has overall responsibility for privacy training at Docusign, with input with colleagues from other functional areas including Information Security, HR and other departments, as appropriate. They will review training from time to time to ensure it addresses all relevant aspects of the Policies and that it is appropriate for individuals who have permanent or regular access to personal information, who are involved in the processing of personal information or in the development of tools to process personal information.
Docusign's senior management is committed to the delivery of data protection training courses, and will ensure that staff are required to participate, and given appropriate time to attend, such courses. Course attendance will be recorded and monitored via regular audits of the training process. These audits are performed by Docusign's internal training administration team and/or independent third-party auditors.
If these training audits reveal persistent non-attendance, this will be escalated to the Office of the Chief Privacy Officer for action. Such action may include escalation of non-attendance to appropriate managers within Docusign who will be responsible and held accountable for ensuring that the individual(s) concerned attend and actively participate in such training.
Delivery of the training courses
Docusign will deliver mandatory electronic training courses, supplemented by live training for staff members in appropriate cases. The courses are designed to be both informative and user-friendly, generating interest in the topics covered.
All Docusign staff members must complete data protection training (including training on the Policies):
as part of their onboarding activities;
as part of a regular refresher training at least once every calendar year;
as and when necessary to stay aware of changes in the law; and
as and when necessary to address any compliance issues arising from time to time.
Certain staff members may be required to receive supplemental specialist training, such as staff members who work in Marketing, Sales, and Customer Support or whose business activities include processing sensitive personal data. Specialist training shall be delivered as additional modules to the basic training package, and may be tailored as necessary to the course participants.
Training on data protection
Docusign's training on data protection and the Policies will cover the following main areas:
What is data protection law?
What are key data protection terminology and concepts?
What are the data protection principles?
How does data protection law affect Docusign globally?
An overview of the Controller and Processor Policies
Practical examples of how and when the Controller and Processor Policies apply
APPENDIX 7 - AUDIT PROTOCOL
Background
Docusign's “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") safeguard personal information transferred between the Docusign group members. Roles are defined in Appendix 5.
Docusign must audit its compliance with the Policies on a regular basis and this document describes how and when Docusign must perform such audits. Although this Audit Protocol describes the formal assessment process by which Docusign will audit its compliance with the Policies, this is only one way in which Docusign ensures that the provisions of the Policies are observed and corrective actions taken as required.
In particular, Docusign's Privacy Team provides ongoing guidance about the processing of personal information and must continually assess the processing of personal information by group members for potential privacy-related risks and compliance with these Policies.
Conduct of an audit
Overview of audit requirements
Compliance with the Policies is overseen on a day to day basis by the office of the Chief Privacy Officer. The internal audit team (for itself or through its delegate) is responsible for performing independent audits of compliance with the Policies periodically and will ensure that such audits address all aspects of the Policies, to be overseen by the office of the Chief Privacy Officer. The Chief Privacy Officer will determine the specific privacy controls that the internal audit team will audit in advance of any such audit.
The internal audit team is responsible for ensuring that any issues or instances of non-compliance with the Policies are brought to the attention of the Chief Privacy Officer and that any corrective actions are determined and implemented within a reasonable time. Serious non-compliance issues will be escalated to the Board of Directors in accordance with paragraph 2.5.1. Any non-compliance with the Policies will be reported back to the Responsible Executive.
Where Docusign acts as a processor, the Customer (or auditors acting on its behalf) may audit Docusign for compliance with the commitments made in the Processor Policy and may extend such audits to any sub-processors acting on Docusign's behalf in respect of such processing. Such audits shall be conducted in accordance with the terms of Customer's contract with Docusign. Where the Customer agrees, Docusign and its sub-processors may fulfill such Customer audit requirements by providing relevant, complete and accurate evidence of recent data protection and information security audits to which they have been subject.
All audits shall be conducted by an inspections body composed of independent members and in possession of the required professional qualifications, bound by a duty of confidentiality.
Frequency of audit
Audits of compliance with the Policies are conducted:
at least annually in accordance with Docusign's audit procedures;
at the request of the Chief Privacy Officer and/or the Board of Directors;
as may be determined necessary by the office of the Chief Privacy Officer (for example, in response to a specific incident); and/or
(with respect to audits of the Processor Policy), as required by the terms of the Customer's contract with Docusign.
Scope of audit
The Chief Privacy Officer will determine the scope of an audit following a risk-based analysis, taking into account relevant criteria such as:
areas of current regulatory focus;
areas of specific or new risk for the business;
areas with changes to the systems or processes used to safeguard information;
use of innovative new tools, systems or technologies
areas where there have been previous audit findings or complaints;
the period since the last review; and
the nature and location of the personal information processed.
If a Customer exercises its right to audit Docusign for compliance with the Processor Policy, the scope of the audit shall be limited to the data processing facilities, data files and documentation relating to Docusign's processing of Personal Information for that Customer under the Processor Policy. Docusign will not provide a Customer with access to systems which process personal information of another Customer.
Auditors
Audit of the Policies (including any related procedures and controls) will be undertaken by the internal audit team and/or the office of the Chief Privacy Officer. In addition, Docusign may appoint independent and experienced professional auditors acting under a duty of confidence and in possession of the required professional qualifications as necessary to perform audits of the Policies (including any related procedures and controls).
If a Customer exercises its right to audit Docusign for compliance with the Processor Policy, such audit may be undertaken by that Customer, or by independent and suitably experienced auditors approved by that Customer, in accordance with the terms of the Customer's contract with Docusign.
Reporting
Data protection audit reports must be submitted to the Office of the Chief Privacy Officer and, if the report reveals breaches or the potential for breaches of a serious nature (for example, presenting a risk of potential harm to individuals or to the business), to the Board of Directors.
Upon request and subject to applicable law, Docusign will:
provide copies of the results of data protection audits of the Policies (including any related procedures and controls) to the competent data protection authorities; and
to the extent that an audit of compliance with the Processor Policy relates to personal information Docusign processes on behalf of a Customer, to that Customer.
The Office of the Chief Privacy Officer is responsible for liaising with the competent data protection authorities for the purpose of providing the information outlined in paragraph 2.5.2.
Data protection authority audits
The competent data protection authorities audit group members for compliance with the Policies (including any related procedures and controls) in accordance with the Binding Corporate Rules: Cooperation Procedure (see Appendix 9).
APPENDIX 8 - COMPLAINT HANDLING PROCEDURE
Background
Docusign's "Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") safeguard personal information transferred between the Docusign group members.
This Complaint Handling Procedure describes how complaints brought by an individual whose personal information is processed by Docusign under the Policies must be addressed and resolved.
This procedure will be made available to individuals whose personal information is processed by Docusign under the Controller Policy and to Customers on whose behalf Docusign processes personal information under the Processor Policy.
How individuals can bring complaints
Any individuals may raise a data protection question, concern or complaint (whether related to the Policies or not) by e-mailing Docusign’s Office of the Chief Privacy Officer at privacy@docusign.com.
Complaints where Docusign is a controller
Who handles complaints?
The Office of the Chief Privacy Officer will handle all questions, concerns, or complaints in respect of personal information for which Docusign is a controller (such as personal information processed in the context of HR admin or customer relationship management), including questions, concerns or complaints arising under the Controller Policy. The Office of the Chief Privacy Officer will liaise with colleagues from relevant business and support units as necessary to address and resolve such questions, concerns and complaints.
What is the response time?
The Office of the Chief Privacy Officer will acknowledge receipt of a question, concern or complaint to the individual concerned without undue delay, investigating and making a substantive response within one (1) month.
If, due to the complexity of the question, concern or complaint, a substantive response cannot be given within this period, the Office of the Chief Privacy Officer will advise the individual accordingly and provide reasons why an extension is necessary and a reasonable estimate (not exceeding two (2) months) of the timescale within which a substantive response will be provided.
If, having reviewed the question, concern or complaint, the Office of the Chief Privacy Officer does not take action that has been requested by the individual, the Office of the Chief Privacy Officer shall inform the individual without delay and of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
What happens if an individual disputes a finding?
If the individual notifies the Office of the Chief Privacy Officer that it disputes any aspect of the response finding and wishes to further escalate the matter within Docusign, the Office of the Chief Privacy Officer will refer the matter to the Chief Privacy Officer. The Chief Privacy Officer will review the case and advise the individual of his or her decision either to accept the original finding or to substitute a new finding. The Chief Privacy Officer will respond to the complainant within one (1) month from being notified of the escalation of the dispute.
As part of its review, the Chief Privacy Officer may arrange to meet the parties to the dispute in an attempt to resolve it. If, due to the complexity of the dispute, a substantive response cannot be given within one (1) month of its escalation, the Chief Privacy Officer will advise the complainant accordingly and provide a reasonable estimate for the timescale within which a response will be provided which will not exceed two (2) months from the date the dispute was escalated.
If the complaint is upheld, the Chief Privacy Officer will arrange for any necessary steps to be taken as a consequence (for example, implementing procedures to remedy the complaint and prevent recurrence).
Complaints where Docusign is a processor
Communicating complaints to the Customer
Where a complaint is brought in respect of the processing of personal information for which Docusign is a processor on behalf of a Customer, Docusign will communicate the details of the complaint to the relevant Customer without delay and without handling it (unless Docusign has agreed in the terms of its contract with the Customer to handle complaints).
Docusign will cooperate with the Customer to investigate the complaint, in accordance with the terms of its contract with the Customer and if so instructed by the Customer.
What happens if a Customer no longer exists?
In circumstances where a Customer has disappeared, no longer exists or has become insolvent, and no successor entity has taken its place, individuals whose personal information are processed under the Processor Policy have the right to complain to Docusign and Docusign will handle such complaints in accordance with paragraph 3 of this Complaint Handling Procedure.
In such cases, individuals also have the right to complain to a competent data protection authority and to file a claim with a court of competent jurisdiction, including where they are not satisfied with the way in which their complaint has been resolved by Docusign. Such complaints and proceedings will be handled in accordance with paragraph 5 of this Complaint Handling Procedure.
Right to complain to a competent data protection authority and to commence proceedings
Overview
Where individuals' personal information:
are processed in Europe by a group member acting as a controller and/or transferred to a group member located outside Europe under the Controller Policy; or
are processed in Europe by a group member acting as a processor and/or transferred to a group member located outside Europe under the Processor Policy;
then those individuals have certain additional rights to pursue effective remedies for their complaints, as described below.
The individuals described above have the right to complain to a competent data protection authority (in accordance with paragraph 5.2) and/or to commence proceedings in a court of competent jurisdiction (in accordance with paragraph 5.3), whether or not they have first complained directly to the Customer in question or to Docusign under this Complaints Handling Procedure. However, Docusign's endeavours to resolve all complaints amicably and directly, wherever possible, and for that reason encourages any individual with a complaint to contact the Office of the Chief Privacy Officer before complaining to a competent data protection authority and/or commencing proceedings.
Docusign accepts that complaints and claims made pursuant to paragraphs 5.2 and 5.3 may be lodged by a non-for-profit body, organisation or association acting on behalf of the individuals concerned.
Complaint to a data protection authority
If an individual wishes to complain about Docusign’s processing of his or her personal information to a data protection authority, on the basis that a European group member has processed personal information in breach of the Policies or in breach of applicable data protection laws, he or she may complain about that European group member to the data protection authority in the European territory:
of his or her habitual residence;
of his or her place of work; or
where the alleged infringement occurred.
If an individual wishes to complain about Docusign’s processing of his or her personal information to a data protection authority, on the basis that a non-European group member has processed personal information in breach of the Policies or in breach of applicable data protection laws, then Docusign International (EMEA) Ltd will submit to the jurisdiction of the competent data protection authority (determined in accordance with paragraph 5.2.1 above) in place of that non-European group member, as if the alleged breach had been caused by the Docusign International (EMEA) Ltd.
Proceedings before a national court
If an individual wishes to commence court proceedings against Docusign, on the basis that a European group member has processed personal information in breach of the Policies or in breach of applicable data protection laws, then he or she may commence proceedings against that European group member in the European territory:
in which that European group member is established; or
of his or her habitual residence.
If an individual wishes to commence court proceedings against Docusign, on the basis that a non-European group member has processed personal information in breach of the Policies or in breach of applicable data protection laws, then Docusign International (EMEA) Ltd will submit to the jurisdiction of the competent data court (determined in accordance with paragraph 5.3.1 above) in place of that non-European group member, as if the alleged breach had been caused by the Docusign International (EMEA) Ltd.
An individual's right to lodge proceedings before a competent court shall be without prejudice to any administrative or non-judicial remedy available to that data subjects, including the right to lodge a complaint with a competent data protection authority.
APPENDIX 9 - CO-OPERATION PROCEDURE
Background
Docusign’s Binding Corporate Rules: Cooperation Procedure sets out the way in which Docusign will cooperate with competent data protection authorities in relation to the "Docusign Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy").
Cooperation Procedure
Where required, Docusign will make the necessary personnel available for dialogue with a competent data protection authority in relation to the Policies.
Docusign will review, consider and implement:
any advice or decisions of relevant competent data protection authorities on any data protection law issues that may affect the Policies; and
any guidance published by data protection authorities (including the European Data Protection Board or any successor to it) in connection with Binding Corporate Rules for Processors and Binding Corporate Rules for Controllers.
Subject to applicable data protection law, Docusign will provide upon request copies of the results of any audit it conducts of the Policies to a competent data protection authority.
Docusign agrees that:
a data protection authority may audit any group member over which it exercises jurisdiction for compliance with the Policies, in accordance with the applicable data protection law(s) of that jurisdiction; and
a data protection authority may audit any group member who processes personal information for a Customer over which that data protection authority exercises jurisdiction for compliance with the Policies, in accordance with the applicable data protection law(s) of that jurisdiction and with full respect to the confidentiality of the information obtained and to the trade secrets of Docusign (unless this requirement is in conflict with applicable data protection law).
Docusign agrees to abide by a formal decision of any competent data protection authority on any issues relating to the interpretation and application of the Policies (unless and to the extent that Docusign is entitled to appeal any such decision and has chosen to exercise such right of appeal).
APPENDIX 10 - UPDATING PROCEDURE
Background
Docusign’s Binding Corporate Rules: Updating Procedure describes how Docusign must communicate changes to the "Binding Corporate Rules: Controller Policy" ("Controller Policy") and to the "Binding Corporate Rules: Processor Policy" ("Processor Policy") (together the "Policies") to competent data protection authorities, individual data subjects, its Customers and to Docusign group members bound by the Policies.
The Chief Privacy Officer is accountable for ensuring that the commitments made by Docusign in this Updating Procedure are met.
Records keeping
Docusign must maintain a change log which sets out details of each and every revision made to the Policies, including the nature of the revision, the reasons for making the revision, the date the revision was made, and who authorised the revision.
Docusign must also maintain an accurate and up-to-date list of group members that are bound by the Policies and of the sub-processors appointed by Docusign to process personal information on behalf of Customers. This information must be made available on request to competent data protection authorities and to Customers and individuals who benefit from the Policies.
The Office of the Chief Privacy Officer shall be responsible for ensuring that the records described in this paragraph 2 are maintained and kept accurate and up-to-date.
Changes to the Policies
All proposed changes to the Policies must be reviewed and approved by the Chief Privacy Officer in order to ensure that a high standard of protection is maintained for the data protection rights of individuals who benefit from the Policies. No changes to the Policies shall take effect unless reviewed and approved by the Chief Privacy Officer.
Docusign will communicate all changes to the Policies (including reasons that justify the changes) or to the list of group members bound by the Policies:
to the group members bound by the Policies via written notice (which may include e-mail or posting on an internal Intranet accessible to all group members);
to Customers and the individuals who benefit from the Policies via online publication at www.docusign.com (and, if any changes are material in nature, Docusign must also actively communicate the material changes to Customers before they take effect, in accordance with paragraph 4.2 below); and
to the data protection authority that was the lead authority for the purposes of granting Docusign’s BCR authorisation (“Lead Authority”), and any other relevant data protection authorities the Lead Authority may direct, at least once a year.
Communication of material changes
If Docusign makes any material changes to the Policies or to the list of group members bound by the Policies that affect the level of protection offered by the Policies or otherwise significantly affect the Policies (for example, by making changes to the binding nature of the Policies), it will promptly report such changes (including the reasons that justify such changes) to the Lead Authority and all other Docusign group members.
If a proposed change to the Processor Policy will materially affect Docusign’s processing of personal information on behalf of a Customer, Docusign will also:
actively communicate the proposed change to the affected Customer before it takes effect, and with sufficient notice to enable the affected Customer to raise objections; and
the Customer may then suspend the transfer of personal information to Docusign and/or terminate the contract, in accordance with the terms of its contract with Docusign.
Transfers to new group members
If Docusign intends to transfer personal information to any new group members under the Policies, it must first ensure that all such new group members are bound by the Policies before transferring personal information to them.
APPENDIX 11 - GOVERNMENT DATA REQUEST PROCEDURE
Introduction
This Binding Corporate Rules: Government Data Request Procedure sets out Docusign's procedure for responding to a request received from a law enforcement or other government authority (together the "
Requesting Authority
") to disclose personal information processed by Docusign (hereafter "
Data Disclosure Request
"). The term "Data Disclosure Request" includes requests for voluntary disclosure of personal information, as well as compelled disclosure orders pursuant to a subpoena, warrant or court order.
Where Docusign receives a Data Disclosure Request, it will handle that Data Disclosure Request in accordance with this Procedure. If applicable data protection law(s) require a higher standard of protection for personal information than is required by this Procedure, Docusign will comply with the relevant requirements of applicable data protection law(s).
General principle on Data Disclosure Requests
As a general principle, Docusign does not disclose personal information in response to a Data Disclosure Request unless either:
it is under a compelling legal obligation to make such disclosure; or
taking into account the nature, context, purposes, scope and urgency of the Data Disclosure Request and the privacy rights and freedoms of any affected individuals, there is an imminent risk of serious harm that merits compliance with the Data Disclosure Requests in any event.
For that reason, unless it is legally prohibited from doing so or there is an imminent risk of serious harm, Docusign will notify and consult with the competent data protection authorities (and, where it processes the personal information on behalf of a Customer, the Customer) in order to address the Data Disclosure Request.
Handling of a Data Disclosure Request
Receipt of a Data Disclosure Request
If a Docusign Group Member receives a Data Disclosure Request, the recipient of the request must pass it to Docusign's Office of the Chief Privacy Officer (or any other group or person within Docusign's legal department as instructed by the Chief Privacy Officer) (the "
Responsible Party
") promptly upon receipt, indicating the date on which it was received together with any other information which may assist the Responsible Party to deal with the request.
The request does not have to be made in writing, made under a Court order, or mention data protection law to qualify as a Data Disclosure Request. Any Data Disclosure Request, howsoever made, must be notified to the Office of the Chief Privacy Officer for review.
Initial steps
Docusign's Responsible Party will carefully review each Data Disclosure Request on a case-by-case basis, and will liaise with the legal department as appropriate to deal with the request to determine the nature, context, purposes, scope and urgency of the Data Disclosure Request, as well as its validity under applicable laws, in order to identify whether action may be needed to challenge the Data Disclosure Request and/or to notify the Customer and competent data protection authorities in accordance with paragraph 4.
Notice of a Data Disclosure Request
Notice to the Customer
If a request concerns personal information for which a Customer is the controller, Docusign will ordinarily ask the Requesting Authority to make the Data Disclosure Request directly to the relevant Customer, and Docusign will support the Customer in accordance with the terms of its contract to respond to the Data Disclosure Request.
If this is not possible (for example, because the Requesting Authority declines to make the Data Disclosure Request directly to the Customer), Docusign will notify and provide the Customer with the details of the Data Disclosure Request prior to disclosing any personal information, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.
Notice to the competent data protection authorities
If the Requesting Authority is located in a country that does not provide an adequate level of protection for the personal information in accordance with applicable data protection laws, then Docusign will also put the Data Disclosure Request on hold in order to notify and consult with the competent data protection authorities, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.
Where Docusign is prohibited from notifying the competent data protection authorities and suspending the Data Disclosure Request, Docusign will use its best efforts (taking into account the nature, context, purposes, scope and urgency of the request) to inform the Requesting Authority about its obligations under applicable data protection law and to obtain the right to waive this prohibition. Such efforts may include asking the Requesting Authority to put the Data Disclosure Request on hold so that Docusign can consult with the competent data protection authorities, which may also, in appropriate circumstances, include seeking a court order to this effect. Docusign will maintain a written record of the efforts it takes.
Transparency reports
Docusign commits to preparing an annual report (a Transparency Report), which reflects to the extent permitted by applicable laws, the number and type of Data Disclosure Requests it has received for the preceding year and the Requesting Authorities who made those requests. Docusign shall make this report available upon request to competent data protection authorities.
Bulk transfers
In no event will any Group Member transfer personal information to a Requesting Authority in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society.
APPENDIX 12 - TRANSFER IMPACT ASSESSMENT POLICY
Background
Docusign’s Binding Corporate Rules: Transfer Impact Assessment Policy ("Transfer Impact Assessment Policy") describes how Docusign will ensure adequate protection for personal information that is subject to European data protection laws when it transfers such personal information internationally under its "Binding Corporate Rules: Controller Policy" ("Controller Policy") and "Binding Corporate Rules: Processor Policy" ("Processor Policy") (together the "Policies").
It sets out Docusign's procedure for conducting Transfer Impact Assessments and promptly notifying any transfer risks in accordance with Applicable Data Protection Laws.
The procedures and evaluations undertaken pursuant to this Transfer Impact Assessment Policy, in particular those contained in paragraph 3.4, should be conducted based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) GDPR, are not in contradiction with the Policies.
Any capitalised terms or expressions used in this Transfer Impact Assessment Policy have the same meanings given in the Policies.
Data transfer compliance
European data protection laws prohibit international transfers of personal information from Europe to third countries that do not provide an adequate level of protection ("Non-Adequate Country") unless appropriate safeguards are implemented to ensure the transferred data remains protected to the standard required under European law. This includes transfers of personal information to Docusign group members who are subject to the Policies, and transfers (and onward transfers) from Docusign group members to third parties who are not subject to the Policies.
In addition, as a processor and always in accordance with Rule 2 of the Processor Policy, Docusign will also comply with our Customers’ documented instructions in respect of any international transfers of personal information.
Whenever a Docusign group member transfers personal information internationally, or onward transfers personal information to third parties, providing such assistance in a reasonable time and to the extent reasonably possible, Docusign's designated representative(s) (as instructed by the Office of the Chief Privacy Officer) (the "Responsible Party") will be consulted so that they can ensure appropriate safeguards have been implemented to protect the personal information being transferred and, where necessary, a Transfer Impact Assessment has been conducted (as described below in paragraph 3).
Docusign group members may transfer personal information or onward transfer personal information internationally, only where measures necessary to comply with: (a) applicable Customers’ documented instructions in the terms of the applicable agreement with a Customer; and (b) the requirements of Applicable Data Protection Laws with respect to international transfers or onward transfers of personal information have been satisfied.
Transfer Impact Assessments
Where the GDPR applies to the personal information that will be transferred (or onward transferred), then before a transferring Docusign group member (a “Data Transferor”) makes an international transfer (or onward transfer) of personal information that is subject to European data protection laws to a recipient group member or third party data recipient (a “Data Recipient”) located in a Non-Adequate Country, the Responsible Party will coordinate with the Data Transferor to undertake a risk assessment of such proposed transfer to confirm no material conflict between the laws and practices in the Non-Adequate Country where the Data Recipient will process the personal information (including any requirements to disclose personal information to public authorities or measures authorising access by public authorities), and Docusign’s obligations under the Policies (a “Transfer Impact Assessment”).
The Responsible Party will liaise with the Data Transferor and Data Recipient as necessary to conduct the Transfer Impact Assessment, and shall keep Docusign International (EMEA) Ltd informed of the Transfer Impact Assessment and its findings.
No international transfer (or onward transfer) of personal information may take place to a Non-Adequate Country unless:
Transfer Impact Assessment has been conducted; and
any additional safeguards that are identified as necessary pursuant to the Transfer Impact Assessment to protect the transfer of personal information to the Data Recipient have been implemented by the Data Transferor and Data Recipient.
Factors to consider for Transfer Impact Assessments
The Transfer Impact Assessment should take into account the following elements:
the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used, any intended onward transfers, the type of recipient, the purpose of processing, the categories and format of the transferred personal information, the economic sector in which the transfer occurs and the storage location of the data transferred;
the laws and practices of the Non-Adequate Country destination (including those requiring the disclosure of data to public authorities or authorising access by such authorities, as well as those providing for access to these data during the transit between the country of the Data Transferor and the Non-Adequate Country ), relevant in light of the specific circumstances of the transfer and the applicable limitations and safeguards; and
any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under the Policies, including measures applied during transmission and to the processing of the personal information in the country of destination.
Laws and practices of third country of destinationAs regards the impact of the laws and practices of the Non-Adequate Country on compliance with the Policies, different factors may be considered as part of an overall assessment. Such factors may include, for example, the Data Recipient's practical experience with prior instances of disclosure requests from public authorities, or the absence of such requests. This may be drawn from internal records or other documentation, provided that this information can be lawfully shared with third parties.
Where this practical experience is relied upon to conclude that the Data Recipient will not be prevented from complying with the requirements of the Policies, such conclusion needs to be supported with relevant, objective evidence (including that mentioned in Section 3.5 above), and it is for the Responsible Party, the Data Transferor and Data Recipient to assess whether the sufficiency of this evidence, in terms of their reliability and representativeness, supports the conclusion.
In particular, the Responsible Party, the Data Transferor and Data Recipient will take into account whether upon reasonable diligence, the practical experience is corroborated and not contradicted by publicly available or otherwise accessible and reliable information regarding the application of the laws in practice, such as case law and reports by independent oversight bodies.
Findings of Transfer Impact AssessmentsThe Responsible Party will keep other relevant Docusign group members informed about the findings of the Transfer Impact Assessment, so that, if required, they can apply any identified additional safeguards determined to be necessary in respect of any identical or similar subsequent transfers they make.
Where the Transfer Impact Assessment concludes that it is not possible to implement additional safeguards to ensure the Data Recipient’s processing in the Non-Adequate Country will be compatible with the requirements of the Policies, then the Responsible Party will inform the Data Transferor (and other relevant group members) that they should not proceed with any such transfer of personal information where effective supplementary measures could not be put in place and in such circumstances the transfers at stake will be suspended or ended.
Information and cooperationIf the Data Recipient is a group member, the Data Recipient will use its best efforts to cooperate with the Responsible Party and the Data Transferor to ensure compliance with the requirements of the Policies throughout the duration of the transfer and subsequent processing.
If the Data Recipient is not a group member (i.e. if it is a third party data recipient), the Responsible Party and the Data Transferor will exercise appropriate diligence to ensure that the Data Recipient will continue to provide such cooperation, including where appropriate by seeking documented assurances from the Data Recipient.
The Responsible Party and the Data Transferor will coordinate with the Data Recipient to document the Transfer Impact Assessment as well as documenting any supplementary measures selected and implemented in relation to such transfers and to make these available to the competent data protection authority, and, where applicable, the Customer, on request.
Transfer Risk Notifications
If the Data Recipient is a Docusign group member, the Data Recipient will notify the Responsible Party and the Data Transferor promptly if, at any time during which it transfers, receives or processes personal information, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements of the Policies, including following a change in the laws of the Non-Adequate Country where it transfers, receives or processes personal information or a measure (such as a disclosure request) indicating an application of such laws in practice is not in line with the Policies (a “Transfer Risk Notification”).
When located in an EU Member State, the Data Transferor or Responsible Party will take reasonable steps to monitor, on an ongoing basis, and where appropriate in collaboration with Data Recipients, developments in the Non-Adequate Country to which the Data Transferor has transferred personal information that could affect the initial assessment of the level of protection and the decisions taken accordingly on such transfers and in particular in relation to developments that may affect the outcome of the Transfer Impact Assessment.
If the Data Recipient is not a group member (i.e. if it is a third party data recipient), the Responsible Party and the Data Transferor will exercise appropriate diligence to ensure that the Data Recipient will provide any such Transfer Risk Notification to the Data Transferor as contemplated in clause 4.1 above, including where appropriate by seeking documented assurances from the Data Recipient.
Following receipt of a Transfer Risk Notification from the Data Recipient, or if the Responsible Party or the Data Transferor otherwise have reason to believe that the Data Recipient’s processing is not in line with (or is at risk of coming out of line) with the Policies, the Data Transferor upon consulting the Responsible Party will promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the Data Transferor and Data Recipient to address the situation, if appropriate in consultation with the Controller.
The Responsible Party will instruct the Data Transferor to suspend the transfer if it considers that appropriate safeguards for such transfer cannot be ensured, or if the Responsible Party is informed that a competent data protection authority or the applicable Controller has instructed suspension of such transfer.
In this case, the Data Transferor will be entitled to terminate its transfers of personal information to the Data Recipient, insofar as it concerns the processing of personal information under the Policies (in which event, the Data Recipient will be instructed by the Data Transferor to return or destroy the personal information it received). The Responsible Party will inform other relevant Docusign group members in such cases.
If the Data Transferor transfers personal information to two or more Data Recipients, the Data Transferor may exercise this right to terminate only with respect to the relevant Data Recipient.