We are committed to providing data privacy and security to our customers in accordance with global regulations and industry best practices.
We understand that we are being entrusted with your most important business documents and want to ensure that you have all the information you need regarding the safety and security of your business and customer data. In line with our commitment, we have worked hard to ensure Signeasy’s compliance with legal requirements and best practices concerning data security and privacy at all times. We have successfully completed the SOC2 Type 2 assessment, which confirms our adherence to one of the most stringent, industry-accepted auditing standards for service companies. It also provides additional assurance to our customers, through an independent auditor, that our business process, information technology, and risk management controls are properly designed and operating effectively.
The General Data Protection Regulation (“GDPR”) is the European Union’s (“EU”) primary data protection and privacy law, which took effect on May 25th, 2018. GDPR was conceptualized to provide and strengthen the right to data protection of EU individuals, and give them a greater say in how organizations collect and handle their personal data. This significantly changed the way personal data is collected, accessed and used.
Broadly, GDPR emphasizes long-standing data protection principles of lawfulness, transparency, accountability, and security to name a few, and imposes a new set of obligations on organizations that offer goods or services to, or monitor the behavior of EU individuals. The applicability of GDPR extends far beyond the EU, to regulate the processing of personal data by organizations located outside the EU as well.
Frequently Asked Questions
Who must comply with the GDPR?
Any organization that is involved in the processing of the personal data of people in the EU must comply with the GDPR.
- “Processing” is a broad term that covers anything that one can do with data, whether automated or manual: collection, recording, storage, organization, transmission, structuring, analysis, erasure, or any other related activity.
- “Personal data” is any information relating to a person, such as names, email addresses, IP addresses, eye color, political affiliation, and so forth.
Even if an organization is not itself established in the EU, it is required to comply if it is involved in the processing of the personal data of citizens and people residing in the EU.
Who is a data controller, processor and subject?
- A data controller is the party that decides how personal data will be processed and for what purpose.
- A data processor is a third party that processes personal data on behalf of the data controller.
- A data subject is the person whose personal data is being processed.
Who is a Data Protection Officer (DPO)?
The data protection officer (DPO) is responsible for ensuring that the organization processes the personal data of its employees, customers, or any other individuals (also referred to as data subjects) in accordance with the applicable data protection rules. This includes tasks such as regular training as well as ongoing monitoring and audits of the control environment.
Does the GDPR require EU data to stay in the EU?
GDPR does not impose data residency or localization obligations, and organizations are free to choose where they host the data. Instead, GDPR prescribes transfer mechanisms that ensure GDPR-equivalent safeguards when personal data is transferred from the European Economic Area (EEA) to a country outside the EEA.
Certain countries are covered by an 'adequacy decision' of the European Commission, which permits transfers to them without additional safeguards.
The previously available Privacy Shield framework no longer provides adequate safeguards for the transfer of personal data to the United States from the EEA.
Signeasy takes adequate measures to safeguard the privacy of data that is transferred to host countries, both while the data is at rest and while it is in transit.
What are the GDPR Data protection principles?
- Lawfulness, fairness and transparency – Processing of data must be lawful, fair, and transparent to the data subject.
- Purpose limitation – Data processing is allowed only for the legitimate purposes clearly specified by the data controller to the data subject.
- Data minimization – Organizations may collect and process only as much data as is strictly necessary to fulfill the specified purposes.
- Accuracy – Personal data must be kept accurate and up to date.
- Storage limitation – Personally identifying data may be stored only for as long as necessary for the specified purpose.
- Integrity and confidentiality – Processing of data must be done while ensuring its appropriate security, integrity, and confidentiality (e.g., by using encryption).
- Accountability – The data controller is responsible for complying with, and being able to demonstrate compliance with, all of these principles.
What are the data subject’s privacy rights?
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure or right to be forgotten.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling.
Do we always need consent?
Obtaining consent is not always the most appropriate or easiest option. Although it is one of the lawful bases for processing, there are five others that need to be considered:
- Contractual relationship
- Compliance with a legal obligation
- Vital interests, to protect someone’s life
- A public interest
- Legitimate interests, unless these are outweighed by the individual’s rights and interests