GDPR

On a general basis, data that we no longer need is erased after 3 years. Erasure takes place in different ways, depending on the type of data concerned. A summary of when we erase different types of data and which requirements apply to erasure is given below:

Notifications

We erase email and SMS notifications 3 years after the last time sending them was attempted.

Signature requests

We erase the signature request 3 years after the archiving requirement lapses. This means that if a sender creates a request today, it will take 40 days (or 50 years if the sender uses a long-term archive) before the actual document is deleted. Three years after this, we erase the request and associated data. The associated data is job events, queue for job changes, information about forwarding to the mailbox, notifications, signers and the actual request.

Availability to the signer

The request is available to the signer for 24 hours after signing. The reason this is not 40 days or 50 years is that we must not need to obtain approved terms from the signer, since this would complicate the signature flow. By making it possible to retrieve the request for some time after signing, we give those who did not realise they had to download it a chance to try again.

Users

Users can be deactivated online in the sender portal, by account managers in the relevant company, or by Norway Post and the Norwegian Digitalisation Agency via the administration portal. A deactivated user will be anonymized and erased according to the following rules:

  • Anonymization: A user is anonymized 3 years after deactivation.
  • Erasure: A user is erased 3 years after deactivation if the user is not connected to any signature request. Any such connection might be that the user has, for example, changed the signing deadline for a request, or that the user created the request.

Note that these events occur at the same time, but have different requirements that must be fulfilled. This means that the requests can run independently of each other, if the needs should change in the longer term.

Organizations

  • Deactivation: An organization can be deactivated with immediate effect. After deactivation, we retain the data for 3 months.
  • Erasure: The organization is erased after the organization has been deactivated for 3 months. This will delete all data associated with the organization.