DISCLAIMER: This guide is intended to be a guideline and does NOT constitute legal advice. Seek the advice of your brand’s legal counsel to meet the requirements in the regions where you operate.
Based on the GDPR requirement to obtain user consent prior to storing data on the users device, some users may experience one or more requests to enable cookies:
- Users accessing Adobe Acrobat Sign from the locales enforcing GDPR are required to enable the core service cookies
- Performance and personal advertising cookies can be enabled or disabled by clicking the Customize button
- Cookies can be managed at any time by clicking the Cookie Performance link at the bottom right of all Acrobat Sign web pages:
- Accounts migrating to the adobesign.com domain (from echosign.com) have to configure their cookies twice, as each domain must place unique cookies
Įspėjimas:
|
What is GDPR?
The General Data Protection Regulation (GDPR) is the European Union's new privacy law that harmonizes and modernizes data protection requirements. While many new or enhanced requirements exist, the core underlying principles remain the same. The new rules have a broad definition of personal data and a wide reach, affecting any company that collects personal information of individuals in the EU. Part of the regulation requires that individuals have the right to understand what personal data has been collected and to have that data deleted upon request when appropriate.
For the purpose of this article, the term User refers to a member of a company that sends agreements for Signature. The term "Signer" refers to an individual who receives and either signs or rejects the agreement. A privacy administrator is an Acrobat Sign account administrator with unique controls for removing personal information from the service upon request of a sender or signer.
User uniqueness is predicated on the email address used to identify the individual. A person with multiple email addresses could have multiple discrete user IDs in the system. All GDPR controls in Acrobat Sign use email addresses to find and manage personal information. There is no connection between the unique email addresses, and an Administrator will only find data on the email address provided.
Features that support GDPR
Acrobat Sign offers features to help customers comply with GDPR. For more information on how Adobe protects your privacy, visit www.adobe.com/privacy.
Under GDPR, individuals have enhanced rights to request access, correction, and deletion of their personal information.
- Access – Most personal information about a User or a Signer can be accessed directly by that individual through Acrobat Sign UI. A small amount of activity information isn't currently available directly. An individual account holder must contact the Adobe Privacy office at Adobe.com/privacy to request access to this information. An example of the report is included later in this article.
- Correction – All personal information collected on users or signers is available through the user interface. If changes are required, the User or Signer can make them directly without contacting Adobe or their administrator.
- Deletion – Different actions are available depending on the role played in the signing ceremony. A User sending agreements must make the request to the company they are employed by. Adobe cannot participate in this interaction and does not control the data the employer has collected while doing business. The signing process collects minimal information about a signer during the ceremony. This includes Name, email address, IP address, and optionally, a phone number and OTP code. This information is stored with the agreement with their signature and is controlled by the company that sent the agreement. If a Signer needs information concerning the personal information collected with that agreement, they need to contact the Sender of the agreement. As a data processor, Adobe cannot provide any information to the Signer about the agreement or the company that sent them the agreement. Since the only information saved about the Signer is in the Agreement, deleting the Agreement deletes the Signer's personal information. If the Sender agrees to delete the Signer's information, they use the privacy menu to find and delete the agreements where the Signer was a participant.
In terms of the Acrobat Sign toolset, there are three features in place:
- User level logs - A log of the various events (that include personal information) triggered in the Acrobat Sign environment
- Agreement Deletion - Privacy Administrators have the authority to view and delete any agreement created by any user within their account.
- User Deletion - Privacy Administrators can delete any user within their account.
Privacy Admins can manage user's information and agreements by logging into the Admin Console and editing the user's profile.
User level logs
Any user can request the Adobe Privacy Center to provide the log of their activities in the Acrobat Sign system which includes their private information.
That information is returned in the form of a CSV containing the following:
- The date of the event
- The event type
- The IP address from which the event was triggered
Agreement Deletion
Applicable only to agreements sent by users under the authority of the Privacy Admin.
When a signer requests to have their information removed from the Acrobat Sign system, the account's Privacy Admin can search against the user's email address and return all the agreements that the email address participated in and was created within the admin's organization.
If the Privacy Admin determines that the agreement is no longer needed, he can delete it, wholly and irrevocably, from the service.
Recipients that contact Acrobat Sign will be directed to review their Manage tab and to contact the company that initially created the transaction to delete the agreement.
Acrobat Sign, as a data processor of the Customer, will never delete an agreement at the request of a recipient.
User Deletion
Applicable only to users under the authority of the Privacy Admin
When an employee requests their information to be deleted from your systems, this tool deletes all the user's information from the Acrobat Sign servers.
Users must make this request to the account Privacy Admin directly. Only the Privacy Admin has the authority to delete users.
Acrobat Sign support cannot delete users from an account, and if requested to do so, Support will refer the user to their account administrator.
Individual and free accounts
Users that exist as the only person in an account, or who only have a free account, will not be able to delete themselves. In this case, the user will need to contact the Adobe Privacy Center.
The user needs to provide their email address and explicit instruction to delete the user associated with the email address from the Acrobat Sign systems. The Adobe Privacy Center will then take the appropriate steps to ensure the user is deleted.
How users can request that their data be removed from Acrobat Sign
Having personal information deleted from the Acrobat Sign system requires that the user's assets be properly resolved. This process varies depending on the type of user or account involved, which can be grouped into three categories:
Signers are unique in that some other user created all of their agreements.
The first step in having your content deleted from the Acrobat Sign system is to register your email address and review the content that is associated with your email address.
You can register your email address here.
Once your email address is registered:
- Log in and select the Manage tab at the top of the window.
- Cycle through each filter in the left rail (Waiting for you, Completed, Canceled, and Expired) to find your agreements.
If there is no content on this page, contact the Adobe Privacy Center and request that your user (email address) be deleted from the Acrobat Sign system.
To have your agreement content deleted, you must contact the original sender of the agreement.
Only the original sending account can review the agreement and delete it.
Note: The original sending account Privacy Administrator determines when a contract can be deleted.
To determine who the original sender is:
- Select one record on the Manage tab with a single click (double-clicking will open the agreement).
- The right rail opens to expose the agreement metadata and actions.
- Copy the email address at the top right of the window (next to From: - highlighted in the image above).
- Send an email to the original document creator using their email, indicating that you want them to remove your information from their Acrobat Sign account.
- Be sure to send the email from the same address to which the original agreement was sent so they know you are authorized to make the request.
Repeat the above for all agreements listed on the Manage page in the Completed and In Progress categories.
The contacted companies have 30 days to act on your request to delete the content.
Any agreements in the Waiting for you section should be declined:
- Open the agreement to sign.
- Select the options in the upper-left corner.
- Select I will not e-sign.
- Provide a reason to decline, then select the Decline button.
Once all open agreements are declined and the senders for completed agreements have been contacted, contact the Adobe Privacy Center and request that your user (email address) be deleted from the Acrobat Sign system.
Free and individual service plans have a registered email address and should be able to log into their account to review the content at will.
If you have trouble logging in, select the I forgot my password link under the login fields and reset your password value.
Once you can log in to the service:
- Navigate to the Privacy tab in the admin menu.
- This opens the page where you can use an email address to search for the content you have created using that email value.
- Enter your own email address at the top and select Enter.
- A list of all agreements you have created is returned.
- Select each Completed agreement and download the PDF to review.
- Delete all agreements that are no longer in effect by selecting the garbage can icon on the far right.
- The user cannot be deleted until all Completed agreements have been deleted from the account.
Select the Manage tab at the top of the window.
This page shows all the remaining Acrobat Sign content that has included your email address.
To have agreements sent by other users deleted, you must contact the original sender of the agreement.
Only the original sending account can review the agreement and delete it.
Note: Contracts still in legal effect are not required by GDPR to be deleted. The original sending account Privacy Administrator determines this.
To determine who the original sender is:
- Select one record on the Manage (double-clicking will open the agreement).
- The right rail is exposed, giving access to the agreement metadata and actions.
- Copy the email address at the top right of the window (next to From: - highlighted in the image above).
- Send an email to the original document creator using their email, indicating that you want them to remove your information from their Acrobat Sign account.
- Be sure to send the email from the same address to which the original agreement was sent so they know you are authorized to make the request.
- Companies have 30 days to act on your request to delete the content.
Repeat the above for all agreements listed on the Manage page in the Completed and In Progress categories.
- If you created the agreement In Progress, Cancel it.
- Decline any agreements in the Waiting for You category.
Once all Signed agreements are deleted, contact the Adobe Privacy Center and request that your user (email address) be deleted from the Acrobat Sign system.
Users under the authority of a Privacy Administrator only need to contact their Admin and request to be deleted from the system.
The Privacy Admin can review your content and user and delete all appropriate content.
Adobe Privacy Center
Any request for action not supported by the tools within the user interface or questions regarding GDPR compliance must be submitted to the Adobe Privacy Center.
Support and Success agents cannot access the tools that delete content from the servers.