General Data Protection Regulation and E-Sign

E-Sign explains what this legislation means for you and your customers when processing electronic document transactions.

What is GDPR?

The General Data Protection Regulation (GDPR) is a raft of legislation (part of Article 8 of the European Convention on Human Rights) that aims to bring the laws regarding data into line with the realities of the Information Age.

It has been the biggest change in information security legislation since the Data Protection Act of 1998, and is part of an EU policy that aims to make companies accountable for the security of the data they hold, and enforce serious fines if they do not measure up to the new standards of responsibility.

The legislation has a complex set of standards that companies must adhere to and eye-watering fines (up to €20 million or 4% of global turnover, whichever is the higher) for non-compliance.

The legislation gives comprehensive oversight on all data-related issues, and affects almost every business that deals with customer data on any level. It will include:

  • Increased territorial scope, impacting more businesses including many outside the EU
  • Tighter requirements for obtaining valid consent to the processing of personal data
  • New restrictions on profiling and targeted advertising
  • New data breach reporting obligations
  • Direct legal compliance obligations for “data processors”
  • Extended data protection rights for individuals, including the “right to be forgotten”.

Is E-Sign GDPR Compliant?

Yes. E-Sign is ISO 27001 compliant with robust security safeguards in place. E-Sign continues to monitor the regulator guidance and interpretations of key GDPR requirements, ensuring compliance with the General Data Protection Regulation (GDPR). E-Sign also aligns with the intention as well as the detail of the GDPR, as using E-Sign’s digital signature platform increases both the security and the accountability of your transactions and data.

Europe’s data transfer restrictions and the role of BCRs

The EU has some of the world’s most stringent and extensive regulations regarding data exports. The transfer of personal data from the European Economic Area (EEA) to non-EEA nations that do not guarantee an “adequate level of data protection” is forbidden by European data protection laws. Multinational corporations find Binding Corporate Rules (BCRs) to be the most suitable mechanism for legal exports.

BCRs, which are regarded as the gold standard for data protection, impose stringent guidelines on all corporate family members. Under the GDPR, BCRs are accepted as a means of safeguarding European data subjects’ privacy and their fundamental rights and freedoms, and of enabling the legitimate transfer of data outside of the European Economic Area.

Data breach notification under the GDPR

The processor (E-Sign) shall notify the controller (Customer) “without undue delay” upon becoming aware of a personal data breach, in accordance with GDPR Article 33(2).

E-Sign will designate one or more channels of communication to effectively notify impacted customers in the event of a data breach that necessitates notification to them.

Contractual protections under the GDPR

As mandated by GDPR, E-Sign offers its clients extra terms for data processing, such as the need to obtain safeguards from any subprocessor.

As a data importer, E-Sign complies with the following important guidelines:

  1. Supplier screening. We use a screening procedure with data subprocessors and other suppliers to learn about and get guarantees regarding our suppliers’ privacy policies and practices. We also use SCCs as the appropriate data transfer mechanism with our suppliers as standard procedure.
  2. Privacy by design. Our product architectures support data residency features to maintain UK data within the UK, all while keeping privacy in mind.
  3. Product security measures. To secure and safeguard your data, we use encryption both in transit and at rest.
  4. Safeguards with governmental requests. For the purpose of responding to government orders, subpoenas, search warrants, and other comparable data requests, we have established and documented internal procedures.

GDPR Frequently Asked Questions

When did GDPR come into Effect?

The GDPR was approved and adopted by the EU Parliament in April 2016 and came into effect on 25 May 2018. GDPR does not require any enabling legislation to be passed by government (unlike Europe’s Data Protection Directive 95/46/EC).

What are the Key Changes in Data Privacy?

One of the significant features of the GDPR is making it clear to individuals what personal data of theirs is being used, how, by whom and for how long. Data controllers will be required to be transparent about what data is being processed and for what reasons. Companies must handle data with transparency, competency and accountability. The legislation recognises the value of data, both in terms of the personal privacy of your customers and as a resource that can be bought and traded.

Individuals must also be informed what their data is being used for. Contact details must also be made available in respect of any part of the data controller’s data processing actions. One of the most important changes involves strengthening the standards of obtaining consent to process data. Failure to obtain proper consent to process data, which includes contacting individuals, risks substantial fines.

What is Considered Personal Data?

Personal data refers to any information that relates to an identified or identifiable individual. This information can be used, directly or indirectly, to identify a specific person. Personal data can be collected, processed and stored in various forms, including physical records and electronic formats. Some common examples of personal data include:

  1. Name: full name, first name, last name or any variation of the name
  2. Contact information: phone number, email address, postal address or social media handles
  3. Identification numbers: social security number, passport number, driver’s licence number, or National Insurance number
  4. Date of birth: birthdate, age or birthplace
  5. Financial information: bank account numbers, credit card details, income or tax-related information
  6. Health information: medical records, health conditions, or any other health-related data
  7. Biometric data: fingerprints, facial recognition data or voiceprints
  8. Internet identifiers: IP addresses, cookies or online identifiers
  9. Employment information: job title, employment history, or performance reviews
  10. Demographic information: gender, ethnicity, marital status or nationality

Accreditations & Awards

Crown Commercial Provider
Cyber Essentials Plus
ISO 9001 Quality Management
ISO 27001 Information Security Management
Information Commissioner's Office
2023 SME Committed Badge