SnapPDF
GUIDE · 2026-04-25 · 6 min read

GDPR and e-signatures — what to know

E-signature platforms handle personal data, so GDPR applies to them. Here are the seven GDPR principles and the obligations that follow from them for every document signed with someone in the EU.

GDPR (General Data Protection Regulation) applies to every e-signature platform that processes the personal data of people in the EU (Article 3). The test is where the data subject is, not where the platform is: a US-based platform that offers signing to people in the EU is bound by GDPR just the same.

The 7 GDPR principles

Article 5 of GDPR lists seven principles that apply to signature platforms:

1. Lawfulness, fairness, transparency — processing must have a legal basis
2. Purpose limitation — collect only for specified purposes
3. Data minimization — only what's necessary
4. Accuracy — keep data accurate
5. Storage limitation — retain only as long as needed
6. Integrity and confidentiality — secure the data
7. Accountability — be able to demonstrate compliance

What this means for e-signatures

Every signing event captures personal data: the signer's name, email, IP address, device info and signature image, plus whatever personal data the signed document itself contains.

  • Legal basis — typically performance of a contract (Article 6(1)(b)) for the signing itself; legitimate interests (Article 6(1)(f)) is commonly relied on for evidence data such as IP and device info. Consent is a poor fit for a signing workflow because it can be withdrawn at any time.
  • Retention — align with the underlying transaction's retention needs, which follow the applicable statute of limitations (often 6-7 years for contracts)
  • Data transfer — if the platform stores or processes data outside the EU/EEA, you need a transfer mechanism: an adequacy decision (for US recipients, certification under the EU-US Data Privacy Framework since July 2023) or Standard Contractual Clauses (SCCs)
  • Access rights — signers can request access to, correction of, and deletion of their data

Data Processing Agreement (DPA)

Every e-signature platform processing EU personal data on behalf of its customers acts as a processor and must have a Data Processing Agreement with each customer (the controller), as required by Article 28. The DPA specifies:

  • Purpose and categories of data processed
  • Duration of processing
  • Rights and obligations of controller and processor
  • Sub-processors used

SignBolt publishes a standard DPA on its pricing page; it is countersigned before an enterprise engagement begins.

Data residency

GDPR doesn't strictly require EU-resident storage, but:

  • Transfers to countries without an adequacy decision (or to a US importer that is not certified under the EU-US Data Privacy Framework) require a transfer tool such as SCCs plus appropriate safeguards
  • Many EU customers prefer EU-resident storage for trust, and it removes the transfer question entirely
  • Some regulated industries (healthcare, financial services) require EU-resident storage by sector rules or contract

SignBolt offers EU-resident storage on Business tier via AWS eu-west-1 (Ireland).

The Schrems II problem

The July 2020 Schrems II ruling of the Court of Justice of the EU invalidated the EU-US Privacy Shield and held that SCCs alone are not enough where the importing country's law undermines them. Its successor, the EU-US Data Privacy Framework, was adopted in July 2023 and is itself under legal challenge. For transfers to a US processor that is not certified under the Framework, you need:

  • Standard Contractual Clauses (SCCs) — the most common approach
  • Transfer Impact Assessment (TIA) — documenting the importing country's laws and the safeguards that address them
  • Supplementary measures (encryption with keys held in the EU, pseudonymization of signer data before transfer)

If you're signing with people in the EU on a US-based platform, confirm which mechanism the platform relies on and that SCCs and a TIA are in place where the Framework does not cover it.

Signer rights under GDPR

Any signer whose data you process has the right to:

  • Access — request a copy of their data (Article 15)
  • Correction — fix inaccurate data (Article 16)
  • Erasure — delete data (Article 17) — limited by legal retention requirements
  • Portability — receive data in a machine-readable format (Article 20)
  • Object — to processing for legitimate interests (Article 21)

The controller (you) is responsible for answering these requests, and under Article 28(3)(e) your platform must assist you in doing so, which in practice means it must be able to locate, export, correct and delete a given signer's data. SignBolt provides self-service access via the audit trail and email support for correction, erasure and portability.
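The supplementary measures mentioned under Schrems II and the erasure right above come together in the audit trail: it must be kept for the retention period as evidence, yet it is full of direct identifiers. The following added example (not SnapPDF or SignBolt code; the field names and sample events are constructed for illustration) pseudonymizes signer identifiers with keyed HMAC-SHA256 tokens before the trail is exported to a non-EU processor. The same signer maps to the same token, so events remain linkable and auditable, but no clear-text name, email or IP leaves the controller's environment, and the key stays behind.

```python
"""Pseudonymizing signer identifiers in an e-signature audit trail.

Added example, not SnapPDF or SignBolt code. Field names and sample
events are constructed for illustration. Direct identifiers are replaced
by keyed HMAC-SHA256 tokens; the key is held by the EU controller and is
never shipped with the export.
"""
import hashlib
import hmac
import secrets

# Fields the page lists as captured per signing event, treated here as
# direct identifiers (assumption: these field names are illustrative).
PII_FIELDS = ("signer_name", "signer_email", "signer_ip", "device")

# Constructed sample audit events; not real people, addresses or documents.
DOC = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
SAMPLE_EVENTS = [
    {"event_id": 1, "ts": "2026-04-01T09:15:00Z", "action": "viewed",
     "doc_sha256": DOC, "signer_name": "Anna Example",
     "signer_email": "Anna@example.eu", "signer_ip": "203.0.113.7",
     "device": "Firefox/125 on Linux"},
    {"event_id": 2, "ts": "2026-04-01T09:18:42Z", "action": "signed",
     "doc_sha256": DOC, "signer_name": "Anna Example",
     "signer_email": "anna@example.eu", "signer_ip": "203.0.113.7",
     "device": "Firefox/125 on Linux"},
    {"event_id": 3, "ts": "2026-04-01T10:02:11Z", "action": "signed",
     "doc_sha256": DOC, "signer_name": "Bram Voorbeeld",
     "signer_email": "bram@example.nl", "signer_ip": "198.51.100.23",
     "device": "Safari/17 on macOS"},
]


def pseudonym(field: str, value: str, key: bytes) -> str:
    """Deterministic keyed token for one identifier value.

    The field name is mixed into the message so the same string in two
    different fields yields different tokens. Email is case-folded because
    one mailbox may be written with different capitalisation across events.
    Without the key the token cannot be reversed, nor confirmed by hashing
    a dictionary of plausible addresses (which plain SHA-256 would allow).
    """
    if field == "signer_email":
        value = value.strip().lower()
    msg = field.encode() + b"\x00" + value.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize_events(events, key: bytes):
    """Return copies of the events with every PII field replaced by a token."""
    out = []
    for ev in events:
        rec = dict(ev)  # do not mutate the controller's original record
        for field in PII_FIELDS:
            if field in rec:
                rec[field] = pseudonym(field, rec[field], key)
        out.append(rec)
    return out


def leaks_clear_text(exported, originals) -> bool:
    """True if any original identifier value still appears in the export."""
    clear = {ev[f] for ev in originals for f in PII_FIELDS if f in ev}
    clear |= {v.lower() for v in clear}
    return any(rec[f] in clear for rec in exported
               for f in PII_FIELDS if f in rec)


if __name__ == "__main__":
    # Key lives with the EU controller (e.g. in its KMS); only the tokenized
    # events are transferred to the non-EU processor.
    key = secrets.token_bytes(32)
    exported = pseudonymize_events(SAMPLE_EVENTS, key)
    for rec in exported:
        print(rec["event_id"], rec["action"], rec["signer_email"])
    assert not leaks_clear_text(exported, SAMPLE_EVENTS)
```

Because the tokens are only meaningful together with the key, destroying the key for a signer (or for a tenant) makes the retained records unlinkable to any person. That is one way to honour an erasure request on records you are legally required to keep, without deleting the evidence that a document was viewed and signed.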

Breach notification

GDPR Article 33 requires controllers to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, and Article 34 requires notifying the affected signers when the breach is likely to result in a high risk to them. Your e-signature platform, as processor, must notify you without undue delay (Article 33(2)); ask for that notification window in writing, since your own 72-hour clock starts when you become aware, not when the platform does.

Practical GDPR checklist

  • [ ] Platform has published DPA
  • [ ] Transfer mechanism (SCCs, Data Privacy Framework certification, or adequacy decision) and TIA documented if data leaves the EU/EEA
  • [ ] Lawful basis documented for each signing workflow
  • [ ] Retention policy matches transaction requirements
  • [ ] Signer can exercise access/correction/deletion rights
  • [ ] Breach notification SLA documented
  • [ ] Sub-processors disclosed
