Legal | 14 min read

GDPR and E-Signatures: Data Protection Compliance Guide

Published February 26, 2026

Every e-signature involves personal data — names, email addresses, IP addresses, and sometimes biometric data (drawn signatures). If you operate in the EU/UK or process data of EU/UK residents, GDPR applies to your e-signature workflows. This guide explains the key GDPR principles as they apply to e-signatures, what your obligations are, and a practical compliance checklist.

What personal data do e-signatures involve?

  • Identity data (full name, email address): personal data
  • Technical data (IP address, browser/device info, geolocation): personal data
  • Signature data (drawn signature image, typing dynamics): potentially biometric data (special category)
  • Document content (names, addresses, financial details in the document): personal data (if identifiable)
  • Audit trail data (timestamps, action logs, authentication records): personal data

Lawful basis for processing

GDPR requires a lawful basis for processing personal data. For e-signature workflows, the most relevant bases are:

  • Contract performance (Art. 6(1)(b)): processing is necessary to execute the contract being signed. This covers the signer's name, email, and signature.
  • Legitimate interest (Art. 6(1)(f)): maintaining audit trails for legal compliance and dispute resolution. You have a legitimate business interest in proving that documents were properly executed.
  • Legal obligation (Art. 6(1)(c)): if you are legally required to maintain signed records (regulated industries, tax documents), this provides an additional basis.

Key GDPR principles applied to e-signatures

Data minimisation

Only collect the data you actually need. For an e-signature, you need the signer's name and email address to identify them and deliver the document. You may need their IP address for the audit trail. You probably do not need their phone number, physical address, or date of birth unless the document specifically requires it.

Storage limitation

Do not keep signed documents and personal data longer than necessary. Define retention periods based on the purpose:

  • Active contracts: keep for the duration of the contract
  • Expired contracts: keep for the limitation period (typically 6 years in the UK for contract claims)
  • Employment documents: keep for the duration of employment + limitation period
  • After retention: securely delete or anonymize
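The retention rules above are easy to state and easy to get wrong in practice (an active contract must never be swept up by a date-based purge, and the limitation clock starts at the end date, not the signing date). The following is an added example written for this guide, not eSignHub's own code, that encodes those rules as a small policy evaluator and applies the "anonymize" outcome by redacting the identifying fields. It assumes a single 6-year limitation period for both contract and employment records, treats a document with no end date as active, and uses constructed sample records with documentation-range IP addresses.

```python
"""Retention policy evaluator for signed documents (added example, not eSignHub code).

Assumptions beyond what the guide states:
- one 6-year limitation period applies after a contract or employment ends;
- a document with no end date is active and is always retained;
- "anonymize" redacts the identifying fields in place and keeps the
  non-personal remainder (document id, kind, dates) for record keeping.
"""
from dataclasses import dataclass, replace
from datetime import date
from enum import Enum
from typing import Optional

LIMITATION_YEARS = 6          # assumed: the UK contract-claim limitation period named in the text
REDACTED = "[redacted]"       # fixed token, so the result is anonymous rather than pseudonymous
AS_OF = date(2026, 2, 26)     # constructed "today" used by the sample run


class Kind(Enum):
    CONTRACT = "contract"
    EMPLOYMENT = "employment"


@dataclass(frozen=True)
class SignedDocument:
    doc_id: str
    kind: Kind
    signer_name: str
    signer_email: str
    signer_ip: str              # audit-trail data, still personal data under GDPR
    signed_on: date
    ended_on: Optional[date]    # contract expiry or employment end; None while active


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 Feb rolls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(doc: SignedDocument) -> Optional[date]:
    """Date from which the personal data may no longer be kept, or None while active.

    The limitation period runs from the end date, never from the signing date.
    """
    if doc.ended_on is None:
        return None
    return add_years(doc.ended_on, LIMITATION_YEARS)


def retention_action(doc: SignedDocument, today: date) -> str:
    """Return 'retain' or 'anonymize' for the document as of the given day."""
    expiry = retention_expiry(doc)
    if expiry is None or today < expiry:
        return "retain"
    return "anonymize"


def anonymize(doc: SignedDocument) -> SignedDocument:
    """Strip name, email and IP; the remaining record no longer identifies anyone."""
    return replace(doc, signer_name=REDACTED, signer_email=REDACTED, signer_ip=REDACTED)


def apply_retention(docs, today: date):
    """Apply the policy to a batch; return the processed records and an action log."""
    processed, log = [], []
    for doc in docs:
        action = retention_action(doc, today)
        processed.append(anonymize(doc) if action == "anonymize" else doc)
        log.append((doc.doc_id, action))
    return processed, log


# Constructed sample records (fictional signers, documentation-range IPs).
SAMPLE_DOCS = [
    SignedDocument("c-001", Kind.CONTRACT, "Ada Example", "ada@example.org", "203.0.113.7", date(2018, 3, 1), None),
    SignedDocument("c-002", Kind.CONTRACT, "Bo Example", "bo@example.org", "203.0.113.8", date(2018, 3, 1), date(2019, 12, 31)),
    SignedDocument("c-003", Kind.CONTRACT, "Cy Example", "cy@example.org", "203.0.113.9", date(2020, 1, 1), date(2021, 6, 30)),
    SignedDocument("e-001", Kind.EMPLOYMENT, "Di Example", "di@example.org", "203.0.113.10", date(2015, 9, 1), date(2020, 1, 15)),
]


def evaluate_samples(today: date = AS_OF) -> dict:
    """Map each sample document id to the action the policy chooses for it."""
    _, log = apply_retention(SAMPLE_DOCS, today)
    return dict(log)


if __name__ == "__main__":
    processed, log = apply_retention(SAMPLE_DOCS, AS_OF)
    for doc, (doc_id, action) in zip(processed, log):
        print(doc_id, action, doc.signer_email)
```

Run as-is it prints one line per sample record: the active contract and the recently ended one are retained, while the two records whose limitation period has run are redacted. In a real system the same evaluator would run as a scheduled job and its action log would itself be kept (it contains only document ids and actions, not personal data) as evidence that the retention schedule is actually enforced.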

Transparency

Signers must be informed about how their data will be processed. This means:

  • Your privacy notice should cover e-signature processing (what data, why, how long, who it is shared with)
  • The signing invitation should link to or reference the privacy notice
  • If using a third-party e-signature platform, disclose this to signers

International transfers

If your e-signature provider stores data outside the EU/UK, you need a transfer mechanism (Standard Contractual Clauses, adequacy decision, or UK International Data Transfer Agreement). Check where your provider's servers are located and whether they have appropriate transfer safeguards.

Your obligations as a data controller

When you send a document for e-signature through a platform like eSignHub, you are the data controller (you determine the purposes and means of processing). The e-signature platform is a data processor (it processes data on your behalf). Your obligations:

  • Ensure you have a lawful basis for processing every piece of personal data
  • Sign a Data Processing Agreement (DPA) with your e-signature provider
  • Conduct a Data Protection Impact Assessment (DPIA) if you process data at scale or use special category data
  • Respond to data subject rights requests (access, erasure, portability) — even for data held by your processor
  • Report personal data breaches to your supervisory authority within 72 hours of becoming aware of them

Compliance checklist

  • Privacy notice updated to cover e-signature processing
  • DPA signed with e-signature provider
  • Data processing records (Art. 30) updated to include e-signature activities
  • Retention periods defined for signed documents
  • International transfer mechanisms in place (if provider stores data outside EU/UK)
  • Sub-processor list reviewed (who else processes your signers' data?)
  • Data subject rights process in place (how to handle access/deletion requests)
  • Security measures verified (encryption at rest and in transit, access controls)
  • DPIA completed (if high-volume or special category data)

eSignHub's GDPR approach

eSignHub is designed with GDPR in mind: data is encrypted at rest and in transit, audit trails collect only necessary data, and a DPA is available for all customers. Data is stored in compliance with EU/UK data protection requirements. We maintain a transparent sub-processor list and notify customers of any changes.

Not legal advice

This guide is for informational purposes only. GDPR compliance depends on your specific circumstances. Consult a qualified data protection advisor or DPO.
