Privacy statement of Schüco International KG regarding processing of data for electronic signatures provided via DocuSign
1. Processing of personal data
Schüco International KG (Schüco) uses SAP Signature Management by DocuSign (“DocuSign”) to sign contracts and documents electronically. The privacy of your personal data is important to us. On this page, we tell you about the personal data we collect from you when you provide an electronic signature via DocuSign and how we process those data. We also inform you of your rights under applicable data protection law and tell you who you can contact if you have questions about data protection.
Personal data are all data which concern you personally, such as your name, address or email address.
2. Data controller
The data controller in accordance with Article 4(7) of the General Data Protection Regulation (GDPR) is
Schüco International KG
Tel.: +49 (0)521 783-0
Contact details for our data protection officer:
Schüco International KG
If you have any questions or comments concerning data protection, you can send an email to:
3. Your rights
(1) You have the following rights regarding your personal data:
a) right of access
b) right to rectification
c) right to erasure (‘right to be forgotten’)
d) right to restriction of processing
e) right to data portability
f) right to object to processing
g) right to withdraw consent
(2) You also have the right to complain to a data protection supervisory authority regarding the processing of your personal data by us.
4. Scope and purpose of processing
(1) To ensure that signatures are legally compliant and contracts are validly concluded, and in order to document this, the following data – depending on the form of signature used – will be processed when you use DocuSign:
- name, user name, email address, telephone number and postal address of the parties involved
- data documenting activities and status changes, including date and time (e.g. sending, signature, rejection, forwarding or cancellation)
- signature type and authentication method used
- transaction metadata, document history and subject line
- system information such as IP addresses as well as other online identifiers and location data
(2) Document contents are encrypted and cannot be accessed by the providers of DocuSign. This means that any personal data contained in documents for signature can be accessed by the other parties to those documents only.
(3) Further information on what data are processed when a transaction is carried out via DocuSign and about data protection at DocuSign is available from https://www.docusign.de/de-de/datenschutzerklaerung/datenschutz/.
5. Place of processing and transfer to third countries
(1) As a rule, personal data collected when you use the SAP Signature Management by DocuSign service are processed and stored on servers in the EU.
The DocuSign service is operated by DocuSign, Inc., 221 Main Street, Suite 1000, San Francisco, CA 94105, United States.
(2) To provide the DocuSign service, personal data may be processed by processors based in the USA (e.g. in connection with support services or the transfer of transaction data).
(3) Please note that the USA is not a secure third country for the purposes of EU data protection law. US companies may be required to disclose personal data to security agencies with no recourse to the courts for you as data subject. Therefore, it is possible that data concerning you held on servers in the US will be processed, analysed and permanently stored by US authorities (e.g. intelligence services) for surveillance purposes. We have no influence on these processing activities.
(4) DocuSign provides the appropriate safeguards for transfer required under Article 46(1) of the GDPR in the form of officially approved binding corporate rules (BCR) in accordance with Article 46(2)(b) in conjunction with Article 47 of the GDPR. DocuSign’s current binding corporate rules can be found at https://www.docusign.com/trust/privacy/binding-corporate-rules
6. Erasure and blocking of personal data
(1) Your data will be erased from our systems as soon as they are no longer required for the purpose for which they were obtained. Your data must also be erased if it is unlawful to store them (e.g. if they are inaccurate but rectification is not possible).
(2) Data will be blocked rather than erased if there are legal or factual obstacles to their erasure. The relevant contractual and/or statutory retention periods for the signed document, particularly under commercial and tax law, must also be observed.
(3) All data processed by DocuSign’s systems will be automatically erased 60 days after completion of the document.
7. Sharing of data with third parties
(1) As a rule, data you provide to us will not be shared with third parties. In particular, your data will not be shared with third parties for the purposes of marketing by those third parties.
(2) However, we may use service providers, e.g. for technical maintenance services or for services ensuring the functionality of the electronic signature. We take great care when selecting and engaging these providers; they are bound by our instructions and are regularly checked.
(3) Similarly, DocuSign, the provider of the e-signature solution, is our processor, and the agreement required under Article 28 of the GDPR has been entered into.
8. Legal basis for data processing
(1) Use of DocuSign serves Schüco’s legitimate interest in formally simplifying and accelerating the process of providing a legally valid signature on documents by using electronic signatures. As such, the legal basis for the initial processing of your personal data is Article 6(1)(f) GDPR.
(2) By signing a contract electronically via DocuSign, you consent to electronic signature via DocuSign. In this case, the legal basis for processing is your consent under Article 6(1)(a) GDPR. Use of DocuSign is not mandatory and you can continue to sign documents in the conventional way.
(3) Documents signed via DocuSign are frequently used as the basis for the supply of goods or other contractual performance or consideration. Any further processing required is based on Article 6(1)(b) GDPR.
Last updated: August 2022