Data Protection Impact Assessments: Guide for Data Controllers using Zoho Sign

Try Zoho Sign


According to Article 35 under the General Data Protection Regulation (GDPR), a Data Protection Impact Assesment (DPIA) should be carried out by data controllers where data processing would be likely to result in a high risk to the rights and freedoms of data subjects. These assessments will help data controllers to understand the data processes, systems, technologies, and take the required measures to ensure data security and privacy of data subjects. 

Companies that fail to conduct a DPIA when mandated are breaching the GDPR and could face enormous fines of up to 4% of global annual revenue. This document will give data controllers information about Zoho Sign that will help them determine whether a DPIA is needed, and if so, what details must be considered.

We recommend you read Zoho's privacy policy first before reading further.

Article 35Relevant Information About Zoho Sign
A systematic and extensive evaluation of personal aspects relating to natural persons which are based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person

Zoho Sign may perform some automated processing of data for delivering intuitive reports that will help data controllers gain insights on the status of documents.

Additionally, Zoho Sign also offers REST APIs with which data controllers can customize the way they process data.

Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offenses referred to in Article 10Zoho Sign is not designed or built for processing special categories of personal data. However, a data controller could use the application to process the enumerated special categories of data. 
Systematic monitoring of a publicly accessible area on a large scaleZoho Sign is not designed or built to conduct such monitoring. However, a data controller could use Sign to process the data collected through such monitoring. 
Purpose(s) of processingThe purpose(s) of processing data using Zoho Sign is based on the intent of the controller who implements, configures, and uses it as required.
Categories of personal data processed
Customer Data

This is all data, including text, signatures, documents, roles, email addresses, phone numbers, image files, and other document fields that customers provide to Zoho Sign.

Log Data

Data that Zoho Sign generates to run the application, such as use or performance data. Most of these data contain pseudonymous identifiers generated by Zoho Sign.

Support Data

Data provided to Zoho Sign by customers to engage with Zoho technical experts and get online support services.

Apart from these data, Zoho Sign also collects administrator and billing data, subscription details, payment data, and contact information for providing effective services. Zoho as a data controller will process these data in its own capacity.

Data retention
Customer Data

Zoho Sign will retain deleted documents at the backend for 60 days. After the 60-day retention period, Zoho Sign will delete the data permanently.

We retain your information for as long as it is required for the purposes stated in our Privacy Policy

Location and transfers of personal dataPlease refer to our Privacy Policy.
Data sharing with third-party sub processorsPlease refer to our Privacy Policy.
Data sharing with independent third-partiesPlease refer to our Privacy Policy.
Data subject rightsPlease refer to our Privacy Policy.
An assessment of the risks to the rights and freedoms of data subjectsThe key risks to the rights and freedoms of data subjects with the use of Zoho Sign depends on how the data controller uses it. The data controller should be aware of the risk of unauthorized access or inadvertent disclosure.
Signature link reaching the hands of malicious insiders and hackersPossibleHighSigning link is sent only to recipient's email. However, users can configure authentication code/OTP for an additional level of security.
Email account of recipients getting hackedPossibleHighUsers can configure signer's authentication code to overcome situations like this.
Signing link being sent to the wrong recipientPossibleMediumUsers can use the recall option.
Signed documents reaching the hands of malicious insiders and hackersPossibleLowUsers can securely manage documents within Zoho Sign. Alternatively, they can also store them on cloud storage services.
Certificate of completion shared with the wrong person PossibleLowThe certificate of completion is sent only to the signers and recipients. 
Loss of users mobile/laptopPossibleLowWe recommend users configure TFA/MFA for their Zoho Sign mobile apps.

Disclaimer : Zoho Sign is not providing any legal advice in this document. This document is being provided for informational purposes only. We recommend you consult with your legal team to determine the need for any DPIAs related to the use of Zoho Sign.