EU and UK users have extensive legal rights over their personal data held by DocuSign, and their data is transferred internationally using Standard Contractual Clauses as the legal safeguard.
This analysis describes what DocuSign's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
EU and UK data protection law provides some of the strongest privacy rights globally, and the use of Standard Contractual Clauses for transfers to the US means those rights travel with your data, though the practical enforceability depends on the transfer mechanism's ongoing validity.
If you are in the EU or UK, you can request access to, correction, or deletion of your DocuSign data, and can object to certain processing. Cross-border transfers of your data to the US are governed by Standard Contractual Clauses, which are currently the primary approved mechanism under GDPR.
How other platforms handle this
OpenAI is based in the United States and the information we collect is governed by U.S. law. If you are accessing our services from outside of the United States, please be aware that your information may be transferred to, stored, and processed by us in our facilities in the United States and by tho...
When we transfer personal information from the European Economic Area, United Kingdom, or Switzerland to countries that have not been found to provide an adequate level of protection under applicable law, we take steps to provide appropriate safeguards, including through the use of Standard Contract...
We may transfer your personal information to countries other than the country in which you live. We transfer personal data from the European Economic Area, United Kingdom, and Switzerland to other countries, some of which have not been determined by the European Commission to have an adequate level ...
Monitoring
DocuSign has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"If you are located in the European Economic Area (EEA) or United Kingdom, you have certain rights under applicable data protection laws, including the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, and the right to object. Docusign relies on Standard Contractual Clauses as a legal mechanism for transfers of personal data from the EEA and UK to countries that have not received an adequacy decision.— Excerpt from DocuSign's DocuSign Privacy Statement
(1) REGULATORY LANDSCAPE: These provisions are grounded in GDPR Articles 15-22 for data subject rights and Articles 46 and 47 for transfer mechanisms. The UK GDPR mirrors these provisions post-Brexit. Standard Contractual Clauses adopted by the European Commission in 2021 are the referenced transfer mechanism. The Irish Data Protection Commission and UK ICO are the primary supervisory authorities for DocuSign's EU and UK operations respectively. (2) GOVERNANCE EXPOSURE: Medium. The adequacy of Standard Contractual Clauses for US transfers remains subject to regulatory and legal scrutiny following Schrems II, and organizations relying on SCCs must conduct transfer impact assessments. DocuSign's reliance on SCCs without explicit reference to supplementary measures or transfer impact assessments may warrant closer review by EU enterprise customers. (3) JURISDICTION FLAGS: EEA and UK users are directly affected. Organizations subject to sector-specific requirements such as financial services or healthcare should assess whether SCCs alone are sufficient for their data flows through DocuSign. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers in the EU and UK should obtain DocuSign's current SCC documentation and any available transfer impact assessment summaries. Procurement teams should confirm that DocuSign's DPA incorporates the 2021 module SCCs appropriate to the controller-processor relationship. (5) COMPLIANCE CONSIDERATIONS: Enterprise customers should log DocuSign as a sub-processor or processor in their records of processing activities as required by GDPR Article 30, noting the cross-border transfer mechanism and any supplementary measures in place.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
EU and UK data protection law provides some of the strongest privacy rights globally, and the use of Standard Contractual Clauses for transfers to the US means those rights travel with your data, though the practical enforceability depends on the transfer mechanism's ongoing validity.
If you are in the EU or UK, you can request access to, correction, or deletion of your DocuSign data, and can object to certain processing. Cross-border transfers of your data to the US are governed by Standard Contractual Clauses, which are currently the primary approved mechanism under GDPR.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by DocuSign.