EU and UK users have extensive legal rights over their personal data held by DocuSign, and their data is transferred internationally using Standard Contractual Clauses as the legal safeguard.
This analysis describes what DocuSign's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
EU and UK data protection law provides some of the strongest privacy rights globally, and the use of Standard Contractual Clauses for transfers to the US means those rights travel with your data, though the practical enforceability depends on the transfer mechanism's ongoing validity.
This provision consolidates EU/UK data subject rights and cross-border transfer mechanisms in one location with explicit reference to Standard Contractual Clauses, providing critical GDPR/UK GDPR compliance information.
View full change record →If you are in the EU or UK, you can request access to, correction, or deletion of your DocuSign data, and can object to certain processing. Cross-border transfers of your data to the US are governed by Standard Contractual Clauses, which are currently the primary approved mechanism under GDPR.
How other platforms handle this
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
Your personal information may be transferred to, stored, and processed in the United States or other countries where our service providers and partners operate. By using our Services, you acknowledge that your personal information may be transferred to countries outside your country of residence, in...
Monitoring
DocuSign has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"If you are located in the European Economic Area (EEA) or United Kingdom, you have certain rights under applicable data protection laws, including the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, and the right to object. Docusign relies on Standard Contractual Clauses as a legal mechanism for transfers of personal data from the EEA and UK to countries that have not received an adequacy decision.— Excerpt from DocuSign's DocuSign Privacy Statement
(1) REGULATORY LANDSCAPE: These provisions are grounded in GDPR Articles 15-22 for data subject rights and Articles 46 and 47 for transfer mechanisms. The UK GDPR mirrors these provisions post-Brexit. Standard Contractual Clauses adopted by the European Commission in 2021 are the referenced transfer mechanism. The Irish Data Protection Commission and UK ICO are the primary supervisory authorities for DocuSign's EU and UK operations respectively. (2) GOVERNANCE EXPOSURE: Medium. The adequacy of Standard Contractual Clauses for US transfers remains subject to regulatory and legal scrutiny following Schrems II, and organizations relying on SCCs must conduct transfer impact assessments. DocuSign's reliance on SCCs without explicit reference to supplementary measures or transfer impact assessments may warrant closer review by EU enterprise customers. (3) JURISDICTION FLAGS: EEA and UK users are directly affected. Organizations subject to sector-specific requirements such as financial services or healthcare should assess whether SCCs alone are sufficient for their data flows through DocuSign. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers in the EU and UK should obtain DocuSign's current SCC documentation and any available transfer impact assessment summaries. Procurement teams should confirm that DocuSign's DPA incorporates the 2021 module SCCs appropriate to the controller-processor relationship. (5) COMPLIANCE CONSIDERATIONS: Enterprise customers should log DocuSign as a sub-processor or processor in their records of processing activities as required by GDPR Article 30, noting the cross-border transfer mechanism and any supplementary measures in place.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
EU and UK data protection law provides some of the strongest privacy rights globally, and the use of Standard Contractual Clauses for transfers to the US means those rights travel with your data, though the practical enforceability depends on the transfer mechanism's ongoing validity.
If you are in the EU or UK, you can request access to, correction, or deletion of your DocuSign data, and can object to certain processing. Cross-border transfers of your data to the US are governed by Standard Contractual Clauses, which are currently the primary approved mechanism under GDPR.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by DocuSign.