
Two complementary regulations
In the digital transformation of companies, two European regulatory frameworks are decisive: the eIDAS Regulation (EU 910/2014) and the General Data Protection Regulation (EU 2016/679), known as the GDPR.
- The eIDAS Regulation defines how to sign and communicate electronically with legal validity.
- The GDPR regulates how to process personal data lawfully, securely, and transparently.
Both pursue the same goal: to generate trust in the digital environment.
Electronic signatures, especially in their simple or advanced form, act as a bridge between both frameworks, guaranteeing identity, integrity, and traceability in each consent or signed document.
Electronic signature as proof of informed consent
The GDPR requires that consent be:
- Free (without coercion or obligation).
- Specific (referring to a concrete purpose).
- Informed (the data subject knows what data is collected and for what purpose).
- Unambiguous (a clear and verifiable action of acceptance).
An electronic signature with technical traceability, such as that provided by eEvidSign from eEvidence, makes it possible to demonstrate each of these elements:
- Signer identification through email, IP, phone, or document verification.
- Temporal and technical record of the moment and method of acceptance.
- Complete preservation of the signed document, including its content and context.
- Verifiable evidence of the voluntary action of signing.
Thus, each electronic signature not only has legal validity, but also serves as proof of informed consent in accordance with the GDPR.
Data protection in signature processes
Any electronic signature process involves processing personal data, so appropriate security measures must be applied:
- Encryption of documents both in transit (TLS) and in storage.
- Cryptographic hash to guarantee content integrity.
- Access control restricted to signers and authorized controllers.
- Limited retention of evidence in accordance with data retention policies.
- Data subject rights (access, rectification, erasure, objection, etc.) clearly enabled.
In the case of eEvidence, these principles are applied at all stages, from document sending to verification of the evidence record, ensuring security and comprehensive compliance.
Responsibilities of the controller and the provider
The data controller (company or entity that requests the signature) must ensure that:
- There is a legal basis for collecting the signature (contract, consent, legal obligation, etc.).
- The electronic signature service provider acts as a data processor, offering guarantees of confidentiality and security.
- A data processing agreement is formalized in accordance with Article 28 of the GDPR.
As a trust service provider and data processor, eEvidence complies with these requirements through security and encryption protocols.
Best practices for GDPR compliance in electronic signatures
- Minimize data: request only the information strictly necessary for the signature process.
- Inform transparently about the processing and purpose of the data.
- Use secure platforms that guarantee traceability, encryption, and storage in the EU.
- Review retention periods for electronic evidence.
- Keep the data processing agreement with the signature provider up to date.
Conclusion
The electronic signature not only provides legal validity to a document; it also strengthens data protection and corporate responsibility.
Each signature registered with technical and legal guarantees constitutes proof of informed consent, in line with GDPR requirements.
With solutions such as eEvidSign from eEvidence, companies can sign securely and demonstrate, in any audit or claim, that consent was free, informed, and verifiable.
In the European digital environment, eIDAS certifies validity and GDPR protects privacy.
Electronic signatures unite both worlds, providing trust, evidence, and compliance.
