- General terms
- Digital postbox
- Digital services
- e-Boks mobile
- User support
- Terms for processing of personal data
- Commercial viewing client
1. General terms
1.2 About e-Boks
e-Boks is a digital platform that provides the Enterprise with access to digital mail from both public authorities and private enterprises.
e-Boks provides the Enterprise with access to:
- letters, messages etc. (‘Messages’) from private enterprises and digital mail from public authorities;
- the Enterprise’s archives in e-Boks;
- communicating directly and securely with a registered enterprise;
- signing agreements digitally;
- making payments through partners and
- using the services and functions that e-Boks may offer at any time by virtue of e-Boks’ cooperation with third parties.
1.3 Limitation of liability
Unless otherwise required by law, e-Boks cannot be held liable for the solutions offered by e-Boks, the contents of Messages, notifications, or for losses incurred in the event of delay, non-delivery, incorrect delivery, loss of data, IT errors and faults, viruses, damage to the Enterprise’s hardware or force majeure-like situations, regardless of whether such circumstances affect e-Boks alone. Moreover, e-Boks does not acknowledge any liability for damages for breach of contract, non-performance or non-functionality. Furthermore, e-Boks is not liable for any loss resulting from unauthorised use, for example if other parties have been granted access to the Enterprise’s digital e-Boks postbox or to the Enterprise’s access to e-Boks User Support, or if the Enterprise has failed to inform e-Boks of any irregularities or unauthorised use or suspicion thereof. Nor will e-Boks be liable for third-party services offered via the e-Boks solution.
If the Enterprise discontinues its activities, e-Boks reserves the right to erase the Enterprise’s data with e-Boks 15 months after such discontinuation. The same applies if the Enterprise has not been logged into e-Boks for over five years. In case of inactivity for more than five years, the Enterprise’s correspondences and profile in e-Boks user support will be erased.
All material in e-Boks, such as names, logos, trademarks, graphics, texts, icons, images, software etc., belongs to e-Boks and its partners and is protected by the legislation on trademarks, copyrights and marketing practices.
1.7 Governing law and venue
Disputes concerning matters regulated by these terms must be settled by Danish courts in accordance with Danish law.
e-Boks can be contacted via https://www.e-boks.com/danmark/en/contact/
2. Digital postbox
In the Enterprise’s e-Boks digital postbox, the Enterprise can access mail from both public authorities and private enterprises.
2.1 Legal effect
The Messages that the Enterprise receives via e-Boks will not be sent to the Enterprise as regular mail. Messages received in e-Boks have the same legal effect as if they were received by regular mail, for example regarding payment, acceptance and complaints deadlines. Messages will be regarded as having been delivered to the Enterprise when they are made available to the Enterprise in e-Boks.
The Enterprise is responsible:
- for checking regularly whether new Messages have been delivered to its digital e-Boks postbox;
- for ensuring that e-Boks always has the correct email address and/or the Enterprise’s mobile number if the Enterprise wants to be notified of new Messages;
- for immediately changing its password and notifying e-Boks if the Enterprise becomes aware of or suspects irregularities or unauthorised use of its e-Boks digital postbox.
The Enterprise is also responsible for the content of documents archived in e-Boks always being in compliance with the applicable law.
Messages deleted in an e-Boks digital postbox cannot be restored or recreated. Only the Enterprise and parties who have access to the Enterprise’s digital postbox can delete Messages and documents in the Enterprise’s e-Boks digital postbox. e-Boks cannot access the content of the Enterprise’s Messages. However, e-Boks reserves the right to make Messages in the e-Boks digital postbox inaccessible when e-Boks is obliged to do so by law, and when other parties’ data have been compromised by error.
2.4.1 Deregistering from receiving messages from a specific sender
Unless the Enterprise has entered into an agreement with a sender which requires the Enterprise to have an e-Boks digital postbox, or the sender otherwise has statutory authority to send mail to the Enterprise, the Enterprise can opt out of receiving messages from a sender in e-Boks. The Enterprise can opt out of receiving Messages from a sender, including any pre-installed registrations of senders, at seven days’ notice.
2.4.2 Deregistering from digital postbox
The Enterprise may deregister or delete its e-Boks digital postbox at any time. However, e-Boks will be obliged by these terms for as long as the Enterprise stores personal data with e-Boks.
3. Digital services
e-Boks provides the Enterprise with access to a choice of digital services. The content depends on who provides and manages the digital service. The digital services chosen by the Enterprise will be provided and managed by either e-Boks or a third party.
e-Boks has the right to pre-install services that are not in the nature of commercial services and which e-Boks finds to be of relevance to all users. The company may deregister from these services at any time, see clause 3.3.
3.1 Content of digital services
The content displayed when the Enterprise accesses a digital service may be determined by a third party. When third parties make content available through a digital service, e-Boks has no responsibility or liability for the content of such service.
3.2 Consent and verification
When opting to receive an add-on digital service provided and managed by a third party, the Enterprise accepts that e-Boks may disclose such data about the Enterprise to the third party as are necessary for the third party to verify the Enterprise. The Enterprise will always be informed about the data which are disclosed in connection with the Enterprise opting to receive an add-on service.
3.3 Opting out of digital services and pre-installed services
The Enterprise may freely opt out of services in e-Boks. To do so, simply delete the digital service in Settings. When the Enterprise opts out of a digital service, this does not mean that the Enterprise no longer has a user account with the third party that provides and manages the Service, and this third party may still have data registered about the Enterprise. The Enterprise must therefore contact the third party in question directly for erasure of the Enterprise’s user and/or the Enterprise’s data with the third party. Erasure of data held by third parties is not e-Boks’ responsibility.
4. e-Boks Mobile
e-Bok gives the Enterprise the opportunity to access e-Boks Mobile via the e-Boks App (‘the App’). Not all functions from e-Boks can be executed in the App. For these functions, the Enterprise needs to log on to e-Boks in a browser. In the App, the Enterprise can, for example:
- read and manage Messages;
- save pictures from camera or picture archive;
- register and deregister senders of mail;
- edit user profile with email and mobile number;
- and pay bills.
4.2 Right of use
4.3 Unauthorised use
If the Enterprise suspects that other parties have acquired knowledge of its password or activation code, the Enterprise must change these immediately. Password and activation code can be found in the Enterprise’s e-Boks digital postbox under Settings.
4.4 Biometric authorisation
The Enterprise’s employees etc. can use biometric authorisation, such as touch ID or face ID, to log on to the App. For this to be possible, the Enterprise must accept that the device’s ability to unlock with biometric authorisation will be linked to the Enterprise’s user profile in the App. The Enterprise can only link the registered biometrics of the device to one user profile in the App. Other parties may make unauthorised use of the App if they have access to administering biometric authorisation on the device. The Enterprise must therefore ensure that the Enterprise has only activated its own biometrics as password. Only use biometric authorisation on devices to which the Enterprise has access and never on jailbroken devices. If the Enterprise has acquired the device from another party, the Enterprise must first delete the stored biometrics before activating its own. If the Enterprise transfers its device to another party, the Enterprise must first delete the Enterprise’s user profile in the App.
4.5 Termination of biometric authorisation
The Enterprise can terminate its use of biometric authorisation to log on to the App by:
- removing its user profile from the list of enabled users in the App;
- logging on to the App and disabling the selected biometric authorisation under Settings or
- deleting the App from the device.
4.6 Lost mobile device
If the mobile device is lost, the Enterprise must generate a new activation code and/or password in the Enterprise’s e-Boks digital postbox as soon as possible.
4.7 Blocking of mobile access
e-Boks reserves the right to block mobile access for security reasons on suspicion of unauthorised use. If the mobile access is blocked, the Enterprise may contact e-Boks.
5. User support
e-Boks User Support gives the Enterprise access to communicate with a support team that provides assistance in connection with use of e-Boks’ solutions.
5.1. Submission of personal data
The Enterprise is responsible for ensuring that personal data are only entered in the user support fields designed for this purpose. If personal data, such as civil registration (CPR) number, are entered in the subject or description field as well as in the chat function, the enquiry will automatically be deleted and will not be processed.
5.2. Suspected unauthorised use
If the Enterprise becomes aware of or suspects irregularities or unauthorised use of its access to e-Boks User Support, the Enterprise must immediately change its password and notify e-Boks.
6. Terms for processing of personal data
The terms lay down the rights and obligations of the Enterprise as data controller and of e-Boks as data processor, respectively, when the Enterprise uses e-Boks’ services, including the digital postbox and archive solution.
‘Personal data’ is defined as any form of information about an identified or identifiable natural person, see Article 4(1) in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (‘the General Data Protection Regulation’).
6.1 Scope and purpose
e-Boks only processes personal data for purposes necessary to enable e-Boks to make its services available to the Enterprise, including the Enterprise’s use of a digital postbox and archive system.
6.2 Processing activities
e-Boks’ processing of personal data on behalf of the data controller (the Enterprise) in connection with the provision of services includes:
Furthermore, the data are included in general statistics for use and application of e-Boks’ services.
6.3 Categories of personal data and data subjects
6.3.1 Categories of personal data
The contents of Messages and documents that are transferred to e-Boks, either by a sender for delivery in the Enterprise’s digital postbox or by the Enterprise for storage in its archive system with e-Boks, are determined by the sender or the Enterprise. Messages and documents therefore contain body text that is not determined by e-Boks and that may contain a wide range of personal data.
e-Boks’ processing may therefore include the following types of personal data:
- Ordinary personal data (such as name, address, IP address, tel. no., email address, sender ID, message ID, transaction ID, transaction data, log data, metadata for receipt and sending of mail, DPID numbers, RID numbers, UUID number)
- Body text in Messages
- Criminal offences
- Civil registration number.
- Racial or ethnic origin
- Political opinions
- Religious beliefs
- Philosophical beliefs
- Trade union membership
- Data concerning health, including genetic and biometric data
- Sex life or sexual orientation.
6.3.2 Categories of data subjects
Like the contents of Messages and documents, the categories of data subjects about whom personal data are processed by e-Boks are determined by the Enterprise or the sender. As such, data subjects can fall within a number of categories, including employees, former employees, applicants, customers, members, owners et al., or others who may be mentioned in the contents of documents and Messages (body text).
6.3.3 Duration of processing
The duration of the processing of personal data is determined by the Enterprise. Read more about this under clause 2.4.2.
6.4 Instructions from the Enterprise
e-Boks only processes the transferred personal data on the basis of instructions from the Enterprise, unless such processing is required under EU law or Member State law, in which case e-Boks will inform the Enterprise of such legal requirements before processing, unless the law in question prohibits such information to safeguard important public interests.
If e-Boks regards a specific instruction as being in violation of applicable personal data protection law, e-Boks will notify the Enterprise thereof.
6.5 The Enterprise’s responsibility as data controller
The Enterprise decides which personal data it wants e-Boks to process. The Enterprise therefore warrants that the purpose of processing personal data is lawful and correct, and that no more personal data are processed by e-Boks than absolutely necessary to meet this purpose. The Enterprise is responsible for ensuring lawfulness of processing when the personal data are transferred to e-Boks, including (if required) obtaining consent that is express, voluntary, unambiguous and informed.
The Enterprise further warrants that the data subjects whom the personal data concern have been given sufficient information concerning the processing of their personal data.
Any instruction or amendments to instructions concerning the processing of personal data according to these terms must be presented to e-Boks.
The Enterprise is obliged to inform e-Boks of any changes to the lawfulness of processing, purpose, basis of processing, instructions from the Enterprise etc., including (but not limited to) changes of the categories/types of personal data and data subjects to be processed by e-Boks on behalf of the Enterprise under these terms.
6.6 Security of processing
e-Boks’ processing of personal data on behalf of the Enterprise may comprise a large volume of personal data covered by Article 9 on “special categories of personal data” of the General Data Protection Regulation, and e-Boks is therefore obliged to ensure a “high” level of security.
6.7 Technical and organisational security measures
e-Boks will implement appropriate technical and organisational security measures, including such further measures as may be necessary to protect data against accidental or unlawful destruction, loss or alteration and against unauthorised disclosure, unauthorised use or other processing in violation of the provisions laid down in Danish data protection law.
Technical and organisational security measures comprise the following:
- Physical safeguards for protection of sites against unauthorised access to personal data;
- Technical and organisational measures and procedures for ensuring that access to personal data is limited to staff with a work-related need of access to such data;
- Technologies for secure identification, authentication and authorisation.
- Measures for encryption of personal data
e-Boks will ensure that the employees involved in processing of the personal data have undertaken a duty of confidentiality or are subject to a statutory duty of secrecy.
6.9 Personal data breach
In the event of a breach or suspected breach of data protection law in connection with the processing of personal data, e-Boks will inform the Enterprise, and, at the Enterprise’s request, provide assistance with determining the cause of such breach, including the nature of the ascertained personal data breach and, if possible, (a) which categories of persons (data subject) are involved as well as the approximate number, (b) the probable consequences of the personal data breach and (c) categories of personal data and approximate number of registrations of personal data, as well as the measures which e-Boks has taken to remedy the ascertained personal data breach. Any further investigation of personal data breaches will be at the Enterprise’s expense. If e-Boks is to assist the Enterprise further with provision of information to third parties, such as the Danish Data Protection Agency or data subjects, in connection with the personal data breach, the Enterprise will pay e-Boks’ expenses for this.
6.10 Possibility of provision of documentation and auditing
The Enterprise can request e-Boks to account for and/or document that e-Boks meets the requirements of the General Data Protection Regulation, including that e-Boks has implemented the necessary technical and organisational security measures. e-Boks’ costs in connection with such a request are payable by the Enterprise.
At the Enterprise’s request, and by further agreement, e-Boks will facilitate and contribute to an annual audit, including inspection, subject to a minimum of nine months’ notice and for the Enterprise’s account. The audit and inspection will be conducted by the Enterprise or by another auditor authorised by the Enterprise. With such a request for an audit, the Enterprise must enclose a detailed audit plan setting out the scope, duration, purpose and proposed start date for the audit. If necessary, e-Boks can demand that security be pledged for the expenses associated with the audit.
Where the Enterprise uses a third party for the audit, the Enterprise warrants that the third party accepts and complies with e-Boks’ requirements for security and confidentiality. The Enterprise cannot use a third party without e-Boks’ prior approval. e-Boks may solely refuse such approval on reasoned grounds, including (but not limited to) the status of the third party as a competitor.
6.11. Objections to processing etc.
With due consideration being given to the nature of the processing and using appropriate technical and organisational measures, e-Boks will assist the Enterprise in as far as possible with the performance of the Enterprise’s obligation to respond to requests for the exercise of the data subjects’ rights under Chapter III of the General Data Protection Regulation. The Enterprise must reimburse e-Boks’ costs in connection with this.
e-Boks must assist the Enterprise, to a reasonable extent and for the Enterprise’s account, in ensuring compliance with the obligations set out in Articles 32-36 of the General Data Protection Regulation, with due consideration being given to the nature of the processing and the details available to e-Boks.
6.12. Disclosure of personal data to suppliers (sub-processors)
e-Boks uses suppliers to operate the e-Boks solution, and therefore discloses the Enterprise’s personal data to KMD, CVR no. 26911745, Lautrupparken 40, DK-2750 Ballerup, Stratu ApS, CVR. no. 42543039, Lautruphøj 5 - 7, DK-2750 Ballerup and to e-Boks' affiliated companies.
6.12.1 Changes in the use of sub-processors
e-Boks will inform the Enterprise in writing if e-Boks plans to make changes to the use of the above suppliers (sub-processors). The Enterprise will then have the opportunity to make objections as soon as possible and within 30 calendar days of receipt of notification from e-Boks. The Enterprise can only make objections on reasonable and specific grounds.
If the Enterprise makes a reasonable and specific objection to the use of sub-processors within the deadline specified, e-Boks is obliged take this into consideration in accordance with the following. e-Boks can thus choose to take remedial action to comply with the Enterprise’s objections. If e-Boks decides not to take remedial action or if e-Boks is unable to take remedial action within a reasonable period of time, the Enterprise is entitled to cease using e-Boks’ services, including the digital postbox and archive solution, and can request that personal data be handed over and/or erased.
e-Boks only stores personal data within the borders of the EU.
Prior to the disclosure of personal data to a supplier/sub-processor, e-Boks will ensure that a written data processing agreement is entered into that meets the requirements of the General Data Protection Regulation. If the sub-processor fails to comply with its data protection obligations, e-Boks will be fully liable to the Enterprise for the performance of the sub-processor’s obligations.
7. Commercial viewing client
e-Boks grants access to digital mail from public senders. Digital mail from public authorities can also be accessed from the public viewing clients (virk.dk) as an alternative/a supplement to e-Boks.
7.1. Authentication of end-users
An end-user is authenticated by logging in to e-Boks via NemLog-In.
7.3. Notice of termination
Notice of termination of end-users of the viewing client is done at a minimum of one (1) month’s notice.
Version 2 – 2022/03