Adobe Sign fully supports the General Data Protection Regulation (GDPR) for all users.
Note:
The below article provides instructions for the classic page layout.
Click here to review the same process for the new page format.
DISCLAIMER: This guide is intended to be a guideline and does NOT constitute legal advice. Please seek the advice of your brand’s legal counsel for meeting the requirements in the regions where you operate.

What is GDPR?

The General Data Protection Regulation (GDPR) is the European Union’s new privacy law that harmonizes and modernizes data protection requirements. While there are many new or enhanced requirements, the core underlying principles remain the same. The new rules have a broad definition of personal data and a wide reach, affecting any company that collects personal information of individuals in the EU. Part of the regulation requires that individuals have the right to understand what personal data has been collected, and to have that data deleted upon request, when appropriate.

For the purpose of this article, the term User refers to a member of a company that sends agreements for Signature.  The term Signer refers to an individual that receives and either signs or rejects the agreement.  A privacy administrator is an Adobe Sign account administrator with special controls for removing personal information from the service upon request of a Sender or signer.

User uniqueness is predicated on the email address used to identify the individual. A person that has multiple email addresses could have multiple discrete user IDs in the system. All GDPR controls in Adobe Sign use email address to find and manage personal information.  There is no connection between the unique email addresses and an Administrator will only find data on the email address provided.


Features that support GDPR

Adobe Sign offers features to help customers comply with GDPR. For more information on how Adobe protects your privacy, visit www.adobe.com/privacy.

Under GDPR, individuals have enhanced rights to request access, correction, and deletion of their personal information.

  • Access – Most personal information about a User or a Signer can be accessed directly by that individual through Adobe Sign UI.  There is a small amount of activity information that is not currently available directly.  An individual account holder will need to contact the Adobe Privacy office at Adobe.com/privacy to request access to this information.  An example of the report is included later in this article.
  • Correction – All of the personal information that is collected on users or signers is available through the user interface.  If changes are required, the User or Signer can make the changes directly without contacting Adobe or their administrator.
  • Deletion – There are different actions depending on the role played in the signing ceremony.  A User sending agreements must make the request to the company they are employed by.  Adobe cannot participate in this interaction and does not control the data the employer has collected in the course of doing business.  The signing process collects the minimal amount of information about a signer during the ceremony.  This includes Name, email address, IP address and, optionally, phone number and OTP code.  This information is stored with the agreement with their signature and is controlled by the company that sent the agreement.  If a Signer needs information concerning the personal information collected with that agreement, they need to contact the Sender of the agreement.  Adobe, as a data processor, cannot provide any information to the Signer about the agreement or the company that sent them the agreement. Since the only information saved about the Signer is in the Agreement, deleting the Agreement deletes the Signer’s personal information.  If the Sender agrees to delete the Signer’s information, they use the privacy menu to find and delete the agreements where the Signer was a participant.

In terms of the Adobe Sign toolset, there are three features in place:

  • User level logs - A log of the various events (that include personal information) triggered in the Adobe Sign environment
  • Agreement Deletion - Privacy Administrators have authority to view and delete any agreement created by any user within their account.
  • User Deletion - Privacy Administrators have the authority to delete any user within their account.

 


User level logs

Any user can make a request to the Adobe Privacy Center to provide the log of their activities in the Adobe Sign system that include private information.

That information is returned in the form of a CSV containing:

  • The date of the event
  • The event type
  • The IP address from which the event was triggered
example_user_privacydata


Agreement Deletion

Applicable only to agreements sent by users under the authority of the Privacy Admin.

When a Signer makes a request to have their information removed from the Adobe Sign system, the account Privacy Admin can search against the user's email address, and return all the agreements that email address participated in and that were created in the Admin’s account.

If the Privacy Admin determines that the agreement is no longer needed, he can delete it, wholly and irrevocably, from the service.

Recipients that contact Adobe Sign will be directed to review their Manage tab, and contact the company that originally created the transaction for the purpose of deleting the agreement.

Adobe Sign, as a data processor of the Customer, will never delete an agreement at the request of a recipient.

delete_agreements


User Deletion

Applicable only to users under the authority of the Privacy Admin

When an employee requests their information to be deleted from your systems, this tool completely deletes all the user's Information from the Adobe Sign servers. 

Users must make this request to the account Privacy Admin directly. Only the Privacy Admin has the authority to delete users.

Adobe Sign support cannot delete users from an account, and if requested to do so, will refer the user to the account admin.

delete_user_link

Note:

Individual and free accounts

Users that exist as the only person in an account, or that only have a free account, will not be able to delete themselves. In this case, the user will need to contact the Adobe Privacy Center.

The user needs to provide their email address and an explicit instruction to delete the user associated with the email address from the Adobe Sign systems. The Adobe Privacy Center will then take the appropriate steps to ensure the user is deleted.


How users can request that their data be removed from Adobe Sign

Having personal information deleted from the Adobe Sign system requires that the assets of the user be properly resolved.  This process varies depending on the type of user/account involved, which can be grouped into four categories:

Signers - Users that have never registered their email address with Adobe Sign

Signers are unique in that all of their agreements were created by some other user.

The first step in having your content deleted from the Adobe Sign system is to register your email address and review the content that is associated with your email address.

You can register your email address here: https://secure.na1.echosign.com/public/registerAccount

 

Once your email address is registered, log in and click the Manage tab at the top of the window.

This page shows all of the Adobe Sign content that has included your email address.

If there is no content on this page, contact the Adobe Privacy Center and request that your user (email address) be deleted from the Adobe Sign system.

free_user_-_managetab

 

To have your agreement content deleted, you must contact the original sender of the agreement.

Only the original sending account has the authority to review the agreement and delete it.

Note: The original sending account Privacy Administrator determines when a contract can be deleted.

 

To determine who the original sender is:

  • Single-click one record on the Manage tab to select it (double-clicking will open the agreement)
    • An image of the agreement appears in the panel to the right
  • Click the History tab to the right of the image to open the agreement history
    • The first record in the History report is Document Created. The email address of the party that created the agreement is listed just under that
  • Copy the email address
  • Send an email to the original document creator using their email, indicating that you want them to remove your information from their Adobe Sign account.
    • Be sure to send the email from the same address that the original agreement was sent to so they know you are authorized to make the request

Repeat the above for all agreements listed on the Manage page in the Signed and Out for Signature categories

  • The contacted companies have 30 days to act on your request to delete the content
free_user_-_signeddocumenthistory

 

Decline any agreements in the Waiting for Me to Sign category

decline_agreement

When an agreement is deleted from the system, it is removed from your Manage tab view.

Once all Signed agreements are deleted, contact the Adobe Privacy Center and request that your user (email address) be deleted from the Adobe Sign system.

Free and individual service plans - Registered users that don't have another Administrator

Free and individual service plans have a registered email address, and should be able to log into their account to review the content at-will.

If you have trouble logging in, click the I forgot my password link just under the login fields, and reset your password value.

i_forgot_my_password

 

Once you can log in to the service:

  • Click the Account tab at the top of the window
  • Click the Privacy option in the left rail
    • This opens the page where you can use an email address to search for the content you have created using that email value
  • Enter your own email address at the top and click Enter
    • A list of all agreements you have created is returned
  • Click each Signed agreement and download the PDF to review
  • Delete all agreements that are no longer in effect by clicking the garbage can icon on the far right
    • The user cannot be deleted until all Signed agreements have been deleted from the account
delete_your_own_agreements

 

Click the Manage tab at the top of the window.

This page shows all the remaining Adobe Sign content that has included your email address.

pro_user_-_managetab

 

To have agreements sent by other users deleted, you must contact the original sender of the agreement.

Only the original sending account has the authority to review the agreement and delete it.

Note: Contracts that are still in legal effect are not required by GDPR to be deleted. This is determined by the original sending account Privacy Administrator.

 

To determine who the original sender is:

  • Single-click one record on the Manage tab to select it (double-clicking will open the agreement)
    • An image of the agreement appears in the panel to the right
  • Click the History tab to the right of the image to open the agreement history
    • The first record in the History report is Document Created. The email address of the party that created the agreement is listed just under that
  • Copy the email address
  • Send an email to the original document creator using their email, indicating that you want them to remove your information from their Adobe Sign account.
    • Be sure to send the email from the same address that the original agreement was sent to so they know you are authorized to make the request

Repeat the above for all agreements listed on the Manage page in the Signed and Out for Signature categories

  • If you created the agreement in Out for Signature, Cancel it.

The contacted companies have 30 days to act on your request to delete the content

pro_user_-_signeddocumenthistory

 

Decline any agreements in the Waiting for Me to Sign category

pro_user_-_declineagreement

When an agreement is deleted from the system, it is removed from your Manage tab view.

Once all Signed agreements are deleted, contact the Adobe Privacy Center and request that your user (email address) be deleted from the Adobe Sign system.

Multi-licensed accounts - Users that are under the authority of another user (Administrator)

Users that are under the authority of an Account/Privacy Admin only need to contact their Admin and request to be deleted from the system.

The Privacy Admin has the authority to review your content/user, and delete all appropriate content.


Delete a user's information

Deleting a user from the Adobe Sign server requires that you first have system authority over that userID. If the user is not in your account, you do not have any authority to delete them.

To determine if the user is under your authority:

  1. Navigate to the User interface: Account > User

  2. Click the Options icon (three lines on the far right)

  3. Select Show All Users

  4. Search for the email address of the user

    navigate_to_users

    If the email address is not found within the account, No users available using current filter displays on the screen.

    user_not_found

    If the user exists, you will have only one record (because email addresses are unique).


Delete a user's agreements

Verify the email address is correct, and that you are about to delete the correct userID. 

Once the userID is deleted, it is irrevocably gone.

  1. Single click the user record to highlight it. This exposes the action links just above the user record

  2. If the user is in any status other than Inactive, click the Deactivate User link

    • Only Inactive users can be deleted
  3. Click the Delete User Information link

    delete_the_user

    Caution:

    The Delete User challenge opens, indicating the ramifications of what you are about to do.

    Deleting a user will:

    • Cancel any agreements that are currently in process initiated by this user
    • Decline any agreements that are in process where the user is a recipient
    • Disable any active web forms created by this user
    • Prevent any integrations associated with this user from making any API calls
    • Remove any saved Library Templates created by this user
    • Delete any account shares to and from this user

  4. Just under the dire warnings, there are three options.

    Select the option that suits the situation and click Delete User Information (or Cancel if you are having second thoughts):

    • Preserve agreements initiated by this user but remove user information including the resources above
      • Select if the user has created agreements that are still valuable to the company
        • Agreements are automatically shared to the account of the Admin deleting the user (See note below)
      • Applies only to completed agreements
      • You can delete these agreements later as needed
    • Remove user information including resources above and all agreements initiated by this user
      • Everything goes
    • Don’t delete user information at this time 
      • The default option
    delete_user_challenge

    Note:

    When the Preserve agreements option is selected:

    • All completed content created by the userID is shared to the Admin account that deletes the user
    • The email address of the deleted userID is preserved so it can properly be referenced by the history/audit report
    • Because the email address is preserved, a new user can not be created in the system with that same email value
    • If a new userID must be created using the preserved email address, all shared content must be deleted first, or the user will not be allowed to be created (due to a duplicate email address in the system).

  5. One last challenge appears:

    • Click Delete User Information if you are certain
      • Else, click Cancel
    delete_user_challenge-part2

    A success message is delivered, indicating the userID is deleted from the database.

    • No regrets... click OK


Delete a user's agreements

GDPR asserts that users (signers typically) have the right to have all records containing their personal information deleted from systems that no longer have a business need to retain it.

Within the context of Adobe Sign, this means that the user must contact the company they have signed documents with to evaluate the documents in the system and delete them if appropriate.

A privacy admin must be nominated from the Account admins in the account, granting them the authority to view all agreements and delete them as needed.

The process to comply with GDPR is straightforward, and the decision to delete or retain the agreements rests solely with the privacy admin for the account.

 

To review and delete a users content:

  1. Log in as a privacy admin for your account

  2. Navigate to Account > Privacy

  3. Type the email address of the requesting party into the top field and press Enter

  4. All agreements that have been created by users in your account, and that include the provided email address, are returned

    delete_agreements
  5. Single click each record, and then click the Download Agreement link at the top of the agreement list

    • Open the downloaded PDF, and review the content to assess if the contract is still in effect, or if you have some other valid reason to retain the agreement
    • If there is no reason to retain the document, click the Delete (garbage can) icon on the far-right of the agreement record
      • Deleting the agreement is absolute and irreversible

    Note:

    GDPR does not require that you delete agreements that are still legally in effect.

  6. A challenge is issued to verify that you really want to delete the agreement

    • Click Delete Agreement if you are very sure you want to delete the agreement
    delete_agreementchallenge

    A Success message displays, indicating that the deletion is in process.

    • It's too late now.... click OK


Enable an admin as a privacy administrator

Access to the Privacy page is limited to Privacy Admins. 

Only when the user is flagged as a Privacy Admin will they have access.


To enable Privacy admin:

  1. Log in as an Account admin

  2. Navigate to Account > Users

  3. Single click the user you want to promote to privacy admin

  4. Select Edit from the menu above the user list

    navigate_to_users
  5. When the user panel opens:

    • Check the box at the bottom of the panel where it says User is a privacy administrator
    • Click Save


Adobe Privacy Center

Any request for action that is not supported by the tools within the user interface, or questions regarding GDPR compliance, must be submitted to the Adobe Privacy Center.

Support and Success agents do not have access to the tools that delete content from the servers.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy