Act No. 297 / 2016 Coll.

Act on Trust Services for Electronic Transactions

Valid Law Effective from 19.09.2016
297
THE LAW
of 24 August 2016
on trust services for electronic transactions
Parliament has decided on this law of the Czech Republic:
§ 1
Subject matter
This law regulates, following the directly applicable regulation of the European Union1):
(a) certain procedures of trust service providers;
(b) certain requirements for trust services;
(c) the competence of the Digital and Information Agency (hereinafter referred to as the Agency) in the field of trust services; and
(d) penalties for infringements of trust services obligations.
Procedures for qualified trust service providers
§ 2
A qualified trust service provider shall provide a qualified trust service under a written contract.
§ 3
(1) A qualified trust service provider shall keep for 10 years documents related to the issuance of:
(a) qualified certificates for electronic signatures or electronic seals;
(b) qualified certificates for the authentication of websites; and
(c) qualified electronic time stamps.
(2) Upon expiry of the period referred to in paragraph 1, a qualified trust service provider shall keep for the next 15 years the data on which the identity of the applicant for the issue of a qualified certificate for electronic signatures or electronic seals or the identity of the natural person authorised to act for the legal person requesting the issue of a qualified certificate for electronic seals has been verified.
(3) Unless otherwise provided for in Regulation (EU) No 910 / 2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999 / 93 / EC (hereinafter referred to as "the Regulation"), the handling of retained documents shall be subject to the law governing archiving and file services.
§ 4
(1) A qualified trust service provider which, on completion of its activities, cannot comply with the obligation to maintain and make available the register referred to in Article 24 (2) (h) of the Regulation shall ensure that the register is taken over without delay by another qualified trust service provider upon completion of its activity.
(2) Where a qualified trust service provider cannot ensure that the records referred to in paragraph 1 are taken over, it shall transmit the records to the Agency without delay.
§ 4a
(1) A qualified trust service provider issuing qualified certificates for electronic signatures, electronic seals or authentication of a website is entitled to use data from the population base register to fulfil its obligations under the legislation, to the extent of:
(a) surname;
(b) the name and, where appropriate, the names,
(c) the address of the place of stay,
(d) the date, place and district of birth of the data subject who was born abroad, the date, place and state where he was born;
(e) the date of death; if the court's decision on the declaration of death is given, the date indicated in the decision as the date of death or the date which the data subject declared dead did not survive;
(f) citizenship and, where appropriate, multiple citizenship; and
(g) the numbers and types of identification documents.
(2) A qualified trust service provider issuing qualified certificates for electronic signatures, electronic seals or authentication of websites is entitled to use data from the basic register of legal persons, business natural persons and public authorities to fulfil its obligations under the legislation, to the extent of:
(a) the name and, where appropriate, the names of the natural person or foreign person involved; and
(b) the address of the place of residence in the Czech Republic or, where applicable, the place of residence abroad of the trading natural person or foreign person.
(3) A qualified trust service provider issuing qualified certificates for electronic signatures, electronic seals or authentication of a website is entitled to use data from the population registration information system to fulfil its obligations under the legislation, to the extent of:
(a) the name and / or the names, surnames and surnames,
(b) the date of birth;
(c) sex;
(d) the place and district of birth and the place and state of birth of the data subject who was born abroad;
(e) birth number,
(f) citizenship;
(g) the address of the place of permanent residence;
(h) the date of the acquisition of legal power of the decision of the court to approve the contract of assistance or representation of a member of the household, including the reference of the court to which the contract or representation has been approved, the date of the acquisition of legal power of the decision of the court to revoke the restriction of the law of the court, the date of the appeal of the subsidiary by the court and the date of the termination of the representation of the member of the household,
(i) the name and, where appropriate, the name, surname and birth number of the guardian;
(j) the date of death; and
(k) the date indicated in the court's decision on the death declaration as the date of death or the date on which the data subject declared dead did not survive.
(4) A qualified trust service provider issuing qualified certificates for electronic signatures, electronic seals or authentication of websites shall be entitled to use data from the alien information system to the extent of:
(a) the name and / or the names, surnames and surnames,
(b) the date of birth;
(c) sex;
(d) the place and state where the data subject was born;
(e) birth number,
(f) citizenship and, where appropriate, multiple citizenship,
(g) the address of the place of residence in the Czech Republic,
(h) the date on which the decision of the court to restrict jurisdiction, including the number of the case and the court's designation, which has decided to restrict jurisdiction;
(i) the date of death; and
(j) the date indicated in the court's decision on the death declaration as the day of death or the date on which the data subject declared dead did not survive.
(5) A qualified trust service provider issuing qualified certificates for electronic signatures, electronic seals or authentication of a website shall be entitled to use data from the information system of the registration of citizens' cards to fulfil its obligations under the legislation, to the extent of:
(a) the identity card number and, where appropriate, the series of identity cards;
(b) the date of issue of the identity card;
(c) the designation of the administrative department which issued the identity card;
(d) the expiry date of the identity card;
(e) the date of effective expiry of the invalid ID.
(6) A qualified trust service provider issuing qualified certificates for electronic signatures, electronic seals or web authentication shall be entitled to use the travel document registration information system to fulfil its obligations under the legislation, to the extent of:
(a) the number and type of travel document issued;
(b) the date of issue of the travel document;
(c) the expiry date of the travel document; and
(d) an indication of the authority which issued the travel document.
(7) The information system through which a qualified trust service provider uses the data referred to in paragraph 1 must allow for a remote and continuous evaluation of the records of the provision and use of data for the purposes of accounting data protection under other legislation3).
Signature of the document
§ 5
Only a qualified electronic signature may be used to sign with an electronic signature if it signs an electronic document which:
(a) the act or act of the State, the territorial unit, the legal person established by law or the legal person established or established by the State, the territorial unit or the legal entity established by the law or their body or any other part thereof (hereinafter referred to as the "signatory"); or
(b) the person not referred to in (a) shall act in the exercise of his or her duties.
§ 6
(1) Only a recognised electronic signature may be used to sign with an electronic signature if an electronic document is being signed which acts against a public signatory or another person in connection with the exercise of their powers.
(2) A recognised electronic signature means a guaranteed electronic signature based on a qualified electronic signature certificate or qualified electronic signature.
§ 7
A guaranteed electronic signature, a recognised electronic signature or a different type of electronic signature may be used to sign with an electronic signature, provided that the electronic document is signed by a legal act other than that referred to in Section 5.
Seal the document
§ 8
Where other legislation does not provide for the signature of an act or a legal act contained in the document or does not result from the nature of the act or act, the contracting authority and another legal person, if acting in the exercise of their powers, shall seal the document in electronic form with a qualified electronic seal.
§ 9
(1) Only a recognised electronic seal may be used to seal with an electronic seal if an electronic document is done against a signatory or other person in connection with the exercise of their powers.
(2) A recognised electronic seal means a guaranteed electronic seal based on a qualified certificate for an electronic seal or a qualified electronic seal.
§ 10
A guaranteed electronic seal, a recognised electronic seal, or another type of electronic seal, may be used to seal with an electronic seal, provided that the electronic document is handled in a legal manner other than that referred to in Section 8.
§ 11
Use of a qualified electronic time stamp
(1) A public-law signatory who has signed an electronic document by which he acts or acts legally in accordance with § 5 and the person who has signed an electronic document by which he has carried out his work in the exercise of his or her duties shall affix a qualified electronic time stamp to the signed electronic document.
(2) A public-law signatory who has sealed an electronic document by which he acts or acts legally in accordance with Paragraph 8 and the person who has sealed an electronic document by which he has carried out his work in the exercise of his or her duties in accordance with Section 8 shall affix a qualified electronic time stamp to the sealed electronic document.
§ 12
Verification of the validity of the guaranteed electronic signature and the guaranteed electronic seal
Article 32 (1) (a) to (e), (g) and (h) of the Regulation shall apply mutatis mutandis to the verification of the validity of a guaranteed electronic signature based on a qualified electronic signature certificate and to the verification of the validity of a guaranteed electronic seal based on a qualified electronic seal certificate.
§ 13
Scope of the Agency
(1) The Agency shall perform the tasks of the supervisory authority under the Regulation and under this Act.
(2) The Agency may instruct a qualified trust service provider to invalidate a qualified certificate issued by it if there are reasonable grounds for suspecting that the qualified certificate has been falsified or if it has been issued on the basis of false data. The Agency may also instruct to invalidate a qualified certificate if it finds that the signatory or the sealing person is using a means of creating electronic signatures or electronic seals which demonstrates safety deficiencies enabling the falsification of electronic signatures or electronic seals or the modification of signed or sealed data.
(3) The Agency shall publish, in a way that allows remote access, trusted lists containing information relating to qualified trust service providers, together with information on qualified trust services provided by them.
(4) The Agency shall keep a list of certificates on the basis of which qualified trust service providers sign by guaranteed electronic signature or seal of guaranteed electronic seal issued by qualified certificates or issued by qualified electronic time stamps. The list of certificates shall be published by the Agency in a way that allows remote access.
(5) The Agency complies with the obligation under Article 24 (2) (h) of the Regulation in the event of the receipt of a register pursuant to Article 4 (2).
(6) The Agency shall inform without delay the Office for the Protection of Personal Data of findings made in connection with the performance of the tasks of the supervisory authority referred to in paragraph 1, insofar as they concern the competence of that authority.
Provision of trust services by the Trust Service Administration
§ 14
(1) The Trust Service Administration (hereinafter referred to as "the Administration") is established as a state contribution organisation. The headquarters of the Administration is Prague.
(2) The Agency is responsible for the establishment of the Board.
(3) The Director is the statutory body of the Administration. The Director of the Administration shall be appointed and removed by a member of the Government responsible for the management of the Government's Information Society Council in agreement with the Minister for the Interior.
(4) The purpose of the Service is to provide trust services for the needs of the Czech Republic. The closer conditions of operation of the Administration, including the conditions under which the Administration provides trust services, are governed by a statute approved by a member of the Government responsible for the management of the Council of the Government for the Information Society in agreement with the Minister for the Interior.
§ 15
(1) Where the Administration provides a trust service the subject of which is a certificate which is not an electronic signature certificate, an electronic seal certificate or an authentication certificate, it shall keep a record of the certificates and / or their components to which the certificate was issued.
(2) The records shall contain:
(a) details of the natural person who has been issued the certificate to the extent that:
1. name and surname, if any;
2. date, place and district of birth; for a natural person who was born abroad, the date, place and state of birth;
3. Date of death,
4. the address of the place of stay and, where appropriate, the address to which the documents are to be served;
(b) details of the legal person or part thereof issued to the extent that:
1. business name or name,
2. address of the registered office,
3. person identification number,
(c) certificate details to the extent
1. identifier,
2. beginning and end of validity;
3. Date and time of activation,
4. date and time of invalidity,
(d) other data to the extent
1. the identifier of the carrier on which the certificate is stored;
2. the natural person's agenda identifier.
(3) The data referred to in paragraph 2 (c) are publicly available in a way that allows remote access.
(4) The data referred to in paragraph 2 shall be recorded during the period of validity of the certificate and for the following 15 years after the end of the certificate.
Offences of natural, legal and business natural persons
§ 16
(1) A natural person commits an offence by using the EU trust mark2) in breach of Article 23 (1) of the Regulation.
(2) A fine of up to CZK 2 000 000 may be imposed for the offence referred to in paragraph 1.
§ 17
(1) A legal person or an undertaking natural person commits an offence by:
(a) applies the EU trust mark2) in breach of Article 23 (1) of the Regulation; or
(b) in contravention of Article 24 (2) (h) of the Regulation, does not register or make available all relevant information after the cessation of the activities of a qualified trust service provider, or does not transmit to the Agency the registration referred to in Article 4 (2).
(2) A trust service provider commits an infringement by:
(a) does not take appropriate technical and organisational measures to manage risks to the safety of the services provided by it pursuant to Article 19 (1) of the Regulation;
(b) contrary to Article 19 (2) of the Regulation, does not inform the supervisory authority under this Act, or a person on whom the breach of security or loss of integrity may have an adverse impact, of a breach of safety or loss of integrity without undue delay; or
(c) contrary to Article 21 (3) of the Regulation, provides trust services designated as qualified before the status of a qualified trust service provider and qualified services has been identified in trusted lists.
(3) A qualified trust service provider commits an infringement by:
(a) contrary to Article 20 (1) of the Regulation
1. is not audited by a conformity assessment body at least every 24 months; or
2. does not submit the resulting conformity assessment report;
(b) is not subject to an audit by the supervisory authority under this Act or conformity assessment body pursuant to Article 20 (2) of the Regulation;
(c) does not ensure that a link to the relevant trusted list referred to in Article 23 (2) of the Regulation is available on its website;
(d) does not notify any changes in the provision of trust services or the intention to terminate any of its activities under Article 24 (2) (a) of the Regulation;
(e) employs employees or uses subcontractors in breach of Article 24 (2) (b) of the Regulation;
(f) contrary to Article 24 (2) (c) of the Regulation,
1. does not maintain sufficient funds; or
2. does not conclude appropriate liability insurance;
(g) fails to comply with the information obligation referred to in Article 24 (2) (d) of the Regulation;
(h) does not use trusted systems and products as referred to in Article 24 (2) (e) of the Regulation;
(i) does not use trusted data storage systems pursuant to Article 24 (2) (f) of the Regulation;
(j) does not take appropriate measures against counterfeiting and theft of data pursuant to Article 24 (2) (g) of the Regulation;
(k) in breach of Article 24 (2) (h) of the Regulation, does not register or disclose all relevant information;
(l) does not have an updated closure plan for the service continuity referred to in Article 24 (2) (i) of the Regulation;
(m) does not provide qualified trust services under a written contract pursuant to § 2;
(n) does not retain the documents referred to in Article 3 (1); or
(o) does not retain the data referred to in Article 3 (2).
(4) A qualified trust service provider issuing qualified certificates shall commit an offence by:
(a) does not verify the identity or special characteristics of the natural or legal person to whom a qualified certificate is issued pursuant to Article 24 (1) of the Regulation;
(b) does not ensure that the qualified certificate issued by it contains accurate, true and complete data;
(c) in breach of Article 24 (2) (k) of the Regulation, does not maintain or update the database of qualified certificates issued by it;
(d) does not disclose the invalidation of the qualified certificate issued by it pursuant to Article 24 (3) of the Regulation;
(e) does not provide any relying party with information on the validity or invalidation of qualified certificates issued by it pursuant to Article 24 (4) of the Regulation;
(f) contrary to Article 28 (4) of the Regulation, amends the status of invalidity of the qualified certificate issued by it for electronic signatures;
(g) contrary to Article 38 (4) of the Regulation, amends the status of invalidity of the qualified certificate issued by it for electronic seals; or
(h) issues a qualified certificate for electronic signature, a qualified certificate for electronic seal or a qualified certificate for the authentication of a website which does not meet the requirements of the Regulation.
(5) A qualified trust service provider providing a qualified service to validate qualified electronic signatures and qualified electronic seals shall commit an offence by:
(a) does not ensure verification of the validity of the qualified electronic signature or the qualified electronic seal referred to in Article 33 (1) (a) of the Regulation; or
(b) provides qualified services for the verification of qualified electronic signatures or qualified electronic seals in breach of Article 33 (1) (b) of the Regulation.
(6) A qualified trust service provider providing a qualified service of retention of qualified electronic signatures and qualified electronic seals shall commit an offence by not using the procedures and technologies referred to in Article 34 (1) of the Regulation.
(7) A qualified trust service provider issuing qualified electronic time stamps shall commit an offence by not ensuring that the qualified electronic time stamps issued by it comply with the requirements laid down in Article 42 (1) of the Regulation.
(8) A penalty may be imposed in respect of an offence:
(a) 500 000 CZK if the offence referred to in paragraph 3 (c) and (g) is committed;
(b) 1 000 000 CZK, if it is an offence pursuant to paragraph 2 (b), paragraph 3 (a), (e) and (m),
(c) CZK 2 000 000, if it is an offence pursuant to paragraphs 1, 2 (a) and (c), 3 (b), (d), (f), (h) to (l), (n) and (o) and 4 to 7.
§ 18
The Agency shall discuss offences under this law.
§ 19
Transitional provisions
(1) For a period of 2 years from the date of entry into force of this Act, a guaranteed electronic signature based on a qualified electronic signature certificate may also be used for signature under Section 5.
(2) For a period of 2 years from the date of entry into force of this Act, instead of a guaranteed electronic seal based on a qualified certificate for an electronic seal or a qualified electronic seal, it may be used:
(a) an electronic mark pursuant to Act No. 227 / 2000 Coll., on electronic signature and amending certain other laws (Electronic Signature Act), as effective before the date of entry into force of this Act, based on a system certificate issued by a person who was an accredited certification service provider before the date of entry into force of this Act and is a qualified trust service provider; or
(b) a guaranteed electronic seal based on an electronic seal certificate issued by a qualified trust service provider.
(3) For the purposes of paragraph 2, Article 11 (2) shall apply mutatis mutandis.
(4) A qualified trust service provider issuing system certificates for use in accordance with paragraph 2 (a) shall provide such trust service on the basis of a written contract. Paragraphs 3 (1) (a) and 3 (2) shall apply mutatis mutandis to the retention of documents related to the issue of system certificates.
(5) For a period of 2 years from the date of entry into force of this Act, an electronic time stamp issued by a qualified trust service provider may be used instead of a qualified electronic time stamp pursuant to Article 11.
(6) A qualified trust service provider issuing electronic time stamps for use in accordance with paragraph 5 shall provide such trust service on the basis of a written contract. Paragraph 3 (1) (c) shall apply mutatis mutandis to the retention of documents relating to the issuing of electronic time stamps.
(7) Obligations pursuant to § 6 (5) to (8) of Act No. 227 / 2000 Coll., as effective before the date of entry into force of this Act, remain valid after the date of entry into force of this Act.

Regulation Information

Citation: Act No. 297 / 2016 Coll., on Trust Services for Electronic Transactions
Regulation Type: Law
Author: -
Collection: Code of Laws
Date of Promulgation: 19.09.2016
Effective from: 19.09.2016
Effective until: -
Status: Valid
The regulation text is for informational purposes only.