The extent to which a company is subject to obligations under EU data protection law depends on whether they are a data controller or a data processor.
There are a lot of similarities between controllers and processors. To give a distinction; a data controller is someone who collects personal data and manages how it is processed. A party who handles personal data on behalf of the data controller is generally known as a data processor. And is subject to far fewer obligations under GDPR.
So, which is it for Signable?
Why can’t it be both?
The nature of eSigning means that Signable acts as both a data processor and a data controller. Double the fun.
You can read a formal definition of each role here. Or, read on to learn what each role means specifically for us…
Our GDPR roles
GDPR Data Controller
We act as a data controller for all of our customers, including any users which are added to any Signable account. This is because we are managing the personal data our customers upload and it is our responsibility to determine the purposes and means of processing and managing that data. According to criteria set out by GDPR.
Basically, when it comes to your document’s data, we’re your electronic babysitter. We look after the information you’re uploading and we are entrusted to watch over it appropriately. This includes total transparency around how we are using your information (if at all) and still giving you total control.
What does Signable need to do?
We need to make it possible for you to:
- store data securely
- export any information you may need when you need it
- action whatever your customers/signers ask of you
You can rest assured by the fact that we are a company that handles a lot of data, daily. Which means we already know a thing or two about doing it properly. In order to stay on top of this, we’re going to be complying with the new GDPR act and then some.
GDPR Data Processor
We are a data processor for the information that our customers request and process from their signers. Think of this role as you uploading information to your own PC or laptop. We’re your PC or laptop.
How data is collected is how we determine the difference here. And so, as our customers are collecting information from signers, this defines them as the data controller.
Just like your computer, it’s for you to control how you manage its content. However, your computer also gives you all the tools you need to manage that appropriately. This is how GDPR and eSigning work with Signable.
What does Signable have to do?
To fulfil our computer role we have to maintain a record of all processing operations and be directly responsible for implementing appropriate security measures. Which means we give you the tools you need to act as responsible data controllers. This includes giving you:
- The ability to export envelopes (and history) and templates from your account
- Introducing new team permissions to handle permanently deleting data from your account
- Any inactive accounts removed after 12 months