As more and more people rely on electronic tools for their daily work, signing documents online has become increasingly common. While the convenience of e-signature platforms is known to most, it is easy to overlook the data protection aspect of such tools.
A reliable way to ensure the validity of a signature?
Ensuring that a signature is valid can be a challenge, and the task is not always handled successfully, as reports from several data protection authorities show. On 9 May 2022, the Finnish data protection authority fined the publishing company Otavamedia Oy EUR 85 000 for failing to act on data subject inquiries and for its handling of signature verification. The controller had failed to respond to some of the inquiries because of an email box error. It also required the inquiries to be signed, yet it was not processing signature data in any other context, so there was nothing against which the signatures could be cross-checked.
This is not the only example of GDPR fines issued in connection with unverified signatures. In 2019, the Italian DPA fined Eni Gas e Luce EUR 3 000 000 for infringements arising from the conclusion of unsolicited contracts for the supply of electricity and gas. Forged and unverified signatures were among the contributing causes.
Using an electronic signature service provider that verifies the identity of the individual before signing is one way to avoid this problem. That said, the convenience of such platforms comes with the responsibility of ensuring that the provider you choose is capable of meeting your personal data protection obligations and needs.
What are the risks?
- The location – as the legal framework of non-EU/EEA countries differs from that of the EU, transferring personal data to a third country can carry risk. Data controllers should check whether the e-signature provider they use is established in the EU/EEA, in a country covered by an adequacy decision, or otherwise able to support a lawful transfer mechanism under Chapter V of the GDPR.
- The terms and conditions – data controllers should review whether the e-signature provider has access to the contents of uploaded files, which technical and organisational measures are used to protect them, and whether and for how long the files are stored in the provider's systems. The risk of personal data protection violations increases if the provider retains the documents you upload.
- The offered plans and subscriptions – most people avoid taking on an unnecessary expense. If you are a data controller or processor and your employees use e-signature platforms from their personal accounts because no business account is available, the risk of a personal data breach increases: you cannot remove files from another user's account, so previously uploaded documents may remain in the possession of former employees who are no longer associated with your business. A business account with an activity log of your employees' actions within the platform is therefore a valuable tool for any data controller.
- Data processing agreement – e-signature service providers act as personal data processors, so a data processing agreement (Article 28 GDPR) must be concluded with them. Without such an agreement, the scope of the personal data processed, the manner of processing and the related obligations cannot be determined.
What steps should be taken to ensure the safe use of e-signature platforms?
- review the location of your selected e-signature service provider,
- review the sub-processors used by your selected e-signature service provider,
- review the technical and organisational measures that the selected e-signature service provider has implemented,
- conclude a data processing agreement with the provider.
The content of this article is intended to provide a general guide to the subject matter. If you need assistance with a specific situation related to e-signature service providers and GDPR compliance, or any other question related to personal data protection, please consult the experts of ECOVIS ProventusLaw.
This review was prepared by internationally certified ECOVIS ProventusLaw data protection expert Milda Šlekytė and junior associate Julija Ginotytė.