GDPR Overview

The General Data Protection Regulation (“GDPR”) is the European Union’s (“EU”) primary data protection and privacy law, which took effect on May 25th, 2018.
Overview
GDPR at Signeasy

The Signeasy data privacy promise

We are committed to providing data privacy and security to our customers in accordance with global regulations and industry best-practices.
‍
We understand that we are being entrusted with your most important business documents and want to ensure that you have all the information you need regarding the safety and security of your business and customer data. In line with our commitment, we have worked hard to ensure Signeasy’s compliance with legal requirements and best practices concerning data security and privacy at all times. We have successfully completed the SOC2 Type 2 assessment which confirms our adherence to one of the most stringent, industry-accepted auditing standards for service companies while providing additional assurance to our customers, through an independent auditor, that our business process, information technology and risk management controls are properly designed and operating effectively.

What is GDPR?

The General Data Protection Regulation (“GDPR”) is the European Union’s (“EU”) primary data protection and privacy law, which took effect on May 25th, 2018. GDPR was conceptualized to provide and strengthen the right to data protection of EU individuals, and give them a greater say in how organizations collect and handle their personal data. This significantly changed the way personal data is collected, accessed and used.

Broadly, GDPR emphasizes long-standing data protection principles of lawfulness, transparency, accountability, and security to name a few, and imposes a new set of obligations on organizations that offer goods or services to, or monitor the behavior of EU individuals. The applicability of GDPR extends far beyond the EU, to regulate the processing of personal data by organizations located outside the EU as well.

Frequently Asked Questions

Who must comply with the GDPR?

Any organization that is involved in the processing of the personal data of people in the EU must comply with the GDPR.

  • “Processing” is a broad term that covers anything that one can do with data - whether automated or manual: collection, recording, storage, organizing, transmission, structuring, analysis, erasing or any other related activities.
  • “Personal data” is any information relating to a person, such as names, email addresses, IP addresses, eye color, political affiliation, and so forth.

Even if an organization is not associated with the EU itself, if it is involved in the processing of the personal data of the citizens and people residing in the EU , it is required to comply.

Who is a data controller, processor and subject?

  • Data controller is the one who decides how personal data will be processed and the reason for processing it.
  • Data processor is the third party that processes personal data on behalf of the data controller.
  • Data subject is a person whose data is being processed.

Who​ ​is​ ​a​ ​Data​ ​Protection​ ​Officer​ ​(DPO)​?

The data protection officer (DPO) is required to ensure that the organization processes the personal data of its employees, customers, or any other individuals (also referred to as data subjects) in accordance with the required data protection rules. This would include tasks such as consistent training as well as performing regular monitoring and audits of the control environment.

Does​ ​the​ ​GDPR​ ​require​ ​EU​ ​data​ ​to​ ​stay in​ ​the​ ​EU?

GDPR does not impose data residency or localization obligations and organizations are free to choose where they host the data. GDPR prescribes transfer methods which ensure GDPR-equivalent safeguards when personal data is transferred from the European Economic Area (EEA) outside the EEA.

There are certain countries covered by an 'adequacy decision' of the European Commission.

The previously available Privacy Shield framework no longer provides adequate safeguards for the transfer of personal data to the United States from the EEA.

Signeasy takes adequate measures to safeguard the privacy of data that is being transferred to host countries, while the data is at rest and while in transit.

What are the GDPR Data protection principles?

  1. Lawfulness, fairness and transparency – Processing of data must be lawful, fair, and transparent to the data subject.
  2. Purpose limitation – Data processing is allowed only for the legitimate purposes clearly specified by the data controller to the data subject.
  3. Data minimization – Organizations can collect and process only as much data that is absolutely required to fulfill the specified purposes.
  4. Accuracy – It is required to maintain accurate and up to date personal data.
  5. Storage limitation – One can only store personally identifying data for as long as necessary for the specified purpose.
  6. Integrity and confidentiality – Processing of data must be done while ensuring its appropriate security, integrity, and confidentiality (e.g., by using encryption).
  7. Accountability – GDPR compliance with all of these principles is the responsibility of the data controller.

What are the data subject’s privacy rights?

  1. The right to be informed.
  2. The right of access.
  3. The right to rectification.
  4. The right to erasure or right to be forgotten.
  5. The right to restrict processing.
  6. The right to data portability.
  7. The right to object.
  8. Rights in relation to automated decision making and profiling.

Do we always need consent?

Procuring consent won’t always be the most appropriate or easiest, hence though it is one of the lawful basis for processing, there are five others that need to be considered:

  1. Contractual relationship
  2. Compliance with a legal obligation
  3. Vital interests, to protect someone’s life
  4. A public interest
  5. Legitimate interests unless this is outweighed by the individual’s rights and interests

At Signeasy, we are committed to being GDPR compliant and work hard to keep up-to-date with the legislation. We make constant efforts to adopt and maintain industry best practices for data protection and privacy. We continue to make modifications to ensure that, as further guidance emerges from data protection authorities, our process and practices meet new requirements.

Data Processing Agreement

  1. Contractual Commitments
    ‍
    a) Data Processing Agreement
    Contractual commitments form an essential component of GDPR’s requirements. As part of our standard terms and conditions, we have Data Processing Agreements that automatically apply when you sign up for our services. We work extensively with our legal team to ensure that such agreements reflect continuing developments in EU’s data protection law and are kept up-to-date. 

    b) Standard Contractual Clauses: 
    In order to ensure that the protection guaranteed within the EU travels with personal data when it is transferred to a third country outside the EU, GDPR requires one of the approved transfer methods to be put in place beforehand. One such transfer method is a set of compulsory clauses, called the Standard Contractual Clauses (“SCCs”), that are required to be included in contracts between data exporters and data importers. Our Data Processing Agreements incorporate the updated SCCs published by the EU Commission on June 7th, 2021
  2. Sub Processors 
    We engage third-party sub-processors who may have access to systems containing underlying data, while carrying out specific processing activities on behalf of us or our customers. We engage such sub-processors through a vendor selection process/criteria which deliberately includes focus on GDPR-compliant solutions which aim to provide best-in-class adherence to data protection and compliance standards. We also ensure that our sub-processors comply with their obligations under the Data Processing Agreement and the GDPR.
  3. Product Features
    In compliance with the GDPR’s principle of Privacy by Design, privacy is not only incorporated in our organizational practices, but has been built into our product development cycle. Our product is designed with privacy features which apply by default. Such features include implementation of encryption in transit and encryption at rest in securing and protecting your data, allowing the customer to correct the data - giving them more control over how their personal data are collected and processed, portability of data, and obtaining consent for the data that we hold. Our product team works closely with our IT and legal teams to ensure that any new products, product updates, and features are rolled out with no risk to data security and privacy.
  4. Security Measures
    Serving our customers with secured products is of our utmost concern. We use appropriate technical and organizational measures to protect customer data.
  5. Updated privacy policy
    ‍     We periodically update our privacy policy in line with the emerging requirements of data protection laws and the processing activities we undertake.
  6. Data Protection Officer
    We have appointed a Data Protection Officer (“DPO”) responsible for monitoring our compliance with GDPR, overseeing our data protection policies, its implementation and conducting assessments at regular intervals to mitigate risk. Our DPO is easily accessible as a point of contact for our employees and individuals at [email protected]
  7. Right to Opt-out of marketing communication
    ‍    We only send marketing and promotional emails where we have obtained consent as required by law. We provide an opt-out mechanism in our emails that we send and maintain a do-not-disturb list of recipients that have unsubscribed to our marketing communications.
  8. Internal policy on data protection for employees
    We have established internal policies and processes concerning the handling of personal data, response to data subject access requests, governmental requests, and reporting of data breaches, etc..
  9. Training and sensitisation
    We recognize the need to ensure that our employees understand the importance of data protection and are trained on the basic principles of GDPR. We extend training programs to our employees who handle personal data in the course of their employment in order to familiarize them with GDPR compliance.
  10. Onward compliance
    Prior to engaging vendors, we conduct the required due diligence to evaluate their security, privacy and confidentiality practices and execute agreements that impose GDPR-equivalent obligations on them. 
  11. Safeguards with governmental requests
    We have established and documented internal procedures for responding to search warrants, subpoenas, governmental orders and similar data requests. We diligently adhere to and follow the best practices when responding to search warrants, subpoenas, governmental orders and similar data requests directed to Signeasy.

If ever you need to know more about our compliance with GDPR, please send an email to [email protected].

Disclaimer

The content above is provided for informational purposes only. The information shared here is not meant to serve as legal advice. You should work closely with your legal and other professional counsel to determine exactly how GDPR may or may not apply to you.

As a trusted electronic signature service provider, Signeasy can easily assist you with your own data protection compliance.