BINDING CORPORATE RULES: PRIVACY CODE FOR CUSTOMER, SUPPLIER AND BUSINESS PARTNER INFORMATION

Introduction

DocuSign’s Code of Conduct expresses DocuSign’s commitment to strive to protect personal information. This Privacy Code for Customer, Supplier and Business Partner Information indicates how DocuSign shall implement this principle in respect of personal information of customers, suppliers, business partners and other individuals, which DocuSign processes in the context of its business activities.

For the Privacy Code applicable to employee information, refer to the Privacy Code for Employee Information at https://docusign2com.sharepoint.com/sites/BCRCodes.

Capitalized terms have the meaning set out in Annex 1 (Definitions).

 

Article 1 – Scope, Applicability and Implementation

Scope

1.1

This CSB Privacy Code addresses the Processing of Personal Information of Customers, Suppliers and Business Partners and other Individuals by DocuSign or a Third Party Processor on behalf of DocuSign (collectively, CSB Information). This CSB Privacy Code does not address the Processing of Personal Information of Employees in the context of their employment relationship with DocuSign unless and to the extent such Employee is a Customer of DocuSign.

Opt-out for Local-for-Local Processing

1.2

A Group Company not established in the EEA and not covered by an Adequacy Decision may opt-out of the applicability of this CSB Privacy Code in respect of Processing of CSB Information collected in connection with the activities of such Group Company, provided such CSB Information is subsequently Processed in the relevant jurisdiction of such Group Company only (Local-for-Local Processing). The opt-out by a Group Company for Local-to-Local Processing requires the prior authorization of the Chief Privacy Officer. Notwithstanding such an authorization, the Local-for-Local Processing shall at least be compliant with applicable local laws and the security and governance requirements of this CSB Privacy Code.

Electronic and paper-based Processing

1.3

This CSB Privacy Code shall apply to the Processing of CSB Information by electronic means and in systematically accessible paper-based filing systems.

Applicability of local law and CSB Privacy Code

1.4

Nothing in this CSB Privacy Code will be construed to take away any rights and remedies that Individuals may have under applicable local law. This CSB Privacy Code provides supplemental rights and remedies to Individuals only.

Sub-policies and notices

1.5

DocuSign may supplement this CSB Privacy Code through sub-policies, procedures or guidelines that are consistent with this CSB Privacy Code.

Accountability

1.6

This CSB Privacy Code is binding on DocuSign. The Responsible Executive is accountable for his or her business organization’s compliance with this CSB Privacy Code. DocuSign Staff must comply with this CSB Privacy Code.

Effective Date

1.7

This CSB Privacy Code will enter into force as of June 11, 2018 (Effective Date) and will be published on the DocuSign’s website and DocuSign’s intranet site and shall be made available to Individuals upon request.

CSB Privacy Code supplements prior policies

1.8

This CSB Privacy Code supplements all DocuSign privacy policies and notices that exist on the Effective Date.

Implementation

1.9

This CSB Privacy Code shall be implemented in the DocuSign organization based on the timeframes specified in Article 22.

Role of DocuSign Ireland

1.10

DocuSign Inc. has tasked DocuSign Ireland with the coordination and implementation of this CSB Privacy Code.

 

Article 2 – Purposes for Processing CSB Information

Legitimate Business Purposes

2.1

CSB Information shall be collected, used or otherwise Processed by DocuSign in the context of the provision of Customer Services, use of Supplier Services, and Business Development with Business Partners for one (or more) of the following purposes (Business Purposes):

  1. Assessment and acceptance of a Customer, Supplier, or Business Partner; conclusion and execution of agreements with a Customer, Supplier, or Business Partner and the settlement of payment transactions. This purpose includes Processing of CSB Information that is necessary in connection with the assessment and acceptance of Customers, Suppliers, or Business Partners, including confirming and verifying the identity of relevant Individuals (this may involve the use of a credit reference agency or other Third Party), conducting due diligence, and screening against publicly available government and/or law enforcement agency sanctions lists and other third-party data sources, the use of and participation in DocuSign’s incident registers and sector warning systems, and/or third party verification services. This purpose also includes Processing of CSB Information in connection with the execution of agreements, including the delivery of Customer Services and the settlement of payment transactions in the context of which DocuSign may provide CSB Information to the counterparty or other parties as necessary, e.g., for verification or reconstruction purposes;
  2. Performance of Customer Services. This purpose addresses Processing of CSB Information necessary for the performance of Customer Services;
  3. Use of Supplier Services. This purpose addresses Processing of CSB Information necessary for the use of Supplier Services by DocuSign;
  4. Business Development with Business Partners. This purpose addresses Processing of CSB Information necessary for Business Development between DocuSign and Business Partners;
  5. Development and improvement of products and/or services. This purpose includes Processing of CSB Information that is necessary for the development and improvement of DocuSign products and/or services, research and development;
  6. Relationship management and marketing. This purpose includes activities such as maintaining and promoting contact with Customers, Suppliers and Business Partners, account management, customer service, recalls, collection of CSB Information through DocuSign websites, and the development, execution and analysis of market surveys and marketing strategies;
  7. Business process execution, internal management and management reporting. This purpose includes the management of company assets; credit assessment (including setting credit limits) and risk management, conducting audits and investigations; finance and accounting; implementing business controls; provision of central processing facilities for efficiency purposes; managing mergers, acquisitions and divestitures; Processing CSB Information for management reporting and analysis; archive and insurance purposes; legal or business consulting; and preventing, preparing for or engaging in dispute resolution;
  8. Health, safety, security and integrity, including the safeguarding of the security and integrity of the business sector. This purpose includes the protection of the interests of DocuSign and its Employees and Customers, including the safeguarding of the security and integrity of their business sector, in particular detecting, preventing, investigating and combating (attempted) criminal or objectionable conduct directed against DocuSign, its Employees or Customers, including the use of and participation in DocuSign's incident registers and sector warning systems, and activities such as those involving health and safety, the protection of DocuSign and Employee assets, and the authentication of Customer, Supplier or Business Partner status and access rights (such as required screening activities for access to DocuSign’s premises or systems);
  9. Compliance with law. This purpose addresses Processing of CSB Information necessary for the performance of a task carried out to comply with a legal obligation or sectorial recommendation to which DocuSign is subject, including the disclosure of CSB Information to government institutions or supervisory authorities, including tax authorities, including prevention of money laundering, financing of terrorism and other crimes, customer due diligence and the duty of care towards Customers (e.g., credit monitoring); or
  10. Protection of the vital interests of Individuals. This purpose addresses Processing necessary to protect the vital interests of an Individual.

Where there is a question whether a certain Processing of CSB Information can be based on a Business Purpose listed above, the appropriate Privacy Lead should be consulted before the Processing takes place.

Consent

2.2

In addition to the Business Purposes listed in Article 2.1, CSB Information may be Processed if the Individual has given his or her consent to the Processing. If Applicable Data Controller Law requires that DocuSign requests consent of the Individual for the relevant Processing, DocuSign shall, in addition to ensuring that a Business Purpose exists for the Processing, also seek consent of the Individual for the Processing.

When seeking consent, DocuSign must inform the Individual:

  1. of the purposes of the Processing for which consent is required;
  2. which Group Company is responsible for the Processing;
  3. the right to withdraw his or her consent at any time;
  4. that withdrawal of consent does not affect the lawfulness of the relevant Processing before such withdrawal.

Where Processing is undertaken at the request of an Individual (e.g., he or she subscribes to a service or seeks a benefit), he or she is deemed to have provided consent to the Processing.

Granting, denial or withdrawal of consent

2.3

The Individual may deny or withdraw consent at any time. Upon withdrawal of consent, DocuSign will discontinue such Processing as soon as reasonably practical. The withdrawal of consent shall not affect (i) the lawfulness of the Processing based on such consent before its withdrawal; and (ii) the lawfulness of Processing for Business Purposes not based on consent after withdrawal.

 

Article 3 – Use for Other Purposes

Use of CSB Information for Secondary Purposes

3.1

Generally, CSB Information shall be used only for the Business Purposes. CSB Information may be Processed for a business purpose other than the Business Purposes (Secondary Purpose) only if the Secondary Purpose is closely related to the Business Purpose(s). Depending on the sensitivity of the relevant CSB Information and whether use of the CSB Information for the Secondary Purpose has potential negative consequences for the Individual, such use may require additional measures such as:

  1. limiting access to the CSB Information;
  2. imposing additional confidentiality requirements;
  3. taking additional security measures, including encryption or pseudonymization;
  4. informing the Individual about the Secondary Purpose;
  5. providing an opt-out opportunity to the Individual; or
  6. obtaining an Individual's consent in accordance with Article 2.2 or Article 4.3 (if applicable).

Generally permitted uses for Secondary

Purposes

3.2

It is generally permissible to Process CSB Information for the following purposes (even if not listed as a Business Purpose), provided appropriate additional measures are taken in accordance with Article 3.1:

  1. transfer of the CSB Information to an Archive;
  2. internal audits or investigations;
  3. implementation of business controls and operational efficiency;
  4. statistical, historical or scientific research;
  5. dispute resolution;
  6. legal or business consulting; or
  7. insurance purposes.

 

Article 4 – Purposes for Processing Sensitive Information

Specific purposes for Processing Sensitive Information

4.1

This Article sets forth specific rules for Processing Sensitive Information. DocuSign shall Process Sensitive Information only to the extent necessary to serve the applicable Business Purpose.

The following categories of Sensitive Information may be collected, used or otherwise Processed for one (or more) of the purposes specified below:

  1. Racial or ethnic CSB Information: in some countries, photos and video images of Individuals qualify as racial or ethnic information. DocuSign may process photos (e.g., a copy of a passport containing a photo) and video images for the protection of DocuSign and Employee assets; site access and security reasons; assessment and acceptance of Customers, including the identification and authentication of Customers (including confirming and verifying the identity of relevant Individuals); Supplier or Business Partner status and access rights; and to verify and confirm advice or record decisions made in the course of business for future reference (e.g. when Individuals participate in video conferencing which is recorded);
  2. Criminal CSB Information (including CSB Information relating to criminal behavior, criminal records or proceedings regarding criminal or unlawful behavior), may be processed as necessary for assessment and acceptance of Customers, including the identification and authentication of Customers (including confirming and verifying the identity of relevant Individuals); the execution of an agreement with Customers; and to protect the interests of DocuSign, its Employees and Customers and for the use of and the participation in DocuSign’s incident registers and sector warning systems;
  3. Physical or mental health CSB Information: May be processed as necessary for the assessment and acceptance of a Customer, the execution of an agreement with a Customer, and compliance with DocuSign’s duty of care towards Customers;
  4. Religion or beliefs: May be processed to accommodate specific products or services for a Customer, such as dietary requirements related to religion or beliefs, or religious holidays;
  5. Biometric CSB Information (e.g., fingerprints): for the protection of DocuSign and its Employees, assets, site access and security reasons.

General Purposes for Processing of Sensitive Information

4.2

In addition to the specific purposes listed in Article 4.1 above, all categories of Sensitive Information may be Processed under (one or more of) the following circumstances:

  1. as required or allowed for the performance of a task carried out to comply with a legal obligation or sectorial recommendation to which DocuSign is subject;
  2. for dispute resolution and/or fraud prevention;
  3. to protect a vital interest of an Individual, but only where it is impossible to obtain the Individual’s consent first;
  4. to the extent necessary to comply with an obligation of international public law (e.g., a treaty); or
  5. if the Sensitive Information has been posted or otherwise shared at the Individual’s own initiative on DocuSign social media or has manifestly been made public by the Individual.

Consent, and the denial or withdrawal thereof

4.3

In addition to the specific purposes listed in Article 4.1 and the general purposes listed in Article 4.2, all categories of Sensitive Information may be Processed if the Individual has given his or her explicit consent to the Processing.

If Applicable Data Controller Law requires that DocuSign requests consent of the Individual for the relevant Processing, DocuSign shall, in addition to ensuring that one of the grounds listed in Article 4.1 or 4.2 exists for the Processing, also seek consent of the Individual for the Processing.

The requirements set out in Articles 2.2 and 2.3 apply to the granting, denial or withdrawal of consent.

Prior Authorization of the Chief Privacy Officer

4.4

Where Sensitive Information is Processed based on a requirement of law other than the local law applicable to the Processing, the Processing requires the prior authorization of the appropriate Chief Privacy Officer.

Use of Sensitive Information for Secondary Purposes

4.5

Sensitive Information of Individuals may be Processed for Secondary Purposes in accordance with Article 3.

 

Article 5 – Quantity and Quality of CSB Information

No Excessive CSB Information

5.1

DocuSign shall restrict the Processing of CSB Information to CSB Information that is reasonably adequate for and relevant to the applicable Business Purpose. DocuSign shall take reasonable steps to delete or make unrecoverable CSB Information that is not required for the applicable Business Purpose.

Storage period

5.2

DocuSign generally shall retain CSB Information only for the period required to serve the applicable Business Purpose, to the extent reasonably necessary to comply with applicable law, or as advisable in light of an applicable statute of limitations. DocuSign may specify (e.g., in a sub-policy, notice or records retention schedule) a time period for which certain categories of CSB Information may be kept.

Promptly after the applicable storage period has ended, the Privacy Lead shall direct that the CSB Information be:

  1. securely deleted or destroyed;
  2. de-identified; or
  3. transferred to an Archive (unless this is prohibited by law or an applicable records retention schedule).

Quality of CSB Information

5.3

CSB Information should be accurate, complete and kept up-to-date to the extent reasonably necessary for the applicable Business Purpose.

‘Privacy by Design’

5.4

DocuSign shall take commercially reasonable technical and organizational steps to ensure that the requirements of this Article 5 are implemented into the design of new systems and processes that Process CSB Information.

Accurate, complete and up-to-date CSB Information

5.5

It is the responsibility of Individuals to ensure that their CSB Information, as held by DocuSign, is accurate, complete and up-to-date. Individuals shall inform DocuSign regarding any changes to their CSB Information in accordance with Article 7.

 

Article 6 – Individual Information Requirements

Information requirements

6.1

DocuSign shall inform Individuals through a privacy policy or notice about:

  1. the Business Purposes (including Secondary Purposes) for which their CSB Information is Processed;
  2. which Group Company is responsible for the Processing as well as the contact information of the Privacy Office;
  3. the categories of Third Parties to which the CSB Information is disclosed (if any), whether any such Third Party is covered by an Adequacy Decision and if not, information on the data transfer mechanism as referred to in Article 11.6 (ii), (iv) or (v) as well as the means to get a copy thereof or access thereto; and
  4. other relevant information, e.g.:
  1. the nature and categories of the CSB Information Processed;
  2. the period for which the CSB Information will be stored or (if not possible) the criteria used to determine this period;
  3. an overview of the rights of Individuals under this CSB Privacy Code, how these can be exercised, including the right to obtain compensation;
  4. the existence of automated decision making referred to in Article 10 as well as meaningful information about the logic involved and potential negative consequences thereof for the Individual; or
  5. the source of the CSB Information (where the CSB Information has not been obtained from the Individual), including whether the CSB Information came from a public source.

CSB Information not obtained from the Individual

6.2

Where CSB Information has not been obtained directly from the Individual, DocuSign shall provide the Individual with the information as set out in Article 6.1:

  1. within reasonable period after obtaining CSB Information but at least within one month, having regard to specific circumstances of the CSB Information Processed;
  2. if CSB Information is used for communication with the Individual, at the latest at the time of the first communication with the Individual;
  3. if a disclosure to another recipient is envisaged, at the latest when CSB Information is first disclosed.

Exceptions

6.3

The requirements of Article 6.1 and 6.2 may be inapplicable if:

  1. the Individual already has the information as set out in Article 6.1;
  2. it would be impossible or would involve a disproportionate effort to provide the information to Individuals, in which case DocuSign will take additional measures to mitigate potential negative consequences for the Individual, such as those listed in Article 3.1;
  3. obtaining CSB Information is expressly laid down in applicable law; or
  4. the CSB Information must remain confidential subject to an obligation of professional secrecy regulated by applicable local law, including a statutory obligation of secrecy.

These exceptions to the above requirements qualify as Overriding Interests as set out in Article 12.

 

Article 7 – Rights of Individuals

Right of Access

7.1

Every Individual has the right to request a copy of his or her CSB Information Processed by or on behalf of DocuSign, and further, where reasonably possible, access to the information listed in Article 6.1 or 6.2.

Right to Rectification, Deletion, and Restriction

7.2

If the CSB Information is incorrect, incomplete, or not Processed in compliance with Applicable Data Controller Law or this CSB Privacy Code, the Individual has the right to have his or her CSB Information rectified, deleted or the Processing thereof restricted (as appropriate). In case the CSB Information has been made public by DocuSign, and the Individual is entitled to deletion of the CSB Information, in addition to deleting the relevant CSB Information, DocuSign shall take commercially reasonable steps to inform Third Parties that are Processing the relevant CSB Information or linking to the relevant CSB Information, that the Individual has requested the deletion of the CSB Information by such Third Parties.

Right to Object

7.3

The Individual has the right to object to:

  1. the Processing of his or her CSB Information on the basis of compelling grounds related to his or her particular situation, unless DocuSign can demonstrate a prevailing legitimate interest for the Processing; and
  2. receiving marketing communications on the basis of Article 9 (including any profiling related thereto).

Restrictions to Rights of Individuals

7.4

The rights of Individuals set out in Articles 7.1-7.3 above do not apply in one or more of the following circumstances:

  1. the Processing is required or allowed for the performance of a task carried out to comply with a legal obligation of DocuSign;
  2. the Processing is required by or allowed for a task carried out in the public interest, including in the area of public health and for archiving, scientific or historical research or statistical purposes;
  3. the Processing is necessary for exercising the right of freedom of expression and information;
  4. for dispute resolution purposes;
  5. the exercise of the rights by the Individual adversely affects the rights and freedoms of DocuSign or others; or
  6. in case a specific restriction of the rights of Individuals applies under Applicable Data Controller Law.

Procedure

7.5

The Individual should send his or her request to the contact indicated in the relevant privacy statement or notice. Individuals may also send their request to the office of the Chief Privacy Officer via email to Privacy@DocuSign.com.

Prior to fulfilling the request of the Individual, DocuSign may require the Individual to:

  1. specify the categories of CSB Information to which he or she is seeking access;
  2. specify, to the extent reasonably possible, the system in which the CSB Information is likely to be stored;
  3. specify the circumstances in which DocuSign obtained the CSB Information;
  4. provide proof of his or her identity when DocuSign has reasonable doubts concerning such identity, or to provide additional information enabling his or her identification;
  5. pay a fee to compensate DocuSign for the reasonable costs relating to fulfilling the request of the Individual provided DocuSign can reasonably demonstrate that the request is manifestly unfounded or excessive, e.g., because of its repetitive character; and
  6. in case of a request for rectification, deletion, or restriction, specify the reasons why the CSB Information is incorrect, incomplete or not Processed in accordance with Applicable Data Controller Law or this CSB Privacy Code.

Response period

7.6

Within one calendar month of DocuSign receiving the request, DocuSign shall inform the Individual in writing or electronically either (i) of DocuSign’s position with regard to the request and any action DocuSign has taken or will take in response, or (ii) the ultimate date on which he or she will be informed of DocuSign’s position and the reasons for the delay, which shall be no later than two calendar months after the original one month period.

Complaint

7.7

An Individual may file a complaint in accordance with Article 17.3 and/or file a complaint or claim with the authorities or the courts in accordance with Article 18 if:

  1. the response to the request is unsatisfactory to the Individual (e.g., the request is denied);
  2. the Individual has not received a response as required by Article 7.6; or
  3. the time period provided to the Individual in accordance with Article 7.6 is, in light of the relevant circumstances, unreasonably long, and the Individual has objected but has not been provided with a shorter, more reasonable time period in which he or she will receive a response.

Denial of requests

7.8

DocuSign may deny an Individual’s request if:

  1. the request does not meet the requirements of Articles 7.1-7.3 or meets the requirements of Article 7.4;
  2. the request is not sufficiently specific;
  3. the identity of the relevant Individual cannot be established by reasonable means, including additional information provided by the Individual;
  4. DocuSign can reasonably demonstrate that the request is manifestly unfounded or excessive, e.g., because of its repetitive character. A time interval between requests of six months or less shall generally be deemed to be an unreasonable time interval.

No requirement to Process identifying information

7.9

DocuSign is not obliged to Process additional information in order to be able to identify the Individual for the sole purpose of facilitating the rights of the Individual under this Article 7.

 

Article 8 – Security and Confidentiality Requirements

Security requirement

8.1

DocuSign shall take appropriate commercially reasonable technical, physical and organizational measures to protect CSB Information from misuse or accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, acquisition or access. To achieve this, DocuSign has developed and implemented the DocuSign Information Security Management System and other sub-policies and guidelines relating to the protection of CSB Information.

Data access and confidentiality

8.2

DocuSign shall provide DocuSign Staff access to CSB Information only to the extent necessary to serve the applicable Business Purpose and to perform their job. DocuSign shall impose confidentiality obligations on Staff with access to CSB Information.

Data Security Breach notification requirement

8.3

DocuSign shall document any Information Security Breaches, comprising the facts relating to the Information Security Breach, its effects and the remedial actions taken, which documentation will be made available to the Irish DPA and a DPA competent to audit under Article 16.2 upon request. Group Companies shall inform DocuSign Ireland of an Information Security Breach without delay. If Applicable Data Controller Law so requires, DocuSign shall notify Individuals of a Data Security Breach as soon as reasonably possible following its determination that a Data Security Breach has occurred, unless otherwise prohibited such as if a law enforcement official or a supervisory authority determines that notification would impede a (criminal) investigation or cause damage to national security the trust in the relevant industry sector. In this case, notification shall be delayed as instructed by such law enforcement official or supervisory authority. DocuSign shall respond promptly to inquiries of Individuals relating to such Data Security Breach.

 

Article 9 – Direct Marketing

Direct marketing

9.1

This Article sets forth requirements concerning the Processing of CSB Information for direct marketing purposes (e.g., contacting the Individual by email, fax, phone, SMS or otherwise, with a view of solicitation for commercial or charitable purposes).

Consent for direct marketing (opt-in)

9.2

If Applicable Data Controller Law so requires, DocuSign shall only send to Individuals unsolicited commercial communication by email, fax, sms and mms with the prior consent of the Individual ("opt-in"). If Applicable Data Controller Law does not require prior consent of the Individual, DocuSign shall offer the Individual the opportunity to opt-out of such unsolicited commercial communication.

Exception (opt-out)

9.3

Prior consent of the Individual for sending unsolicited commercial communication by email, fax, sms and mms is not required under this CSB Privacy Code if:

  1. an Individual has provided his or her electronic contact details to a Group Company in the context of a sale of a product or service of such Group Company;
  2. such contact details are used for direct marketing of such Group Company's own similar products or services; and
  3. the Individual clearly and distinctly has been given the opportunity to object free of charge, and in an easy manner, to such use of his or her electronic contact details when they are collected by the Group Company.

Information to be provided in each communication

9.4

In every direct marketing communication that DocuSign makes to the Individual, DocuSign shall offer the Individual the opportunity to opt-out of further direct marketing communications from DocuSign.

Objection to direct marketing

9.5

If an Individual objects to receiving marketing communications from DocuSign, or withdraws his or her consent to receive such communications, DocuSign will take steps to refrain from sending further marketing communications as specifically requested by the Individual. DocuSign will do so within the time period required by Applicable Data Controller Law.

Third Parties and Direct marketing

9.6

If Applicable Data Controller Law so requires, DocuSign shall only provide CSB Information to, or use CSB Information on behalf of, Third Parties for Third Parties’ own direct marketing purposes with the prior opt-in consent of the Individual. If Applicable Data Controller Law does not require prior consent of the Individual, DocuSign shall offer the Individual the opportunity to opt-out of such Third Party direct marketing purposes.

Personal Information of Children

9.7

DocuSign shall not use any Personal Information of Children for direct marketing, without the prior consent of the holders of parental responsibility over the Children. DocuSign shall make reasonable efforts to verify that consent is given or authorized by the holders of parental responsibility over the Children.

Direct marketing records

9.8

DocuSign shall keep a record of Individuals that exercised their "opt-in" or "opt-out" right and will regularly check the public opt-out registers in accordance with Applicable Data Controller Law.

 

Article 10 – Automated Decision Making

Automated decisions

10.1

Automated tools may be used to make decisions about Individuals, but decisions with a significant negative outcome for the Individual may not be based solely on the results provided by the automated tool. This restriction does not apply if:

  1. the use of automated tools is necessary for the performance of a task carried out to comply with a legal obligation or sectorial recommendation to which DocuSign is subject;
  2. the decision is made by DocuSign for purposes of (a) entering into or performing a contract or (b) managing the contract, provided the underlying request leading to a decision by DocuSign was made by the Individual (e.g., where automated tools are used to filter promotional game submissions); or
  3. the decision is made based on the explicit consent of the Individual.

Items (i) and (iii) only apply if suitable measures are taken to safeguard the legitimate interests of the Individual (e.g., the Individual has been provided with an opportunity to express his or her point of view).

The requirements set out in Articles 2.2 and 2.3 apply to the requesting, denial or withdrawal of Individual consent.

 

Article 11 – Transfer of CSB Information to Third Parties and Internal Processors

Transfer to Third Parties

11.1

This Article sets forth requirements concerning the transfer of CSB Information from DocuSign to a Third Party. Note that a transfer of CSB Information includes situations in which DocuSign discloses CSB Information to a Third Party (e.g., in the context of corporate due diligence) or where DocuSign provides remote access to CSB Information to a Third Party.

Third Party Controllers and Third Party Processors

11.2

There are two categories of Third Parties:

  1. Third Party Controllers: these are Third Parties that Process CSB Information and determine the purpose and means of the Processing (e.g., DocuSign Business Partners that provide their own goods or services directly to Customers);
  2. Third Party Processors: these are Third Parties that Process CSB Information solely on behalf of DocuSign and at its direction (e.g., Third Parties that Process CSB Information in performing service or technical customer support for Customers, or hosting services).

Transfer for applicable Business Purpose only

11.3

DocuSign shall transfer CSB Information to a Third Party to the extent necessary to serve the applicable Business Purpose (including Secondary Purposes as per Article 3 or purposes for which the Individual has provided consent in accordance with Article 2).

Third Party Controller contracts

11.4

Third Party Controllers (other than government agencies) may Process CSB Information transferred by DocuSign only if they have a written or electronic contract with DocuSign. In the contract, DocuSign shall seek to contractually protect the privacy protection interests of its Individuals when CSB Information is Processed by Third Party Controllers. All such contracts shall be drafted consistent with appropriate contracting guidelines.

Third Party Processor contracts

11.5

Third Party Processors may Process CSB Information only if they have a validly entered into written or electronic agreement with DocuSign (Processor Contract). The Processor Contract must include the following provisions:

  1. the Third Party Processor shall Process CSB Information only for the purposes authorized by DocuSign and in accordance with DocuSign's documented instructions including on transfers of CSB Information to any Third Party Processor not covered by an Adequacy Decision, unless the Third Party Processor is required to do so under mandatory requirements applicable to the Third Party Processor and notified to DocuSign;
  2. the Third Party Processor shall keep the CSB Information confidential and shall impose confidentiality obligations on Staff with access to CSB Information;
  3. the Third Party Processor shall take appropriate technical, physical and organizational security measures to protect the CSB Information;
  4. the Third Party Processor shall only permit subcontractors to Process CSB Information in connection with its obligations to DocuSign (a) with the prior specific or generic consent of DocuSign and (b) based on a validly entered into written or electronic agreement with the subcontractor, which imposes similar privacy protection-related Processing terms as those imposed on the Third Party Processor under the Processor Contract and provided that the Third Party Processor remains liable to DocuSign for the performance of the subcontractor in accordance with the terms of the Processor Contract. In case DocuSign provides generic consent for involvement of subcontractors, the Third Party Processor shall provide notice to DocuSign of any changes in its subcontractors and will provide DocuSign the opportunity to object to such changes based on reasonable grounds;
  5. DocuSign should be able to verify the security measures taken by the Third Party Processor (a) by an obligation of Third Party Processor to submit its relevant information processing facilities to audits and inspections by DocuSign, a Third Party on behalf of DocuSign, or any relevant government authority; or (b) by means of a statement issued by a qualified independent third party assessor on behalf of Third Party Processor certifying that the information processing facilities of the Third Party Processor used for the Processing of the CSB Information comply with the requirements of the Processor Contract;
  6. The Third Party Processor shall deal promptly and appropriately with:
    1. requests for information necessary to demonstrate compliance of the Third Party Processor with its obligations under the Processor Contract and will inform DocuSign if any instructions of DocuSign in this respect violate Applicable Data Controller Law;
    2. requests and complaints of CSB individuals as instructed by DocuSign; and
    3. requests for assistance of DocuSign as reasonably required to ensure compliance of the Processing of the CSB Information with Applicable Data Controller Law; 
  7. The Third Party Processor shall promptly inform DocuSign of a Data Security Breach involving CSB Information; and
  8. Upon termination of the Processor Contract, the Third Party Processor shall, at the option of DocuSign, return the CSB Information and copies thereof to DocuSign or shall securely delete such CSB Information, except to the extent the Processor Contract or applicable law provides otherwise.

Transfer of CSB Information to Third Parties outside the EEA that are not covered by Adequacy Decisions

11.6

This Article sets forth additional rules for CSB Information that is (a) collected originally in connection with activities of a Group Company that is located in the EEA or covered by an Adequacy Decision; and (b) transferred to a Third Party that is located outside the EEA and not covered by an Adequacy Decision.

CSB Information may be transferred only if:

  1. the transfer is necessary for the performance of a contract with the Individual, for managing a contract with the Individual, or to take necessary steps at the request of the Individual prior to entering into a contract, e.g., for processing orders;
  2. a contract has been concluded between DocuSign and the relevant Third Party requiring that (a) such Third Party shall be bound by the terms of this CSB Privacy Code as were it a Group Company; (b) provides for safeguards at a similar level of protection as that provided by this CSB Privacy Code; or (c) that is recognized under Data Protection Law as providing an “adequate” level of privacy protection;
  3. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Individual between DocuSign and a Third Party (e.g., in case of recalls);
  4. the Third Party has been certified under a ‘safe harbor’ program that is recognized under Data Protection Law as providing an “adequate” level of privacy protection, such as the EU-U.S. Privacy Shield program;
  5. the Third Party has implemented Binding Corporate Rules or a similar transfer control mechanism as providing an “adequate” level of privacy protection;
  6. the transfer is necessary to protect a vital interest of the Individual;
  7. the transfer is necessary for the establishment, exercise or defense of a legal claim;
  8. the transfer is necessary to satisfy a pressing need to protect the public interests of a democratic society; or
  9. the transfer is necessary for the performance of a task carried out to comply with a legal obligation to which the relevant Group Company is subject.

Items (viii) and (ix) above require the prior approval of the Chief Privacy Officer.

Consent for transfer

11.7

In addition to the grounds listed in Article 11.6 DocuSign may transfer CSB Information to a Third Party located outside the EEA that is not covered by an Adequacy Decision if the Individual has given his or her consent to the transfer. If Applicable Data Controller Law so requires DocuSign shall, in addition to having one of the grounds listed in Article 11.6, also seek consent of the Individual for the relevant transfer.

Prior to requesting consent, the Individual shall be provided with the following information:

  1. the purpose of the transfer;
  2. the identity of the transferring Group Company;
  3. the identity or categories of Third Parties to which the CSB Information will be transferred;
  4. the categories of CSB Information that will be transferred;
  5. the country to which the CSB Information will be transferred; and
  6. the fact that the CSB Information will be transferred to a Third Party not covered by an Adequacy Decision.

The requirements set out in Articles 2.2 and 2.3 apply to the granting, denial or withdrawal of Individual consent.

Internal Processors

11.8

Internal Processors may Process CSB Information only if they have a validly entered into written or electronic contract with the Group Company acting as the Data Controller of the relevant CSB Information, which contract must in any event include the provisions set out in Article 11.5.

 

Article 12 – Overriding Interests

Overriding Interests

12.1

The obligations of DocuSign or rights of Individuals as specified in Articles 12.2. and 12.3. may be overridden if, under the specific circumstances at issue, a pressing need exists that outweighs the interest of the Individual (Overriding Interest). An Overriding Interest exists if there is a need to:

  1. protect the legitimate business interests of DocuSign including:
  1. the health, security or safety of Employees or Individuals;
  2. DocuSign's intellectual property rights, trade secrets or reputation;
  3. the continuity of DocuSign's business operations;
  4. the preservation of confidentiality in a proposed sale, merger or acquisition of a business; or
  5. the involvement of trusted advisors or consultants for business, legal, tax, or insurance purposes;
  1. prevent or investigate (including cooperating with law enforcement) suspected or actual violations of law; or
  2. otherwise protect or defend the rights or freedoms of DocuSign, its Employees or other persons.

Exceptions in the event of Overriding Interests

12.2

If an Overriding Interest exists, one or more of the following obligations of DocuSign or rights of the Individual may be set aside:

  1. Article 3.1 (the requirement to Process CSB Information for closely related purposes);
  2. Article 5.2 (data storage and deletion);
  3. Articles 6.1 and 6.2 (information provided to Individuals);
  4. Articles 7.1-7.3 (rights of Individuals);
  5. Article 8.2 (Staff access limitations and confidentiality requirements); and
  6. Articles 11.4, 11.5 and 11.6 (ii) (contracts with Third Parties).

Sensitive Information

12.3

The requirements of Articles 4.1 and 4.2 (Sensitive Information) may be set aside only for the Overriding Interests listed in Article 12.1 (i) (a), (b), (c) and (e), (ii) and (iii).

Consultation with Chief Privacy Officer

12.4

Setting aside obligations of DocuSign or rights of Individuals based on an Overriding Interest requires prior consultation of the Chief Privacy Officer. The Chief Privacy Officer shall document his or her advice.

Information to Individual

12.5

Upon request of the Individual, DocuSign shall inform the Individual of the Overriding Interest for which obligations of DocuSign or rights of the Individual have been set aside, unless the particular Overriding Interest sets aside the requirements of Articles 6.1 or 7.1 - 7.3, in which case the request shall be denied.

 

Article 13 – Supervision and Compliance

Chief Privacy Officer

13.1

DocuSign Inc. shall appoint a Chief Privacy Officer who is responsible for:

  1. Supervising compliance with this CSB Privacy Code;
  2. Providing periodic reports, as appropriate, to the Chief Executive Officer on data protection risks and compliance issues;
  3. Monitoring the performance and periodic review of a Data Protection Impact Assessment (DPIA) before a new system or a business process involving Processing of CSB Information is implemented as described in Article 14.3;
  4. Deciding on complaints as described in Article 16.3; and
  5. Coordinating, in conjunction with the appropriate Privacy Lead, official investigations or inquiries into the Processing of CSB Information by a public authority.

Security & Privacy Council

13.2

The Chief Privacy Officer shall maintain an advisory Security & Privacy Council. The Security & Privacy Council has created and shall maintain a privacy compliance framework for:

  1. Developing and maintaining (including monitoring and testing) policies, procedures and system information (as required by Articles 14 and 15);
  2. Planning training and awareness programs;
  3. Monitoring and reporting on compliance with this CSB Privacy Code;
  4. Overseeing the collection, investigation and resolution of privacy inquiries, concerns and complaints; and
  5. Determining and updating appropriate sanctions for violations of this CSB Privacy Code (e.g., disciplinary standards in cooperation with other relevant internal functions, such as HR and Legal).

Privacy Leads

13.3

The Chief Privacy Officer has established and shall maintain a global network of Privacy Leads sufficient to direct compliance with this CSB Privacy Code within their respective regions or organizations.

The Privacy Leads shall perform the following tasks:

  1. Regularly advise their respective executive teams and the Chief Privacy Officer on privacy risks and compliance issues, including any new legal requirement that the Privacy Lead believes to interfere with DocuSign’s ability to comply with this CSB Privacy Code (as required by Article 20.3);
  2. Maintain and ensure that the policies and procedures are implemented, the system information is maintained and Data Protection Impact Assessments (DPIAs) are performed);
  3. Implement the privacy compliance framework as required by the Chief Privacy Officer;
  4. Be available for requests for privacy approvals or advice as described in Article 7;
  5. Own and authorize all appropriate privacy sub-policies in their organizations; and
  6. Cooperate with the Chief Privacy Officer, and other Privacy Leads.

Responsible Executive

13.4

The Responsible Executive shall perform at least the following tasks:

  1. Ensure that the policies and procedures are implemented, the system information is maintained and DPIAs are performed (as required by Article 14);
  2. Ensure that CSB Information is deleted, destroyed, de-identified or transferred (as required by Article 5.2); and
  3. Determine how to comply with this CSB Privacy Code when there is a conflict with applicable law (as required by Article 20.2).

Privacy Lead with a statutory position

13.5

Where a Privacy Lead holds his or her position pursuant to law, he or she shall carry out his or her job responsibilities to the extent they do not conflict with his or her statutory position.

 

Article 14 – Policies and Procedures

Policies and procedures

14.1

DocuSign shall develop and implement policies and procedures to comply with this CSB Privacy Code.

System information

14.2

DocuSign shall maintain readily available information regarding the structure and functioning of all systems and processes that Process CSB Information (e.g., inventory of systems and processes). A copy of this information will be provided to the Irish DPA or to a DPA competent to audit under Article 16.2 upon request.

Data Protection Impact Assessment

14.3

 

DocuSign shall maintain a procedure to conduct and document a prior assessment of the impact which a given Processing may have on the protection of CSB Information, where such Processing is likely to result in a high risk for the rights and freedoms of Individuals, in particular where new technologies are used (Data Protection Impact Assessment). Where the Data Protection Impact Assessment shows that, despite mitigating measures taken by DocuSign, the Processing still presents a residual high risk for the rights and freedoms of Customers, the Irish DPA will be consulted prior to such Processing taking place.

 

Article 15 – Training

Staff training

15.1

DocuSign shall provide training on the obligations and principles laid down in this CSB Privacy Code and other privacy and data security obligations to Staff who have access to or responsibilities associated with managing CSB Information.

 

Article 16 – Monitoring and Auditing Compliance

Audits

16.1

DocuSign’s internal audit team shall audit business processes and procedures that involve the Processing of CSB Information for compliance with this CSB Privacy Code. The audits shall be carried out in the course of the regular activities of DocuSign’s internal audit team or at the request of the Chief Privacy Officer. The Chief Privacy Officer may request to have an audit as specified in this Article conducted by an external auditor. Applicable professional standards of independence, integrity and confidentiality shall be observed when conducting an audit. The Chief Privacy Officer and the appropriate Privacy Leads shall be informed of the results of the audits. Any violations of this CSB Privacy Code identified in the audit report will be reported back to the Responsible Executive. A copy of the audit results related to compliance with this CSB Privacy Code will be provided upon request to the Irish DPA or to any Competent DPA.

DPA audit

16.2

Subject to Article 16.3, the Irish DPA may request an audit of the facilities used by DocuSign for the Processing of CSB Information for compliance with this CSB Privacy Code. In addition, a DPA that has the right under Applicable Data Controller Law to audit a Group Company (a “Competent DPA”) will be authorized to audit the relevant data transfer for compliance with this CSB Privacy Code, subject to the same conditions as would apply to an audit by that DPA under Applicable Data Controller Law.

DPA audit procedure

16.3

DocuSign will facilitate any audit by a DPA under Article 16.2 by undertaking the following actions:

  1. Information sharing: DocuSign will attempt to resolve the request by providing information to the DPA including DocuSign audit reports, discussion with DocuSign subject matter experts, and review of security, privacy, and operational controls in place.
  2. Examinations: If the information available through these mechanisms is insufficient to address the DPA’s stated objectives, DocuSign will provide the DPA with the opportunity to communicate with DocuSign’s auditor and if required, a direct right to examine DocuSign’s data processing facilities used to process the CSB Information on giving reasonable prior notice and during business hours, with full respect to the confidentiality of the information obtained and to the trade secrets of DocuSign
  3. Scope: Nothing in this Article 16.3 will be construed to take away any audit rights that a DPA may have under applicable law. This CSB Privacy Code provides supplemental audit rights to DPAs only. In the event of any conflict between this Article 16.3 and applicable law, the provisions of applicable law shall prevail.

 

Annual Privacy Report

16.4

The Chief Privacy Officer shall produce an annual CSB Information privacy report for the Chief Executive Officer of DocuSign Inc. on compliance with this CSB Privacy Code, privacy protection risks and other relevant issues.

Each Privacy Lead shall provide information relevant to the report to the Chief Privacy Officer.

Mitigation

16.5

DocuSign shall, if so indicated, ensure that adequate steps are taken to address breaches of this CSB Privacy Code identified during the monitoring or auditing of compliance pursuant to this Article 16.

 

Article 17 – Complaints Procedure

Complaint

17.1

Individuals may file a complaint in respect of any claim they have under Article 18.1 or violations of their rights under Applicable Data Controller Law in accordance with the complaints procedure set forth in the relevant privacy policy or contract. The complaint shall be forwarded to the appropriate Privacy Lead.

The appropriate Privacy Lead shall:

  1. notify the Chief Privacy Officer;
  2. analyze the complaint and, initiate an investigation; and
  3. when necessary, advise the business on the appropriate measures for compliance, and monitor, through to completion, the steps designed to achieve compliance.

The appropriate Privacy Lead may consult with any government authority having jurisdiction over a particular matter about the measures to be taken.

Reply to Individual

17.2

DocuSign will use reasonable efforts to resolve complaints without undue delay, so that a response is given to the Customer Individual within one calendar month of the date that the complaint was filed. The appropriate Privacy Lead shall inform the Individual in writing via the means that the Individual originally used to contact DocuSign (e.g., via mail or email) either (i) of DocuSign’s position with regard to the complaint and any action DocuSign has taken or will take in response or (ii) when he or she will be informed of DocuSign's position, which shall be no later than two calendar months after the original one month period. The appropriate Privacy Lead shall send a copy of the complaint and his or her written reply to the Chief Privacy Officer.

Complaint to Chief Privacy Officer

17.3

An Individual may file a complaint with the Chief Privacy Officer if:

  1. the resolution of the complaint by the appropriate Privacy Lead is unsatisfactory to the Individual (e.g., the complaint is rejected);
  2. the Individual has not received a response as required by Article 17.2;
  3. the time period provided to the Individual pursuant to Article 17.2 is, in light of the relevant circumstances, unreasonably long and the Individual has objected but has not been provided with a shorter, more reasonable time period in which he or she will receive a response; or
  4. in one of the events listed in Article 7.7.

The procedure described in Articles 17.1 through 17.2 shall apply to complaints filed with the Chief Privacy Officer.

If the response of the Chief Privacy Officer to the complaint is unsatisfactory to the Individual (e.g., the request is denied), the Individual can file a complaint or claim with the authorities or the courts in accordance with Article 18.2.

 

Article 18 – Legal Issues

Complaints procedure

18.1

Individuals are encouraged to first follow the complaints procedure set forth in Article 17 of this CSB Privacy Code before filing any complaint or claim with the competent DPAs or the courts.

Rights of Individuals

18.2

If DocuSign violates the Privacy Code with respect to the CSB Information of an Individual (Affected Individual) covered by this Privacy Code, the Affected Individual can as a third party beneficiary enforce any claim as a result of a breach of Articles 1.6, 2 – 11, 12.5, 16.2, 17, 18 and 20.4 - 20.5 in accordance with Article 18.2.

The rights contained in this Article are in addition to, and shall not prejudice, any other rights or remedies that an Individual may otherwise have by law.

Jurisdiction for claims of Individuals

18.2

In case of a violation of this CSB Privacy Code, the Individual may, at his/her choice, submit a complaint or claim to the DPA or the courts:

  1. in the EEA country at the origin of the data transfer, against the Group Company in such country of origin responsible for the relevant data transfer;
  2. in Ireland, against DocuSign Ireland; or
  3. in the EEA country where (a) the Individual has his or her habitual residence or place of work, or (b) the infringement took place, against the Group Company that is the Data Controller of the relevant CSB Information or DocuSign Ireland.

The Group Company against which the complaint or claim is brought (relevant Group Company), may not rely on a breach by another Group Company or a Third Party Processor to avoid liability except to the extent any defense of such other Group Company or Third Party Processor would also constitute a defense of the relevant Group Company.

The DPAs and courts shall apply their own substantive and procedural laws to the dispute. Any choice made by the Individual will not prejudice the substantive or procedural rights he or she may have under applicable law.

Right to claim damages

18.3

In case an Individual has a claim under Article 18.2, and

  1. the relevant Processing is governed by Data Protection Law, such Individual shall be entitled to compensation of damages suffered by an Individual resulting from a violation of this CSB Privacy Code to the extent provided by applicable EEA law; or
  2. the relevant Processing is not governed by Data Protection Law, such Individual shall be entitled to compensation of actual direct damages (which exclude, without limitation, lost profits or revenue, lost turnover, cost of capital, and downtime cost), suffered by an Individual resulting from a violation of this CSB Privacy Code, to the extent provided by applicable EEA law.

Burden of proof in respect of claim for damages

18.4

In case an Individual brings a claim for damages under Article 18.2, it will be for the Individual to demonstrate that he or she has suffered the relevant damages and to establish facts which show it is plausible that the damage has occurred because of a violation of the CSB Privacy Code. It will subsequently be for the relevant Group Company to prove that the damages suffered by the Individual due to a violation of this CSB Privacy Code are not attributable to DocuSign.

Mutual assistance and redress

18.5

All Group Companies shall co-operate and assist each other to the extent reasonably possible to handle:

  1. a request, complaint or claim made by an Individual; or
  2. a lawful investigation or inquiry by a competent DPA or government authority.

The Group Company that receives a request, complaint or claim from an Individual is responsible for handling any communication with the Individual regarding his or her request, complaint or claim except where circumstances dictate otherwise.

Advice of the Irish DPA and Competent DPAs

18.6

DocuSign Ireland shall abide by the advice of the Irish DPA and Competent DPAs issued on the interpretation and application of this CSB Privacy Code.

Mitigation

18.7

DocuSign Ireland shall ensure that adequate steps are taken to address violations of this CSB Privacy Code by a Group Company.

Law applicable to Code

18.8

This CSB Privacy Code shall be governed by and interpreted in accordance with Irish law.

 

Article 19 – Sanctions for Non-compliance

Non-compliance

19.1

Non-compliance of Employees with this CSB Privacy Code may result in disciplinary action in accordance with DocuSign policies and local law, up to and including termination of employment.

 

Article 20 – Conflicts between this CSB Privacy Code and Applicable Local Law

Conflict of law when transferring CSB Information

20.1

Where a legal requirement to transfer CSB Information conflicts with the laws of the Member States of the EEA, the transfer requires the prior approval of the Chief Privacy Officer. The Chief Privacy Officer may seek the advice of the Irish DPA or another competent government authority.

Conflict between CSB Privacy Code and law

20.2

In all other cases, where there is a conflict between applicable local law and this CSB Privacy Code, the relevant Responsible Executive shall consult with the Chief Privacy Officer to determine how to comply with this CSB Privacy Code and resolve the conflict to the extent reasonably practicable given the legal requirements applicable to the relevant Group Company.

New conflicting legal requirements

20.3

The relevant Privacy Leads, in consultation with the legal department, shall promptly inform the Responsible Executive of any new legal requirement that may interfere with DocuSign's ability to comply with this CSB Privacy Code.

Reporting to Lead DPA

20.4

If DocuSign becomes aware that applicable local law of a non-EEA country is likely to have a substantial adverse effect on the protection offered by this Privacy Code, DocuSign will report this to the Irish DPA.

Requests for Disclosure of CSB Information

20.5

If DocuSign receives a request for disclosure of CSB Information from a law enforcement authority or state security body of a non-EEA country (Authority), it will first assess on a case-by-case basis whether this request (Disclosure Request) is legally valid and binding on DocuSign. Any Disclosure Request that is not legally valid and binding on Company will be resisted in accordance with applicable law.

Subject to the following paragraph, DocuSign shall promptly inform the Irish DPA of any legally valid and binding Disclosure Requests, and will request the Authority to put such Disclosure Requests on hold for a reasonable delay in order to enable the Irish DPA to issue an opinion on the validity of the relevant disclosure.

If suspension and/or notification of a Disclosure Request is prohibited, such as in case of a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation, DocuSign will request the Authority to waive this prohibition and will document that it has made this request. In any event, DocuSign will on an annual basis provide to the Irish DPA general information on the number and type of Disclosure Requests it received in the preceding 12 month period, to the fullest extent permitted by applicable law.

In any event, any transfers by DocuSign of CBS Information to any Authority in response to a Disclosure Request will not be massive, disproportionate or indiscriminate in a manner that would go beyond what is necessary in a democratic society.

 

Article 21 – Changes to this CSB Privacy Code

Approval for changes

21.1

Any changes to this CSB Privacy Code require the prior approval of the Chief Executive Officer of DocuSign Inc. and shall thereafter be communicated to the Group Companies. The Chief Privacy Officer shall promptly inform the Irish DPA of changes to this Privacy Code that have a significant impact on the protection offered by this Privacy Code or the Privacy Code itself and will be responsible for coordinating DocuSign’s responses to questions of the Irish DPA in respect thereof. Other changes (if any) will be notified by the Chief Privacy Officer to the Irish DPA on a yearly basis.

Effective Date of changes

21.2

Any change shall enter into force with immediate effect after it has been approved in accordance with Article 21.1 and is published on the DocuSign Global Intranet.

Prior versions

21.3

Any request, complaint or claim of an Individual involving this CSB Privacy Code shall be judged against the version of this CSB Privacy Code as it is in force at the time the request, complaint or claim is made.

 

Article 22 – Transition Periods

Transition period for new Group Companies

22.1

Any entity that becomes a Group Company after the Effective Date shall comply with this CSB Privacy Code within one year of becoming a Group Company.

Transition Period for Divested Entities

22.2

A Divested Entity (or specific parts thereof) will remain covered by this CSB Privacy Code after its divestment for such period as is required by DocuSign to disentangle the Processing of CSB Information relating to such Divested Entity.

Transition period for IT Systems

22.3

Where implementation of this CSB Privacy Code requires updates or changes to information technology systems (including replacement of systems), the transition period shall be two years from the Effective Date or from the date an entity becomes a Group Company, or any longer period as is reasonably necessary to complete the update, change or replacement process.

Transition period for existing agreements

22.4

Where there are existing agreements with Third Parties that are affected by this CSB Privacy Code, the provisions of the agreements will prevail until the agreements are renewed in the normal course of business.

Transitional period for Local-for-Local Processing

22.5

Local-for-Local Processing subject to this CSB Privacy Code shall be brought into compliance with this CSB Privacy Code within five years of the Effective Date.

Compliance during the Transitional Period

22.6

During the transition periods set out in Article 22.1 – 22.5, no CSB Information will be transferred to a Group Company under this CSB Privacy Code until that Group Company is (i) fully compliant or (ii) an alternative data transfer mechanism has been put in place, such as standard contractual clauses.

 

Contact details

 

DocuSign Privacy Office

c/o DocuSign Ireland

Attn: Legal/Privacy

1 Cumberland Place

Fenian Street, Floor 3

Dublin 2, Republic of Ireland

 

 

ANNEX 1 Definitions

Adequacy Decision

A decision issued by the European Commission under Article 25 EC Data Protection Directive that a country or region or a category of recipients in such country or region is deemed to provide an "adequate" level of data protection.

Applicable Data Controller Law

APPLICABLE DATA CONTROLLER LAW means the provisions of mandatory law of a country containing rules for the protection of individuals with regard to the Processing of Personal Information including security requirements for and the free movement of such Personal Information as applicable to DocuSign in its capacity as the Data Controller of Personal Information.

Archive

ARCHIVE shall mean a collection of CSB Information that is no longer necessary to achieve the purposes for which the CSB Information originally was collected or that is no longer used for general business activities, but is used only for historical, scientific or statistical purposes, dispute resolution, investigations or general archiving purposes. An Archive includes any data set that can no longer be accessed by any Employee other than the system administrator.

Article

ARTICLE shall mean an article in this CSB Privacy Code.

Binding Corporate Rules

BINDING CORPORATE RULES shall mean a privacy policy of a group of undertakings which, under applicable local law (such as Article 25 of the EU Data Protection Directive), is considered to provide an adequate level of protection for the transfer of Personal Information within that group of undertakings.

Business Development

BUSINESS DEVELOPMENT shall mean the tasks and processes aimed at developing and implementing growth opportunities within and between DocuSign and Business Partners.

Business Partner

BUSINESS PARTNER shall mean any Third Party, other than a Customer or Supplier, that has or has had a business relationship or strategic alliance with DocuSign (e.g., joint marketing partner, joint venture or joint development partner, investor).

Business Purpose

BUSINESS PURPOSE shall mean a purpose for Processing CSB Information as specified in Article 2 or 3 or for Processing Sensitive Information as specified in Article 4 or 3.

Chief Privacy Officer

CHIEF PRIVACY OFFICER shall mean the officer as referred to in Article 13.1.

Children

CHILDREN shall mean Individuals under thirteen (13) years of age.

Competent DPA

COMPETENT DPA shall have the meaning set forth in Article 16.2 above.

CSB Information

CSB INFORMATION shall have the meaning set forth in Article 1.1 above

CSB Privacy Code

CSB PRIVACY CODE shall mean this Privacy Code for Customer, Supplier and Business Partner Information.

Customer

CUSTOMER shall mean any person, private organisation, or government body that purchases, may purchase or has purchased a DocuSign product or service.

Customer Services

CUSTOMER SERVICES shall mean the services provided by DocuSign to Customers to support DocuSign products and services offered to or in use with their employees or customers (e.g., DocuSign’s digital transaction management platform and related services). These services may include the maintenance, upgrade, replacement, inspection and related support activities aimed at facilitating continued and sustained use of DocuSign products and services.

Data Controller

DATA CONTROLLER shall mean the entity or natural person which alone or jointly with others determines the purposes and means of the Processing of Personal Information.

Data Protection Impact Assessment (DPIA)

DATA PROTECTION IMPACT ASSESSMENT (DPIA) shall mean a procedure to conduct and document a prior assessment of the impact which a given Processing may have on the protection of CSB Information, where such Processing is likely to result in a high risk for the rights and freedoms of Individuals, in particular where new technologies are used.

A DPIA shall contain:

      1. a description of:
        1. the scope and context of the Processing;
        2. the Business Purposes for which CSB Information is Processed;
        3. the specific purposes for which Sensitive Information is Processed;
        4. categories of CSB Information recipients, including recipients not covered by an Adequacy Decision;
        5. CSB Information storage periods;
      2. an assessment of:
        1. the necessity and proportionality of the Processing;
        2. the risks to the privacy rights of Individuals; and
        3. the measures to mitigate these risks, including safeguards, security measures and other mechanisms (such as privacy-by-design) to ensure the protection of CSB Information.

Data Protection Law

DATA PROTECTION LAW shall mean the provisions of mandatory law of an EEA country containing rules for the protection of individuals with regard to the Processing of Personal Information including security requirements for and the free movement of such Personal Information.

Data Security Breach

DATA SECURITY BREACH shall mean the unauthorized acquisition, access, use or disclosure of unencrypted CSB Information that compromises the security or privacy of such information to the extent the compromise poses a high risk of financial, reputational, or other harm to the Individual. A Data Security Breach is deemed not to have occurred where there has been an unintentional acquisition, access or use of unencrypted CSB Information by an employee of DocuSign or Third Party Processor or an individual acting under their respective authority, if:

  1. the acquisition, access, or use of CSB Information was made in good faith and within the course and scope of the employment or professional relationship of such employee or other individual; and
  2. the CSB Information is not further acquired, accessed, used or disclosed by any person.

Divested Entity

DIVESTED ENTITY shall mean the divestment by DocuSign of a Group Company or business by means of:

  1. a sale of shares that results in the divested Group Company no longer qualifying as a Group Company; and/or
  2. a demerger, sale of assets, or any other manner or form.

DocuSign

DOCUSIGN shall mean DocuSign Inc. and its Group Companies.

DocuSign Inc.

DOCUSIGN, INC. shall mean DocuSign Inc., a Delaware, US company.

DocuSign Ireland

DOCUSIGN IRELAND shall mean DocuSign International (EMEA) Limited, an Irish company, which serves as DocuSign’s European headquarters.

DPA

DPA shall mean any data protection authority of one of the countries of the EEA.

EEA

EEA or EUROPEAN ECONOMIC AREA shall mean all Member States of the European Union, plus Norway, Iceland and Liechtenstein, and for purposes of this Privacy Code, Switzerland.

Effective Date

EFFECTIVE DATE shall mean the date on which this CSB Privacy Code becomes effective as set forth in Article 1.7.

Employee

EMPLOYEE shall mean the following individuals:

  1. an employee, job applicant or former employee of DocuSign including temporary workers working under the direct supervision of DocuSign (e.g., independent contractors and trainees). This term does not include people working at DocuSign as consultants or employees of Third Parties providing services to DocuSign;
  2. a (former) executive or non-executive director of DocuSign or (former) member of the supervisory board or similar body to DocuSign.

Group Company

GROUP COMPANY shall mean DocuSign Inc. and any company or legal entity of which DocuSign Inc., directly or indirectly owns more than 50% of the issued share capital, has 50% or more of the voting power at general meetings of shareholders, has the power to appoint a majority of the directors, or otherwise directs the activities of such other legal entity; however, any such company or legal entity shall be deemed a Group Company only as long as a liaison and/or relationship exists.

Individual

INDIVIDUAL shall mean any individual (employee of or any person working for) Customer, Supplier or Business Partner and any other individual whose CSB Information DocuSign processes in the context of the provision of its services.

Internal Processor

INTERNAL PROCESSOR shall mean any Group Company that Processes CSB Information as a Data Processor on behalf of another Group Company acting as the Data Controller.

Local-for-Local Processing

LOCAL FOR LOCAL PROCESSING shall have the meaning set forth in Article 1.2 above.

Organizational Unit

ORGANIZATIONAL UNIT shall mean each business unit and staff function of DocuSign.

Overriding Interest

OVERRIDING INTEREST shall mean the pressing interests set forth in Article 12.1 based on which the obligations of DocuSign or rights of Individuals set forth in Article 12.2 and 12.3 may, under specific circumstances, be overridden if this pressing interest outweighs the interest of the Individual.

Personal Information

PERSONAL INFORMATION shall mean any information relating to an identified or identifiable Individual.

Privacy Code

PRIVACY CODE shall mean this Privacy Code for CSB Information.

Privacy Lead

PRIVACY LEAD shall mean a Privacy Lead appointed by the Chief Privacy Officer pursuant to Article 13.3.

Processing

Processing shall mean any operation that is performed on CSB Information, whether or not by automatic means, such as collection, recording, storage, organization, alteration, use, disclosure (including the granting of remote access), transmission or deletion of CSB Information.

Processor Contract

PROCESSOR CONTRACT shall mean any contract for the Processing of CSB Information entered into by DocuSign and a Third Party Processor.

Responsible Executive

RESPONSIBLE EXECUTIVE shall mean the lowest-level DocuSign business executive or the non-executive general manager of a DocuSign business function/unit who has primary budgetary ownership of the relevant Processing.

Secondary Purpose

SECONDARY PURPOSE shall have the meaning ascribed to that term in Article 3.1.

Security & Privacy Council

Security & PRIVACY COUNCIL shall mean the council referred to in Article 13.2.

Sensitive Information

SENSITIVE INFORMATION shall mean CSB Information that reveals an Individual's racial or ethnic origin, political opinions or membership in political parties or similar organizations, religious or philosophical beliefs, membership in a professional or trade organization or union, physical or mental health including any opinion thereof, disabilities, genetic CSB Information, biometric CSB Information, addictions, sex life, criminal convictions or offenses, or social security numbers issued by the government.

Staff

STAFF shall mean all Employees and other persons who Process CSB Information as part of their respective duties or responsibilities as employees or individuals under the direct authority of DocuSign using DocuSign information technology systems or working primarily from DocuSign's premises.

Supplier

SUPPLIER shall mean any Third Party that provides goods or services to DocuSign (e.g., an agent, consultant or vendor), including Third Party Processors.

Supplier Services

SUPPLIER SERVICES shall mean the goods or services provided by Supplier under an agreement with DocuSign.

Third Party

THIRD PARTY shall mean any person or entity (e.g., an organization or government authority) outside DocuSign.

Third Party Controller

THIRD PARTY CONTROLLER shall mean a Third Party that Processes CSB Information and determines the purposes and means of the Processing.

Third Party Processor

THIRD PARTY PROCESSOR shall mean a Third Party that Processes CSB Information on behalf of DocuSign that is not under the direct authority of DocuSign.

 

Interpretations

 

INTERPRETATION OF THIS CSB PRIVACY CODE:

  1. Unless the context requires otherwise, all references to a particular Article or Annex are references to that Article or Annex in or to this document, as they may be amended from time to time;
  2. headings are included for convenience only and are not to be used in construing any provision of this CSB Privacy Code;
  3. a word or phrase is defined, its other grammatical forms have a corresponding meaning;
  4. the male form shall include the female form;
  5. the words "include", "includes" and "including" and any words following them shall be construed without limitation to the generality of any preceding words or concepts and vice versa;
  6. a reference to a document (including, without limitation, a reference to this CSB Privacy Code) is to the document as amended, varied, supplemented or replaced, except to the extent prohibited by this CSB Privacy Code or that other document; and
  7. a reference to law or a legal obligation includes any regulatory requirement, sectorial guidance, and best practice issued by relevant national and international supervisory authorities or other bodies.