DISCLAIMER: This guide is intended to be a guideline and does NOT constitute legal advice. Please seek the advice of your brand’s legal counsel for meeting the requirements in the regions where you operate.
Adobe Acrobat Sign fully supports the General Data Protection Regulation (GDPR) for all users.
Based on the GDPR requirement to obtain user consent prior to storing data on the user's device, some users may experience one or more requests to enable cookies:
- Users accessing Adobe Acrobat Sign from the locales enforcing GDPR are required to enable the core service cookies
- Performance and personal advertising cookies can be enabled or disabled by clicking the Customize button
- Cookies can be managed at any time by clicking the Cookie Performance link at the bottom right of all Acrobat Sign web pages
- Accounts migrating to the adobesign.com domain (from echosign.com) have to configure their cookies twice, as each domain must place unique cookies
What is GDPR?
The General Data Protection Regulation (GDPR) is the European Union’s new privacy law that harmonizes and modernizes data protection requirements. While there are many new or enhanced requirements, the core underlying principles remain the same. The new rules have a broad definition of personal data and a wide reach, affecting any company that collects personal information of individuals in the EU. Part of the regulation requires that individuals have the right to understand what personal data has been collected, and to have that data deleted upon request, when appropriate.
For the purpose of this article, the term User refers to a member of a company that sends agreements for signature. The term Signer refers to an individual that receives and either signs or rejects the agreement. A privacy administrator is an Acrobat Sign account administrator with special controls for removing personal information from the service upon request of a Sender or Signer.
User uniqueness is predicated on the email address used to identify the individual. A person that has multiple email addresses could have multiple discrete user IDs in the system. All GDPR controls in Acrobat Sign use the email address to find and manage personal information. The system makes no connection between a person's different email addresses, so an Administrator will only find data for the email address provided.
Features that support GDPR
Acrobat Sign offers features to help customers comply with GDPR. For more information on how Adobe protects your privacy, visit www.adobe.com/privacy.
Under GDPR, individuals have enhanced rights to request access, correction, and deletion of their personal information.
- Access – Most personal information about a User or a Signer can be accessed directly by that individual through Acrobat Sign UI. There is a small amount of activity information that is not currently available directly. An individual account holder will need to contact the Adobe Privacy office at Adobe.com/privacy to request access to this information. An example of the report is included later in this article.
- Correction – All of the personal information that is collected on users or signers is available through the user interface. If changes are required, the User or Signer can make the changes directly without contacting Adobe or their administrator.
- Deletion – There are different actions depending on the role played in the signing ceremony. A User sending agreements must make the request to the company they are employed by. Adobe cannot participate in this interaction and does not control the data the employer has collected in the course of doing business. The signing process collects a minimal amount of information about a signer during the ceremony. This includes Name, email address, IP address and, optionally, phone number and OTP code. This information is stored with the agreement with their signature and is controlled by the company that sent the agreement. If a Signer needs information concerning the personal information collected with that agreement, they need to contact the Sender of the agreement. Adobe, as a data processor, cannot provide any information to the Signer about the agreement or the company that sent them the agreement. Since the only information saved about the Signer is in the Agreement, deleting the Agreement deletes the Signer’s personal information. If the Sender agrees to delete the Signer’s information, they use the privacy menu to find and delete the agreements where the Signer was a participant.
In terms of the Acrobat Sign toolset, there are three features in place:
- User level logs - A log of the various events (that include personal information) triggered in the Acrobat Sign environment
- Agreement Deletion - Privacy Administrators have authority to view and delete any agreement created by any user within their account.
- User Deletion - Privacy Administrators have the authority to delete any user within their account.
User level logs
Any user can make a request to the Adobe Privacy Center to provide the log of their activities in the Acrobat Sign system that include private information.
That information is returned in the form of a CSV containing:
- The date of the event
- The event type
- The IP address from which the event was triggered
Agreement Deletion
Applicable only to agreements sent by users under the authority of the Privacy Admin.
When a Signer makes a request to have their information removed from the Acrobat Sign system, the account Privacy Admin can search against the user's email address, and return all the agreements that email address participated in and that were created in the Admin’s account.
If the Privacy Admin determines that the agreement is no longer needed, they can delete it, wholly and irrevocably, from the service.
Recipients that contact Acrobat Sign will be directed to review their Manage tab, and contact the company that originally created the transaction for the purpose of deleting the agreement.
Acrobat Sign, as a data processor of the Customer, will never delete an agreement at the request of a recipient.
User Deletion
Applicable only to users under the authority of the Privacy Admin.
When an employee requests that their information be deleted from your systems, this tool completely deletes all of the user's information from the Acrobat Sign servers.
Users must make this request to the account Privacy Admin directly. Only the Privacy Admin has the authority to delete users.
Acrobat Sign support cannot delete users from an account, and if requested to do so, will refer the user to the account admin.
Individual and free accounts
Users that exist as the only person in an account, or who only have a free account, will not be able to delete themselves. In this case, the user will need to contact the Adobe Privacy Center.
The user needs to provide their email address and explicit instruction to delete the user associated with the email address from the Acrobat Sign systems. The Adobe Privacy Center will then take the appropriate steps to ensure the user is deleted.
How users can request that their data be removed from Acrobat Sign
Having personal information deleted from the Acrobat Sign system requires that the assets of the user be properly resolved. This process varies depending on the type of user/account involved, which can be grouped into four categories:
Signers are unique in that all of their agreements were created by some other user.
The first step in having your content deleted from the Acrobat Sign system is to register your email address and review the content that is associated with your email address.
You can register your email address here
Once your email address is registered:
- Log in and click the Manage tab at the top of the window.
- Click through each filter in the left rail (Waiting for you, Completed, Canceled, and Expired) to find your agreements
If there is no content on this page, contact the Adobe Privacy Center and request that your user (email address) be deleted from the Acrobat Sign system.
To have your agreement content deleted, you must contact the original sender of the agreement.
Only the original sending account has the authority to review the agreement and delete it.
Note: The original sending account Privacy Administrator determines when a contract can be deleted.
To determine who the original sender is:
- Single-click one record on the Manage tab to select it (double-clicking will open the agreement)
- The right rail opens to expose the agreement metadata and actions
- Copy the email address at the top right of the window (next to From:)
- Send an email to the original document creator using their email, indicating that you want them to remove your information from their Acrobat Sign account.
- Be sure to send the email from the same address that the original agreement was sent to so they know you are authorized to make the request
Repeat the above for all agreements listed on the Manage page in the Completed and In Progress categories
- The contacted companies have 30 days to act on your request to delete the content
Any agreements in the Waiting for you section should be declined:
- Open the agreement to sign
- Click the options in the upper-left corner
- Select I will not e-sign
- Provide a reason to decline, then click the Decline button
Once all open agreements are declined and the senders for completed agreements have been contacted, contact the Adobe Privacy Center and request that your user (email address) be deleted from the Acrobat Sign system.
Users on free and individual service plans have a registered email address, and should be able to log into their account to review the content at will.
If you have trouble logging in, click the I forgot my password link just under the login fields, and reset your password value.
Once you can log in to the service:
- Click the Account tab at the top of the window
- Click the Privacy option in the left rail
- This opens the page where you can use an email address to search for the content you have created using that email value
- Enter your own email address at the top and click Enter
- A list of all agreements you have created is returned
- Click each Completed agreement and download the PDF to review
- Delete all agreements that are no longer in effect by clicking the garbage can icon on the far right
- The user cannot be deleted until all Completed agreements have been deleted from the account
Click the Manage tab at the top of the window.
This page shows all the remaining Acrobat Sign content that has included your email address.
To have agreements sent by other users deleted, you must contact the original sender of the agreement.
Only the original sending account has the authority to review the agreement and delete it.
Note: Contracts that are still in legal effect are not required by GDPR to be deleted. This is determined by the original sending account Privacy Administrator.
To determine who the original sender is:
- Single-click one record on the Manage tab to select it (double-clicking will open the agreement)
- The right rail is exposed, giving access to the agreement metadata and actions
- Copy the email address at the top right of the window (next to From:)
- Send an email to the original document creator using their email, indicating that you want them to remove your information from their Acrobat Sign account.
- Be sure to send the email from the same address that the original agreement was sent to so they know you are authorized to make the request
- The contacted companies have 30 days to act on your request to delete the content
Repeat the above for all agreements listed on the Manage page in the Completed and In Progress categories
- If you created an agreement that is In Progress, cancel it.
- Decline any agreements in the Waiting for You category
Once all Signed agreements are deleted, contact the Adobe Privacy Center and request that your user (email address) be deleted from the Acrobat Sign system.
Users that are under the authority of an Account/Privacy Admin only need to contact their Admin and request to be deleted from the system.
The Privacy Admin has the authority to review your content/user, and delete all appropriate content.
Delete a user's information
Deleting a user from the Acrobat Sign server requires that you first have system authority over that userID. If the user is not in your account, you do not have any authority to delete them.
To determine if the user is under your authority:
- Navigate to the User interface: Account > User
- Click the Options icon (three lines on the far right)
- Select Show All Users
- Search for the email address of the user
If the email address is not found within the account, the message "No users available using current filter" displays on the screen.
If the user exists, you will have only one record (because email addresses are unique).
Privacy Admins can manage user's information and agreements by logging into the Admin Console and editing the user's profile.
Delete a user's agreements
Verify the email address is correct, and that you are about to delete the correct userID.
Once the userID is deleted, it is irrevocably gone.
- Single-click the user record to highlight it. This exposes the action links just above the user record
- If the user is in any status other than Inactive, click the Deactivate User link
- Only Inactive users can be deleted
- Click the Delete User Information link
Caution: The Delete User challenge opens, indicating the ramifications of what you are about to do.
Deleting a user will:
- Cancel any agreements that are currently in process initiated by this user
- Decline any agreements that are in process where the user is a recipient
- Disable any active web forms created by this user
- Prevent any integrations associated with this user from making any API calls
- Remove any saved Library Templates created by this user
- Delete any account shares to and from this user
- Just under the dire warnings, there are three options. Select the option that suits the situation and click Delete User Information (or Cancel if you are having second thoughts):
- Preserve agreements initiated by this user but remove user information including the resources above
- Select if the user has created agreements that are still valuable to the company
- Agreements are automatically shared to the account of the Admin deleting the user (See note below)
- Applies only to completed agreements
- You can delete these agreements later as needed
- Remove user information including resources above and all agreements initiated by this user
- Everything goes
- Don’t delete user information at this time
- The default option
Note: When the Preserve agreements option is selected:
- All completed content created by the userID is shared to the Admin account that deletes the user
- The email address of the deleted userID is preserved so it can properly be referenced by the history/audit report
- Because the email address is preserved, a new user cannot be created in the system with that same email value
- If a new userID must be created using the preserved email address, all shared content must be deleted first, or the user will not be allowed to be created (due to a duplicate email address in the system).
- One last challenge appears:
- Click Delete User Information if you are certain
- Else, click Cancel
A success message is delivered, indicating the userID is deleted from the database.
- No regrets... click OK
Delete a user's agreements
GDPR asserts that users (signers typically) have the right to have all records containing their personal information deleted from systems that no longer have a business need to retain it.
Within the context of Acrobat Sign, this means that the user must contact the company they have signed documents with to evaluate the documents in the system and delete them if appropriate.
A privacy admin must be nominated from the Account admins in the account, granting them the authority to view all agreements and delete them as needed.
The process to comply with GDPR is straightforward, and the decision to delete or retain the agreements rests solely with the privacy admin for the account.
To review and delete a user's content:
- Log in as a privacy admin for your account
- Navigate to Account > Privacy
- Type the email address of the requesting party into the top field and press Enter
- All agreements that have been created by users in your account, and that include the provided email address, are returned
- Single-click each record, and then click the Download Agreement link at the top of the agreement list
- Open the downloaded PDF, and review the content to assess if the contract is still in effect, or if you have some other valid reason to retain the agreement
- If there is no reason to retain the document, click the Delete (garbage can) icon on the far-right of the agreement record
- Deleting the agreement is absolute and irreversible
Note: GDPR does not require that you delete agreements that are still legally in effect.
- A challenge is issued to verify that you really want to delete the agreement
- Click Delete Agreement if you are very sure you want to delete the agreement
A Success message displays, indicating that the deletion is in process.
- It's too late now.... click OK
Note: All /agreements endpoints that have an agreement id path in v6 REST API now return a 404 AGREEMENT_DESTROYED error code if the agreement has been deleted via GDPR tools.
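An integration that keeps its own copies of agreements can treat this error code as the signal to purge them, while never deleting on an ambiguous 404. The sketch below is an added example, not Adobe's code and not part of the original article; the JSON error body with a "code" field, the agreement ids, the other error code, and the local store are assumptions constructed for illustration, and it goes slightly beyond the note by also sorting other responses into retry and review.

```python
import json

# Constructed sample responses keyed by placeholder agreement ids.
# Assumption: error bodies are JSON objects carrying a "code" field.
SAMPLE_RESPONSES = {
    "agr-001": (200, '{"id": "agr-001", "status": "SIGNED"}'),
    "agr-002": (404, '{"code": "AGREEMENT_DESTROYED", "message": "deleted"}'),
    "agr-003": (404, '{"code": "EXAMPLE_OTHER_ERROR", "message": "other"}'),
    "agr-004": (404, "<html>Not Found</html>"),  # e.g. a proxy error page
    "agr-005": (503, ""),
}


def classify(status, body):
    """Return 'keep', 'purge', 'retry' or 'investigate' for one response."""
    if 200 <= status < 300:
        return "keep"
    if status == 404:
        try:
            code = json.loads(body).get("code")
        except (ValueError, AttributeError):
            code = None  # not JSON, or JSON that is not an object
        # Only the explicit code proves a GDPR deletion; any other 404
        # (wrong id, wrong account, proxy error) must not trigger a purge.
        return "purge" if code == "AGREEMENT_DESTROYED" else "investigate"
    if status == 429 or status >= 500:
        return "retry"
    return "investigate"


def reconcile(local_copies, responses):
    """Remove local copies of agreements the service reports as destroyed.

    local_copies: dict of agreement id -> stored data (hypothetical store),
    modified in place. Returns (purged_ids, review_ids).
    """
    purged, review = [], []
    for agreement_id in sorted(local_copies):
        if agreement_id not in responses:
            continue  # not checked in this run; leave untouched
        action = classify(*responses[agreement_id])
        if action == "purge":
            del local_copies[agreement_id]
            purged.append(agreement_id)
        elif action == "investigate":
            review.append(agreement_id)
    return purged, review


if __name__ == "__main__":
    store = {agreement_id: b"local copy" for agreement_id in SAMPLE_RESPONSES}
    print(reconcile(store, SAMPLE_RESPONSES), sorted(store))
```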
Enable an admin as a privacy administrator
Access to the Privacy page is limited to Privacy Admins.
Only when the user is flagged as a Privacy Admin will they have access.
To enable Privacy admin:
- Log in as an Account admin
- Navigate to Account > Users
- Single-click the user you want to promote to privacy admin
- Select Edit from the menu above the user list
- When the user panel opens:
- Check the box at the bottom of the panel where it says User is a privacy administrator
- Click Save
Adobe Privacy Center
Any request for action that is not supported by the tools within the user interface, or questions regarding GDPR compliance, must be submitted to the Adobe Privacy Center.
Support and Success agents do not have access to the tools that delete content from the servers.