Act No. 250 / 2017 Coll.
Electronic identification law
Valid
Law
Effective from 01.07.2018
250
THE LAW
of 19 July 2017
on electronic identification
Parliament has enacted the following law of the Czech Republic:
Subject matter
This law regulates, in connection with the directly applicable European Union regulation on electronic identification1),
(a) the use of electronic identification;
(b) the competence of the Digital and Information Agency (hereinafter referred to as the Agency) on the electronic identification section; and
(c) offences in the electronic identification section.
Proof of identity using electronic identification
Where a legal act or the exercise of competence requires proof of identity, identity may be demonstrated using electronic identification only through a qualified electronic identification system (hereinafter referred to as "the qualified system").
Qualified system
(1) A qualified system is an electronic identification system,
(a) which is managed by a qualified manager of an electronic identification system (hereinafter referred to as "qualified administrator");
(b) which complies with the technical specifications, standards and procedures for at least one of the levels of guarantee laid down by the directly applicable European Union Regulation amending the minimum technical specifications, standards and procedures for the levels of guarantee of electronic identification means2) (hereinafter referred to as "the relevant European Union Regulation"),
(c) which allows the provision of a national identification and authentication point service (hereinafter referred to as the "national point");
(d) within which personal identification data are uniquely identified to the person at the time of issue of the electronic identification device, linked to the person in accordance with the technical specifications, standards and procedures for the appropriate level of guarantee laid down by the relevant European Union Regulation; and
(e) within which only an electronic identification device which is linked to the person it identifies is issued and used in accordance with the technical specifications, standards and procedures for the appropriate level of guarantee laid down by the relevant European Union Regulation.
(2) Furthermore, a qualified system is an electronic identification system notified in accordance with a directly applicable European Union regulation governing electronic identification1), under which only an electronic identification device with a level of guarantee of at least significant is issued and used.
Qualified administrator
A qualified administrator may only be:
(a) a State authority; or
(b) a person who has been granted an accreditation for the management of a qualified system (hereinafter referred to as an accredited person).
Accreditation
(1) The Agency shall decide on the granting of accreditation for the management of a qualified system (hereinafter referred to as "accreditation") upon written request.
(2) The condition for accreditation is:
(a) the fact that the electronic identification device issued by the accreditation applicant and the electronic identification system managed by the accreditation applicant comply with the technical specifications, standards and procedures laid down in the relevant European Union Regulation;
(b) the integrity of the applicant for accreditation;
(c) liability insurance for damage caused by the management of a qualified system;
(d) processing of the closure plan;
(e) the fact that the electronic identification system of the accreditation applicant allows the provision of a national point service; and
(f) the fact that an applicant for accreditation is eligible for the management of a qualified system in terms of public policy, security and respect for third parties' rights.
(3) The applicant for accreditation attaches
(a) a contract on insurance against liability for damage caused by the management of a qualified system;
(b) proof of integrity, provided that integrity is not demonstrated by an extract from the Register of Penalties,
(c) confirmation that the electronic identification device issued by the applicant for accreditation and the electronic identification system managed by the applicant for accreditation comply with the technical specifications, standards and procedures laid down in the relevant European Union Regulation; and
(d) the closure plan.
(4) The Agency is entitled to request information from the Police of the Czech Republic, the Intelligence Service or any other authority when determining the facts referred to in paragraph 2 (f).
(5) The Agency shall decide on the application for accreditation within 3 months of the date of its submission. Where an applicant for accreditation fulfils the conditions for accreditation, the Agency shall grant accreditation. Otherwise, the Agency shall reject the application.
(6) The accredited person is required to notify the Agency in writing without undue delay that he has ceased to fulfil any of the conditions for accreditation.
(1) The Agency shall decide on a change of accreditation on the basis of a written request from an accredited person to extend the management of a qualified system to issue and use an additional electronic identification device.
(2) The accredited person is required in the application referred to in paragraph 1 to demonstrate compliance with the condition laid down in Article 5 (2) (a) with regard to another electronic identification device.
(3) The Agency shall decide on the application referred to in paragraph 1 within 3 months of the date of its submission. Where an accredited person fulfils the condition laid down in Article 5 (2) (a) in relation to another electronic identification device, the Agency shall amend the accreditation. Otherwise, the Agency shall reject the application.
(1) If an accredited person ceases to comply with any of the conditions for granting accreditation, the Agency shall draw that person's attention in writing to the possibility of withdrawing the accreditation and at the same time shall invite the accredited person to remedy the situation without undue delay. The Agency shall withdraw the accreditation if the accredited person has not acted upon the Agency's notification.
(2) The Agency shall withdraw accreditation where the accredited person has requested it in writing.
Accreditation ceases to exist when an accredited person dies or ceases to exist.
Insurance against damage
(1) An applicant for accreditation must be insured against liability for damage caused by the management of a qualified system in such a way that the insured amount is proportional to the possible damage that can reasonably be expected. The Agency shall establish by decree rules for the calculation of the minimum limit on claims.
(2) The accredited person is obliged to make good the damage caused by the management of the qualified system, regardless of the agreed limit of insurance benefits.
Integrity
(1) For the purposes of this Act, a person of integrity is one who has not been legally convicted for:
(a) an intentional offence; or
(b) an offence against order in public matters committed through negligence.
(2) For the purposes of this Act, a person who is regarded as not having been convicted shall also be deemed to be of integrity.
(3) The integrity of natural persons is demonstrated by
(a) an extract from the Register of Penalties,
(b) an extract from the Register of Penalties with an annex containing information entered in the criminal record of a Member State of the European Union of which a person is a national or a Member State of the European Union of the last residence, if the person is a national of another Member State of the European Union or if he or she has, or resides in, another Member State of the European Union;
(c) an extract from the criminal record or an equivalent document issued by the State of which the person is a national or, where that State does not issue an extract from the criminal record or an equivalent document, an honorary declaration of integrity made before a notary or another competent authority of the State of which the person is a national;
(d) an extract from the criminal record or an equivalent document issued by the State of last residence, lasting for more than 3 months in two consecutive years, or, where that State does not issue an extract from the criminal record or an equivalent document, an honorary declaration of integrity made before the notary or other competent authority of the State of residence.
(4) The integrity of legal persons is demonstrated by
(a) an extract from the Register of Penalties,
(b) an extract from the record of the Register of Penalties with an annex containing information entered in the criminal record of the Member State of the European Union in whose territory the person has his registered office, if he has his registered office in another Member State of the European Union;
(c) an extract from the criminal record or an equivalent document issued by the State in whose territory the person has his registered office or, where that State does not issue an extract from the criminal record or an equivalent document, an honorary declaration of integrity made before the notary or other competent authority of the State in whose territory the person has his registered office;
(d) an extract from the criminal record or an equivalent document issued by the State in whose territory the person in the last two consecutive years has been in business or, where that State does not issue an extract from the criminal record or an equivalent document, an honorary declaration of integrity made before the notary or other competent authority of the State in whose territory the person was in business.
(5) The proof of integrity referred to in paragraphs 3 (b) to (d) and 4 (b) to (d) must not be more than 3 months old.
(6) The Agency will request an extract from the Register of Penalties for the purpose of establishing integrity under the Criminal Register Act. An application for an extract from the Register of Penalties and an extract from the Register of Penalties shall be sent in electronic form in a way that allows remote access.
Assessment of the electronic identification device and the electronic identification system
(1) The means of electronic identification and the electronic identification system shall be assessed by the person empowered to do so by the Agency (hereinafter referred to as the "authorised person").
(2) The Agency shall entrust the assessment of the electronic identification device and the electronic identification system on request to the person responsible for carrying out the tests under the Public Administration Information Systems Act. The authorisation for the assessment of an electronic identification device and an electronic identification system (hereinafter referred to as "mandate") may not be transferred to another person.
(1) If the authorised person ceases to fulfil the obligations laid down in this law, the Agency shall notify him in writing of the possibility of withdrawal of the mandate and shall at the same time invite him to remedy the situation without undue delay. The Agency shall withdraw the mandate if, even on the basis of the Agency's notification, the authorised person fails to comply.
(2) The Agency shall withdraw the mandate if the authorised person so requests in writing.
(3) The mandate shall cease if the authorised person has no mandate to carry out the tests under the Public Administration Information Systems Act.
(1) The authorised person shall assess whether the electronic identification device and the electronic identification system comply with the technical specifications, standards and procedures laid down in the relevant European Union Regulation. Article 6d (3) and Article 6e of the Act on Information Systems of Public Administration shall apply mutatis mutandis to the assessment of the electronic identification device and the electronic identification system.
(2) If the electronic identification device and the electronic identification system comply with the technical specifications, standards and procedures laid down in the relevant European Union Regulation, the authorised person shall confirm this in writing to the applicant for assessment within 3 months of the date of the request for assessment.
(3) The certificate referred to in paragraph 2 shall contain a specified level of guarantee for electronic identification in accordance with the relevant European Union Regulation.
(4) If the electronic identification device and the electronic identification system do not comply with the technical specifications, standards and procedures laid down in the relevant European Union Regulation, the authorised person shall inform the applicant in writing of this fact within 3 months of the date of the request for assessment and shall inform him of the reasons for the non-compliance.
Where no person is entrusted with the assessment of the electronic identification device and the electronic identification system, the Agency shall assess the electronic identification device and the electronic identification system. Paragraph 13 shall apply mutatis mutandis to the assessment of an electronic identification device and an electronic identification system by the Agency.
Termination plan
The State authority or accreditation applicant shall specify in the closure plan the procedures for the termination of the issuance and use of the means for electronic identification and the provision of authentication services, including the manner in which the administrator of the national point and the holders of electronic identification means (hereinafter referred to as "the holder") are informed of the cessation of the activities of the qualified administrator.
Duties of the qualified administrator
(1) The qualified administrator shall
(a) ensure the availability of a qualified system managed by it for the relying party in a way that allows remote access through the national point, and for the national point in a way that allows remote access;
(b) keep records of the electronic means of identification issued by it;
(c) verify the identity of the holder by means of the national point before the first use of an electronic identification device within a qualified system;
(d) enter the identifier of the electronic identification device issued by it and the level of guarantee of that device at the national point;
(e) update the data in the records of the electronic identification means issued on the basis of an alert by the administrator of the national point about a change in the data;
(f) on cessation of its activities, forward the records of the electronic identification means issued to the Agency;
(g) without undue delay, invalidate an electronic means of identification of a holder who has been shown to have died or has been declared dead;
(h) without undue delay, invalidate an electronic identification device at the request of the holder or on the basis of a declaration by the holder of an abuse or danger of misuse of an electronic identification device;
(i) on cessation of its activities, invalidate the means of electronic identification issued by it;
(j) notify the administrator of the national point of the invalidation of the electronic identification device referred to in points (g) to (i);
(k) maintain and update the closure plan; and
(l) when it ceases to operate, proceed in accordance with the closure plan.
(2) The qualified administrator shall ensure that management activities in the management of a qualified system are carried out by natural persons who have received higher education under an accredited Bachelor's or Master's degree programme and have experience in the field of information technology of at least 3 years, or by natural persons who have obtained secondary education and have experience in the field of information technology of at least 5 years.
(3) The qualified administrator shall ensure that natural persons carrying out management activities in the management of a qualified system and natural persons verifying the identity of the holder are of integrity.
Obligations of the holder
The holder shall
(a) verify the accuracy of the data entered in the electronic identification device when the device is taken over;
(b) treat the electronic identification device with due care to minimise the possibility of its misuse;
(c) report to the qualified administrator without undue delay any misuse or danger of misuse of an electronic identification device.
Obligations of a qualified provider
(1) Any person who makes it possible to demonstrate the identity required by law or enforcement, using electronic identification (hereinafter referred to as "qualified provider"), shall inform the administrator of the national point thereof without undue delay after it has occurred. The qualified provider shall indicate in the notification the online service or other activity in which it allows the identification by electronic identification and the level of guarantee of the electronic identification device required when the identification by electronic identification is provided.
(2) Any person who has ceased to enable proof of identity in accordance with paragraph 1 shall inform the administrator of the national point without undue delay.
(3) The notification referred to in paragraph 1 or 2 shall be made by means of an electronic application managed by the administrator of a national point.
Competence in the electronic identification section
The Agency shall
(a) carry out the tasks referred to in Articles 9 and 10 of the directly applicable European Union regulation on electronic identification1);
(b) carry out the tasks of the single point of contact in accordance with the directly applicable European Union law governing procedural arrangements for cooperation between Member States in the field of electronic identification3);
(c) control qualified administrators, qualified providers and authorised persons;
(d) keep records of the accreditation and changes thereto and publish them on its website;
(e) keep the data held in the records of electronic identification means issued by a qualified administrator that has ceased to operate, and make such data available to any person who demonstrates a legal interest in their being made available, or where the law so provides;
(f) on the basis of a notification from the qualified provider, allow the provision of a national point service;
(g) draw the qualified administrator's attention to changes in the data in the records of the electronic identification means issued; and
(h) be a qualified administrator issuing an electronic identification device.
National point
(1) The national point is the public administration information system supporting the electronic identification and authentication process through a qualified system.
(2) The administrator of the national point is the Agency.
(3) A separate part of the national point plays the role of the node in accordance with the directly applicable European Union regulation governing the interoperability framework4).
(4) The administrator of the national point shall ensure that the national point complies with the requirements laid down in the directly applicable European Union regulation governing the interoperability framework4).
(1) The following shall be kept at the national point:
(a) the identifier of the electronic identification device and the level of guarantee of the device;
(b) the holder's agenda identifier for the authentication agenda;
(c) the holder's identifier within a qualified system; and
(d) the holder's identifier within an online service or other activity meeting the requirements laid down in the directly applicable European Union regulation governing the interoperability framework4).
(2) At least the following shall be kept as operational data at the national point:
(a) the date of initial entry of the data to the national point;
(b) the date of the last amendment of the data kept at the national point; and
(c) a record of the use of the national point data.
(3) In addition, data provided by the holder may be kept at the national point.
(4) The data referred to in paragraph 1 (b) to (d) and paragraph 2 are entered at the national point by the administrator of the national point. The data referred to in paragraph 3 shall be entered by the holder at the national point.
(5) The data referred to in paragraphs 1 and 2 shall be kept at the national point for a period of 15 years from the expiry of the electronic identification device. The data referred to in paragraph 3 shall be kept at the national point during the period of validity of the electronic identification device, unless it is previously the holder.
(6) The data to be kept in the node referred to in Article 9 (3) of the directly applicable European Union regulation governing the interoperability framework4) shall be kept for 15 years after their initial registration.
Registration of electronic means of identification issued
(1) The following shall be kept in the records of electronic means of identification issued:
(a) the name and, where applicable, the name of the holder;
(b) the address of the holder's place of residence or, where applicable, the address of the place of residence outside the Czech Republic, unless the holder has a permanent residence in the Czech Republic;
(c) the date of birth of the holder;
(d) the identifier of the electronic identification device;
(e) holder identifier within a qualified system;
(f) an indication of how the applicant's identity is verified for the issue of an electronic identification device and, if identity has been verified by an identity card, the number and type of identity card;
(g) the date and time of issue of the electronic identification device and the date and time of its invalidation;
(h) the period of validity of the electronic identification device; and
(i) the date and time of receipt of an application for invalidation of an electronic identification device or of a notification by the holder of an abuse or danger of misuse of an electronic identification device.
(2) The information referred to in paragraph 1 shall be kept in the records of electronic identification means issued for a period of 15 years from the expiry of the electronic identification device.
(3) The qualified administrator shall make the data referred to in paragraph 1 available to any person who demonstrates a legal interest in their being made available, or where the law so provides.
List of qualified administrators and qualified providers
(1) The Agency shall keep a list of qualified administrators established in the Czech Republic, together with their electronic identification means, and a list of qualified providers established in the Czech Republic, together with the online services or other activities in which they enable identity to be demonstrated using electronic identification.
(2) The Agency shall publish the list referred to in paragraph 1 on its website.
Offences in the electronic identification section
(1) An accredited person commits an offence if it:
(a) does not ensure the availability of the qualified system managed by it in accordance with Article 16 (1) (a);
(b) does not keep records of the electronic means of identification issued by it pursuant to Article 16 (1) (b);
(c) does not verify the identity of the holder through the national point pursuant to Article 16 (1) (c);
(d) does not enter the identifier of the electronic identification device issued and the level of guarantee of the device at the national point pursuant to Article 16 (1) (d);
(e) does not update the data in the records of electronic identification means issued pursuant to Article 16 (1) (e);
(f) does not transmit to the Agency the records of electronic identification means issued pursuant to Article 16 (1) (f);
(g) does not invalidate an electronic identification means pursuant to Article 16 (1) (g) to (i);
(h) does not notify the invalidation of an electronic identification device pursuant to Article 16 (1) (j);
(i) in contravention of Article 16 (1) (k), does not maintain or does not update the closure plan;
(j) does not comply with the closure plan referred to in Article 16 (1) (l);
(k) does not ensure that management activities in the management of a qualified system are carried out by natural persons meeting the requirements of Article 16 (2); or
(l) contrary to Article 16 (3), does not ensure that management activities in the management of a qualified system and identity verification are carried out by natural persons of integrity.
(2) A penalty may be imposed in respect of an offence:
(a) 1 000 000 CZK if the offence referred to in paragraph 1 (k) or (l) is committed; or
(b) 2 000 000 CZK if it is an offence referred to in paragraph 1 (a) to (j).
The Agency shall deal with offences under this law.
Transitional provisions
(1) Any person who made it possible to demonstrate an identity required by law or enforcement using electronic identification before the date of entry into force of this law, and who allows such proof of identity from the date of entry into force of this law, shall inform the administrator of the national point within 6 months of the date of entry into force of this law. Paragraph 18 (3) shall apply mutatis mutandis.
Regulation Information
| Citation | Act No. 250 / 2017 Coll., on Electronic Identification |
|---|---|
| Regulation Type | Law |
| Author | - |
| Collection | Code of Laws |
| Date of Promulgation | 18.08.2017 |
| Effective from | 01.07.2018 |
| Effective until | - |
| Status | Valid |
The regulation text is for informational purposes only.