e-Boks Privacy Policy
Privacy Policy
- e-Boks as data controller
- Categories of data subjects, types of personal data, purposes, and lawfulness of processing
- Recipients or categories of recipients
- Transfer to recipients in third countries, including international organisations
- Storage of your personal data
- Your rights
- Changes to Privacy Policy
1. e-Boks as data controller
This Privacy Policy explains how e-Boks, as data controller, processes personal data about you as
- a private end-user who has a digital mailbox and receives digital messages (‘Private End-User’);
- an employee of an enterprise which has a digital mailbox and receives digital messages (‘End-User Enterprise’);
- an employee of an enterprise or authority which sends mail to Private End-Users and/or End-User Enterprises (‘Sender Customers’);
- a recipient of newsletters, or a participant in a webinar;
- a participant in an event;
- a participant in a user survey;
- a contact working for one of e-Boks’s partners.
Please note that e-Boks is not the data controller for the content of the digital mailbox, including messages from/to Private End-Users or End-User Enterprises. e-Boks is therefore not the data controller of personal data processed, stored, and displayed in the digital mailbox. e-Boks is thus solely the data controller for data connected with the administration of the digital mailbox, including, for example, login details and data about activities in your digital mailbox – see the description below.
1.1 Content of the digital mailbox of enterprises
As an end-user, the enterprise is the data controller of the personal data processed and stored in its digital mailbox, and e-Boks is the data processor for the enterprise. e-Boks acts under instructions from the enterprise, and the relationship is governed by Article 28 of the General Data Protection Regulation, including the terms of use for enterprises. If, as an enterprise, you have questions about the content of your digital mailbox, you can contact the sender, for example a public authority or an enterprise that has sent you the messages.
1.2 Content of the digital mailbox of private individuals
The content, i.e. the messages, of a private end-user’s digital mailbox is not covered by the General Data Protection Regulation, as the data are processed as part of the private end-user’s purely personal activities. e-Boks is therefore neither the data controller nor the data processor for the processing of personal data in messages in Private End-Users’ digital mailboxes. The relationship between e-Boks and a private end-user is governed by the terms of use for the private end-user. If, as a private end-user, you have questions about the content of your digital mailbox, you can contact the sender, for example a public authority or an enterprise that has sent you the messages.
1.3 How do you contact us?
You are always welcome to contact us or our Data Protection Officer if you have any questions about how we process your personal data, or if you wish to exercise one of your rights.
e-Boks’ contact details are as follows:
e-Boks Nordic A/S
Hans Bekkevolds Allé 7
DK-2900 Hellerup
CVR no.: 25674154
Tel.: +45 70 21 24 00
If you have any questions about our processing of your personal data, you can also contact our Data Protection Officer (DPO) by email DPO-team@e-boks.dk or telephone +45 70 21 24 00.
2. Categories of data subjects, types of personal data, purposes, and lawfulness of processing
2.1 Private End-Users
In relation to the actual administration of the digital mailbox and the commercial viewing client, e-Boks, as data controller, processes a number of ordinary personal data about you such as:
- Login details;
- Data that you have yourself entered etc. in our systems, for example payment details and data in connection with requests for support assistance;
- Data on your communication with e-Boks;
- Data on activities in your digital mailbox;
- Contact details, including name, email address, address;
- Other identification data, including civil registration number, and
- Data on the operating system of your computer and your mobile device, including the chosen browser and IP address.
e-Boks processes your personal data as part of its activities, including:
- To be able to make e-Boks’ services/products available;
- For administrative purposes, including communication with Sender Customers, end-users and other stakeholders etc.;
- To be able to provide support assistance;
- For anonymised statistics and analysis;
- For product development and improvement of e-Boks’ services.
e-Boks processes your personal data based on the following lawfulness of processing:
- We process your civil registration number on the basis of your prior consent, see section 12(2) para (2) of the Danish Data Protection Act (Databeskyttelsesloven), see Article 7 of the General Data Protection Regulation, for Norwegian end-users see section 12 of the Norwegian Data Protection Act (Personopplysningsloven), see Article 6(1)(a) of the General Data Protection Regulation, for Swedish end-users see section 10 of the Swedish Data Protection Act (Dataskyddslagen), see Article 6(1)(a) of the General Data Protection Regulation as this is necessary for our administration of your digital mailbox, including to enable us to ensure that you receive your mail.
- When you registered with e-Boks, you accepted our terms of use, and our processing of your personal data is therefore also necessary to enable us to perform our contract with you, see Article 6(1)(b) of the General Data Protection Regulation. This applies to, among other data, your login details, user number, digital signature, data that you have yourself entered in our systems, identification and contact details, data about communication in your e-Boks and activities in your digital mailbox.
- In specific circumstances, we may process data to pursue a legitimate interest, see Article 6(1)(f) of the General Data Protection Regulation. The legitimate interests that justify the processing may include improvement of our services, responding to your enquiries or the like.
2.2 Contacts/employees in enterprises which have a digital mailbox (End-User Enterprises)
e-Boks processes a number of ordinary personal data about you such as:
- Name;
- Information about who your employer is (the enterprise which has a digital mailbox);
- Contact details, including email address and telephone number;
- Data on activities in the enterprise’s digital mailbox;
- Login details;
- Data on the operating system of your computer and your mobile device, including the chosen browser and IP address.
e-Boks processes your personal data as part of its activities, including:
- To be able to make e-Boks’ services/products available to your employer;
- For administrative purposes, including communication with your employer;
- To be able to provide support assistance;
- For anonymised statistics and analysis;
- For product development and improvement of e-Boks’ services.
e-Boks processes your personal data based on the following lawfulness of processing:
- If you are a contact in an enterprise that is a customer with us, we process your contact details to pursue our legitimate interest in being able to perform our contract with the company in which you are employed, including for the purpose of making our services available, administrative purposes connected with this, support, and improvement of e-Boks’ services, see Article 6(1)(f) of the General Data Protection Regulation.
- In certain cases, the processing of your personal data is necessary for compliance with a legal obligation imposed on e-Boks, for example in connection with storage of accounting records in accordance with the Danish Bookkeeping Act (Bogføringsloven). In such cases, lawfulness of processing is based on Article 6(1)(c) of the General Data Protection Regulation.
2.3 Contacts/employees working for Sender Customers
e-Boks processes a number of ordinary personal data about you as an employee with an enterprise or authority which sends mail to Private End-Users and/or End-User Enterprises such as:
- Name;
- Information about who your employer is (the enterprise/authority sending the mail);
- Contact details, including email address and telephone number.
e-Boks processes your personal data as part of its activities, including:
- To be able to make e-Boks’ services/products available to your employer;
- For administrative purposes, including communication with your employer;
- To be able to provide support assistance.
e-Boks processes your personal data based on the following lawfulness of processing:
- If you are a contact in an enterprise/authority which sends mail via our services, we process your contact details to pursue our legitimate interest in being able to perform our contract with the enterprise/authority in which you are employed, including for the purpose of making our services available, administrative purposes connected with this and support, see Article 6(1)(f) of the General Data Protection Regulation.
- In certain cases, the processing of your personal data is necessary for compliance with a legal obligation imposed on e-Boks, for example in connection with storage of accounting records in accordance with the Danish Bookkeeping Act. In such cases, lawfulness of processing is based on Article 6(1)(c) of the General Data Protection Regulation.
2.4 Recipients of newsletters and participants in webinars
If you have signed up for our newsletters, we process the following personal data about you to be able to send you newsletters:
- Name;
- Email address.
If you receive our newsletter, we also process the following personal data about you to be able to send you newsletters:
Information about the industry/sector in which you are employed.
e-Boks processes your personal data based on the following lawfulness of processing:
- Your consent, see Article 6(1)(a) of the General Data Protection Regulation in conjunction with section 10(1) of the Danish Marketing Practices Act (Markedsføringsloven), for Norwegian recipients in conjunction with the Norwegian Marketing Control Act (Markedsføringsloven) section 15(1), for Swedish recipients in conjunction with the Swedish Marketing Act (Marknadsföringslagen) section 19(1).
If you have signed up for a webinar, e-Boks processes the following personal data about you in order to manage and follow up on the webinar, including to market our own and our partners’ products and services:
- Name;
- Email address;
- Information about your employer;
- Information about your job level;
- Information about which webinar(s) you have participated in.
e-Boks processes your personal data based on the following lawfulness of processing:
- Your consent, see Article 6(1)(a) of the General Data Protection Regulation in conjunction with section 10(1) of the Danish Marketing Practices Act for Norwegian recipients in conjunction with the Norwegian Marketing Control Act (Markedsføringsloven) section 15(1), for Swedish recipients in conjunction with the Swedish Marketing Act (Marknadsföringslagen) section 19(1).
2.5 Participants in events
If you are to participate in one of our events, e-Boks processes the following personal data about you in order to manage and follow up on the event, including to market our own and our partners’ products and services:
- Name;
- Email address;
- Information about your employer;
- Information about your job level;
- Information about which event(s) you have participated in.
e-Boks processes your personal data based on the following lawfulness of processing:
- Your consent, see Article 6(1)(a) of the General Data Protection Regulation in conjunction with section 10(1) of the Danish Marketing Practices Act for Norwegian recipients in conjunction with the Norwegian Marketing Control Act (Markedsføringsloven) section 15(1), for Swedish recipients in conjunction with the Swedish Marketing Act (Marknadsföringslagen) section 19(1).
2.6 Participants in user surveys
If you agree to participate in a user survey, we register the following personal data about you in order to conduct the survey and ultimately develop and optimise our products and services:
- Name;
- Email address;
- Information about your employer;
- Information about your job level;
- Information about whether you are a user of e-Boks’ products and services and, if so, which;
- Your responses and feedback in the user survey, which vary depending on the specific user survey and its purpose.
e-Boks processes your personal data based on the following lawfulness of processing:
- e-Boks’ legitimate interest in conducting satisfaction surveys and developing and optimising products and services, see Article 6(1)(f) of the General Data Protection Regulation. If this is specifically necessary to conduct the survey, e-Boks will obtain your consent, see Article 6(1)(a) of the General Data Protection Regulation.
2.7 Contacts working for partners
If you are a contact working for one of our suppliers, business contacts or other partners, e-Boks processes the following personal data about you when you communicate with us, for example in connection with e-Boks’ contractual relationship with the enterprise or authority in which you are employed, in connection with the conclusion or termination of a contract, or if you use our online contact form to communicate with us on behalf of the enterprise or authority in which you are employed:
- Name;
- Information about who your employer is;
- Contact details, including email address and telephone number;
- Job title;
- Workplace.
e-Boks processes personal data about you as part of our activities, including:
- To be able to make e-Boks’ services/products available to your employer;
- For administrative purposes, including communication with your employer about the collaboration or the conclusion or termination of a collaboration.
e-Boks processes personal data about you based on the following lawfulness of processing:
- If you are a contact working for partner or potential future partner, we process your contact details to pursue our legitimate interest in being able to communicate with our partner, including about the conclusion of a contract and the performance of the contract, see Article 6(1)(f) of the General Data Protection Regulation. The legitimate interests pursued by e-Boks are the performance of our contractual obligations, retention and strengthening of our collaborative relationship, invoicing of the services that the enterprise/authority with which you are employed provide and vice versa, as well as for documentation purposes.
- In certain cases, the processing of your personal data is necessary for compliance with a legal obligation imposed on e-Boks, for example in connection with storage of accounting records in accordance with the Danish Bookkeeping Act. In such cases, Article 6(1)(c) of the General Data Protection Regulation provides the lawfulness of processing.
3. Recipients or categories of recipients
e-Boks treats your personal data as confidential, but we may disclose them to the following third parties:
- Affiliated companies;
- Registered sender authorities and enterprises;
- e-Boks’s partners, for example where this is necessary to make an e-Boks Plus service available to you or to send you marketing material about products and services.
Such disclosure will always be done in compliance with applicable law, and the recipients have a legal obligation to process your personal data securely and confidentially.
Disclosure of data to affiliated companies is done on the basis of our legitimate interest in being able to share such data internally in the group and always only when it is assessed to be specifically necessary, see Article 6(1)(f) of the General Data Protection Regulation.
We disclose your personal data to registered sender authorities and enterprises, as this is necessary for the performance of our contract with you to provide our services to you, see Article 6(1)(b) of the General Data Protection Regulation.
Disclosure of data to partners for the purpose of providing an e-Boks Plus service is done based on your consent, see Article 6(1)(a) of the General Data Protection Regulation or (if the disclosure concerns a civil registration number) section 11(2) para (2) of the Danish Data Protection Act, see Article 7 of the General Data Protection Regulation, for Norwegian end-users see section 12 of the Norwegian Data Protection Act (Personopplysningsloven), see Article 6(1)(a) of the General Data Protection Regulation, for Swedish end-users see section 10 of the Swedish Data Protection Act (Dataskyddslagen), see Article 6(1)(a) of the General Data Protection Regulation. Disclosure of data to partners for marketing purposes, for example as follow-up on a webinar or event, is likewise based on your consent, see Article 6(1)(a) of the General Data Protection Regulation in conjunction with section 10(1) of the Danish Marketing Practices Act, for Norwegian recipients in conjunction with the Norwegian Marketing Control Act (Markedsføringsloven) section 15(1), for Swedish recipients in conjunction with the Swedish Marketing Act (Marknadsföringslagen) section 19(1). You will always be informed about the data to be disclosed before you grant your consent to the disclosure.
In certain situations, e-Boks may be required by law enforcement authorities to disclose personal data concerning Private End-Users. Such disclosure will be done for the purpose of compliance with a legal obligation under Article 6(1)(c).
We also disclose your personal data to IT suppliers and third parties which process your data on our behalf (data processors), including, for example, in connection with hosting and sending newsletters. These parties process your personal data according to our instructions, which means that they cannot process your personal data for their own purposes.
4. Transfer to recipients in third countries, including international organisations
Your personal data may be transferred to third countries, i.e. countries outside the EU/EEA, for example in connection with use of data processors located in a third country or which use sub-processors located in a third country. If we transfer your personal data to recipients in third countries, we will ensure in advance that the data are transferred in accordance with the data protection legislation in force at any given time. This means that a recipient of your personal data which is not domiciled in the EU/EEA will ensure an adequate level of protection, for example by entering into an agreement with e-Boks on the use of the European Commission’s standard contractual clauses or by becoming certified by a recognised transfer mechanism that provides adequate protection. To the extent that supplementary protective measures are deemed to be necessary in the specific case, such measures will be established prior to the transfer. You can get further information about the lawfulness of processing for the specific transfer from the above contact details.
5. Storage of your personal data
We will only store your personal data for as long as is necessary for the purposes described above and/or as required by the applicable law.
Private End-Users:
- The account (name, address, civil registration number, email, telephone number, user number) is erased when the user erases the user’s account or when the user has been inactive for 10 years (that is no login for 10 years and no mail sent or received for 10 years).
- The account will also be erased if a next-of-kin contacts e-Boks and the end-user has been registered as deceased for 5 years.
Contacts/employees in enterprises which have a digital mailbox:
- The enterprise’s account, including your personal data, is erased when the enterprise erases its account or when the enterprise has been inactive for 10 years (that is no login for 10 years and no mail sent or received for 10 years).
- If your personal data are included in e-Boks’ accounting records, for example in connection with invoicing, your personal data will be stored for 5 years from the end of the financial year that the accounting records concern. The purpose of this processing is compliance with our legal obligations under the Danish Bookkeeping Act, see Article 6(1)(c) of the General Data Protection Regulation.
Contacts/employees working for Sender Customers:
- Personal data about contacts are erased when it is no longer necessary to store the data for the purpose of documenting correspondence with the sender customer. Personal data connected with the use of the sender customer’s account will be erased when the sender customer erases the data or 5 years after termination of the contract.
- If your personal data are included in e-Boks’ accounting records, for example in connection with invoicing, your personal data will be stored for 5 years from the end of the financial year that the accounting records concern. The purpose of this processing is compliance with our legal obligations under the Danish Bookkeeping Act, see Article 6(1)(c) of the General Data Protection Regulation.
Recipients of newsletters and participants in webinars:
- Personal data connected with your newsletter profile are stored until you withdraw your consent and no longer wish to receive newsletters from us.
- Personal data connected with your participation in a webinar will be stored until the webinar has been held and any follow-up questions have been answered. Your consent to receive marketing material that you granted in connection with your registration for the webinar will be stored until you withdraw your consent.
Participants in events
- Personal data connected with your participation in events are stored until the event is held and for a subsequent period for follow-up purposes. Your consent to receive marketing material that you granted in connection with your registration for the event will be stored until you withdraw your consent.
Participants in user surveys:
- Personal data that you have provided in a user survey will be erased or anonymised as soon as the user survey has been finally completed and evaluated.
Contacts working for partners:
- We process personal data about you for as long as e-Boks communicates with you because you are a contact working for a partner or a potential future partner and for up to 3 years after termination of the contractual relationship or until your personal data are no longer necessary for the establishment, exercise or defence of legal claims.
- If your personal data are included in e-Boks’ accounting records, for example in connection with invoicing, your personal data will be stored for 5 years from the end of the financial year that the accounting records concern. The purpose of this processing is compliance with our legal obligations under the Danish Bookkeeping Act, see Article 6(1)(c) of the General Data Protection Regulation.
6. Your rights
With the limitations and exceptions that follow from the General Data Protection Regulation and the Danish Data Protection Act, you have a number of rights in relation to our processing of personal data about you.
Right to see and receive data (right of access)
You have a right to request access to the personal data, including receiving a copy of the personal data, that we process about you. In this connection, you also have the right to receive a number of further data as well as confirmation that we process personal data about you.
Right to rectification (correction)
You have a right to request to have inaccurate personal data about you rectified and a right to request to have incomplete personal data completed.
Right to erasure
You have a right to request to have personal data about you erased in certain circumstances, for example if the processing is based on your explicit consent and you withdraw your consent.
Right to restriction of processing
You have the right to request restriction of the processing of your personal data, for example if you are contesting the accuracy of your personal data.
Right to object
You have the right to object to our processing of your personal data, including, in particular, in relation to direct marketing.
Right to transmit data (data portability)
When our processing is carried out by automated means and is based on your consent or on the performance of a contract with you, you have the right to request to receive the personal data that you yourself have provided to us in a structured, commonly used and machine-readable format, and you have the right to request to have those personal data transmitted to another data controller enterprise if this is technically feasible.
Right not to be subject to an automated decision
You have the right to request not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
Right to withdraw your consent
If you have granted your consent to the processing of your personal data, you have the right to withdraw your consent at any given time. However, if you withdraw your consent, this will not affect the processing of your personal data that was carried out before the withdrawal of your consent.
Right to complain
You have the right to lodge a complaint with the Danish Data Protection Agency if you disagree with the way we process your personal data. The Danish Data Protection Agency can be contacted at www.datatilsynet.dk/kontakt. However, we hope that you will first contact us so that we have the opportunity to answer any questions you may have regarding the processing of your personal data.
7. Changes to Privacy Policy
This Privacy Policy replaces all previous versions. It will be necessary to update and change this policy on an ongoing basis, and we therefore reserve the right to update and change it. In the event of significant changes, we will notify you on www.e-boks.dk.
Version 3.2 10/2023