GDPR

On a general basis, data that we no longer need is erased after 3 years. Erasure takes place in different ways, depending on the type of data concerned. A summary of when we erase different types of data and which requirements apply to erasure is given below:

Notifications

We erase email and SMS notifications 3 years after the last time sending them was attempted.

Signature requests

We erase the signature request 3 years after the archiving requirement lapses. This means that if a sender creates a request today, it will take 40 days (or 50 years if the sender uses a long-term archive) before the actual document is deleted. Three years after this, we erase the request and associated data. The associated data is job events, queue for job changes, information about forwarding to the mailbox, notifications, signers and the actual request.

Availability to the signer

After a signature request has been completed, the signer will have access to the signed document from the service for usually up to 40 days. However, the sender of the request have some opportunities to delete the document earlier, if necessary. The reason for the limited availability for the signer is that we wish to avoid having to obtain approved terms from the signer, since this would complicate the signature flow. By making it possible to retrieve the request for some time after signing, we give those who did not realise they had to download it a chance to try again. The signer is free to download the document and store at their own discretion, and if possible, the signed document is also automatically forwarded to either Digipost or the signer’s chosen digital mailbox in DPI for permanent storage.

Users

Users can be deactivated online in the sender portal, by account managers in the relevant company, or by Norway Post and the Norwegian Digitalisation Agency via the administration portal. A deactivated user will be anonymized and erased according to the following rules:

  • Anonymization: A user is anonymized 3 years after deactivation.

  • Erasure: A user is erased 3 years after deactivation if the user is not connected to any signature request. Any such connection might be that the user has, for example, changed the signing deadline for a request, or that the user created the request.

Note that these events occur at the same time, but have different requirements that must be fulfilled. This means that the requests can run independently of each other, if the needs should change in the longer term.

Organizations

  • Deactivation: An organization can be deactivated with immediate effect. After deactivation, we retain the data for 3 months.

  • Erasure: The organization is erased after the organization has been deactivated for 3 months. This will delete all data associated with the organization.